
TryHackMe Red Team Capstone Walkthrough Part IV: Flag Submission

7 min read, Sep 16, 2025

TL;DR walkthrough of the Red Team capstone network on TryHackMe. This is Part IV: Flag Submission.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Our Red Team Capstone Walkthrough Series

There are four parts to this walkthrough of the Red Team Capstone due to the sheer size of the network:

Background

We left off Part III: Escalation to Enterprise Admin with access to the SWIFT banking application with credentials as both Capturer (g.watson \ Corrected1996) and Approver (a.holt \ willnotguessthis1@). I had not submitted any flags yet, so my network diagram still looked like this on TryHackMe.


Had I been putting in the flags as I went then my diagram would have looked like this:


And finally like this:


As I mentioned in the Part III Summary I attempted to create a transaction using the SWIFT credentials I had found, but I was missing several key pieces of information that come from the Red Team Capstone’s flag submission process itself. The process was a bit convoluted and is nothing like what I have seen in other TryHackMe rooms so I decided to outline it in a Part IV of our Red Team Capstone Walkthrough.

How to retrieve flags

I am still running a Kali VM that I grabbed fresh off Kali.org back when I was studying for The Cyber Mentor’s PJPT exam. While it had impacket and evil-winrm already installed, it lacked the Thunderbird email client.

Email interaction with 10.200.89.11 is required to retrieve the flags in the Red Team Capstone. Hence I installed Thunderbird.

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys ED65462EC8D5E4C5

sudo apt-get update --fix-missing

sudo apt install thunderbird

Once that’s done, connect to the flag submission VM on 10.200.89.250.

ssh 'e-citizen'@10.200.89.250

The password is ‘stabilitythroughcurrency’

[1] register

Username: <your TryHackMe username>
Password: <the server assigns you an email password>
MailAddr: <your TryHackMe username>@corp.th3reserve.loc

Set up Thunderbird manually and put the IP 10.200.89.11 in as the server name. Please note that the IP for the mail server may be different in your Capstone; check your network diagram.

Once complete you will see your first email.


How to submit flags

In order to submit proof that you have compromised the VMs you will connect to the scoring server as above, hit Option 2 Authenticate, and log in using your TryHackMe username and the password assigned to you when you registered.


I will use Flag ‘[16] Root Tier 0 Admin’ as an example.

  • Select [16].
  • The score server will give you a value to place in a text file in C:\Users\Administrator on the ROOTDC VM.
  • You copy/paste that value into a text file in the specified location on the VM.
  • You hit Y on the scoring server.
  • If you did everything correctly you will get confirmation from the scoring server and an email with the flag.

I encountered a few pitfalls along the way while completing flags 1–16:

  • Make sure you check view file extensions! *.txt.txt will cause the flag verification to fail. Most of the VMs are NOT showing file extensions in Windows Explorer until you enable that option.
  • Some of the VMs did not have an Administrator account in their local users, but the scoring server is insisting that you place a file in C:\Users\Administrator.

As a workaround to the second issue I simply ran ‘compmgmt.msc’, created an Administrator user [or enabled it if it was already there], ran PowerShell as a different user, and ran it as the local Administrator I had just created or enabled. This caused Windows to create a profile for them under C:\Users and I could then place the file there without having to log off my RDP session as the Enterprise Admin.
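The same workaround, plus the file-extension pitfall, scripted in PowerShell. This is an added example and not code from the original post or from TryHackMe; it assumes you are already a local administrator on a member server or workstation (the case the workaround describes), that the file name is the one the scoring server specifies (flag.txt is a stand-in), and that the proof value is a placeholder you replace with what the scoring server hands you.

```powershell
# Added example (not from the original post): prepare the proof-of-access file
# the scoring server asks for while avoiding the two pitfalls described above.
# Assumptions: already an admin on this VM; $ProofValue and $FileName are
# placeholders for the value and file name the scoring server actually gives you.
param(
    [string]$ProofValue = '<value-from-scoring-server>',   # placeholder, not a real value
    [string]$TargetDir  = 'C:\Users\Administrator',
    [string]$FileName   = 'flag.txt'                        # assumed name; use the server's
)

# 1. Make Explorer show extensions so a stray ".txt.txt" is visible (per-user setting).
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                 -Name 'HideFileExt' -Value 0

# 2. Make sure a local Administrator account exists and is enabled.
$admin = Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue
if (-not $admin) {
    $pw = Read-Host -AsSecureString 'Password for the new local Administrator'
    New-LocalUser -Name 'Administrator' -Password $pw | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member 'Administrator'
} elseif (-not $admin.Enabled) {
    Enable-LocalUser -Name 'Administrator'
}

# 3. Create the profile directory if it is missing. Starting a process as that
#    user with -LoadUserProfile makes Windows build C:\Users\Administrator
#    without logging the current RDP session off.
if (-not (Test-Path -LiteralPath $TargetDir)) {
    $cred = Get-Credential -UserName "$env:COMPUTERNAME\Administrator" -Message 'Local Administrator'
    Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-Command', 'exit' `
                  -Credential $cred -LoadUserProfile -Wait -WindowStyle Hidden
}

# 4. Write the value with an explicit, single extension. -LiteralPath avoids any
#    wildcard interpretation, and -NoNewline matches what a paste into Notepad gives.
$path = Join-Path $TargetDir $FileName
Set-Content -LiteralPath $path -Value $ProofValue -NoNewline -Encoding ascii

# 5. Verify exactly what is on disk: name, extension, size and content.
Get-ChildItem -LiteralPath $TargetDir -File | Select-Object Name, Extension, Length
if ((Get-Item -LiteralPath $path).Extension -ne '.txt') { throw "unexpected extension on $path" }
Get-Content -LiteralPath $path -Raw
```

Step 5 is the one worth keeping even if you do the rest by hand: listing the directory with the Extension column shows a double extension immediately, which Explorer hides by default on most of the room's VMs.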


Once I got to inputting Flags 17–20 I realized what I had been missing earlier. The scoring server gives you account #s, PIN #s, and other information required to submit the fraudulent transaction that you will then approve using g.watson and a.holt’s credentials.

I highly recommend copy/pasting everything the scoring server tells you for these flags into Notepad on your actual system, NOT your Kali VM or one of the room’s VMs, and saving those details as you go.

Flags 17–20 also build off the information the scoring server gave you for previous flags, for example this was the prompt I received for Flag 20, the final flag in the Red Team Capstone.

This is the final check! Please do not attempt this if you haven't completed all of the other flags.

Once done, follow these steps:
1. Using your DESTINATION credentials, authenticate to SWIFT
2. Using the PIN provided in the SWIFT access flag email, verify the transaction.
3. Using your capturer access, capture the verified transaction.
4. Using your approver access, approve the captured transaction.
5. Profit?

Once you have approved the provided transaction, please enter Y to verify your access.

This may have been hands down the most elaborate flag process I have seen anywhere to date, and I have done a few SANS CTFs, a few ranges like Slayer Labs, lots of TryHackMe, and a couple of 100% hands-on exams.

I had to:

  1. Connect to my foothold VM, 10.200.89.21, using xfreerdp from Kali.
  2. RDP into ROOTDC.thereserve.loc as an Enterprise Admin.
  3. RDP from ROOTDC into JMP.bank.thereserve.loc as the Domain Admin I had created in the bank domain.
  4. Run two Chrome windows side by side, one logged in as g.watson and one as a.holt.
  5. Follow TryHackMe’s instructions using the information I had from the previous flags.
  6. Check Thunderbird back on Kali to get the email with the flag.

I am including the full uncropped screenshot so everyone can see that.


I give the room’s author credit, they included email traffic from the fictional bank’s POC to us along with the flags.

On a sidenote, I am not including all 20 flags themselves in these writeups for two reasons:

  1. This room was really good and everyone should follow along with Parts I — IV of this walkthrough to get the flags.
  2. I strongly suspect that TryHackMe gives each user their own values to place in the *.txt files to get the flags and randomly generates the flag values per user based on that.
  3. Hence my flags likely wouldn’t work for anyone else anyway.

Summary

Overall I think the Red Team Capstone was an excellent room. The only thing it was missing was additional services like AD CS, MSSQL, Exchange, etc as part of the escalation path. Credential dumping was also not part of the escalation path, but I give the author credit for stressing:

  • Enumeration to build email, username, and password lists
  • Password spraying
  • Local privilege escalation
  • Kerberoasting
  • DACL enumeration and abuse, particularly on a GPO as many exercises don’t include those
  • Forging tickets to escalate from Domain Admin in a child domain to Enterprise Admin in the entire forest
  • Further enumeration of additional child domains in that forest in order to compromise the ultimate target
  • How users tend to act like users, i.e. password re-use, easy to guess passwords that meet complexity requirements, writing passwords down in *.txt files on their Desktop, etc

I did find the flag submission process a bit tedious, particularly the flags for things like ‘ROOT Tier 0 foothold’. I didn’t get a foothold, I went straight to Enterprise Admin, yet putting in the ‘ROOT Tier 0 Admin’ flag didn’t give me credit for both. I still had to go back, put a file with the specified value in C:\Windows\Temp on ROOTDC, and hit Y to get Flag 15. This is why flag submission alone took me about 2 hours in this room.

It also brings up a serious question: is it simply a foothold if an attacker can log in interactively to your DCs in your forest root domain? This is something that is not allowed for Domain Users by default, and if an attacker is doing this then you are likely hours away, at best, from having ransomware running forest wide.
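From the defender's side, the point above is that an interactive or RDP logon to a forest-root DC by anyone outside the Tier 0 groups should be an alert, not a flag. The following is an added example, not part of the original post, of pulling exactly those logons out of a DC's Security log and flagging the ones that do not belong to a Tier 0 group. It assumes the ActiveDirectory RSAT module is available, rights to read the Security log on the DC, and the default built-in group names; the group check is direct membership only, so nested membership is a known gap.

```powershell
# Added example (not from the original post): surface interactive (type 2) and
# RDP (type 10) logons on a domain controller, then mark any that are not from a
# Tier 0 admin group. Assumes the ActiveDirectory module and Security-log read rights.

function Get-DcInteractiveLogons {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    # Event 4624 = successful logon. LogonType 2 = local console, 10 = RemoteInteractive (RDP).
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # Pull the EventData fields out of the event XML into a name -> value table.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['LogonType'] -in @('2', '10')) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Domain    = $d['TargetDomainName']
                    User      = $d['TargetUserName']
                    LogonType = $d['LogonType']
                    SourceIP  = $d['IpAddress']
                    Process   = $d['ProcessName']
                }
            }
        }
}

# True when the account is a direct member of a group that is expected to touch a DC.
# Direct membership only: nested groups are not expanded here (known limitation).
function Test-ExpectedDcAdmin {
    param([string]$SamAccountName)
    $tier0 = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    try {
        $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName -ErrorAction Stop |
                  Select-Object -ExpandProperty Name
    } catch {
        return $false   # unknown or non-domain principal: treat as unexpected
    }
    return [bool]($groups | Where-Object { $_ -in $tier0 })
}

# Anything left after this filter is an investigation lead, not a foothold to score later.
Get-DcInteractiveLogons -Hours 24 |
    Where-Object { -not (Test-ExpectedDcAdmin -SamAccountName $_.User) } |
    Format-Table Time, Domain, User, LogonType, SourceIP, Process -AutoSize
```

Run it against ROOTDC (or any DC) with a longer -Hours window after an engagement like this one and the Enterprise Admin RDP session from the JMP host, and the earlier foothold logon, both show up in the same list; the difference between "foothold" and "admin" is only which group the account sits in.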

It’s a small complaint though. Overall The Red Team Capstone was excellent and I highly recommend it, especially if your organization uses AD as 90% of the Fortune 500 and most Government agencies do.

References

25 Years of AD: https://auxility.be/25-years-of-active-directory/


Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
