VulnNet: Roasted [ TryHackMe ]
Hey guys! I thought of doing a write-up for the VulnNet: Roasted challenge. I made 5 other write-ups for different rooms which you can check later.
Challenge scenario: VulnNet Entertainment just deployed a new instance on their network with the newly hired system administrators. Being a security-aware company, as always they hired you to perform a penetration test and see how the system administrators are performing.
Ok, let us start the challenge by deploying the machine. Please note that the machine IP address can change, because I am taking this challenge while writing this walkthrough, which takes time, and sometimes the machine crashes or there is a VPN problem.
Target machine (in my situation) -> I started by adding this address to my /etc/hosts file and headed over to it to see if I would stumble upon a web app, but nothing came up for me. Using Nmap to scan for open ports and the services that run on the server reveals a list of open ports with their corresponding services.
From the results, I can tell we are facing a Windows DC (Domain Controller). Kerberos is used for authentication. LDAP (Lightweight Directory Access Protocol) is a protocol for accessing and maintaining distributed directory information services over an IP network. It enables management of, and access to, information about the resources within a network, such as users, groups, systems, and services; it supports authentication and authorization and enables centralized management in diverse network environments.
Continuing with our scanning phase, I see that port 445 (SMB, Server Message Block) is open, so I tried to list the shares on this host.
Using the command 'smbclient -L \\[Target] -U anonymous', I managed to list the shares and their types. See the image below, please.
Retrieving them did not give much [I was wrong] besides names of technical support staff, phone numbers, and people's names. I kept the names for later in the form [FirstName].[LastName], because organizations commonly store usernames this way. Next I had to enumerate the host, so I used 'NetExec', the successor of 'CrackMapExec'. I suggest you all check out this tool and get familiar with it at the next link ->
Continuing with the next command, 'nxc smb' shows the hosts on the target. After that, I used 'nxc smb -u anonymous -p '' --shares' to see which shares I can read anonymously; I saw that IPC$ is READ-only, and then used '--rid-brute' to enumerate users by brute-forcing the RID on the remote target.
The IPC$ share is used during remote procedure calls (RPCs), which are essential for operations like authentication and authorization. When a user or service on one computer wants to authenticate or initiate a session with another machine in a domain, it uses the IPC$ share to communicate authentication requests, which include security identifiers (SIDs) that contain RIDs.
Now, I thought of taking each username with the domain name as 'vulnnet-rst.local/[UserName]' and running a password spray with wordlists from GitHub or others I have used before, such as 'nxc winrm -u userfile -p passwordfile', or even using hydra against SMB or psexec.py, but nothing gave me any results. Then I headed over to the impacket-GetNPUsers.py script, which in short is designed to exploit the Kerberos protocol by attempting to retrieve TGTs (Ticket Granting Tickets) for accounts that are configured without requiring pre-authentication.
After getting the hash of the user 't-skid', I managed to crack it using hashcat and tried to log in using psexec/winrm/wmi, but again - nothing. I tried to log in to SMB using 'smbclient' and it worked! I managed to download a sensitive file that holds credentials for another user account.
After gaining the credentials, I tried to remotely connect to the machine using wmiexec and it worked! FLAG1 was found on the user's Desktop.
Now, flag2 is about getting the system flag (Desktop\system.txt), which belongs to the Administrator account (I guess). I have to say that this part was easy, because the command 'net user' shows that our current user (a-whitehat) belongs to the Administrators group, which gives us the option to DUMP the database (SAM) using secretsdump. After that, connect with the Administrator hash using the '-hashes' option of wmiexec, which lets us authenticate with the admin's hash with no need to crack it.
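From the defender's side, the weakness GetNPUsers.py abuses is an account flag (userAccountControl DONT_REQ_PREAUTH), and each such request leaves a Kerberos TGT-request event (ID 4768) with pre-authentication type 0. The script below is an added example, not code from this write-up or from TryHackMe: it audits constructed user records for the flag and flags constructed 4768 events that match the roasting pattern (no pre-auth plus RC4, 0x17).

```python
# Added defensive example, not code from the write-up; sample data is constructed.
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000  # userAccountControl: "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x0002      # userAccountControl: account is disabled
RC4_HMAC = 0x17              # TicketEncryptionType for RC4-HMAC in Event ID 4768


@dataclass
class AdUser:
    sam_account_name: str
    user_account_control: int


def asrep_roastable(users):
    """Enabled accounts with DONT_REQ_PREAUTH set: the ones AS-REP roasting targets."""
    return sorted(
        u.sam_account_name for u in users
        if u.user_account_control & DONT_REQ_PREAUTH
        and not u.user_account_control & ACCOUNTDISABLE
    )


def flag_asrep_roasting(events):
    """Flag 4768 (TGT requested) events with no pre-auth (type 0) and RC4 (0x17); returns (user, ip)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4768:
            continue
        no_preauth = str(e.get("PreAuthType")) == "0"
        rc4 = int(str(e.get("TicketEncryptionType")), 16) == RC4_HMAC
        if no_preauth and rc4:
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


# Constructed sample data: one account with pre-auth disabled, one disabled account.
SAMPLE_USERS = [
    AdUser("a-whitehat", 0x200),                                   # NORMAL_ACCOUNT only
    AdUser("t-skid", 0x200 | DONT_REQ_PREAUTH),
    AdUser("old-svc", 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE),
]
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "t-skid", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "a-whitehat", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.7"},
    {"EventID": 4769, "TargetUserName": "t-skid", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50"},
]
```

Re-enabling pre-authentication on the accounts the audit returns removes the issue; the event check is the detection to keep running afterwards.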
10 months: Thank you very much, this is helpful, good job!