TryHackMe – VulnNet Roasted

Greetings, everyone!

In today’s post, we’ll be checking out the room VulnNet Roasted on the TryHackMe platform. So without further ado, let’s jump right in!

We’ll start off with our trusty Nmap scan. We’ll use the following flags:

  • -A for an aggressive scan (OS and version detection, default scripts, traceroute)
  • -p- for scanning all ports
  • -T4 to speed up the scan
  • -Pn to skip host discovery (no ping)

Nmap scan of 10.10.81.207

Looks like this system is a Domain Controller! Looking at the open ports, immediately we notice that port 445 is listed, which is SMB. We’ll begin here with our enumeration.

We’ll use a tool called smbclient to see what shares are listed:

smbclient to list out shares

Now that we know the shares, our next step is to see if we can connect to any of them without any credentials. The last two shares, VulnNet-Business-Anonymous Disk and VulnNet-Enterprise-Anonymous Disk, look very interesting. Let’s see if we can connect to these without any credentials!

Connecting to VulnNet-Business-Anonymous Disk share

Now that we’re connected, we can browse to see if there are any listed files, download them, and then list them out to see if there are any interesting details!

Downloading some interesting files.
Displaying contents of downloaded files.

Reading the files we’ve downloaded, we can see we have two possible users: Alexa Whitehat and Jack Goldenhand. Sweet! Now let’s take the same steps for the VulnNet-Enterprise-Anonymous Disk share and see if we can find any files there!

Listing out files to download on the share we’re connected to.
Display the contents of the files.

We have two more potential users: Tony Skid and Johnny Leet!

Perfect, we have four possible user accounts. So what do we do now? Well, we’re going to check whether any of the users we found don’t require Kerberos pre-authentication. To do this, we’ll be doing some AS-REP Roasting. The goal is to get a user’s hash that we can take offline and attempt to crack!

The first thing we’ll do is put our found users into a wordlist. We’ll enter different combinations (first initial plus last name, first name dot last name, and so on) because right now we don’t know the naming convention that the domain uses. Our user wordlist looks like this:

Now, let’s load up a tool called GetNPUsers.py, which is part of the Impacket toolset.

The command will look like this:

sudo python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip 10.10.40.184 -usersfile users.txt -outputfile hashes.txt -no-pass vulnnet-rst.local/

  • -dc-ip is the IP address of the Domain Controller
  • -usersfile users.txt is the file we created with the different combinations of possible usernames
  • -outputfile hashes.txt is the file where any hashes found will be written
  • -no-pass tells the tool not to prompt for a password, since we have none yet
  • vulnnet-rst.local is the domain name

AS-REP Roasting using GetNPUsers

After the tool runs, we can check the output file to see if we have any hits:

Hash found

We have a hash for user t-skid!
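From the blue-team side, the request GetNPUsers just made leaves a distinctive trace on the Domain Controller: Security event 4768 (a TGT was requested) with PreAuthType 0 and an RC4 ticket (0x17), plus a run of Status 0x6 (unknown principal) failures from one source while the username wordlist is tried. The following is an added detection example, not code from the original post; the log records are constructed and flattened to key=value pairs, and the IP addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed Security-log records for Event ID 4768 (Kerberos TGT requested),
# flattened to key=value pairs for this example. 192.0.2.x are placeholder
# addresses, not hosts from the room.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=alexa IpAddress=192.0.2.10 Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=-",
    "EventID=4768 TargetUserName=whitehat IpAddress=192.0.2.10 Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=-",
    "EventID=4768 TargetUserName=j-goldenhand IpAddress=192.0.2.10 Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=-",
    "EventID=4768 TargetUserName=t-skid IpAddress=192.0.2.10 Status=0x0 TicketEncryptionType=0x17 PreAuthType=0",
    "EventID=4768 TargetUserName=a-whitehat IpAddress=192.0.2.20 Status=0x0 TicketEncryptionType=0x12 PreAuthType=2",
    "EventID=4769 TargetUserName=a-whitehat IpAddress=192.0.2.20 Status=0x0 TicketEncryptionType=0x12",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened record into a dict of its key=value fields."""
    return dict(KV_RE.findall(line))

def find_asrep_requests(events):
    """AS-REP roasting signature: a successful 4768 (Status 0x0) issued with
    no pre-authentication (PreAuthType 0) and an RC4 ticket (0x17), which is
    exactly what GetNPUsers asks the KDC for. Returns (user, ip) pairs."""
    hits = []
    for e in events:
        if (e.get("EventID") == "4768" and e.get("Status") == "0x0"
                and e.get("PreAuthType") == "0"
                and e.get("TicketEncryptionType", "").lower() == "0x17"):
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits

def find_user_enumeration(events, threshold=3):
    """Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) means the requested principal
    does not exist. One source IP producing it for many distinct names looks
    like a username wordlist being tried against the KDC."""
    unknown = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4768" and e.get("Status") == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(users) for ip, users in unknown.items() if len(users) >= threshold}

if __name__ == "__main__":
    parsed = [parse_event(line) for line in SAMPLE_EVENTS]
    print("AS-REP roastable requests:", find_asrep_requests(parsed))
    print("Possible username enumeration:", find_user_enumeration(parsed))
```

A hit from find_asrep_requests means that account has the "Do not require Kerberos preauthentication" flag set; clearing that flag (and giving the account a long password while it must stay set) removes the offline-cracking exposure.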

Now we can load up Hashcat to see if we can crack it! We’ll be using our trusty RockYou wordlist for this:

Hashcat
Hash cracked successfully

We now have a username and password combo: the user is t-skid and the password is tj072889*

Now that we have credentials, let’s go back to our listed SMB shares and see what we can authenticate to!

Connecting to NETLOGON share

We’re able to connect to the NETLOGON share! And look at this: we see a file called ResetPassword.vbs, which can only be juicy! Let’s download it and have a look!

ResetPassword.vbs file

Well, what do we have here! Looks like some more credentials!

Let’s try connecting to the Domain Controller with these newly found credentials!

Looking back at our Nmap scan, another open port we have listed is port 5985, which is WinRM. We’ll use a tool called Evil-WinRM to connect over it and see if the credentials work.

Evil-WinRM to Connect to the Domain Controller

Sweet! We are able to connect to the Domain Controller with the “a-whitehat” credentials we found!

After some digging around on the DC, we’re able to grab the user flag:

User flag

Now let’s see if we can escalate our privileges to get the root flag!

Let’s run a simple net user command to see what information we can gather about our current user:

net user output for the a-whitehat account

Under Global Group memberships, we see that a-whitehat is a member of Domain Admins! Knowing this, let’s see if we can dump all hashes on the DC, including the Administrator hash! We’ll try this by using secretsdump.py:

Secretsdump.py to dump hashes

Great! We have the Administrator hash! Now, what’s neat here is that we actually don’t need to crack this hash; we can instead pass the NTLM hash straight to Evil-WinRM with its -H option (pass-the-hash)! Let’s try it:

We have Administrator access! Let’s grab the root flag!

Another machine successfully compromised!

Thanks for reading!