TryHackMe Corp Writeup – Bypassing Windows Server 2019 Applocker and Kerberoasting

Hello and welcome back my TryHackMe writeup. So, I have a new task assigned for myself today to compromise a Windows machine in the TryHackMe lab. The machine called “Corp” a Windows Server 2019 Datacenter Edition.

Basically the machine is Subscriber only machine. The best part of subscribing THM is in some challenges you will get to have access to the real life virtual machine you can either RDP it or access it through your favorite web browser. However, I always prefer to RDP directly from my Windows laptop on such machine because of the stability.

The Real Task

The task is to bypass the Windows Applocker and escalate privilege. So, by end of the exploit one will learn about basics of kerberoasting, evading antivirus detection, bypassing applocker and escalating privileges on a Windows server.

Let us start.

Lets us make a nmap scan first

Ok, a few good number of ports are open, I will consider the rest ports later and try to RDP the machine first. I used my windows RDP to connect and test and then used XFreeRDP in my Kali for easy access to file share.

TryHackMe Corp Writeup – Bypassing Windows Server 2019 Applocker

[Task 2] Bypassing Applocker

The Applocker is application whitelisting technology introduced since Windows 7. It allows restricting which programs users can execute based on the application’s path, publisher and associated hash.

How To Bypass an Applocker

There are many ways to bypass AppLocker. If the AppLocker is configured using the default AppLocker rules, we can bypass it by placing an executable in the application directory. The C:\Windows\System32\spool\drivers\color – is the one mostly being compromised because this is whitelisted by default.

The other ways are discussed here:

And there is a full repo in GitHub called “Ultimate AppLocker ByPass List” that has a list of different possible ways of bypassing techniques.

But in this challenge I’m going to use the location C:\Windows\System32\spool\drivers\color where I move my netcat.exe and run programs from that location, because anything run from that location being ignored or passed through.

I host a Python SimpleHTTPServer and manually copied the nc.exe to the path, but I’ve been blocked by Internet Explorer security settings.

Using PowerShell to import exe

I used the PowerShell Invoke-WebRequest to import the file from my local Python HTTPServer

Command:

So to make sure my netcat is running, I simply run it and called the help and it is confirmed working.

The Task 2-1 is done.

Task 2-2 – Obtaining The Flag from the ConsoleHost_history

As other OS consoles, PowerShell as well stores the history of Console in the file called ConsoleHost_history.txt in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt location. I need to obtain the first flag from that location.

Command:

And here is the flag:

[Task 3] Kerberoasting

The task 3 is being Kerberoasting. I’m supposed to do use a PowerShell script to request a service ticket for an account and acquire the ticket hash. Then, I will need to crack the hash and get access to another user account!

First, I will need to extract and find all accounts in the Service Principal Name (SPN), for this I will use the PowerShell command:

The script will run for a couple of seconds and returns with the SPN accounts in the server.

I found an existing Service Account for the user called “fela”

Getting Hash From Service Principal Name Account

As we all know, Invoke-Kerberoast.ps1 is one of the commonly used PowerShell script to get HASH from the compromised SPN account. Since the target machine is already connected to the internet I download the script from GitHub CDN.

Once downloaded, I run the command Invoke-Command and output the hash in hashcat format so that its easy fir me to crack it.

Cracking The hash

I used John to crack the hash using a very simple command and rockyou as wordfile.

Once I have the password, I logged-off the RDP from current user Dark and Logged-in as new user Fela. The falg #2 was found in the desktop of the user Fela.

Privilege Escalation To Administrator

Now I have the user Fela compromised I will look for more and see if I can potentially escalate my privilege as Administrator. For this, I’m going to use PowerShellMafia’s PowerSploit. PowerUp normally look for common Windows privilege escalation vectors that rely on misconfigurations. You will find more usage examples and guide on author’s blog.

Firs, I need to import the PowerShell script directly in to the server from GitHub repo and run Invoke-AllChecks to see if I could find any vulnarabilities.

The script found a couple of vulns, let us run Unattended Path exploit. Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode, where the Administrator password is stored in Base64 encoded format.

Logging As Administrator

I had an issue accessing the Administrator, I wasn’t able to login using XFreeRDP, it was giving LoginFailure error. I tried a couple of times and tried to log in from my Windows RDP, noticed that the password was expired. Windows was prompting me to change the password, but some reason, I couldn’t change it.

Whatever the error, I should get the FLAG, so I re logged-in back thinking to try the DLL exploit found in the PowerSploit enum. But I found a shortcut to read flag from the Administrator’s desktop from the user Fela. C:/Users/Administrator/Desktop/flag.txt. I don’t know if it was allowed intentionally or wrong access rights.

[UPDATE] – I managed to talk to Paradox over Discord and it was an unintended way I owned the last flag, a small issue and has been fixed already I believe.

Thank you for reading.

Click to rate this post!
[Total: 1 Average: 5]

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
Sorry, that action is blocked.
0
Would love your thoughts, please comment.x
()
x
%d bloggers like this: