TryHackMe Ra Writeup

Welcome back to another TryHackMe Windows box writeup. Today's box is called Ra, created by 4ndr34zz.

Machine Name: Ra
Difficulty: Hard
Created By: 4ndr34zz

Released On: 03rd July 2020
Machine Link: https://tryhackme.com/room/ra

This Windows box is all about exploiting a misconfigured web server, gaining access to SMB, eventually getting into the WindCorp corporate internal network and escalating our privileges to own the Administrator account. There are 3 flags to be captured, so let us get down to business.


Enumeration

As always, once the machine is booted and its IP address is allocated to me, I update my hosts file with the IP of the machine as ra.thm and then start off with nmap scanning.

The nmap scan reveals that many ports are open; from an initial check I noticed the AD DC names, DNS address, LDAP services etc. are running. I add the newly found DNS and AD DC information to my hosts file.

Webserver

Port 80 hosts a Microsoft IIS httpd 10.0 web server. Upon visiting port 80 (ra.thm) the company portal opens up.

The website has a link to reset the password and, more interestingly, a list of IT Support staff and their email IDs. I'm pretty sure this has something to do with the foothold, so I made a list of the usernames and their email IDs in two files called users.txt and emails.txt. There is also a link to an IM service called "Spark"; this could also be a hint for something to gain a foothold.

Resetting The User’s Password

As noticed initially, there is a link to reset the password of internal users; however, we need to answer a couple of security questions in order to reset the password.

Going through the page, I noticed a section where the company highlighted 3 employees, listing a staff member "Lily Levesque" with a pet. Her tagline says, "I love being able to bring my best friend to work with me!". I recalled that the password reset also has a security question, "What is/was your favorite pets name?".

A quick look at Lily's image showed me the image name "lilyleAndSparky.jpg", which means the pet in Lily's hands is "Sparky". Let us try our luck here to reset Lily's password.

I tried with the name as per the image name and successfully changed Lily's password.

Awesome, I now have working credentials for one of the staff, so I could eventually get into the company's network. However, Lily is not IT staff, so she should have fewer privileges on the network. Looking at the services returned by the nmap scan, I noticed SMB is running.

So as the next step, I ran SMBMap with the credentials I have and the following shares were listed, all of them with read-only access for Lily.

Reading the files in the different directories, I found the file "Flag1.txt" in the Shared folder, and I used smbclient to download it.

Flag #1

Going through the other files in Lily's directory, I noticed several installers of "Spark" for different operating systems. The version of the installer is 2.8.3, so a quick search for a "Spark 2.8.3" exploit led me to a recent vulnerability. The vulnerability is listed as "CVE-2020-12772".

Spark 2.8.3 CVE-2020-12772 Vulnerability

A chat on the IM can include an IMG element with an SRC attribute referencing an external host’s IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)

As per the exploit, I needed to install the vulnerable version of Spark locally, so I downloaded the deb installer and installed it on my Kali box. After installation, I ran Spark with the credentials of Lilyle, but I was getting a "certificate error".

But I found a way to bypass the certificate checking from the advanced menu and successfully logged in as Lilyle.

After spending some time, I found a GitHub repo where the Ra machine makers put up an article that actually shows how to run the exploit from the image placeholder.

After a few trial-and-error attempts, I finally got the NTLM hash of the user Buse (an IT Support user).

I copied the hash to a text file and used John to crack it.

Getting The System Access

As soon as I had valid credentials for the user Buse, I used Evil-WinRM to log in to the system and get a PowerShell shell.

Flag #2

Checking the user Buse's privileges, I found that Buse is a member of "BUILTIN\Account Operators", which means the user Buse has the right to reset passwords on standard user accounts.

IT Group members

Privilege Escalation

Going further, I found a couple of directories and a text file, but none of them seemed useful. Enumerating the system, I found a directory C:\scripts\ with a PowerShell script called "checkservers.ps1". I tried to run the script but got "access denied".

The CheckServers.ps1 Script

The script:

I downloaded the script to my local machine for further analysis. The script is run by the user Brittanycr, who is also a member of the IT group, but she is not a member of the Administrators group. So I can change her password and get the 3rd flag from her desktop.

And I changed the password successfully.

After changing the password, I tried to log in as Brittany, but failed. That means there is still more to go: either Brittany is not the right user, or Evil-WinRM is not the right way to get the 3rd flag.

After spending some time enumerating, I decided to look into the PowerShell script, which I had completely forgotten about. Going line by line, I noticed the line:

The line says there is a file on Brittany's desktop whose contents get executed by the script, which checks the hosts every cycle, i.e. every time the script runs. I think I can run anything as an Administrator through it. Also, luckily, I now have a new password for Brittany, so I can access her directory and the hosts file. Let us do it using smbclient.

Hosts File Contents:

The hosts file doesn’t have much to show, but only a couple of domain names.
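The weakness here is a privileged scheduled script that reads a file a standard user can write and executes its contents. As an added example (not the room's checkservers.ps1, which is not reproduced in this writeup), the following PowerShell shows how such a checker should be written: the list lives under an administrator-only path (an assumed location), every entry is validated as a hostname or IPv4 address, and entries are only ever passed to a cmdlet as data, never evaluated.

```powershell
# Added example: hardened host-availability check. The hosts list is data, not code.
# Assumption: the list is kept under a path only administrators can write, one host per line.
param(
    [string]$HostsFile = 'C:\ProgramData\ServerChecks\hosts.txt'   # assumed path
)

# 1. Refuse to run if any principal other than SYSTEM/Administrators can modify the input.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
$acl = Get-Acl -Path $HostsFile
foreach ($ace in $acl.Access) {
    $canWrite = ($ace.FileSystemRights -band $writeBits) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        ($trusted -notcontains $ace.IdentityReference.Value)) {
        throw "Refusing to run: $($ace.IdentityReference.Value) can write $HostsFile"
    }
}

# 2. Accept only syntactically valid DNS names or IPv4 addresses; warn and skip anything else.
$hostPattern = '^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*' +
               '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'

$results = foreach ($line in Get-Content -Path $HostsFile) {
    $h = $line.Trim()
    if ($h -eq '' -or $h.StartsWith('#')) { continue }      # blank lines and comments
    if ($h -notmatch $hostPattern) {
        Write-Warning "Skipping malformed entry: $h"
        continue
    }
    # 3. Reachability test: the entry is a parameter value, never part of a command string.
    [pscustomobject]@{
        Host  = $h
        Alive = Test-Connection -ComputerName $h -Count 1 -Quiet -ErrorAction SilentlyContinue
    }
}

$results | Format-Table -AutoSize
```

The ACL check is what would have caught this box's misconfiguration: a list file on a user's desktop fails it before a single host is tested.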

Creating a New Administrator User

Creating a new Administrator user is as simple as it sounds: it is just a one-line script away. I used the net user command to create a new user as follows:

I copied my new script into the hosts file, uploaded it to Brittany's directory and waited a while for the script to get executed and my new user Navin to be created.

Flag #3

After a minute I used Evil-WinRM again to log in to the system as Navin, browsed through the Administrator desktop and got Flag #3.

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523
