From b8ba1c42fb5b0183e91c9a848866ccfadac15193 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Thu, 29 Apr 2021 11:21:01 +0500
Subject: [PATCH] Add files via upload
---
TryHackMe/USTOUN.md | 242 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 242 insertions(+)
create mode 100644 TryHackMe/USTOUN.md
diff --git a/TryHackMe/USTOUN.md b/TryHackMe/USTOUN.md
new file mode 100644
index 0000000..f29d118
--- /dev/null
+++ b/TryHackMe/USTOUN.md
@@ -0,0 +1,242 @@
+# TryHackMe-USTOUN
+
+## Rustscan
+
+```bash
+PORT STATE SERVICE REASON VERSION
+53/tcp open domain? syn-ack ttl 127
+| fingerprint-strings:
+| DNSVersionBindReqTCP:
+| version
+|_ bind
+88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-04-03 18:57:34Z)
+135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
+445/tcp open microsoft-ds? syn-ack ttl 127
+464/tcp open kpasswd5? syn-ack ttl 127
+593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+636/tcp open tcpwrapped syn-ack ttl 127
+1433/tcp open ms-sql-s? syn-ack ttl 127
+3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ustoun.local0., Site: Default-First-Site-Name)
+3269/tcp open tcpwrapped syn-ack ttl 127
+3389/tcp open ssl/ms-wbt-server? syn-ack ttl 127
+| rdp-ntlm-info:
+| Target_Name: DC01
+| NetBIOS_Domain_Name: DC01
+| NetBIOS_Computer_Name: DC
+| DNS_Domain_Name: ustoun.local
+| DNS_Computer_Name: DC.ustoun.local
+| DNS_Tree_Name: ustoun.local
+| Product_Version: 10.0.17763
+|_ System_Time: 2021-04-03T19:00:24+00:00
+| ssl-cert: Subject: commonName=DC.ustoun.local
+| Issuer: commonName=DC.ustoun.local
+| Public Key type: rsa
+| Public Key bits: 2048
+| Signature Algorithm: sha256WithRSAEncryption
+| Not valid before: 2021-01-31T19:39:34
+| Not valid after: 2021-08-02T19:39:34
+| MD5: fce5 375e 0190 ebc1 bf6e f384 468f 69f6
+| SHA-1: dbe7 28d6 1980 1221 c9cb 712a 911e 99b2 303e 5de7
+| -----BEGIN CERTIFICATE-----
+| MIIC4jCCAcqgAwIBAgIQWPJp5aVu8JlPCbMkI/U6AjANBgkqhkiG9w0BAQsFADAa
+| MRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwHhcNMjEwMTMxMTkzOTM0WhcNMjEw
+| ODAyMTkzOTM0WjAaMRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwggEiMA0GCSqG
+| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDErxES6mfg1M0Ur5tZJHE8BKV+voQAWLa4
+| gKJfNi0av9nZ80wp2gJnQmHmZC0ACVpQUufMU9vlaCnk35rqsyM0/igqigSqWXAM
+| OY/876ZWGbo5R1g3PjH4bE3mdPtPAJF0wfS8aZ8CdHlmuGDFlJmnu6qFEP/PoACC
+| tf1S/vky+8GVs4uLFyxZOY5mam5PNULQvsMz2ycOPwj2CYwgWnrnA52N6m/6O9v7
+| XK+K6XBSGHamrHR5EYFXG+u1vItwm4qpUZerUhZl2/WVKIIN4pDXWDCrS59nsVvc
+| UC3fDPcgzruHIVJcA+g+CsEYdidS+E1NO3e3ZnWBeWE77ZCSDyTNAgMBAAGjJDAi
+| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
+| AAOCAQEAj9XeCOtYI4LrmeM7qZVQYuuDHIDosWkIw0LMpin4/gt0CDaEB1/uXUnX
+| JnBUEHWMDdjzC22hTsTdUIntZgJAk81aQbPm3qMvSE1AXPCCfsN7GehA4kX/n42X
+| xiz2rwZo/5DYH0JOWj8iCZyFMiXqSwQm3GWbG4LuTOct+x/rv0UwhyCvdllVRtwz
+| P9BM/9qZqy3LecKtJh6UUo8FZ8zkekT9nsJ9/vCv3/THRUMOtEtSXdZUUqccXwRm
+| 0HVLxT09wdGGbwdOzzdQSQfLmewi3rSZQf9liaXDtpkK60qrzj4zcyGG2QvX+9EI
+| pZV0B4rzCUDWrpaTOsv8z7Qlgeb2GA==
+|_-----END CERTIFICATE-----
+|_ssl-date: 2021-04-03T19:01:07+00:00; +1m25s from scanner time.
+5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
+47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49670/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
+49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49689/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49709/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49712/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+49726/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
+
+```
+
+From the scan we can see a domain name
+
+
+
+## PORT 445 (SMB)
+
+
+
+
+
+We can only access `$IPC` as anonymous but there is no use of it. So using `crackmapexec` we can use RID bruteforce which will enumerate all AD objects including users and groups by guessing every resource identifier (RID)
+
+
+
+Here you can see `SVC-Kerb` might be a user we can try to bruteforce as MS-SQL is running we can try there
+
+## PORT 1433 (MS-SQL)
+
+
+The database is Microsfoft SQL so let's brute force credentials using `hydra`
+
+
+
+
+
+We found the password so we can use metasploit's module for code execution `use admin/mssql/mssql_exec`
+
+
+
+So there's a command execution alternatively we can try do `sqsh` which is an opensource program for getting a interactive database shell
+
+
+
+Here `-S` indicates the server where we put the IP address or the port if MS-SQL was on a different port
+
+`-U` specifies the username
+
+`-P` specifies the passowrd
+
+Now to execute windows commands we are going to use `xp_cmdshell` which spawns a windows command shell . `xp_cmdshell` is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be `EXEC master ..xp_cmdshell'whoami'` , here `EXEC` is used to execute stored procedure on a database and stored procedures are kinda like functions in mysql /mssql.
+
+
+
+We can find the user.txt in `C:\Users\SVC-Kerb.DC01`
+
+
+
+But when I tried to read it I get access denied
+
+
+
+So first to get a proper shell I uploaded `ncat64.exe` you can download it from here
+
+https://github.com/int0x33/nc.exe
+
+
+
+
+
+Now we got a shell at least so to see what permissions does `SVC-kerb` has we can do `net user SVC-kerb`
+
+
+
+It tells that we are just a domain user also this looks like a service account and we won't be able to with it much since this is a Active Directory we can try to run `SharpHoundp.ps1` to gather everything it could find about the domain
+
+
+
+I transfered the file onto target machine but before run it let's find the domain name we already know it from the nmap scan but just to be sure spawn a powershell by running `powershell` and run `Get-ADDomain` this will show you the information of the domain
+
+
+
+Now we will import sharphound.ps1 and use it's functions
+
+
+
+We need to transfer this on to our local machine so we can analyze the data through `BloodHound`
+
+To transfer it I tried creating a smb share on my local machine and copying the zip file there but windows gave an error that it wasn't allowing to transfer the file so I thought of trying to get a meterpter shell through which I can download the zip file
+
+
+
+
+
+
+
+Run `neo4j console`
+
+
+
+Then `bloodhound`
+
+
+
+
+
+I imported that zip file in blood hound but didn't find anything intersting, so can now upload `PowerUp.ps1` to enumerate for misconfigurations or privilege escalation techniques
+
+## PowerUp
+
+You can download the script from here
+
+https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc
+
+Also read the documentation from here
+
+https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/
+
+Now importing the powershell script and running `Invoke-AllChecks`
+
+
+
+
+
+So here we have 2 ways of getting admin first let's try abusing the service `UsoSvc`
+
+### Service Abuse
+
+Looking at the documentation
+
+
+
+We can abuse a service by creating a local administartor by creating a new username and then adding it local adminstrators group or by using the current username
+
+
+
+Creating a new username and adding it to local adminstrator
+
+
+
+To see if this user was added
+
+
+
+Now to switch to this user we can `evil-winrm` to login since winrm service is rinning
+
+
+
+### SeImpersonatePrivilege
+
+Running `whoami /all` to see what privleges the user has
+
+
+
+
+
+Now we can abuse this service by through `PrintSpoofer`
+
+
+
+Download printspoofer 64 bit verison
+
+https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0
+
+
+
+
+
+
+
+And we can access Administrator's directory
+
+
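Review bot: The MSSQL command in the "PORT 1433" section is mistyped as `EXEC master ..xp_cmdshell'whoami'`; the stored-procedure syntax is `EXEC master..xp_cmdshell 'whoami'` (no space before the two dots, a space before the quoted argument), and because xp_cmdshell is disabled by default on SQL Server the write-up should say whether it was already enabled on this box or had to be turned on, since that setting is exactly what an administrator should be auditing. In the SMB section the share is `IPC$`, not `$IPC`, and RID stands for relative identifier, not resource identifier; that matters because the brute force works by walking the RID range appended to the domain SID. The first heading says "Rustscan" but the block under it is Nmap service-detection output (fingerprint-strings, rdp-ntlm-info, ssl-cert), which the prose later correctly calls "the nmap scan"; consider trimming that block to the ports the walkthrough actually uses, as the full RDP certificate PEM, its MD5/SHA-1 fingerprints and the dozen ephemeral RPC ports add nothing. The "SeImpersonatePrivilege" section says "abuse this service", but SeImpersonatePrivilege is a token privilege rather than a service, and the section jumps from the PrintSpoofer download link straight to "we can access Administrator's directory" with no command, output or note of what was verified in between, so a reader cannot follow how the final access was obtained. From "PORT 445" onwards there are repeated runs of empty lines where a screenshot appears to belong but no image reference is present, so the evidence for most steps is missing from the file. Finally, fix the spelling: "Microsfoft", "passowrd", "administartor", "adminstrators", "rinning", "privleges", "verison", "intersting", "transfered", "meterpter", and "SharpHoundp.ps1" should be "SharpHound.ps1".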