# TryHackMe-Hacker Of The Hill

## Medium

### NMAP

```
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: PhotoStore - Home
81/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Network Monitor
82/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-03-07 17:02:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: TROY
|   NetBIOS_Domain_Name: TROY
|   NetBIOS_Computer_Name: TROY-DC
|   DNS_Domain_Name: troy.thm
|   DNS_Computer_Name: TROY-DC.troy.thm
|   DNS_Tree_Name: troy.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2021-03-07T17:03:27+00:00
| ssl-cert: Subject: commonName=TROY-DC.troy.thm
| Not valid before: 2021-02-18T18:07:12
|_Not valid after:  2021-08-20T18:07:12
|_ssl-date: 2021-03-07T17:04:06+00:00; +35s from scanner time.
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: TROY-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### PORT 139/445 (SMB)

Didn't find any shares on the machine, so now we have three HTTP ports to enumerate.

### PORT 80 (HTTP)

I fuzzed for files and directories but found nothing interesting.

We see a `sign-up` page.

After registering an account I uploaded an image with a `.jpg` extension and could see the full path of the image.

Also, inspecting the source code we see that this is using JavaScript.

Now I used Burp Suite to send this request to Intruder so I could test for command injection, but before doing that we need to block the JavaScript file which is filtering the input.

Make sure to tick `Disable Cache`, right click on `script.js`, select `block url` and refresh the page; you will then be able to use spaces in the text field.

We can now use the ping command to verify command injection.

Using a PowerShell reverse shell I got RCE on the machine.

For convenience I generated a payload for getting a Meterpreter session.

Ran `winPEAS` but nothing interesting.

Also I uploaded `BloodHound.ps1` to gather information about Active Directory:

`Invoke-Bloodhound -CollectionMethod All -Domain troy.thm -ZipFileName loot.zip`

Now I want this zip archive on my local machine so I can see what information it found. The reason why I used Metasploit : )

After having the zip archive on my local machine I started `bloodhound` and `neo4j`.

Now simply drag and drop the zip archive; it will automatically extract the archive and then you can run queries.

On running the query `Find All Domain Admins`

Then running `Kerberoastable accounts`

`Kerberoastable accounts of high value`

Download `rubeus.exe` from https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

On running Rubeus we will immediately get a hash.

Now we need to run hashcat against it and we are done, because `achilles` is an administrator.

It cracks the hash.

Now we could either log in with `RDP`, `psexec` or with `evil-winrm`.

### Evil-Winrm

### Psexec
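As the defender's counterpart to the Rubeus step above, here is an added example (not part of the original writeup) that flags Kerberoasting-style activity in Windows Security Event ID 4769 records: RC4 (0x17) service-ticket requests for user accounts, alerting when one principal requests tickets for several such accounts or for a high-value one. The sample event lines and the `HIGH_VALUE` set are constructed assumptions; in practice the high-value list would come from a BloodHound query like the one run above.

```python
import re
from collections import defaultdict

# Constructed sample records in the shape of Security Event ID 4769
# (Kerberos service ticket requested). Field names mirror the event's
# XML data names; the hosts, users and addresses are made up.
SAMPLE_4769 = [
    "EventID=4769 TargetUserName=bob@TROY.THM ServiceName=TROY-DC$ ClientAddress=::ffff:10.10.10.20 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=bob@TROY.THM ServiceName=achilles ClientAddress=::ffff:10.10.10.20 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=bob@TROY.THM ServiceName=svc_sql ClientAddress=::ffff:10.10.10.20 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=alice@TROY.THM ServiceName=krbtgt ClientAddress=::ffff:10.10.10.30 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=bob@TROY.THM ServiceName=svc_web ClientAddress=::ffff:10.10.10.20 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4769 TargetUserName=bob@TROY.THM ServiceName=svc_bak ClientAddress=::ffff:10.10.10.20 TicketEncryptionType=0x17 Status=0x0",
]

# Assumption: accounts a BloodHound "high value" query would return.
HIGH_VALUE = {"achilles"}


def parse_event(line):
    """Turn a 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_roastable_request(ev):
    """Successful RC4 (0x17) TGS request for a user account, i.e. not a
    computer account (trailing '$') and not the krbtgt account."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoast(lines, threshold=3):
    """Group suspicious TGS requests by requesting principal and alert when
    the count reaches the threshold or any high-value account is touched."""
    per_user = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if is_roastable_request(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
    alerts = {}
    for user, services in per_user.items():
        hv = services & HIGH_VALUE
        if len(services) >= threshold or hv:
            alerts[user] = {"services": sorted(services), "high_value": sorted(hv)}
    return alerts


if __name__ == "__main__":
    for user, info in detect_kerberoast(SAMPLE_4769).items():
        print(f"ALERT {user}: RC4 TGS for {info['services']} (high value: {info['high_value']})")
```

Service accounts that still allow RC4 (no AES keys, or `msDS-SupportedEncryptionTypes` left at default) are exactly the ones this rule surfaces, so the same data points at the mitigation: long random passwords for SPN accounts and AES-only Kerberos.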