TryHackMe-THROWBACK-PROD(10.200.34.219)
NMAP
Nmap scan report for 10.200.34.219
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)
| 256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)
|_ 256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Throwback Hacks
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THROWBACK
| NetBIOS_Domain_Name: THROWBACK
| NetBIOS_Computer_Name: THROWBACK-PROD
| DNS_Domain_Name: THROWBACK.local
| DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local
| DNS_Tree_Name: THROWBACK.local
| Product_Version: 10.0.17763
|_ System_Time: 2021-02-22T17:08:55+00:00
| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local
| Not valid before: 2021-02-21T16:52:43
|_Not valid after: 2021-08-23T16:52:43
|_ssl-date: 2021-02-22T17:09:35+00:00; +13s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 12s, deviation: 0s, median: 12s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-22T17:08:58
|_ start_date: N/A
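The scan above already contains the facts a defender would act on (SMB signing enabled but not required, the TRACE verb allowed on IIS, RDP and SMB reachable from the scanner's network, a small clock skew). The script below is an added example for this writeup, not part of the original page: it parses Nmap's normal text output and turns those lines into hardening findings. The report text inside it is a constructed copy of the scan lines shown above, and the finding codes and their wording are my own.

```python
"""Pull the hardening-relevant facts out of an Nmap service scan.

Added example for this writeup, not part of the original page. SAMPLE_REPORT
is a constructed copy of the scan lines for THROWBACK-PROD shown in the
writeup; the finding codes and messages are my own.
"""
import re

SAMPLE_REPORT = """\
Nmap scan report for 10.200.34.219
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
5357/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
|_clock-skew: mean: 12s, deviation: 0s, median: 12s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# "445/tcp open microsoft-ds?" has no VERSION column, so the last group may be empty.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew: mean: (-?\d+)s")


def parse_ports(report):
    """Map each open port to its protocol, service name and version string."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = {
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            }
    return ports


def clock_skew_seconds(report):
    """Mean clock skew reported by the clock-skew host script, or None."""
    m = SKEW_RE.search(report)
    return int(m.group(1)) if m else None


def hardening_findings(report, max_skew=300):
    """Return (code, message) pairs for settings a defender would want changed.

    max_skew defaults to the Kerberos tolerance of 5 minutes: a larger skew
    breaks Kerberos authentication and pushes clients toward NTLM.
    """
    ports = parse_ports(report)
    findings = []
    if "Message signing enabled but not required" in report:
        findings.append(("SMB_SIGNING_NOT_REQUIRED",
                         "445/tcp: require signing via 'Microsoft network server: "
                         "Digitally sign communications (always)'"))
    if re.search(r"Potentially risky methods:.*\bTRACE\b", report):
        findings.append(("HTTP_TRACE_ENABLED",
                         "80/tcp: disable the TRACE verb in IIS request filtering"))
    if 3389 in ports:
        findings.append(("RDP_EXPOSED",
                         "3389/tcp: restrict RDP to management networks and require NLA"))
    if 445 in ports or 139 in ports:
        findings.append(("SMB_EXPOSED",
                         "139/445 reachable from the scanner network; confirm the firewall rule is intended"))
    skew = clock_skew_seconds(report)
    if skew is not None and abs(skew) > max_skew:
        findings.append(("CLOCK_SKEW", f"clock skew of {skew}s exceeds the Kerberos tolerance"))
    return findings


if __name__ == "__main__":
    for code, msg in hardening_findings(SAMPLE_REPORT):
        print(f"[{code}] {msg}")
```

Run it against a saved `nmap -sV -sC` report (normal output, not XML) to get the same four findings for this host; the 12 s skew stays below the Kerberos tolerance and is not reported.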
PORT 80 (HTTP)
Since this host is running Active Directory, we can run a tool called Responder to start an LLMNR/NBT-NS poisoning attack.
I ran this tool for 2 days and it didn't give me the hash; there was a problem in Throwback's network, so I had to continue by looking up the writeups.
Remmina
Since this Windows machine has port 3389 open, which is Remote Desktop Protocol,
we can log in with PetersJ's password, which is Throwback317.
Installing Starkiller
Starkiller is a C2 (Command and Control) frontend interface for "Empire", used for post-exploitation without interfering with the actual machine itself. It is used for enumeration and for identifying privilege escalation vectors, so for that we need to have Starkiller
and Empire.
Now we have to run chmod +x starkiller-1.3.2.AppImage
and then ./starkiller-1.3.2.AppImage --no-sandbox
We will be presented with a login prompt
Installing Empire
Empire is a great tool, similar to Metasploit, for post-exploitation and information gathering on Windows machines.
Run git clone https://github.com/BC-SECURITY/Empire.git
Run install.sh
This installation will take a long time. So, going back to Starkiller, we log in with the credentials empireadmin:password123,
and we need to make this application listen on the default port, which is 1337
(leet), but in order to log in we want Empire to be running.
So our installation of Empire is complete, but we still need to install some dependencies:
pip3 install poetry
and poetry install
then poetry run python empire
One last thing to do: pip3 install click
And when you run powershell-empire
it works, but we need to use it with --rest,
so:
By using this option it will use the default ports and will allow us to use the frontend, which is Starkiller.
On logging in with the default credentials above
Now we are going to create our listener
We have our listener created
Now we need to create our stager, which is the payload we are going to transfer to the target machine.
Click on the download or save icon to save the payload somewhere on your local machine, and then start a python3 HTTP server to host it so that it can be downloaded from the target machine.
The web server is running
We have that on the target machine; all we need to do is launch the payload.
On launching it we will see some information regarding the target machine in the Agents section.
We can see that Starkiller is acting as a C2 server which sends commands to the target machine, and we can see the output in the GUI.
Run the Seatbelt module.
This module did the enumeration for us and found a user with a saved credential.
Now we have logged in as admin-petersj.
In order to dig deeper we have to run Mimikatz, but for that we need to create another listener and stager in order to run C2 commands as an elevated user.
On running this payload again
Now we need to run the mimikatz module through our C2.
Running privilege::debug
will give us a status OK,
which means we can escalate our privileges to NT AUTHORITY.
We ran the command, and if we scroll down a little we can see the password hashes of the users.
There's a feature in Starkiller which can save all the credentials or hashes found in a neat way
Now we have the credentials but don't know on which host they are valid, so we are going to do something called Pass the Hash.
For that attack we need to run proxychains
or autoroute,
and for that we need to have a Meterpreter session.
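Each of the credential steps in this section (privilege::debug, the Mimikatz hash dump, and the Pass the Hash that follows) leaves a recognisable trace in the Windows Security log of the hosts involved, which is what a blue team watching this network would hunt for. The script below is an added example for this writeup, not part of the original page: it runs three standard heuristics over Security events. The events are constructed samples using the EventData field names Windows emits (LogonType, LogonProcessName, AuthenticationPackageName, EnabledPrivilegeList); the user names come from the writeup, the THROWBACK-WS01 host name is made up, and no real hashes or log data appear.

```python
"""Flag Security-log traces of the credential steps in this writeup.

Added example, not part of the original page. SAMPLE_EVENTS is constructed:
the field names match Windows Security EventData, the accounts come from the
writeup, and THROWBACK-WS01 is an invented workstation name.
"""

NOISE_USERS = {"ANONYMOUS LOGON", "SYSTEM"}

SAMPLE_EVENTS = [
    # Routine Kerberos network logon: should not be flagged.
    {"EventID": 4624, "Computer": "THROWBACK-PROD", "TargetUserName": "PetersJ",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "IpAddress": "10.200.34.15"},
    # Machine accounts use NTLM all the time; excluded as noise.
    {"EventID": 4624, "Computer": "THROWBACK-PROD", "TargetUserName": "THROWBACK-WS01$",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "10.200.34.15"},
    # NTLM network logon for a user account on a Kerberos domain: PtH candidate.
    {"EventID": 4624, "Computer": "THROWBACK-PROD", "TargetUserName": "HumphreyW",
     "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "IpAddress": "10.200.34.15"},
    # Logon type 9 (NewCredentials) via seclogo on the source host.
    {"EventID": 4624, "Computer": "THROWBACK-WS01", "TargetUserName": "admin-petersj",
     "LogonType": "9", "AuthenticationPackageName": "Negotiate",
     "LogonProcessName": "seclogo", "IpAddress": "::1"},
    # Token right adjusted to enable SeDebugPrivilege (what privilege::debug does).
    {"EventID": 4703, "Computer": "THROWBACK-PROD", "SubjectUserName": "admin-petersj",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-",
     "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


def is_noise_account(name):
    """Machine accounts (trailing $) and built-ins produce NTLM logons routinely."""
    return name.endswith("$") or name.upper() in NOISE_USERS


def classify(event):
    """Return a finding code for one event, or None if it looks routine."""
    eid = event.get("EventID")
    if eid == 4624:
        if is_noise_account(event.get("TargetUserName", "")):
            return None
        # Logon type 9 through seclogo is the trace a Mimikatz-style pass-the-hash
        # leaves on the host it is launched from; runas /netonly looks the same,
        # so triage by user and process rather than alerting blindly.
        if event.get("LogonType") == "9" and event.get("LogonProcessName", "").lower() == "seclogo":
            return "NEWCREDENTIALS_SECLOGO"
        # NTLM network logon for a user where Kerberos is the norm: candidate
        # pass-the-hash on the receiving host. Tune against your NTLM baseline.
        if (event.get("LogonType") == "3"
                and event.get("AuthenticationPackageName") == "NTLM"
                and event.get("LogonProcessName") == "NtLmSsp"):
            return "NTLM_NETWORK_LOGON"
    elif eid == 4703:
        # 4703 exists only when "Audit Token Right Adjusted" is enabled; the
        # privilege list is whitespace-separated in the event text.
        if "SeDebugPrivilege" in event.get("EnabledPrivilegeList", "").split():
            return "SEDEBUG_ENABLED"
    return None


def scan(events):
    """Return (code, account, computer) for every event that trips a rule."""
    hits = []
    for ev in events:
        code = classify(ev)
        if code:
            account = ev.get("TargetUserName") or ev.get("SubjectUserName", "?")
            hits.append((code, account, ev.get("Computer", "?")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The NTLM rule is deliberately a candidate, not a verdict: many environments still have legitimate NTLM traffic, so the useful signal is an NTLM logon for a user account on a host where Kerberos is the norm, corroborated by the seclogo logon on the source host or a SeDebugPrivilege adjustment shortly before.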
Install Crackmapexec
https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation#binaries
We can see that we can ping the other machines as well, so the task says that the hash from task 10 will work, which was HumphreyW's hash, and the other one is from the list of credentials we dumped using Mimikatz.
PetersJ:Throwback317
runas /savecred /user: /profile "cmd.exe"
use auxiliary/server/socks4a