Hacking Year of the Owl (thm)

NOTE: I am currently migrating my writeups and cybersecurity notes to my github

This writeup can be found in a new and shiny form at puzz00 year of the owl writeup

---

The Year of the Owl is a machine by MuirlandOracle on TryHackMe.


We start by using nmap to scan the TCP ports. The results suggest that this is a Windows machine because we see NetBIOS on port 139, SMB on port 445 and WinRM on its default port of 5985. We take a closer look at these services but don't find much of interest.

Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either.


Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords, so we scan the common UDP ports using nmap.


The results come back in the open|filtered state, which is not very useful: we do not know whether the ports are open or whether the UDP datagrams are being dropped by some kind of filter. We can test for Simple Network Management Protocol (SNMP) directly using a tool such as onesixtyone. If this service is running, we might be able to brute-force its community string and then look for usernames via the object identifier 1.3.6.1.4.1.77.1.2.25.

In SNMP, community strings act like passwords. If we find one, we can send read, or read and write, commands to the device we are interacting with. The default community string "public" conventionally grants read-only access, whilst "private" conventionally grants read-write access. Each managed device has a Management Information Base (MIB), which is essentially a database of its properties. The MIB is organised as a tree of objects, each of which is accessed via its unique Object IDentifier (OID); the OID is the path along the tree to a specific object. We can gather lots of data about the device using SNMP if we find a valid community string. In this case, we want to know more about the users of the device: on Windows hosts the usernames are found at the OID 1.3.6.1.4.1.77.1.2.25. This is a useful one to know.

We try brute-forcing community strings using the onesixtyone tool and a good dictionary from SecLists. The attack works and we are able to read the usernames of the managed device at the aforementioned OID. We see there is one non-default username: Jareth.


We could now try to brute-force a password for Jareth using a wordlist such as rockyou.txt, but it could take a long time and might not work at all. At this point, the name Jareth combined with the image of the owl and the clue in the description of the box which mentions a labyrinth starts to ring a bell somewhere, so it is worth doing some research online.


We can now create a custom wordlist for this user based on Open Source INTelligence (OSINT). It might not work, but it is worth a try. If it does not work, we could use a tool such as the Common User Passwords Profiler (CUPP), which mangles the words we enter so we have a better chance of success.



We find the simple wordlist works. We can now try enumerating SMB again, but this time with valid credentials. Unfortunately, we cannot get anything useful even with valid creds, and since we do not have write access to the admin shares, a psexec attack is not possible.



Thinking again, we remember that SMB is not the only service running on this machine: WinRM is running, too. Windows Remote Management is used by administrators to remotely manage hosts on networks. It is not enabled by default, but it is commonly used. We need valid credentials to interact with the remote host, which is why it is important that we enumerate usernames. We can also just attack the default Windows accounts such as Administrator.

In this case, I used crackmapexec with its winrm mode to see if Jareth had used the same password for WinRM and SMB. It turns out that he did, so we can now use these creds to get a shell via the evil-winrm tool. We can then grab the user flag and start our priv esc mission.




The priv esc on this machine is tricky as there appears to be antivirus software running. I tried winPEAS and managed to get it onto the victim machine using an alternate data stream in a txt file, but I could not then get it to execute! I did manage to get the JAWS PowerShell enumeration script to work, but it did not find anything of use. We need to manually enumerate this machine.





Whilst enumerating the machine, we take a look in Jareth's recycle bin. In order to do this, we need to get the Security IDentifier (SID) for Jareth, since the recycle bin directory for each user is named after their SID. Once we have done so, we take a look in his recycle bin and are (pleasantly) surprised to find what appear to be backup copies of the SAM database and of the SYSTEM hive, which holds the syskey used to encrypt it. These are sensitive files and really shouldn't be hanging around anywhere attackers can access. In Windows, user passwords are hashed and stored in the SAM database. This file is locked by the NT kernel whilst the OS is running to prevent access to it. This is why we usually try to dump the hashes from memory using a tool such as mimikatz, or the kiwi extension if we have gained a meterpreter session. This is possible because the process responsible for managing authentication (LSASS) keeps a copy of the hashes in RAM.

Since we have found what appear to be backup copies of the SAM database and the SYSTEM hive, we can transfer them to the C:\Temp directory we created, download them to our local attacking machine and attempt to get the hashes from them.
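An added audit check, not from the original post, that a defender or DFIR analyst could run over an offline copy of a user's Recycle Bin to flag leftover registry hive backups like the ones found here. It keys on the `regf` header and the hive name embedded at offset 48 of the base block rather than on filenames, because the Recycle Bin renames deleted files to `$R<random>.<ext>`. The sample files it scans are constructed for the demo.

```python
import os
import tempfile

REGF_MAGIC = b"regf"
# Offsets inside the 512-byte regf base block of a Windows registry hive file.
NAME_OFFSET = 48   # 64 bytes of UTF-16LE holding the tail of the hive's original path
NAME_LEN = 64


def read_hive_name(path):
    """Return the embedded hive name if the file starts with the regf magic, else None.
    Checking the header instead of the filename catches hives the Recycle Bin renamed."""
    try:
        with open(path, "rb") as f:
            header = f.read(512)
    except OSError:
        return None
    if len(header) < NAME_OFFSET + NAME_LEN or header[:4] != REGF_MAGIC:
        return None
    raw = header[NAME_OFFSET:NAME_OFFSET + NAME_LEN]
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def find_registry_hives(root):
    """Walk a directory tree (e.g. a copy of C:\\$Recycle.Bin\\<SID>) and return
    (path, embedded_name) for every file carrying a registry hive header."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            hive_name = read_hive_name(full)
            if hive_name is not None:
                hits.append((full, hive_name))
    return sorted(hits)


def demo():
    """Constructed sample (not real hive data): one fake SAM-like hive renamed the
    way the Recycle Bin does, plus a harmless text file. Returns the scan hits."""
    root = tempfile.mkdtemp(prefix="recycle_audit_")
    name = "\\Config\\SAM".encode("utf-16-le").ljust(NAME_LEN, b"\x00")
    fake_hive = (REGF_MAGIC + b"\x00" * (NAME_OFFSET - 4) + name).ljust(4096, b"\x00")
    with open(os.path.join(root, "$R1A2B3C.bak"), "wb") as f:
        f.write(fake_hive)
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("nothing to see here\n")
    return find_registry_hives(root)


if __name__ == "__main__":
    for path, hive in demo():
        print(f"registry hive found: {path} (embedded name: {hive})")
```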





We can use secretsdump.py from impacket to extract the hashes from the looted SAM and SYSTEM backup files. This is great because we now have the full NTLM hash for the Administrator user. We can use this hash in pass-the-hash attacks or, as in this case, to get an elevated shell via WinRM. We should always loot hashes whenever we can, as they can enable us to maintain access to the victim machine.

We get an elevated shell with WinRM and the looted hash for the Administrator user, and soon grab the root flag!





This is a fun box which reminds us of the importance of enumerating the common UDP ports as well as the TCP ones. It also reminds us to thoroughly enumerate victim machines: the sensitive files in the recycle bin were unexpected but essential to pwn the box.


Thank you for reading and thanks to MuirlandOracle for creating the box - puzz00
