Hacking VulnNet:Roasted (thm)

NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to my github - my VulnNet:Roasted writeup can be found here 

 

The vulnnet:roasted machine on thm gives us a great opportunity to mess around with active directory attacks.


We begin with the usual nmap scans and notice that port 88 is open - this suggests to us that the target machine is a domain controller for an active directory domain.


A domain in windows is just a collection of objects such as users and computers which are administered together. Domains are used everywhere as they let organizations easily manage their assets and up scale if they want to.


Active Directory is like a catalogue of all the objects in the domain and a domain controller is a server which runs active directory services. The long and short of it is this - domain controllers are high value targets as they contain lots of useful data for us to loot and mess with.


Domain controllers have port 88 open as this is the port which is used by kerberos. Kerberos is the main authorisation method used in active directory environments. The domain controller keeps user data including password hashes and therefore lots of authentication queries are made to the domain controller via kerberos over port 88.





As is normal for a machine running windows, smb is being used on port 445. It is usually a good idea to enumerate smb so that is what I did next.


First of all, I used smbclient to see if null sessions were allowed. I found they were.



I wanted to know more about the available shares, so I used smbmap. Sometimes we don't need to specify any username:password combinations and we can retrieve data, but in this case that didn't work so I used the username guest and gave it a blank string for the password - this worked and we could see that we had read access to the IPC$ share along with two custom shares.



Since it's always nice to know other tools that do the job, I tried using crackmapexec to have a look at the shares, too.




The IPC$ share is useful - it is used to let anonymous users enumerate a domain. It seemed a good idea to use this to our advantage in order to try and find some usernames.


We can use crackmapexec to do this by specifying the --rid-brute switch.




The impacket suite of tools has a way to do this, too - it is the lookupsid.py program. I used this to enumerate usernames. I then used a bit of bash to create a txt file with just the names.






Before going on to the next part of the attack chain for this box, I wanted to focus on another way we can enumerate usernames since getting valid usernames is half the battle.


On this box, we are able to retrieve valid usernames via the smb share, but what if we can't do that?


One way we could go is to first of all harvest employee names - this is usually easy since just about every website for an organization has an about us or meet the team kind of page. We can lift names from these webpages since names are often given along with photos of very happy looking workers who clearly love their jobs.


On this box, such cheery webpages are not provided, but we can retrieve the names of four employees by enumerating the smb shares more deeply. We can find txt files which include the names of employees.




It doesn't really matter how we get employee names, just so long as we get them. We can then create a txt file which contains the harvested names.




I tend to user lowercase letters since kerberos is case insensitive.


We can now mangle the harvested names to come up with combinations of them which are commonly used by organizations when they are creating active directory usernames for their employees.


I wrote a python program to do this - it creates the most common combinations used for active directory usernames so as to be more efficient. It takes a txt file of first and second names then spits out a txt file filled with mangled names.




Once we have a txt file of possible active directory usernames, we can feed the data in it to kerbrute. This is a great tool which uses kerberos to enumerate valid usernames. It does not lock out accounts and since it is written in go it is very fast.


Using enumeration, a simple python program and kerbrute, we end up with some valid usernames. This is just another way to find them just in case we can't do it via smb shares or other means.




The next step is to use the usernames to somehow get further access to the domain. One attack we can try is an as-rep roast.


When a user sends a request to the key distribution center for a ticket granting ticket, they usually need to prove who they are by including their username and a timestamp which have been encrypted using a key which has been derived from their password.


This is a form of pre-authentication which is a security feature of kerberos. If it were not there, an attacker would be able to send a fake authentication request and receive a ticket granting ticket from the key distribution center. This ticket granting ticket would include some data which has been encrypted with the user's key (password hash). The attacker would then be able to get a hold of the password hash of the victim user from this returned data and subsequently try to crack it offline in order to obtain the plaintext password.

 

Pre-authorization is therefore a useful security feature of kerberos, but it is sometimes disabled. This might be necessary if for example a user needs to authenticate to an app which does not support kerberos pre-authentication.


Armed with a list of usernames, we can check each one to see if they have kerberos pre-authentication disabled. A good tool to do this is GetNPUsers.py from the impacket suite.


When I tried using this tool to perform an as-rep roasting attack, I found one user was vulnerable to it. I therefore obtained a copy of their password hash in the returned data.




We can now attempt to crack this using hashcat with a mode of 18200.



The attack was successful and we obtained a password for the t-skid user.



With a valid set of credentials, I decided to use bloodhound to enumerate the box more. I was specifically looking for domain admin users. This step is not necessary, but it is a good idea to get familiar with using bloodhound.


After starting neo4j and bloodhound, I used an ingestor to obtain data about the targeted domain.




I then uploaded the data and found that the a-whitehat user was a domain admin - I now needed to try and find a way to compromise that user.




With nothing much else to go on, I went back to enumerate smb - this time using the valid creds for the t-skid user.


This user had more access to the shares, and we soon found an interesting .vbs file which contained just what we were looking for - a way to compromise the domain admin a-whitehat user!







I used crackmapexec to see if the password was valid - it was. I then used it to dump the sam database from the domain controller.



Armed with the hash for the Administrator user on the domain controller, I tried to gain a shell as them using a psexec tool. This did not work, so I tried a wmiexec tool - this worked and I was able to retrieve the user and system flags.






The box was pwned and I was happy because I'd had some fun hacking a domain controller! :-)


The wmiexec shell is a bit slow and limited, so it is worth knowing that we can also use the Administrator hash to gain a shell via winrm.




Thank you for reading this writeup of vulnnet:roasted, and thanks to SkyWaves for creating it! :-)

puzz00








Popular posts from this blog

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more