VulnNet: Roasted TryHackMe Walkthrough

Introduction

Musyoka Ian
10 min read · May 16, 2021

Hello guys, back again with another walkthrough. This time we'll be tackling VulnNet: Roasted from TryHackMe, another amazing box from TheCyb3rW0lf. This box is purely an Active Directory box, which is what makes it so phenomenal. We start off by finding a bunch of usernames in an SMB share, mutating them a bit and trying a user enumeration attack with kerbrute (which takes advantage of Kerberos), but it fails. We'll later see why. Then, using lookupsids, a really amazing script from impacket, we perform a RID brute-force attack and get a bunch of usernames from the server. Next we perform an AS-REP roast attack to get a hash for one of the users, crack it and get a clear text password. With that password we can read the NETLOGON share, which contains a VBS script holding credentials for yet another user, who is in the Domain Admins group. Using those credentials we get a shell with impacket-wmiexec and read the user flag. User done! But we can't read the system flag since only Administrator can. Because our user is in the Domain Admins group we use yet another impacket script, secretsdump, to dump all the hashes from the AD box and get the Administrator's NTLM hash, then use that hash to get an Administrator shell with impacket-wmiexec, read the system flag, and the box is done. It's a really fun box, and we'll also enumerate AD with BloodHound a bit since it's a great opportunity to learn. Without further ado, let's jump in.

As always we start off with an nmap scan of the box to find the open ports. Looking at the nmap results we see a ton of ports are open, which suggests we are dealing with a domain controller.

On any Windows box I always start by enumerating SMB shares (port 445), since we might get lucky and find credentials stored in a share.

The tools I normally use during enumeration are crackmapexec, smbclient and smbmap.

I always start with smbclient, since pentest tools like crackmapexec are sometimes finicky about how your arguments are placed.

Looking at the results from the scan we see two non-standard shares:

1. VulnNet-Business-Anonymous
2. VulnNet-Enterprise-Anonymous

But smbclient doesn't show us whether we have read access to these shares. This is where crackmapexec comes in handy.

Using the command

crackmapexec smb 10.10.175.103 -u guest -p "" --shares

we can enumerate the shares present on the box. Looking at the results returned by crackmapexec we see that we have read access to both shares.

Using the spider_plus module of crackmapexec I spidered the shares and listed all the files in them; crackmapexec saves the listing to a JSON file.

Using smbclient I downloaded all of the files to my box.

Looking through the files, one thing stands out: we have a bunch of usernames.

I saved those usernames to a text file.

I saved the usernames in both lower and upper case. I know Windows treats usernames case-insensitively, but it doesn't hurt to have the wordlist in both forms.

Now it's time to mutate the wordlist, and I found a script by PinkDraconian to be quite useful.

The script mutates the usernames into the formats most commonly used by corporations. Examples include:

1. firstinitial.lastname
2. firstname.lastname
3. firstnamelastname
4. etc.

Looking at the wordlist created by the script we now have a bunch of usernames to test.

The next question is: how do we know which of these usernames are valid?

There's a tool called kerbrute, written in Go, that queries Kerberos to determine whether a username is valid.

I downloaded the tool to my box and, using the userenum option, started querying the DC.

After a few seconds the tool finished without finding any valid usernames. To make sure it wasn't playing tricks on us I added default accounts like Administrator and Guest to the wordlist to see whether kerbrute would flag those.

I saved the wordlist again and reran the user enumeration.

Looking at the output of kerbrute, those two accounts were flagged.

So the tool was working perfectly; our usernames must be wrong. Since I couldn't enumerate usernames this way, I tried connecting to the box with rpcclient to see whether it would leak any domain users via the enumdomusers command.

Logging in worked, but when we try to enumerate users we get access denied.

I had hit a dead end with rpcclient. Next I tried enumerating LDAP with ldapsearch to see whether I could leak any sAMAccountNames from the box, using the command

ldapsearch -x -h 10.10.111.177 -s base namingcontexts

But I got an error saying a successful bind must be completed first, meaning anonymous LDAP access wasn't allowed. Yet another dead end.

Next stop was impacket. I knew of a great tool called lookupsid that performs a RID brute-force attack to enumerate the users on the box.

Using the command

impacket-lookupsid vulnnet-rst.local/guest@10.10.111.177

Looking at the screenshot below, it worked like a charm: I was able to dump the domain users from the box.

The reason we weren't able to enumerate usernames with kerbrute was that the real usernames use a hyphen (-) to separate the names, a format the mutated wordlist didn't cover. I saved the usernames to a text file and used awk to print the interesting ones.

Next I tested whether any of the users was AS-REP roastable, meaning the account has Kerberos pre-authentication disabled, so anyone can request a TGT for it from the KDC without knowing its password. The tool I used was GetNPUsers from the impacket suite.

The command I used was

impacket-GetNPUsers vulnnet-rst.local/ -no-pass -usersfile users.txt

Before performing the attack I added the domain name to my hosts file.

Then I performed the attack. Looking at the screenshot below we get a hash for the user t-skid.
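From the defender's side, both the property GetNPUsers is hunting for and the noise its request leaves behind are easy to check. The following Python is an added example, not part of the original walkthrough and not impacket code: it flags accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, and scans a few constructed Security-log 4768 records (field names as Windows logs them; the userAccountControl values and the client addresses 10.10.14.5 and 10.10.20.7 are made up for the example) for TGT requests made without pre-authentication that asked for an RC4 ticket, which is the request GetNPUsers makes by default so the reply can be cracked offline.

```python
import re
from collections import Counter

# userAccountControl bit that turns off Kerberos pre-authentication (ADS_UF_DONT_REQUIRE_PREAUTH).
# An account with this bit set is what GetNPUsers reports as AS-REP roastable.
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of sAMAccountName -> userAccountControl, as an LDAP dump might return it.
# The values are invented for this example; only t-skid carries the pre-auth bit.
SAMPLE_ACCOUNTS = {
    "a-whitehat": 0x10200,          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "t-skid": 0x410200,             # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "enterprise-core-vn": 0x10200,
}


def roastable_accounts(accounts):
    """Return the account names that do not require Kerberos pre-authentication."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


# Constructed 4768 (TGT requested) records, one per line, flattened to key=value pairs.
# PreAuthType 0 means no pre-authentication was sent; TicketEncryptionType 0x17 is RC4-HMAC,
# 0x12 is AES256. 10.10.14.5 plays the roasting host, 10.10.20.7 a domain-joined workstation.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=t-skid PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4768 TargetUserName=a-whitehat PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.20.7 Status=0x0
EventID=4768 TargetUserName=t-skid PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4768 TargetUserName=t-skid PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.10.20.7 Status=0x0
EventID=4768 TargetUserName=nobody PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x6
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(FIELD_RE.findall(line))


def asrep_roast_alerts(log_text):
    """Count successful no-pre-auth TGT requests for RC4 tickets, keyed by (account, client IP).

    Status 0x6 (unknown principal) lines are skipped: they are username guessing, not a roast,
    and belong to a different detection. A no-pre-auth request that negotiated AES (0x12) is
    what a real domain-joined client would produce for such an account, so only RC4 requests,
    the form an offline cracker wants, are counted.
    """
    hits = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == "0x17":
            hits[(ev["TargetUserName"], ev["IpAddress"])] += 1
    return dict(hits)


if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    for (user, ip), n in asrep_roast_alerts(SAMPLE_4768).items():
        print(f"AS-REP roast candidate: {user} from {ip} ({n} requests)")
```

The first check is the fix as well as the finding: clearing that bit on t-skid (and giving the account a long password while it must stay set) is what closes this path. The second check is a starting point for a SIEM rule; on a real DC you would read the XML export rather than a flattened line.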

The next step is cracking the hash with john the ripper or hashcat. I'll use john the ripper in this tutorial. Using the command

john --wordlist=~/Desktop/boxes/rockyou/rockyou.txt hash.txt

I started cracking the hash. After a few seconds I got a valid password. The wordlist I used was rockyou, which contains over 14 million leaked passwords.

Now we have valid credentials for the box. I tried accessing SMB with them and, looking at the screenshot below, we now have read access to many more shares.

But nothing was out of the ordinary at first glance. I tried logging into the box over Windows Remote Management (WinRM), but looking at the output of crackmapexec it was unsuccessful.

Now I went down a rabbit hole for some time. The first thing I did was collect Active Directory data for BloodHound by running the command

python3 ~/Desktop/git/BloodHound.py/bloodhound.py -c All,LoggedOn -u "t-skid" -p "tj072889*" -d VULNNET-RST.LOCAL -ns 10.10.111.177

BloodHound.py queries LDAP to map the relationships between Active Directory objects, and looking at the screenshot below I was able to collect some information.

I loaded the data into BloodHound.

Next I marked the user t-skid as owned, since I had his credentials.

Querying for all Domain Admins we see that the user a-whitehat is one of them. This makes him a high-value target: if we get his credentials we are basically admins on the Active Directory server.

But there was no path from the owned user to a-whitehat. I decided to take a step back and enumerate the shares I had access to with the t-skid credentials using the spider_plus module from crackmapexec. The command I used was

crackmapexec smb 10.10.111.177 -u t-skid -p "==[snip]==" -M spider_plus

Looking at the output created by crackmapexec we see a VBS script called ResetPassword.

I downloaded the script to my box using smbclient. Looking at the script we have a password for the user a-whitehat, the user we had marked as a high-value target.

I tested those credentials with crackmapexec. Looking at the screenshot below we get the Pwn3d! marker, meaning we should be able to use psexec to get an administrative shell on the box.

Running impacket-psexec with the command

impacket-psexec vulnnet-rst.local/a-whitehat@10.10.111.177

we see that it just didn't work, even though the shares were writable.

But impacket-wmiexec, using the command

impacket-wmiexec vulnnet-rst.local/a-whitehat@10.10.111.177

works and we get a shell on the box.
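What psexec and wmiexec leave behind on the target differs, and that matters when you are the one reading the logs. impacket's psexec uploads a service binary to a writable share and installs it as a service, so it surfaces as a service installation (System log event 7045); wmiexec instead asks WMI to spawn cmd.exe and redirects the output into a file under ADMIN$ via 127.0.0.1, which process-creation auditing picks up. The Python below is an added example, not from the walkthrough and not impacket code: it runs over a few constructed 4688 records (field names as Windows logs them, with the accounts, commands and timestamps invented here) and flags cmd.exe children of WmiPrvSE.exe whose command line carries that redirect.

```python
import re

# Output redirect impacket's wmiexec appends to every command it runs so it can read the
# result back over SMB: "1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1".
WMIEXEC_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)

# Constructed 4688 (process creation) records. The paths are the standard Windows locations;
# the account names, commands and timestamps are invented for this example.
SAMPLE_4688 = [
    {   # wmiexec-style command: WMI provider host parent plus the ADMIN$ redirect
        "EventID": 4688,
        "SubjectUserName": "a-whitehat",
        "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1621165821.5 2>&1",
    },
    {   # a normal WMI-launched helper: right parent, no ADMIN$ redirect
        "EventID": 4688,
        "SubjectUserName": "SYSTEM",
        "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c ipconfig /all",
    },
    {   # an interactive shell: no redirect, and not a WMI child
        "EventID": 4688,
        "SubjectUserName": "enterprise-core-vn",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe",
    },
    {   # second wmiexec-style command from the same account
        "EventID": 4688,
        "SubjectUserName": "a-whitehat",
        "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "NewProcessName": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /Q /c dir C:\Users 1> \\127.0.0.1\ADMIN$\__1621165833.2 2>&1",
    },
]


def wmiexec_alerts(events):
    """Return (account, command line) for cmd.exe spawned by WmiPrvSE.exe with the wmiexec redirect.

    Both conditions are required: WmiPrvSE.exe spawns cmd.exe legitimately for scripts and
    management tools, and the redirect string alone could be typed by anyone, but the
    combination is the fingerprint of the remote-execution pattern described above.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        parent = ev.get("ParentProcessName", "").lower()
        child = ev.get("NewProcessName", "").lower()
        if not (parent.endswith(r"\wmiprvse.exe") and child.endswith(r"\cmd.exe")):
            continue
        if WMIEXEC_REDIRECT.search(ev.get("CommandLine", "")):
            alerts.append((ev.get("SubjectUserName", "?"), ev["CommandLine"]))
    return alerts


if __name__ == "__main__":
    for account, cmdline in wmiexec_alerts(SAMPLE_4688):
        print(f"wmiexec-style execution by {account}: {cmdline}")
```

Command-line logging has to be switched on for 4688 to carry the CommandLine field (the "Include command line in process creation events" policy); without it only the parent/child pair is visible, which is far noisier on its own.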

Looking at the Desktop folder of the user enterprise-core-vn we have the user flag of the box.

You can now submit it and get the points from TryHackMe.

But on trying to read the system flag we get access denied, since we are not the Administrator user. We don't have the Administrator's password or NTLM hash.

But we (a-whitehat) are in the Domain Admins group, meaning we can dump the entire SAM database and get the hashes of every user on the box.

I'll use impacket's secretsdump to dump all the hashes. The command I used was

impacket-secretsdump vulnnet-rst.local/a-whitehat@10.10.111.177

Looking at the screenshot below we have a list of hashes belonging to different users, but the one we are interested in is the Administrator's NTLM hash.
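Run remotely against a domain controller like this, secretsdump obtains the domain hashes by asking the DC to replicate them over the directory replication service (the mechanism usually called DCSync), not by copying NTDS.dit. On a DC with object-access auditing enabled for the domain object, that request is logged as a 4662 whose Properties field lists the replication control-access rights. The Python below is an added example, not from the walkthrough and not impacket code: it scans constructed 4662 records (the right GUIDs are the real well-known values; the accounts are invented, DC01$ stands in for the DC's computer account, and the all-zero GUID for some unrelated attribute) and reports non-machine accounts that exercised those rights.

```python
import re

# Well-known control-access-right GUIDs a caller must hold to replicate directory data.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 records flattened to key=value pairs. AccessMask 0x100 is Control Access;
# Properties carries the GUIDs of the rights exercised. DC01$ is a stand-in DC computer
# account, and the all-zero GUID stands in for an ordinary attribute read.
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=VULNNET-RST AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcf2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcf2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
EventID=4662 SubjectUserName=t-skid SubjectDomainName=VULNNET-RST AccessMask=0x10 Properties={00000000-0000-0000-0000-000000000000}
EventID=4662 SubjectUserName=a-whitehat SubjectDomainName=VULNNET-RST AccessMask=0x100 Properties={89e95b76-444d-4c62-991a-0facbeda640c}
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def replication_rights(properties):
    """Map the GUIDs in a 4662 Properties field to the replication rights they name."""
    found = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    return sorted(found)


def dcsync_alerts(log_text, allowlist=()):
    """Return (account, rights) for each 4662 where a non-machine account replicated directory data.

    Domain controllers replicate with each other constantly, so machine accounts (ending in $)
    are skipped. A directory-sync service account may also do this legitimately; put such
    accounts in allowlist rather than dropping the whole event class.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") != "4662":
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.endswith("$") or subject in allowlist:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights:
            alerts.append((subject, rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(SAMPLE_4662):
        print(f"replication by user account {account}: {', '.join(rights)}")
```

The signal here is the identity, not the right itself: a Domain Admin is allowed to replicate, which is exactly why a user account doing so from a workstation address deserves a look, and why the credentials found in a share script should be rotated rather than left in place.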

Using the Administrator's hash to log into the AD box with wmiexec works.

Navigating to the Administrator's directory we find system.txt, which we have read access to. We can now read the flag and submit it to TryHackMe for the points.

And the box is pretty much done. I hope you enjoyed the walkthrough; if so, don't forget to clap for me down below and follow me so that you won't miss any upcoming tutorials.
