Welcome back everyone to part 2/3 of the walkthrough for the TryHackMe room “k2” !
In the previous part we took on the “Base Camp”, where we chained together XSS and SQLi vulnerabilities in a webserver to obtain credentials for SSH, before escalating to root via a password found in a log file!
Now it’s time to take on the “Middle Camp” !
The IT Team can’t believe that you have made it past the first server. However, they feel confident that you won’t make it much further.
Use all of the information gathered from your previous findings in order to keep making your way to the top.
Nmap Scan
As always, we start off with an NMAP scan:
Judging from the open ports, we can safely assume that we are dealing with a Domain Controller!
The main things to note from the output are the domain name of “k2.thm” and the FQDN of the server which is “K2Server.k2.thm” .
Let’s add them both to our hosts file and start exploring!
Looking for a foothold
We don’t actually have a lot to go on. There are no web services running, so we are on the hunt for our first set of credentials within the domain.
A good place to start would be to find valid usernames.
Now, recall that in part one of this room we found two employee names, James Bold and Rose Bud.
Companies tend to give their employees usernames that usually fall into a few different naming conventions:
{first}{last}
{firstinitial}{last}
{first}{lastinitial}
And so on.
To create a list of potential usernames, I’ll use username-anarchy :
We now have a list of potential usernames.
To verify if any of them are valid, we can use kerbrute :
Nice! We found two usernames.
Back in part one we obtained quite a few passwords, including those of rose and james, so maybe they re-used the same password here?
And we have a foothold in the domain!
Let’s see if rose has access to any interesting shares:
Nothing out of the ordinary. I would normally still take a look inside the shares, but in this case there is nothing interesting there so we can move on.
Can Rose win-rm into the DC?
She can!
Let’s take a look.
Snooping Around
We land inside “C:\Users\r.bud\Documents” and find something interesting right away:
notes.txt:
Done:
1. Note was sent and James has already performed the required action. They have informed me that they kept the base password the same, they just added two more characters to meet the criteria. It is easier for James to remember it that way.
2. James’s password meets the criteria.
Pending:
1. Give James Remote Access.
note_to_james.txt:
Hello James:
Your password “rockyou” was found to only contain alphabetical characters. I have removed your Remote Access for now.
At the very least adhere to the new password policy:
1. Length of password must be in between 6–12 characters
2. Must include at least 1 special character
3. Must include at least 1 number between the range of 0–999
Let’s combine the info from the two notes:
- James’ password used to be “rockyou”.
- He changed the password to adhere to the password policy rules.
- He kept the base password the same, but added two more characters.
- Based on the policy, if he added only two characters, one must be a special character and one must be a number.
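The notes above show a policy that “rockyou1!” satisfies. As an added example (not part of the room or this walkthrough), here is a defender-side validator that applies the three stated rules and additionally rejects passwords that are just a banned base word padded with digits and specials; BANNED_BASES is a constructed stand-in for a breached-password list.

```python
from typing import Optional

# Constructed stand-in for a breached-password list (in practice a Pwned Passwords
# export or similar); "rockyou" is the base word the notes above revolve around.
BANNED_BASES = {"rockyou", "password", "welcome", "letmein"}
SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"
DIGITS = "0123456789"

def meets_stated_policy(pw: str) -> bool:
    """Exactly the three rules from note_to_james.txt, nothing more."""
    return (6 <= len(pw) <= 12
            and any(c in SPECIALS for c in pw)
            and any(c in DIGITS for c in pw))

def banned_base(pw: str) -> Optional[str]:
    """Peel digits/specials off both ends; if a banned word is left, the password
    is just a padded version of it (the 'rockyou' + two characters case).
    Only end-padding is covered; characters inserted mid-word are not."""
    core = pw.strip(DIGITS + SPECIALS).lower()
    return core if core in BANNED_BASES else None

def evaluate(pw: str) -> dict:
    """Policy verdict plus the reason a compliant-looking password is still rejected."""
    base = banned_base(pw)
    return {
        "stated_policy_ok": meets_stated_policy(pw),
        "banned_base": base,
        "accept": meets_stated_policy(pw) and base is None,
    }

def padded_variants(base: str, digits: str = DIGITS, specials: str = SPECIALS) -> int:
    """Count how many policy-compliant passwords are just `base` plus one digit and
    one special at either end: the size of the space the notes leave open."""
    return sum(
        1 for d in digits for s in specials
        for pw in (d + s + base, s + d + base, base + d + s, base + s + d)
        if meets_stated_policy(pw)
    )
```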
Now, to generate a list of potential passwords, I asked ChatGPT to quickly write me a script that outputs all possible new passwords, i.e. “rockyou” with a special character and a number added at the start or at the end. (I’m 100% sure that there is some tool that would do this for you, but I figured this would be quicker.)
import itertools

# Define the base password
base_password = "rockyou"

# Define the range of numbers and special characters to be added
numbers = '0123456789'
special_chars = '!@#$%^&*'

# Generate all combinations of numbers and special characters
combinations = list(itertools.product(numbers, special_chars))

# Generate all possibilities by adding the number and special character before or after the base password
passwords = []
for num, special in combinations:
    # Add number and special character before the base password
    passwords.append(f"{num}{special}{base_password}")
    passwords.append(f"{special}{num}{base_password}")
    # Add number and special character after the base password
    passwords.append(f"{base_password}{num}{special}")
    passwords.append(f"{base_password}{special}{num}")

# Print out all generated passwords
for password in passwords:
    print(password)
Here is a quick snippet of the output:
Now that we have a potential password list, let’s see if we can find james’ password:
Success! We now have access to j.bold !
Looking for the next step
James doesn’t have remote-access enabled, which means that we can’t win-rm into the DC with his user.
This looks like a good opportunity to use bloodhound, and see if we can find the next step!
bloodhound-python -u j.bold -p "<redacted>" -d k2.thm -v --zip -c All -dc K2Server.k2.thm -ns 10.10.61.132
After carefully examining the different permissions of both r.bud and j.bold, we can see that j.bold has some control over a third user!
Click on the “j.bold” node and go to “Group Delegated Object Control” under “Outbound Object Control”:
We can see that because j.bold is a part of “IT STAFF 1” , he has a “GenericAll” privilege over j.smith!
This means that we can reset j.smith’s password:
net rpc password "j.smith" "password123@" -U "k2.thm"/"j.bold"%"<redacted>" -S "10.10.61.132"
And we can get a shell as j.smith!
Escalating to DA
We can start by checking if j.smith has any interesting privileges:
And he does!
j.smith has the “SeBackupPrivilege” and the “SeRestorePrivilege” enabled, which means we should be able to create a copy of the ntds.dit file and extract it, so we can examine it and get the Administrator’s hash!
First, I created the following script on my kali:
This script will be used with “diskshadow” to create a backup of the C:\ drive and map it to the Z:\ drive.
Before uploading it to the machine, we need to convert it to Windows (CRLF) line endings so diskshadow will parse it:
unix2dos priv.dsh
Now, let’s upload the file via win-rm:
And now we run the following commands on our win-rm session:
mkdir C:\Temp
cd C:\Temp
diskshadow /s C:\Users\j.smith\Documents\priv.dsh
robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system C:\Temp\System
If everything worked as intended, your C:\Temp directory should look like this:
Now download both files:
download ntds.dit
download System
All that is left to do once we have the files, is to run secretsdump:
impacket-secretsdump -system System -ntds ntds.dit local
And we can now use the NTLM hash of the administrator over win-rm to get a shell as a domain admin!
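From the defender’s side, each step of the chain above is a legitimate operation for a holder of SeBackupPrivilege, so the signal is the combination. As an added example (not part of the room or this walkthrough), here is detection logic run over constructed 4688 process-creation records; the host, user and timestamps are made up for the sample.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed 4688 (process creation) records standing in for Security-log telemetry.
EVENTS = [
    {"time": "2024-05-01T10:02:11", "user": "K2\\j.smith", "host": "K2Server",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c mkdir C:\\Temp"},
    {"time": "2024-05-01T10:02:40", "user": "K2\\j.smith", "host": "K2Server",
     "image": "C:\\Windows\\System32\\diskshadow.exe",
     "cmdline": "diskshadow /s C:\\Users\\j.smith\\Documents\\priv.dsh"},
    {"time": "2024-05-01T10:03:05", "user": "K2\\j.smith", "host": "K2Server",
     "image": "C:\\Windows\\System32\\Robocopy.exe",
     "cmdline": "robocopy /b z:\\windows\\ntds . ntds.dit"},
    {"time": "2024-05-01T10:03:20", "user": "K2\\j.smith", "host": "K2Server",
     "image": "C:\\Windows\\System32\\reg.exe",
     "cmdline": "reg save hklm\\system C:\\Temp\\System"},
    {"time": "2024-05-01T14:00:00", "user": "K2\\svc_backup", "host": "K2Server",
     "image": "C:\\Windows\\System32\\Robocopy.exe",
     "cmdline": "robocopy /b D:\\Shares E:\\Backup /MIR"},   # benign backup job
]

def classify(ev):
    """Map one 4688 record to an indicator name, or None if it looks benign."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    tokens = cmd.split()
    if image == "diskshadow.exe" and "/s" in tokens:          # scripted shadow copy
        return "shadow_copy_script"
    if image == "robocopy.exe" and "/b" in tokens and "ntds" in cmd:  # backup-mode copy of ntds
        return "ntds_backup_copy"
    if image == "reg.exe" and "save" in tokens and ("hklm\\system" in cmd or "hklm\\sam" in cmd):
        return "hive_export"
    return None

def detect_ntds_extraction(events, window=timedelta(minutes=10), min_indicators=2):
    """Alert when one (host, user) produces enough distinct indicators inside the window."""
    hits = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["time"]), tag))
    alerts = []
    for (host, user), seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            tags = {tag for t, tag in seq[i:] if t - t0 <= window}
            if len(tags) >= min_indicators:
                alerts.append({"host": host, "user": user, "indicators": sorted(tags)})
                break
    return alerts
```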
And that is the end of the middle camp!
You should now have everything you need to answer the questions in this section of the room.
A little extra
Grabbing NTLM hashes of all the domain users is fun, and can be later used for pass-the-hash attacks. But can we get the clear text password of the administrator account?
Yes we can!
This is another password we can add to our long password list; it might be useful later :)
Stay tuned for part 3 of this walkthrough, where we will take on the final boss!