TryHackMe — VulnNet: Roasted
VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they as always hired you to perform a penetration test, and see how system administrators are performing.
- Difficulty: Easy
- Operating System: Windows
This is a much simpler machine, do not overthink. You can do it by following common methodologies.
Note: It might take up to 6 minutes for this machine to fully boot.
- Author: MindOverfløw
- Discord: MindOverfløw#0420
We start off by running a rustscan scan of the box to find the open ports.
Looking at the results, we see that a lot of ports are open and that we are likely dealing with a domain controller.
Let’s enumerate further. First we add ‘vulnnet-rst.local’ to our /etc/hosts.
Let’s enumerate the SMB protocol.
Looking at the results, we see some files shared. We will download all the files and dig for any juicy information.
Unfortunately, we didn’t find any relevant information.
Use sudo smbmap -H ip -u anonymous to check the permissions on the shares.
We have read access to the IPC share, so we are able to list the domain users as anonymous using an impacket tool called lookupsid.py.
Copy the domain users to a users.txt file.
Use sudo GetNPUsers.py -dc-ip 10.10.127.13 -usersfile users.txt -no-pass vulnnet-rst.local/.
Check the output for any user hashes.
We discovered a hash for the user a-whitehat.
We will crack this hash to discover the password for the a-whitehat user.
Use sudo hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt --show. The above command will help us to crack the krb5 hash.
Now we have the user and the password.
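Seen from the domain controller, the GetNPUsers.py step above is a series of Kerberos TGT requests (Security event 4768) issued without pre-authentication. The Python below is an added example, not part of the original write-up: it flags such requests in records that use the 4768 field names; the events, account names, addresses and function names are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # RC4-HMAC, the cheapest ticket encryption type to crack offline

# Constructed sample records (not from the room) using Security event 4768 field names.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-report", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "::ffff:10.0.0.21",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "legacy-app", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4624, "TargetUserName": "j.doe", "IpAddress": "10.0.0.21"},
]

def find_no_preauth_tgts(events):
    """Group successful TGT requests issued without pre-authentication by source IP."""
    findings = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # only an issued TGT carries crackable AS-REP material
        if ev.get("PreAuthType") != "0":
            continue  # any other value means pre-authentication was enforced
        account = ev.get("TargetUserName", "")
        if account.endswith("$"):
            continue  # skip machine accounts
        source = ev.get("IpAddress", "").replace("::ffff:", "", 1)
        findings[source].append({
            "account": account,
            "rc4": ev.get("TicketEncryptionType", "").lower() == RC4_HMAC,
        })
    return dict(findings)

def accounts_to_fix(findings):
    """Accounts whose 'Do not require Kerberos preauthentication' flag needs review."""
    return sorted({hit["account"] for hits in findings.values() for hit in hits})

if __name__ == "__main__":
    result = find_no_preauth_tgts(SAMPLE_EVENTS)
    for source, hits in result.items():
        print(source, hits)
    print("review:", accounts_to_fix(result))
```

Every account this returns has pre-authentication disabled, which is the setting to remove; several such accounts requested from one source in a short window is the pattern left by a user-list sweep.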
We will use secretsdump.py (impacket) to check for any other users and hash passwords.
Run sudo secretsdump.py firstname.lastname@example.org
Looking at the above results, we discovered users and their password hashes, including the Administrator user and his password hash.
We will use this information to look for the user and system flags.
Run sudo evil-winrm -i ip -u enterprise-core-vn -H hash.
Yeahhh!!! We’ve got the user flag.
Run sudo evil-winrm -i 10.10.127.13 -u Administrator -H c2597747aa5e43022a3a3049a3c3b09d. That way, we log in as Administrator and can check for the system flag.
Hope you have enjoyed reading about how to hack the TryHackMe room: VulnNet: Roasted.