Ra2 (THM)
TryHackMe – Ra2 Write-Up
topics: DNS poisoning (modifying DNS records, combined with a leaked SSL certificate), web application attacks, password cracking, Windows privilege escalation, PrintSpoofer
Enumeration
Local Privilege Escalation
System Privilege Escalation
new tools: responder, dig, pfx2john, nsupdate
Enumeration
Initial autorecon and nmap scan: .././autonmap.sh $ip Full
Inspecting the scans, there are numerous ports open on this machine. Because ports such as DNS, LDAP/S, Kerberos and RDP are open, we can surmise that this is a domain controller for an Active Directory environment. Additionally, the DNS enumeration reveals alternative names for the DC.
Let's add these names to the hosts file and use dig to find additional domains on this machine.
DNS
As this machine seems to be a domain controller, it would make sense to enumerate DNS first to see what information we can obtain.
dig windcorp.thm any @victimIP
We can see the additional domain name hostmaster.thm and the domain that answers a DNS query first. We can also see a flag and a text file left for us to read, which provides a hint to the initial foothold.
Permitting unsecured dynamic DNS updates gives ANY computer (not just one on the domain) the ability to modify or create DNS records. This means we can effectively change or add any subdomain name (including malicious ones), and even impersonate the server during user authentication and capture hashes.
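The defensive counterpart of the point above is to notice when a monitored name suddenly resolves somewhere it should not. The following script is an added example for this write-up, not part of the original post: it parses the answer section of dig output (a constructed sample is embedded; the addresses and the rogue 192.0.2.99 record are not from the lab) and compares it against a baseline of known-good records, reporting any record an unauthenticated dynamic update may have inserted or removed.

```python
"""Detect unexpected changes to critical DNS records.

Added example for this write-up, not part of the original post. It parses
the answer section of `dig` output (constructed sample below, not captured
from the lab) and compares it with a known-good baseline so that a record
pointing at an unexpected host, such as one inserted through an unsecured
dynamic update, is flagged.
"""
import re
from collections import defaultdict

# Hostnames a defender cares about and what they should resolve to.
# The addresses are constructed for this example, not taken from the lab.
BASELINE = {
    "selfservice.windcorp.thm.": {"A": {"10.10.10.5"}},
    "fire.windcorp.thm.": {"A": {"10.10.10.5"}},
    "windcorp.thm.": {"NS": {"fire.windcorp.thm."}},
}

# Constructed sample of a dig answer section. The second selfservice record
# is the kind of entry an attacker-controlled dynamic update would add.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
windcorp.thm.\t3600\tIN\tNS\tfire.windcorp.thm.
windcorp.thm.\t3600\tIN\tSOA\tfire.windcorp.thm. hostmaster.thm. 60 900 600 86400 3600
fire.windcorp.thm.\t3600\tIN\tA\t10.10.10.5
selfservice.windcorp.thm.\t3600\tIN\tA\t10.10.10.5
selfservice.windcorp.thm.\t3600\tIN\tA\t192.0.2.99

;; Query time: 1 msec
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_answer_section(text):
    """Return {owner: {rrtype: set(rdata)}} from dig's answer section only."""
    records = defaultdict(lambda: defaultdict(set))
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            # Any other ";;" header ends the answer section.
            in_answer = False
        if not in_answer or not line.strip():
            continue
        m = RR_LINE.match(line)
        if m:
            owner, _ttl, rrtype, rdata = m.groups()
            records[owner][rrtype].add(rdata)
    return records


def find_drift(records, baseline):
    """Compare observed records with the baseline.

    Returns a list of (owner, rrtype, unexpected_rdata, missing_rdata);
    an empty list means every monitored record matches the baseline.
    """
    findings = []
    for owner, types in baseline.items():
        for rrtype, expected in types.items():
            observed = records.get(owner, {}).get(rrtype, set())
            unexpected = observed - expected
            missing = expected - observed
            if unexpected or missing:
                findings.append((owner, rrtype, unexpected, missing))
    return findings


if __name__ == "__main__":
    observed = parse_answer_section(SAMPLE_DIG_OUTPUT)
    for owner, rrtype, extra, gone in find_drift(observed, BASELINE):
        print(f"ALERT {owner} {rrtype}: unexpected={sorted(extra)} missing={sorted(gone)}")
```

Run periodically against `dig windcorp.thm any @<dc>` output, the alert fires as soon as a second A record for selfservice appears, which is exactly the change the impersonation step later in this write-up relies on.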
HTTPS
We have about three unique subdomains on this domain controller, so we can run a dirsearch scan on each of them:
python3 dirsearch.py -u https://$ip -e php,html,txt
The subdomain selfservice.dev.windcorp.thm returned an interesting /backup directory. Not pictured: there is also a /powershell directory on fire.windcorp, but it requires credentials.
Navigating to /backups on selfservice.dev.windcorp.thm
We have a cert.pfx file and an empty config file. Windows servers use .pfx files that bundle the public certificate and the private key for their HTTPS certificates.
Local Privilege Escalation
With the knowledge of permission to update DNS records and obtaining the cert.pfx file, we can now impersonate the HTTPS server on the domain controller. We can add the attacking machine to a list of trusted subdomains and intercept user hashes when communicating with the controller.
Impersonating the Server
We can extract the password for the certificate with pfx2john and john.
Then we extract the key and certificate from the pfx file with openssl, so that we can use them ourselves for impersonation.
The .pem files are now ready to impersonate the HTTPS server. Next we must:
- update the DNS record of the domain controller to point to the attacking machine with nsupdate
- verify the answer section with dig
- copy the cert files to the responder certs folder
- listen with responder -I tun0
Below are the nsupdate commands to add our attacking machine as the new selfservice.windcorp.thm subdomain on the domain controller.
responder has captured an HTTP event and has logged the NTLMv2 hash of the user edwardle. We can crack this with john.
The credentials edwardle:!Angelus25! should be valid for the powershell aspx console discovered during HTTPS enumeration. I attempted evil-winrm but it was not successful; we can assume it's disabled for now.
Domain Admin Privilege Escalation
Starting with whoami /priv, we can see we have the very critical SeImpersonatePrivilege, which PrintSpoofer leverages for SYSTEM escalation.
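From a hardening point of view, the lesson is that a web application pool or service account holding SeImpersonatePrivilege is effectively SYSTEM, whether the privilege currently shows as Enabled or Disabled. The script below is an added example for this write-up, not part of the original post: it parses the table printed by whoami /priv (a constructed sample is embedded, not the lab machine's output) and reports the privileges a review should treat as high risk.

```python
"""Flag token privileges that allow escalation to SYSTEM.

Added example for this write-up, not part of the original post. It parses
the table printed by `whoami /priv` (constructed sample below) and reports
privileges that a hardening review should treat as SYSTEM-equivalent, such
as SeImpersonatePrivilege, regardless of whether they are currently enabled.
"""
import re

# Privileges commonly abused for local escalation. A service or application
# pool account holding any of them should be reviewed.
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege": "impersonate a client after authentication",
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeBackupPrivilege": "read any file regardless of ACL",
    "SeRestorePrivilege": "write any file regardless of ACL",
    "SeDebugPrivilege": "debug any process",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
}

# Constructed sample of `whoami /priv` output for a web application
# identity; not captured from the lab machine.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# One table row: privilege name, free-text description, then the state.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.*?)\s+(Enabled|Disabled)\s*$")


def parse_privileges(text):
    """Return {privilege_name: state} from whoami /priv output."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line)
        if m:
            name, _description, state = m.groups()
            privs[name] = state
    return privs


def audit_privileges(privs):
    """Return (name, state, reason) for each high-risk privilege held.

    Disabled privileges are still reported: a process can re-enable any
    privilege its token holds, so 'Disabled' is not a mitigation.
    """
    findings = []
    for name in sorted(privs):
        if name in HIGH_RISK_PRIVILEGES:
            findings.append((name, privs[name], HIGH_RISK_PRIVILEGES[name]))
    return findings


if __name__ == "__main__":
    for name, state, why in audit_privileges(parse_privileges(SAMPLE_WHOAMI_PRIV)):
        print(f"HIGH RISK {name} ({state}): {why}")
```

The fix on the defender's side is to run the web application under an account that does not hold these privileges (or under a virtual/managed service account with the minimum set), and to treat any foothold that lands in such a context as a full compromise of the host when scoping an incident.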
We need to:
- make a c:\temp directory
- craft a reverse shell with msfvenom and listen for it
- download printspoofer
- transfer the files to the victim machine and run the program