TryHackMe - Crocc Crew

This is another one of those challenges I could test my Active Directory skills that I honed during OSEP. It was a tough challenge, and what made it tougher was the unusual way you get to the initial creds.

The room is called Crocc Crew, and is available at


The first thing I did was a portscan:

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-22 04:58:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
9389/tcp  open  mc-nmf        .NET Message Framing
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
49885/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

We clearly have what looks like a domain controller here.

HTTP - Port 80

As per normal, we see port 80 open, and we immediately start throwing wordlists at it.

The first interesting thing we notice is a robots.txt file.

Awesome, looks interesting.

Wow, that was easy. We already have creds and the fuzzing is still running.

And this is where the hour long rabbit hole started.

I tried through crackmapexec at it, and it didn’t want to accept the credentials.

This led me to believe there might be other virtual hosts running here, and I kept throwing things at it. Nothing yielded results.

In the meantime the fuzzing didn’t turn up anything else, but a dead-end backdoor.php.

So what do we do when we get stuck? Try Harder… and enumerate more!

MSRPC - Port 135

The only thing I could get that showed anything interesting, were and tcp_dcerpc_auditor.

The above output seemed promising, because I was at least getting something to work with.

Another few hours were wasted in this rabbit hole. The plus side is that I think I know RPC a little better now. I might have missed something here, and am looking forward to seeing other people’s solutions.

Also tried to see if I can pick up a IPv6 IP address.

Kerbrute - Port 88

I decided to through a wordlist are kerbrute, and see what interesting users I get.

After getting a valid user list, I already tried running it through crackmapexec with the password obtained from the earlier found db credentials. Nothing worked.

RDP - Port 3389

I turned my attention to RDP. I know rdesktop spits out some useful info while the connection is trying to establish, but besides a hostname which I already had, there wasn’t much.

I finally had a breakthrough, after giving up the night before, when I logged back into RDP. I think it happened by fluke, because I typed in the params wrong for rdesktop. It gave me an idea, and eventually I was presented with the following.

I recognised what looked like a username on the stickynote from my earlier enumeration. Immediately trying it using crackmapexec I had finally gotten somewhere.

SMB - Port 445

Using the found credentials, I circled back to doing all my initial enumeration again. But before that I logged into SMB to at least get my first flag.

Using enum4linux-ng I was able to get more users. A trimmed down version is below.

  username: mark                                                                              
  name: Mark                                                                                  
  acb: '0x00020010'                                                                           
  description: (null)                                                                         
  username: admCroccCrew                                                                      
  name: admCroccCrew                                                                          
  acb: '0x00000210'                                                                           
  description: (null)                                                                         
  username: cryillic                                                                          
  name: cryillic                                                                              
  acb: '0x00000210'                                                                           
  description: (null)                                                                         
  username: Varg                                                                              
  name: varg                                                                                  
  acb: '0x00000210'                                                                           
  description: (null)                                                                         
  username: password-reset                                                                    
  name: reset                                                                                 
  acb: '0x00040210'                                                                           
  description: (null)                                                                         

I turned my attention to ldapdomaindump, and was able to immediately spot something that looked familiar from my OSEP learning.


During the course we almost exclusively made use of Rubeus, and I decided to take this time to learn how to accomplish all this from my Kali box, using impacket.

It took me a while of trying different things, at failing at it, until I finally figured out what was going wrong. I needed the correct SPN.

I found this very cool writeup.

Making use of pywerview I got this user’s details.

Knowing what the SPN was, I as able to create a ticket that impersonates Administrator.

Using this ticket, I was able to dump hashes from the DC.

I immediately used the Administrator’s hash, and was able to get code execution.

Making use of the web_delivery module in msfconsole, I was able to get a meterpreter shell.

Oh yes… the flags!

I had gotten so tied up in getting the ticketing working, and doing privilege escalation, I had forgotten about the flags.

Once I was Administrator though, I was able to get all the flags.

This felt like cheating though… so I am sure there was a more intended way.

Written on August 23, 2021