TryHackMe - Crocc Crew
This is another one of those challenges I could test my Active Directory skills that I honed during OSEP. It was a tough challenge, and what made it tougher was the unusual way you get to the initial creds.
The room is called Crocc Crew, and is available at https://tryhackme.com/room/crocccrew.
The first thing I did was a portscan:
PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-csrf: Couldn't find any CSRF vulnerabilities. |_http-dombased-xss: Couldn't find any DOM based XSS. |_http-server-header: Microsoft-IIS/10.0 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities. 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-08-22 04:58:15Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name) |_sslv2-drown: 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped |_ssl-ccs-injection: No reply from server (TIMEOUT) |_sslv2-drown: 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name) |_sslv2-drown: 3269/tcp open tcpwrapped |_ssl-ccs-injection: No reply from server (TIMEOUT) |_sslv2-drown: 3389/tcp open ms-wbt-server Microsoft Terminal Services |_sslv2-drown: 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49668/tcp open msrpc Microsoft Windows RPC 49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49674/tcp open msrpc Microsoft Windows RPC 49679/tcp open msrpc Microsoft Windows RPC 49711/tcp open msrpc Microsoft Windows RPC 49885/tcp open msrpc Microsoft Windows RPC Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
We clearly have what looks like a domain controller here.
HTTP - Port 80
As per normal, we see port 80 open, and we immediately start throwing wordlists at it.
The first interesting thing we notice is a
Awesome, looks interesting.
Wow, that was easy. We already have creds and the fuzzing is still running.
And this is where the hour long rabbit hole started.
I tried through
crackmapexec at it, and it didn’t want to accept the credentials.
This led me to believe there might be other virtual hosts running here, and I kept throwing things at it. Nothing yielded results.
In the meantime the fuzzing didn’t turn up anything else, but a dead-end
So what do we do when we get stuck? Try Harder… and enumerate more!
MSRPC - Port 135
The only thing I could get that showed anything interesting, were
The above output seemed promising, because I was at least getting something to work with.
Another few hours were wasted in this rabbit hole. The plus side is that I think I know RPC a little better now. I might have missed something here, and am looking forward to seeing other people’s solutions.
Also tried to see if I can pick up a IPv6 IP address.
Kerbrute - Port 88
I decided to through a wordlist are kerbrute, and see what interesting users I get.
After getting a valid user list, I already tried running it through
crackmapexec with the password obtained from the earlier found db credentials. Nothing worked.
RDP - Port 3389
I turned my attention to RDP. I know rdesktop spits out some useful info while the connection is trying to establish, but besides a hostname which I already had, there wasn’t much.
I finally had a breakthrough, after giving up the night before, when I logged back into RDP. I think it happened by fluke, because I typed in the params wrong for rdesktop. It gave me an idea, and eventually I was presented with the following.
I recognised what looked like a username on the stickynote from my earlier enumeration. Immediately trying it using
crackmapexec I had finally gotten somewhere.
SMB - Port 445
Using the found credentials, I circled back to doing all my initial enumeration again. But before that I logged into SMB to at least get my first flag.
enum4linux-ng I was able to get more users. A trimmed down version is below.
'1115': username: mark name: Mark acb: '0x00020010' description: (null) '1121': username: admCroccCrew name: admCroccCrew acb: '0x00000210' description: (null) '1124': username: cryillic name: cryillic acb: '0x00000210' description: (null) '1129': username: Varg name: varg acb: '0x00000210' description: (null) '1134': username: password-reset name: reset acb: '0x00040210' description: (null)
I turned my attention to
ldapdomaindump, and was able to immediately spot something that looked familiar from my OSEP learning.
We had a user with TRUSTED_TO_AUTH_FOR_DELEGATION.
During the course we almost exclusively made use of Rubeus, and I decided to take this time to learn how to accomplish all this from my Kali box, using
It took me a while of trying different things, at failing at it, until I finally figured out what was going wrong. I needed the correct SPN.
I found this very cool writeup. http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html
Making use of
pywerview I got this user’s details.
Knowing what the SPN was, I as able to create a ticket that impersonates Administrator.
Using this ticket, I was able to dump hashes from the DC.
I immediately used the Administrator’s hash, and was able to get code execution.
Making use of the web_delivery module in msfconsole, I was able to get a meterpreter shell.
Oh yes… the flags!
I had gotten so tied up in getting the ticketing working, and doing privilege escalation, I had forgotten about the flags.
Once I was Administrator though, I was able to get all the flags.
This felt like cheating though… so I am sure there was a more intended way.