TryHackMe-Hacker Of The Hill(Medium)

NMAP

PORT      STATE SERVICE       VERSION                  
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: PhotoStore - Home
81/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Network Monitor
82/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-03-07 17:02:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: troy.thm0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TROY
| NetBIOS_Domain_Name: TROY
| NetBIOS_Computer_Name: TROY-DC
| DNS_Domain_Name: troy.thm
| DNS_Computer_Name: TROY-DC.troy.thm
| DNS_Tree_Name: troy.thm
| Product_Version: 10.0.17763
|_ System_Time: 2021-03-07T17:03:27+00:00
| ssl-cert: Subject: commonName=TROY-DC.troy.thm
| Not valid before: 2021-02-18T18:07:12
|_Not valid after: 2021-08-20T18:07:12
|_ssl-date: 2021-03-07T17:04:06+00:00; +35s from scanner time.
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
Service Info: Host: TROY-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 139/445 (SMB)

Didn’t found any shares on the machine so now we have 3 http ports to enumerate

PORT 80 (HTTP)

I fuzzed for files and directory but found nothing interesting

We see a sign-up page

On registering an account

I uploaded an image having .jpg extension

And could see full path of the image

Also inspecting the source code we see that this using javascript

Now I used burpsuite to send this request to intruder so I could test for command injection but before doing it we need to block the javascript file which is filtering

Make sure to check tick on Disable Cache and right click on script.js and select block url and refresh the page you will be able to use spaces in text field

We can now use ping command to verify command injeciton

Using a powershell reverse shell I got rce to the machine

For convinince I generated a payload for getting a metepreter session

Ran winPeas but nothing interesting

Also I tried to upload BloodHound.ps1 to gather information about active directory

Invoke-Bloodhound -CollectionMethod All -Domain troy.thm -ZipFileName loot.zip

Now I want this zip archive on my local machine so I could see what information it found

The reason why I used metasploit : )

After having the zip archive on my local machine I started bloodhound and neo4j

Now simply drag and drop the zip archive it will automatically extract the archive and then you can run quries

On running the qurey Find All Domain Admins

Then running Kerberoastable accounts

Kerberoastable accounts of high value

Download rubeus.exe

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

On running rubeus we will immediately get a hash

Now we need to run hashcat against it and we are done because achilles is an administartor

It cracks the hash

Now we could either login with RDP ,psexec or with evil-winrm

Evil-Winrm

Psexec

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store