Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough of TryHackMe's Ustoun, which was an Active Directory machine, but we didn't really have to do anything crazy with AD: we just needed to brute force users by RID through "crackmapexec".


From the scan we can see the domain name.

PORT 445 (SMB)

We can only access IPC$ anonymously, but that is of no use on its own. So using crackmapexec we can do a RID brute force, which enumerates all AD objects, including users and groups, by guessing every relative identifier (RID).

Here we can see SVC-Kerb, which looks like a user account. Since MS-SQL is running, we can try to brute force its credentials there.

PORT 1433 (MS-SQL)

The database is Microsoft SQL Server, so let's brute force the credentials using hydra.

We found the password, so we can use Metasploit's admin/mssql/mssql_exec module for code execution.

So we have command execution. Alternatively we can use sqsh, an open-source program that gives an interactive database shell.

Here -S specifies the server: the IP address, plus the port if MS-SQL were listening on a different port.

-U specifies the username.

-P specifies the password.

Now, to execute Windows commands we are going to use xp_cmdshell, which spawns a Windows command shell. xp_cmdshell is an extended stored procedure provided by Microsoft and stored in the master database. So the whole command will be EXEC master..xp_cmdshell 'whoami'. Here EXEC executes a stored procedure on the database; stored procedures are roughly like functions in MySQL/MSSQL.
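Because xp_cmdshell is disabled by default and every call goes through a single stored procedure, its use is easy to audit on the defending side. As an added example (not code from the original post), here is a small Python scanner over constructed SQL Server audit records that flags the sp_configure change enabling xp_cmdshell and every invocation, extracting the OS command passed to it; the record format and logins are assumptions.

```python
import re
from typing import Iterable, List, Optional, Tuple

# sp_configure 'xp_cmdshell', 1 enables the procedure; ', 0' disables it.
CONFIGURE_RE = re.compile(
    r"sp_configure\s+N?'xp_cmdshell'\s*,\s*([01])\b", re.IGNORECASE)
# An invocation: optional master.. / master.dbo. prefix, optional brackets,
# then (if present) the string literal holding the OS command.
CALL_RE = re.compile(
    r"(?:master\s*\.\s*(?:dbo)?\s*\.\s*)?\[?xp_cmdshell\]?\s*(?:N?'([^']*)')?",
    re.IGNORECASE)

# Constructed sample records (login, statement text), shaped like what a
# SQL Server Audit or Extended Events session would capture. Not real data.
SAMPLE_RECORDS = [
    ("app_reader", "SELECT TOP 10 name FROM sys.databases"),
    ("svc_sql", "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;"),
    ("svc_sql", "EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"),
    ("svc_sql", "EXEC master ..xp_cmdshell'whoami'"),
    ("svc_sql", "exec master.dbo.xp_cmdshell N'powershell -c Get-ADDomain'"),
    ("dba", "EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;"),
]


def classify_statement(stmt: str) -> Optional[dict]:
    """Return a finding for one T-SQL statement, or None if it is benign."""
    m = CONFIGURE_RE.search(stmt)
    if m:
        enabled = m.group(1) == "1"
        return {"kind": "enable" if enabled else "disable",
                "severity": "high" if enabled else "info", "command": None}
    m = CALL_RE.search(stmt)
    if m:
        # command is None when the argument is a variable (EXEC xp_cmdshell @c);
        # the call is still flagged even though the text cannot be read here.
        return {"kind": "invoke", "severity": "critical",
                "command": m.group(1).strip() if m.group(1) else None}
    return None


def scan(records: Iterable[Tuple[str, str]]) -> List[dict]:
    """Classify every record and attach the login that issued it."""
    findings = []
    for login, stmt in records:
        finding = classify_statement(stmt)
        if finding:
            finding["login"] = login
            findings.append(finding)
    return findings
```

Running scan(SAMPLE_RECORDS) yields one "enable" finding, two "invoke" findings carrying whoami and the PowerShell command, and an "info" finding for the disable; in practice the enable followed by invocations from a service login such as SVC-Kerb's is the sequence to alert on.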

We can find user.txt in C:\Users\SVC-Kerb.DC01.

But when I tried to read it I got access denied.

So, to get a proper shell first, I uploaded ncat64.exe (you can download it from here).

Now we at least have a shell. To see what permissions SVC-Kerb has, we can run net user SVC-Kerb.

It tells us that we are just a domain user; this also looks like a service account, so we won't be able to do much with it. Since this is Active Directory, we can run SharpHound.ps1 to gather everything it can find about the domain.

I transferred the file onto the target machine, but before running it let's find the domain name. We already know it from the nmap scan, but just to be sure, spawn PowerShell by running powershell and run Get-ADDomain; this will show you the domain's information.

Now we will import SharpHound.ps1 and use its functions.

We need to transfer this to our local machine so we can analyze the data with BloodHound.

To transfer it I tried creating an SMB share on my local machine and copying the zip file there, but Windows gave an error saying it would not allow the file to be transferred, so I thought of getting a Meterpreter shell instead, through which I could download the zip file.

Run neo4j console.

Then start BloodHound.

I imported that zip file into BloodHound but didn't find anything interesting, so we can now upload PowerUp.ps1 to enumerate misconfigurations and privilege escalation techniques.


You can download the script from here.

Also read the documentation from here.

Now import the PowerShell script and run Invoke-AllChecks.

So here we have two ways of getting admin. First, let's try abusing the UsoSvc service.

Service Abuse

Looking at the documentation:

We can abuse the service to create a local administrator, either by creating a new user and adding it to the local Administrators group, or by adding the current user.

Creating a new user and adding it to the local Administrators group:

To check that the user was added:

Now, to switch to this user, we can log in with evil-winrm, since the WinRM service is running.


Running whoami /all to see what privileges the user has.

Now we can abuse this privilege with PrintSpoofer.

Download the PrintSpoofer 64-bit version.

And we can access the Administrator's directory.

BS CS undergraduate | CTF Player