Crocc Crew
https://tryhackme.com/room/crocccrew
Difficulty: Insane
Reconnaissance
Nmap Results
HTTP - Port 80
Starting to enumerate what is on port 80, we can see that a group of hackers has just defaced this Windows server.
So let's start hacking back: try likely existing files and directories, such as robots.txt.
robots.txt points at a database configuration backup; open it.
Inside the backup file there is a username and a password; keep these credentials, they may be useful later.
RDP - Port 3389
Enumerating RDP we also see a sticky note with credentials; copy them for further enumeration and exploitation.
PS: the credentials found on the web server are less important than the ones found over RDP.
SMB - Port 445
Now we enumerate SMB. To save you from a rabbit hole: use the credentials found over RDP to list and read the shares.
You will find the user flag inside the Home directory.
LDAP - Port 636
Use ldapdomaindump (with the same credentials) to dump the users of the domain and look for possible attack vectors.
Looking at the dumped users, one specific user has the flag TRUSTED_TO_AUTH_FOR_DELEGATION set in its userAccountControl attribute.
Kerberos delegation lets a service account obtain service tickets on behalf of other users. TRUSTED_TO_AUTH_FOR_DELEGATION means constrained delegation with protocol transition: the account can ask the KDC for a ticket for any user to itself (S4U2Self) without that user's credentials, and then forward it to the services listed in its msDS-AllowedToDelegateTo attribute (S4U2Proxy). If we recover that account's password, we can impersonate a domain administrator against those services.
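As an added example (not from the room or the write-up author), a small POSIX shell helper that decodes userAccountControl values, the integer ldapdomaindump reads from LDAP, into flag names and applies the two checks that matter here: which enabled accounts have TRUSTED_TO_AUTH_FOR_DELEGATION, and whether the user you intend to impersonate carries NOT_DELEGATED. The account names and UAC values in the sample records are constructed.

```shell
#!/bin/sh
# Decode userAccountControl (UAC) values from an LDAP dump and pick out
# delegation-related accounts. The bit values are Microsoft's documented
# ADS_USER_FLAG constants; the sample records at the bottom are constructed.

# NAME:decimal-bit pairs, printed in this order (hex: 0x2, 0x200, 0x10000,
# 0x80000, 0x100000, 0x400000, 0x1000000)
UAC_BITS="ACCOUNTDISABLE:2 \
NORMAL_ACCOUNT:512 \
DONT_EXPIRE_PASSWORD:65536 \
TRUSTED_FOR_DELEGATION:524288 \
NOT_DELEGATED:1048576 \
DONT_REQ_PREAUTH:4194304 \
TRUSTED_TO_AUTH_FOR_DELEGATION:16777216"

# uac_flags <uac-integer>: print the set flag names, comma separated
uac_flags() {
    _uac=$1
    _out=""
    for _pair in $UAC_BITS; do
        _name=${_pair%%:*}
        _bit=${_pair#*:}
        if [ $(( _uac & _bit )) -ne 0 ]; then
            _out="${_out:+$_out,}$_name"
        fi
    done
    printf '%s\n' "$_out"
}

# has_flag <uac-integer> <FLAG_NAME>: exit 0 if the named bit is set
has_flag() {
    case ",$(uac_flags "$1")," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Account worth attacking: enabled and allowed protocol transition
# (S4U2Self + S4U2Proxy to the services in msDS-AllowedToDelegateTo).
is_protocol_transition_account() {
    has_flag "$1" TRUSTED_TO_AUTH_FOR_DELEGATION && ! has_flag "$1" ACCOUNTDISABLE
}

# Can this user be impersonated through S4U? NOT_DELEGATED ("account is
# sensitive and cannot be delegated") blocks it. Membership in Protected Users
# blocks it too but is not visible in UAC, so check group membership separately.
target_is_delegatable() {
    ! has_flag "$1" NOT_DELEGATED
}

# Constructed sample "sAMAccountName uac" records (not taken from the room).
SAMPLE="svc_web 16777728
Administrator 66048
backup_admin 1049088
old_svc 16777730"

printf '%s\n' "$SAMPLE" | while read -r _sam _uac; do
    printf '%-14s %-10s %s\n' "$_sam" "$_uac" "$(uac_flags "$_uac")"
    if is_protocol_transition_account "$_uac"; then
        printf '  -> %s allows protocol transition; check its msDS-AllowedToDelegateTo\n' "$_sam"
    fi
    if ! target_is_delegatable "$_uac"; then
        printf '  -> %s cannot be impersonated via S4U (NOT_DELEGATED)\n' "$_sam"
    fi
done
```

Feed it the userAccountControl column of the dump and the disabled account (old_svc in the sample) drops out even though its delegation bit is set, while the NOT_DELEGATED account would make getST fail later.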
Exploitation
Let's use impacket-GetUserSPNs with the RDP credentials to find users with SPNs and request their service tickets (Kerberoasting).
Once you get the hash, crack it offline (hashcat mode 13100 handles Kerberos 5 TGS-REP etype 23 hashes); the cracked password belongs to the delegation account.
Use impacket-findDelegation
to list the delegation settings of the domain and confirm the delegation type and the services (msDS-AllowedToDelegateTo) the account is allowed to delegate to.
Use the impacket-getST
script with -impersonate Administrator and the -spn of one of the allowed services to obtain a ticket as the Administrator user.
In this case we are assuming the target SPN is on the account's allowed list. If the impersonated user is marked "sensitive and cannot be delegated" (NOT_DELEGATED) or is a member of Protected Users, the S4U2Proxy step fails with KDC_ERR_BADOPTION.
The script writes the ticket to Administrator.ccache (newer impacket versions add the SPN and realm to the file name; use the name it prints). Export the path in KRB5CCNAME so the following tools pick it up.
Use impacket-secretsdump with -k -no-pass (Kerberos authentication from the ccache; the target must be the DC hostname that matches the ticket, not its IP)
like in the image above to extract all users' hashes and save them.
Now access the server with evil-winrm, passing the domain administrator's NT hash (-H) for pass-the-hash.
Get the flags to complete the room ;)