[THM] VulnNet: Roasted

VulnNet Roasted is an easy machine on TryHackMe developed by TheCyb3rW0lf.

Let’s dive in and start with a port scan.

NMAP Scan

From the initial scan we can notice the domain (vulnnet-rst.local).

I used kerbrute to enumerate available users. The Guest and Administrator users are found.

Kerbrute

A null session can be leveraged to access SMB.

Null Session

The VulnNet-Business-Anonymous folder can be accessed, but we can’t pull any data from it. The VulnNet-Enterprise-Anonymous folder, however, can be accessed and its data can be pulled.

Pulling data from SMB

We can use crackmapexec to bruteforce the RIDs using the guest account.

RID Bruteforce

Using the accounts we just found, try requesting Kerberos tickets.

Kerberos ticket requested

Crack the hash.

Hash cracking

Check for SPNs.

Requesting the SPN

That is probably a rabbit hole. With a little more enumeration, we can use the t-skid account to access the NETLOGON SMB share, where a VBS file is discovered.

Accessing NETLOGON

Download the file using SMBMap.

File download using SMBMap

Taking a look inside the VBS script, a username and password are discovered.

Discovering the user & pass
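
The root cause at this step is a logon script in NETLOGON with a password written into it. The following is an added example, not part of the original write-up: a small audit script an administrator can run over a local copy of their own NETLOGON/SYSVOL scripts to flag hardcoded secrets in VBScript files. The variable-name patterns, function names and sample script are assumptions made for illustration.

```python
import re
from pathlib import Path

# Variable names that suggest a secret (assumed list; VBScript is case-insensitive).
SECRET_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|cred)", re.IGNORECASE)
# [Const] name = "literal"   (VBScript escapes a quote inside a string by doubling it)
ASSIGNMENT = re.compile(r'^\s*(?:const\s+)?([A-Za-z_]\w*)\s*=\s*"((?:[^"]|"")*)"', re.IGNORECASE)

def strip_comment(line):
    """Drop a VBScript comment (' ...) unless the apostrophe is inside a string."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan_vbs(text):
    """Return (line_number, variable, redacted_value) for each hardcoded secret."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = strip_comment(raw)
        if re.match(r"\s*rem\b", line, re.IGNORECASE):
            continue  # Rem-style comment line
        match = ASSIGNMENT.match(line)
        # Flag only non-empty literals assigned to secret-looking names.
        if match and SECRET_NAME.search(match.group(1)) and match.group(2):
            value = match.group(2)
            # Redact so the report itself does not leak the secret.
            findings.append((number, match.group(1), value[0] + "*" * (len(value) - 1)))
    return findings

def scan_tree(root):
    """Scan every .vbs file (any case) under a local copy of the share."""
    files = (p for p in Path(root).rglob("*") if p.suffix.lower() == ".vbs")
    return {str(p): f for p in files if (f := scan_vbs(p.read_text(errors="replace")))}

# Constructed sample, not the script from the room.
SAMPLE = '''\
' Logon script (constructed)
strUserName = "svc-example"
strPassword = "Examp1e!Pass"   ' TODO: move to a vault
' strOldPassword = "commented-out"
strMessage = "It's a password reset tool"
strEmptyPwd = ""
'''

if __name__ == "__main__":
    for number, name, redacted in scan_vbs(SAMPLE):
        print(f"line {number}: {name} = {redacted}")
```

Any finding means the credential is readable by every account that can read the share, so it should be rotated and removed from the script.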

Using the newly found account we can connect to the machine using WinRM.

Connecting to machine

By checking the user’s privileges we notice we are part of the Domain Admins group.

User privs

Since we are in the Domain Admins group we should be able to reset the Administrator account password.

Resetting the password

Access to the machine as Administrator should be granted now.

Connecting as Administrator

You can grab the flags now :).