TryHackMe : Year of The Owl

Intro : It is a very old Windows Machine on TryHackMe. Here we will learn SNMP enumeration and SNMP community string Brute-Forcing. Besides we will also learn miss-use of SID (Security Identifier) and SAM , SYSTEM (backups) registry hives to dump all users Hashes. So let’s start.

Nmap Scan :

So as usual we start with a simple Nmap Scan. I found multiple Ports are open.

Tip : nmap -sVC -Pn -T4 <ip> -vv

You have to use ‘-Pn’ flag or it will not respond with Nmap.

Here we found http, mysql, domain, samba services are running but from them nothing are Interesting or Vulnerable. So what next. Then I start a simple UDP scan with Nmap.

Tip : nmap -sU -Pn -T4 <ip> -vv [For UDP Port scan]

I found port 161 is running and it is ‘SNMP’ (Simple Network Management Protocol). So I think it’s time for SNMP Enumeration.

SNMP Enumeration :

So SNMP uses a Community String for verification. So we have to find it first. We can Brute-Force that using popular known SNMP Community String Wordlist. We use a tool called ‘onesixtyone’ for Brute Forcing.

Tip : sudo apt-get install onesixtyone

Tip : onesixtyone <ip> -c <wordlist_path>

At last we found a string called ‘openview’ and it is a Intel64 Family.

So now we can enumerate Users with this string. We use a tool called ‘snmpwalk’ to find users.

Note :The information stored by SNMP is in a “tree” format, and is read from left to right. For example, in the string 1.3.2, you would start at node one, then select the third node from the left out of its child nodes. Of its children, you would select the second from the left.

Tip : The default location of the username list is: 1.3.6.1.4.1.77.1.2.25

Tip: snmpwalk -c openview -v1 <ip> 1.3.6.1.4.1.77.1.2.25

User Access : Jareth

So we have 5 account or users:

Guest, Jareth, Administrator, DefaultAccount, WDAGUtilityAccount

From them ‘Jareth’ user looks Interesting because others are by default Users.

So now we have to find the password of that user. We saw ‘Microsoft Terminal Service’ is open that’s mean RDP. So we can use ‘hydra’ or ‘crackmapexec’ for finding password. So let’s Hack :)

I uses ‘Crackmapexec’.

Tip : crackmapexec smb <ip> -u Jareth -P <pass_list>

Tip : hydra -l Jareth -P <pass_list> rdp://<ip>

After a Long time I have found the Password. So recharge your own Patience.

The valid password is : sarah

Tip : Jareth : sarah

So let’s authenticate the user with ‘evil-winrm’ tool.

At last we get a User access. In Jareth’s desktop I found the ‘user_flag’.

Privilege Escalation :

So it’s time for some PrivEsc. I type the below command and I found the SID of Jareth Account.

Also in ‘C:\’ drive I have found some hidden files.

‘$Recycle.Bin’ seems interesting. I jump over there and I found the same SID of Jareth. And I jump over that folder.

We found backups of the SAM and SYSTEM registry hives here. So we dump the password hashes of every user account on the system. So I downloaded those file in my Machine.

Tip : About SAM → https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-sam#:~:text=The%20Security%20Account%20Manager%20(SAM,users%20on%20the%20local%20computer.&text=If%20you%20configure%20this%20policy,a%20SAM%20object%20is%20accessed.

Here are those 2 Files.

We can dump password Hashes using a ‘Impacket’ tool called ‘secretsdump.py’.

Tip : You can find it in → /usr/share/doc/python3-impacket/examples

Here we got our main Weapon. The Administrator Hash. But we don’t have to crack that because we can authenticate and logged in as Administrator using that hash. ‘Evil-winrm’ is the best tool for this.

Tip : evil-winrm -i <ip> -u administrator -H <hash_value>

And we logged in as Administrator. Waooooo!!!!!

In the administrator’s Desktop I found the ‘admin_flag’.

In this way we pawned our first Windows Machine. Hope, You learn something new from this article.

THANKS FOR READING!!

Happy Hacking~