Kerberos

Overview Fusion corp is a hard rated box on tryhackme. After some basic enumeration fails, we find a backup file on the web server that contains a list of usernames. One of these users, lparker, is vulnerable to AS-REP Roasting because they have Kerberos pre-authentication disabled. We get their hash, crack it, and get a shell on the box. From there, post-exploitation enumeration reveals another user, jmurphy, with their password stored in the user account’s comment field. This user is a member of the Backup Operators group. We abuse this privilege to create a shadow copy of the C: drive and exfiltrate the ntds.dit and SYSTEM hives. Finally, we use secretsdump.py to dump all the domain hashes, get the administrator’s hash, and use it to get the final flag. ...

Overview Ra is a Hard machine on TryHackme it started with exploiting a weak password reset mechanism on a web application. After finding employee names and guessing a security question based on a pet’s name found in an image file, we get our initial credentials. This leads us to an SMB share with an installer for a vulnerable Spark XMPP client. The real challenge begins here: we have to set up a sandboxed environment to run the client, debug Java and audio errors within Docker, and finally exploit a Cross-Site Scripting (XSS) vulnerability (CVE-2020-12772) to capture another user’s NTLM hash. ...