TryHackMe: Advent of Cyber 2023 (Day 11) Jingle Bells, Shadow Spells

Samantha
3 min read · Dec 20, 2023


“AntarctiCrafts’ technology stack was very specialised. It was primarily focused on cutting-edge climate research rather than prioritising robust cyber security measures.

As the integration of the two infrastructure systems progresses, vulnerabilities begin to surface. While AntarctiCrafts’ team displays remarkable expertise, their small size means they need to emphasise cyber security awareness.

Some users have too many permissions. We addressed most of these instances in the previous audit, but is everything now sorted out from the perspective of the HR user?”

Q1: What is the hash of the vulnerable user?

There is a script on the HR user’s desktop called PowerView, which can audit the current user for any vulnerable AD permissions.

You can get that script up and running like this:

You can then use this command to run the script:

You can see here that this user has GenericWrite permissions on the vansprinkles object, which is another user account.

There is a program on the desktop called Whisker that can be used to exploit this type of vulnerability.

This generates a certificate that will allow you to authenticate as the vansprinkles user with yet another tool on the desktop called Rubeus.

Next, copy and paste this entire thing as your next command:

Just make sure you change the beginning to “.\Rubeus.exe” so it runs correctly.

After that, you can see the hash from vansprinkles:

Q2: What is the content of flag.txt on the Administrator Desktop?

From here you can conduct a pass-the-hash attack to log in as vansprinkles, using a tool called Evil-WinRM. You will need to do this from your AttackBox.

Navigate to the admin desktop from the vansprinkles account to retrieve the flag.
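From the defender's side, the Whisker step above works by adding a key credential to the target's msDS-KeyCredentialLink attribute, and a domain controller records that write as Security event 5136 when Directory Service Changes auditing and a SACL on the object are in place. The following is an added example, not part of the original writeup or the room: it filters trimmed 5136 records for key-credential additions by accounts outside an allowlist. The sample events, the "hr" and "svc-keysync" account names, and the example.local domain are constructed placeholders.

```python
import xml.etree.ElementTree as ET

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
KEY_ATTR = "msds-keycredentiallink"  # compared case-insensitively
VALUE_ADDED, VALUE_DELETED = "%%14674", "%%14675"  # 5136 OperationType codes
# Assumption: accounts expected to write key credentials in this environment.
ALLOWED_WRITERS = {"svc-keysync"}

def sample_event(event_id, subject, object_dn, attribute, operation):
    """Build a constructed, trimmed event record (not captured from the room)."""
    return f"""<Event xmlns="{EVENT_NS}">
  <System><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="ObjectDN">{object_dn}</Data>
    <Data Name="AttributeLDAPDisplayName">{attribute}</Data>
    <Data Name="OperationType">{operation}</Data>
  </EventData>
</Event>"""

TARGET_DN = "CN=vansprinkles,CN=Users,DC=example,DC=local"  # placeholder domain
SAMPLES = [
    sample_event(5136, "hr", TARGET_DN, "msDS-KeyCredentialLink", VALUE_ADDED),
    sample_event(5136, "SVC-KeySync", TARGET_DN, "msDS-KeyCredentialLink", VALUE_ADDED),
    sample_event(5136, "helpdesk", TARGET_DN, "description", VALUE_ADDED),
    sample_event(5136, "hr", TARGET_DN, "msDS-KeyCredentialLink", VALUE_DELETED),
]

def parse_event(xml_text):
    """Flatten one event into a dict of EventData fields plus the EventID."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["EventID"] = root.findtext("e:System/e:EventID", default="", namespaces=NS)
    return fields

def find_key_credential_writes(events_xml, allowed=ALLOWED_WRITERS):
    """Return (writer, target DN) for key-credential additions by unexpected accounts."""
    allowed = {name.lower() for name in allowed}
    hits = []
    for fields in map(parse_event, events_xml):
        is_add = (fields["EventID"] == "5136"
                  and fields.get("AttributeLDAPDisplayName", "").lower() == KEY_ATTR
                  and fields.get("OperationType") == VALUE_ADDED)
        if is_add and fields.get("SubjectUserName", "").lower() not in allowed:
            hits.append((fields["SubjectUserName"], fields["ObjectDN"]))
    return hits

if __name__ == "__main__":
    for writer, target in find_key_credential_writes(SAMPLES):
        print(f"ALERT: {writer} added a key credential to {target}")
```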
