# VulNet: Roasted

![](/files/-MefVH3rI5i3YmPeMBtf)

## Scanning

Let's run some nmap scans to find open ports and the services running on them.

![](/files/-MefhIxM7IMvssAuwAxH)

![](/files/-Mefhc62u1HkriYnSW_C)

## Enumeration

Let's enumerate the SMB shares using Smbmap as an anonymous user.

![](/files/-Megdc-X2gV0fLLClF_E)

It looks like we can read IPC$, so let's enumerate valid domain users using impacket's lookupsid.py and save the output in a file called usernames. (Hit Enter when it asks for the password.)

![](/files/-MegekZN6D0VEMDzdugz)

Now let's extract only the usernames from the file and save them back into the same file.

![](/files/-MegfMKmDXi6-Y0H4avM)

Now let's use another Python script from impacket that checks which of the usernames are valid and whether they require Kerberos pre-authentication (PREAUTH). An account that does not require it hands back a hash we can try to crack offline. The domain is vulnnet-rst.local, as we saw in the nmap scan. Let's also save any hashes we get in a file called asrep\_hashes.txt.

![](/files/-Megfyger1lyZe_xiHry)

We have a hash, so let's crack it using hashcat.
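From the defender's side, the request made in the pre-authentication check above is logged on the domain controller as event 4768 with pre-authentication type 0. The following is an added example, not part of the original writeup, that flags such events in a constructed JSON-lines export; the sample accounts, addresses and function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: event 4768 (Kerberos TGT requested) records exported from a
# domain controller's Security log as JSON lines. Accounts and addresses are made up.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.21"}
{"EventID": 4768, "TargetUserName": "nosuchuser", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:10.0.0.50"}
{"EventID": 4768, "TargetUserName": "svc-legacy", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"}
{"EventID": 4768, "TargetUserName": "kiosk", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.33"}
"""

RC4_HMAC = 0x17  # weak etype; an RC4 reply for a no-preauth account deserves a closer look


def find_no_preauth_tgts(lines):
    """Group successful TGT requests made without pre-authentication by source address."""
    hits = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # failed requests (e.g. unknown user) return no AS-REP
        if str(ev.get("PreAuthType")) != "0":
            continue  # pre-authentication was performed
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        src = ev.get("IpAddress", "").replace("::ffff:", "")
        hits[src].append((ev.get("TargetUserName"), etype == RC4_HMAC))
    return dict(hits)


def summarize(hits):
    """Return sorted (source, accounts, severity) tuples for triage."""
    report = []
    for src, entries in sorted(hits.items()):
        accounts = sorted({name for name, _ in entries})
        # RC4 replies or several accounts from one source are more suspicious
        noisy = len(accounts) > 1 or any(rc4 for _, rc4 in entries)
        report.append((src, accounts, "high" if noisy else "medium"))
    return report


if __name__ == "__main__":
    for row in summarize(find_no_preauth_tgts(SAMPLE_EVENTS.splitlines())):
        print(row)
```

Every account this reports has "Do not require Kerberos preauthentication" set; clearing that option removes the exposure, and a long random password limits the damage where the option has to stay.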

## Exploitation

![](/files/-MeggIewEhg1qQZ-otn7)

We have the password. Now let's try to access the SMB shares with the credentials, starting with a look at which shares are available.

![](/files/-Megi_hN6LW__zOp5Yqn)

We have two new shares. Let's look at NETLOGON first and download the available files onto our machine.

![](/files/-Megj0_PbZkdIwDCWETj)

Let's look at the file.

![](/files/-MegjIBy138IwA3VwNH-)

We have credentials, so let's log in to the machine.

![](/files/-MegkqPd2oSBmX8yTLbl)

Let's read the user flag.

![](/files/-Megl0Ic4gxeBn-eh3ZH)

## Privilege Escalation

Let's look in more detail at what this user can do.

![](/files/-MeglHqGyvfbHwxXWCe7)

We belong to the admin group, so let's dump hashes with another impacket tool.

![](/files/-MegmgV0TpztQUpCJtpw)

Let's log in as admin.

![](/files/-MegnZ2So1P3FCT-DAXc)

Let's read the admin flag.

![](/files/-Megnh5ljzv3iXk_tpu9)

