OSCP PREPROTİONS – HTB Sauna

Sauna machine is a vulnerable machine with Windows operating system among retired machines. It is expected to obtain user and root flags using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan

Full Port Scan

As a result of port scanning, we detected many open ports. Important ports 53/tcp domain Simple DNS Plus, 80/tcp http Microsoft IIS httpd 10.0, 88/tcp kerberos-sec Microsoft Windows Kerberos, 389/tcp ldap Microsoft Windows Active Directory LDAP ports were detected and enumeration will be done on these ports.
As a result of the Nmap scan, it was detected that Windows active diretctory is installed and the domain address is egotıstıcal-bank.local. We note this and continue.
First, let’s run a scan through smb.
We used crackmapexec, rpcclient, smbmap, tools and did not get any results.
We provide ldap enumertion.

rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
| ldapServiceName: EGOTOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL

Then run it on the target with the ldapsearch tool

Now that we are sure of the domain name, we can use ldapsearch -x -H ldap://10.10.10.175 -b ‘DC=EGOTISTICAL-BANK,DC=LOCAL’
egotistical-bank
I use the command

We have the information but no useful information.
We provide a scan to see if the DNS port can be open dnszone

There is no dns zone.
Now we go to the enumeration part over the web.

I’m just browsing around, nothing interesting comes up. All pages are static and forms are not working.
We did a hidden file and directory scan with gpbsuter, we looked at the source code, we didn’t find anything, we only found the files that can be found on domian.

We’ve noted those that may be users.
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

These users can be used in the AD environment. One of the first steps in solving AD machines is to find users. We can use these users, but the users are not stored in this way, they need to be stored in a way suitable for AD. (https://activedirectorypro.com/active-directory-user-naming-convention/)
With our list of common usernames for any of them, we can see if Kerberos pre-authentication is disabled. Kerberos pre-authentication authentication protects against password guessing attacks. When Kerberos pre-authentication is not enabled, it sends a fake request to authenticate. The KDC (Key Distribution Center) will check the authentication service request (AS-REQ), verify user information, and issue a shirred Ticket Granting Ticket (TGT). The Ticket Granting Ticket (TGT) is encrypted with the NTLM hash of the corresponding account. We can generate a hash from this, or we can crack this hash.
I will use the username-anarchy (https://github.com/urbanadventurer/username-anarchy) tool to set up these users appropriately. First I save the users I get in a file and then I use them in username-anarchy.

He created 88 usernames. Now let’s try to determine if these users exist or not.
We will use the kerbrute tool for this.

Out of 88 users, kerbrute found the user fsmith@EGOTISTICAL-BANK.LOCAL.
The next step is to determine if the “Don’t require Kerberos pre-authentication” option is enabled. For this we will use the GetNPUsers.py tool.
We could not detect this in the users

We got the hash value from user fsmith

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:300eab0f59bbc3a7c63afeee4fe94128$5ef9adec4387d32614da7c889204f086f4869adb8a5541925415454ff7a9323fe13d702f0cb7ffe5143d4c529e656cbfa2337bb5821067c910514d679eaf15d78aaa9ea3f7b37783031a801febd6c9e282918ff56fdb7dfd09a4200708011e80c3952f2812528b8a03adaba16d49d1a9e22cb56acff58e69893bb9b6c57f155e14ff2d0f5593149cbc0e0852245e2f6ecb84aa7cfaa01c7205d8cff436d9d2057ce8967648cfa7280f846738ea03d11f279b211119f5f090d6f37a458b15bf298b8468b8365ee9adb6ad1197de0a469ece31a4f309e0f6f141e294567fafa3ac38b87d0833d53c0dd3314588171318f350e5cc6ddf4ea893789ebb8c015ebddf

Let’s break this hashi with johnthetipper

Here we have cracked the hash and obtained the password Thestrokes23.
Since port 5985.port is open, let’s try to connect to winRM with this credential. WinRM (Windows Remote Management) is a built-in remote management protocol native to Windows and is usually enabled for users who need to manage systems remotely. To use it, we connected using the evilwinrm tool.

This way we got our user flag but we didn’t have access to Adminstrator. Therefore, we provide local enumeration.
We use winpeas.exe tool to provide automation local enumeration.
https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md
Since we provided connection with Evil-WinRM, we transferred our file to the target machine by typing the “upload” command here.

Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
here we saw the svc_loanmanager credential information. When we look at the users here, there is no svc_loanmanager, the closest named user is svc_loanmgr

Let’s try to connect from this user

We managed to connect from the svc_loanmgr user, but we still can’t get into the adminstrator directory.
Therefore, we continue with local enumeration.
We will use bloodhound to provide local enumeration in AD. We can identify attack chains that will allow privilege escalation on the domain. We can visualize the data we collect with Bloodhound.
We download sharphound to run it on the target.

Then we upload it to the target machine and run it.

After installing sharphound on the target, we run bloodhound on our local machine.
Then we extract the zip file created by sharphound with dowloand

We drag and drop this zip file into bloodhpund.

Here we then select the users we have owned, i.e. captured

We did the same for fshmith
Then we searched how we can seize the domain admin in the quiers section.
It said that we could seize the domain admin with dvsync.

Right click here and say help

As we see in the Help section, we see that we can get it with secretdum.py

Let’s try to implement it now
Secretdump.py did not bring us the hash information no matter what we did, so we installed and ran mimikatz on the machine and got the adminstrator hash.
C:\Users\svc_loanmgr\Documents> .\mimikatz ‘lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator’ exit

Credentials:
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
ntlm-1: d9485863c1e9e05851aa40cbb4ab9dff
ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
lm – 0: 365ca60e4aba3e9a71d78a3912caf35c
lm – 1: 7af65ae5e7103761ae828523c7713031
using this hash information we will perform a pass-the-hash attack and use psexec.py to log in to the system user
psexec.py -hashes ‘823452073d75b9d1cf70ebdf86c7f98e:823452073d75b9d1cf70ebdf86c7f98e’ -dc-ip 10.10.10.175 administrator@10.10.10.175

As you can see, we were able to log in from the system user and get our root flag.
If we wanted to log in from the admin user session, we would use the wmiexec.py tool.

Comments

  1. dobry sklep

    Wow, fantastic weblog structure! How lengthy have you been running a blog for?
    you made running a blog glance easy. The overall glance of your web site is magnificent, let alone the content
    material! You can see similar here dobry sklep

  2. sklep

    A fascinating discussion is definitely worth comment.
    There’s no doubt that that you should publish more on this subject,
    it might not be a taboo subject but generally people don’t discuss such topics.

    To the next! Cheers!! I saw similar here:
    Sklep online

  3. najlepszy sklep

    Hi! Do you know if they make any plugins to assist with Search Engine Optimization? I’m trying to get my blog
    to rank for some targeted keywords but I’m not seeing very good results.
    If you know of any please share. Thanks! You can read similar art here:
    E-commerce

  4. Szpiegowskie Telefonu

    Może to być denerwujące, gdy twoje relacje są zakłócone, a jej telefonu nie można śledzić. Teraz możesz łatwo wykonać tę czynność za pomocą aplikacji szpiegowskiej. Te aplikacje monitorujące są bardzo skuteczne i niezawodne i mogą określić, czy twoja żona cię oszukuje.

  5. AA List

    Hey! Do you know if they make any plugins to assist with SEO?
    I’m trying to get my website to rank for some targeted
    keywords but I’m not seeing very good success. If you know of any please
    share. Thanks! I saw similar text here: Link Building

Bir yanıt yazın

E-posta adresiniz yayınlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir