mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 20:13:02 +00:00
179 lines
6.1 KiB
Markdown
179 lines
6.1 KiB
Markdown
|
# HackTheBox - Sauna
|
||
|
|
||
|
## NMAP
|
||
|
|
||
|
```bash
|
||
|
PORT STATE SERVICE VERSION
|
||
|
53/tcp open domain?
|
||
|
| fingerprint-strings:
|
||
|
| DNSVersionBindReqTCP:
|
||
|
| version
|
||
|
|_ bind
|
||
|
80/tcp open http Microsoft IIS httpd 10.0
|
||
|
| http-methods:
|
||
|
| Supported Methods: OPTIONS TRACE GET HEAD POST
|
||
|
|_ Potentially risky methods: TRACE
|
||
|
|_http-server-header: Microsoft-IIS/10.0
|
||
|
|_http-title: Egotistical Bank :: Home
|
||
|
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-13 14:37:44Z)
|
||
|
135/tcp open msrpc Microsoft Windows RPC
|
||
|
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
|
||
|
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
|
||
|
445/tcp open microsoft-ds?
|
||
|
464/tcp open kpasswd5?
|
||
|
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||
|
636/tcp open tcpwrapped
|
||
|
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
|
||
|
3269/tcp open tcpwrapped
|
||
|
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|
||
|
|_http-server-header: Microsoft-HTTPAPI/2.0
|
||
|
|_http-title: Not Found
|
||
|
9389/tcp open mc-nmf .NET Message Framing
|
||
|
49667/tcp open msrpc Microsoft Windows RPC
|
||
|
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
|
||
|
49674/tcp open msrpc Microsoft Windows RPC
|
||
|
49677/tcp open msrpc Microsoft Windows RPC
|
||
|
49689/tcp open msrpc Microsoft Windows RPC
|
||
|
49696/tcp open msrpc Microsoft Windows RPC
|
||
|
|
||
|
|
||
|
```
|
||
|
|
||
|
From the port 88 we can say that this is an Active directory machine because on this port kerberos runs for authenticating users also we can see LDAP service running as well
|
||
|
|
||
|
## PORT 139/445 (SMB)
|
||
|
|
||
|
We can try to list shares as an un-authenticated user using `smbmap`
|
||
|
|
||
|
<img src="https://i.imgur.com/WSi7Dnb.png"/>
|
||
|
|
||
|
But this smb is configured to only allow access to authenticated users so let's move on
|
||
|
|
||
|
|
||
|
## PORT 389 (LDAP)
|
||
|
|
||
|
Through LDAP and SMB I tried to use enumerate usernames by running `enum4linux-ng`
|
||
|
|
||
|
<img src="https://i.imgur.com/Dk8kGA2.png"/>
|
||
|
|
||
|
But it failed to enumerate usernames and groups
|
||
|
|
||
|
<img src="https://i.imgur.com/A56URCw.png"/>
|
||
|
|
||
|
## PORT 80 (HTTP)
|
||
|
|
||
|
<img src="https://i.imgur.com/ZzDtBV2.png"/>
|
||
|
|
||
|
Going into about section , we can see few usernames that we can make a list of then try to see if either one of them has pre-authentication disabled
|
||
|
|
||
|
<img src="https://i.imgur.com/DDhTOIC.png"/>
|
||
|
|
||
|
Other than that I ran `gobuster` , fuzzing for files and directories but didn't found anything interesting
|
||
|
|
||
|
<img src="https://i.imgur.com/5MxUhxQ.png"/>
|
||
|
|
||
|
So the list of usernames I made were
|
||
|
|
||
|
```
|
||
|
FSmith
|
||
|
fsmith
|
||
|
Fsmith
|
||
|
SCoins
|
||
|
scoins
|
||
|
Scoins
|
||
|
HBear
|
||
|
hbear
|
||
|
Hbear
|
||
|
BTaylor
|
||
|
btaylor
|
||
|
Btaylor
|
||
|
SDriver
|
||
|
Sdriver
|
||
|
sdriver
|
||
|
SKerb
|
||
|
Skerb
|
||
|
skerb
|
||
|
Administrator
|
||
|
krbtgt
|
||
|
administrator
|
||
|
```
|
||
|
|
||
|
## Foothold
|
||
|
|
||
|
We can either use impacket's `GetNPUsers.py` or use `kerbrute` to see which users have pre-authentication disabled also to verify which users are valid
|
||
|
|
||
|
<img src="https://i.imgur.com/HuCxUEU.png"/>
|
||
|
|
||
|
And in an instant it dumped the user's hash , also we can get the same output with impacket script as well
|
||
|
|
||
|
<img src="https://i.imgur.com/5fgdIY9.png"/>
|
||
|
|
||
|
Now we can crack this hash using `hashcat` , we can visit hashcat examples page to find out the correct mode of this hash
|
||
|
|
||
|
<img src="https://i.imgur.com/q0mSzIJ.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/9IEyoDn.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/NJgNqeB.png"/>
|
||
|
|
||
|
port 5985 is open on which winrm runs (windows remote management) through which we can remotely login to a system , so using the credentials we have let's try doing it with `evil-winrm`
|
||
|
|
||
|
<img src="https://i.imgur.com/xhJ44RT.png"/>
|
||
|
|
||
|
We can do some basic enumeration to see in which groups this user is
|
||
|
|
||
|
<img src="https://i.imgur.com/2OTIKCJ.png"/>
|
||
|
|
||
|
So can't really do anything being in those groups , in order to enumerate the AD we can use sharphound that would collect the information and create an archive
|
||
|
|
||
|
<img src="https://i.imgur.com/2ZCmBMg.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/Gty129C.png"/>
|
||
|
|
||
|
We have this archive file generated which has the information of AD objects , we need to download this on our local machine and import this to bloodhound GUI
|
||
|
|
||
|
<img src="https://i.imgur.com/gGQTmnN.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/d77NCel.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/8zZd6s1.png"/>
|
||
|
|
||
|
Running the pre-built query for finding kerberosatable accounts we see `HSmith`'s account , I tried to use `GetUserSPNs.py` but was failing in retrieving hash even after synchronizing the timezone with the machine
|
||
|
|
||
|
<img src="https://i.imgur.com/1jtaX65.png"/>
|
||
|
|
||
|
Then I tried running `winpeas.exe` but it didn't work
|
||
|
|
||
|
<img src="https://i.imgur.com/B7Vyz0z.png"/>
|
||
|
|
||
|
## Privilege Escalation (svc_loanmgr)
|
||
|
|
||
|
We could try to run `winpeas.bat`
|
||
|
|
||
|
<img src="https://i.imgur.com/Hg8jpsK.png"/>
|
||
|
|
||
|
<img src="https://i.imgur.com/VD0zuEL.png"/>
|
||
|
|
||
|
This gives us clear text password , but the username here is `svc_loanmgr` so with evil-winrm we can login
|
||
|
|
||
|
<img src="https://i.imgur.com/EBRY1SP.png"/>
|
||
|
|
||
|
## Privilege Escalation (Administrator)
|
||
|
|
||
|
Going back to bloodhound , we can mark this service account as "owned" and seeing if this user can reach to higher targets
|
||
|
|
||
|
<img src="https://i.imgur.com/t6naV7J.png"/>
|
||
|
|
||
|
Here this service account has `GetChangesAll` rights on the domain which means this account can request for DCSync which means that we can ask domain controller for password hashes, either we can use mimkatz or impacket so I will be showing both methods
|
||
|
|
||
|
with `secretsdump.py`
|
||
|
|
||
|
<img src="https://i.imgur.com/GF6IEkM.png"/>
|
||
|
|
||
|
|
||
|
<img src="https://i.imgur.com/Vrshv4l.png"/>
|
||
|
|
||
|
with `mimikatz.exe` (although I tried to use mimikatz.ps1 but it wasn't working)
|
||
|
|
||
|
<img src="https://i.imgur.com/3k7tkN2.png"/>
|