Sauna
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.95.180
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-06 07:23 EDT
Nmap scan report for 10.129.95.180
Host is up (0.0067s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49685/tcp open unknown
49692/tcp open unknown
Let's investigate port 80.
SMB + LDAP Enum
enum4linux reveals nothing. However, an nmap scan to enumerate LDAP does reveal the domain to us.
It seems the domain is EGOTISTICAL-BANK.LOCAL.
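The scan above is the classic domain-controller service footprint, which is what the LDAP enumeration then confirms. The following is an added example (not part of the original write-up) that parses the nmap port table and turns it into a defender's exposure review: it classifies the host as a DC from the combination of open ports and lists the services that should not be reachable from untrusted networks. The port table is embedded as constructed sample text in nmap's standard layout, and the exposure checklist is an assumption of this example, not a published standard.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the port table from the scan above, embedded so the
# script runs offline (assumption: nmap's standard "PORT STATE SERVICE" layout).
NMAP_OUTPUT = """\
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49685/tcp open unknown
49692/tcp open unknown
"""

# DNS, Kerberos, kpasswd, LDAP/LDAPS, global catalog and ADWS open together
# are the service footprint of an Active Directory domain controller.
DC_SIGNATURE_PORTS: Set[int] = {53, 88, 389, 464, 636, 3268, 3269, 9389}

# Services on a DC that should not be reachable from untrusted networks.
# This checklist is an assumption of the example, used for an exposure review.
EXPOSURE_CHECKLIST: Dict[int, str] = {
    88: "Kerberos exposed: AS-REP roasting and password-spray surface",
    135: "MSRPC endpoint mapper exposed",
    139: "NetBIOS session service exposed",
    389: "LDAP exposed: directory enumeration if anonymous bind is allowed",
    445: "SMB exposed",
    5985: "WinRM exposed: remote shell for anyone holding valid credentials",
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text: str) -> List[dict]:
    """Parse nmap's port table into a list of {port, proto, state, service}."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append({"port": int(m.group(1)), "proto": m.group(2),
                         "state": m.group(3), "service": m.group(4)})
    return rows


def open_tcp_ports(text: str) -> Set[int]:
    """The set of open TCP ports in the scan text."""
    return {r["port"] for r in parse_nmap_ports(text)
            if r["proto"] == "tcp" and r["state"] == "open"}


def looks_like_domain_controller(ports: Set[int]) -> bool:
    """True when every port of the DC footprint is open."""
    return DC_SIGNATURE_PORTS <= ports


def exposure_findings(ports: Set[int]) -> Dict[int, str]:
    """Checklist entries that are actually exposed on this host."""
    return {p: why for p, why in EXPOSURE_CHECKLIST.items() if p in ports}


if __name__ == "__main__":
    ports = open_tcp_ports(NMAP_OUTPUT)
    print("open:", sorted(ports))
    print("domain controller footprint:", looks_like_domain_controller(ports))
    for port, why in exposure_findings(ports).items():
        print(f"  {port}/tcp: {why}")
```

The same parser works on any `nmap -p-` output; the point of the review is that a DC answering on 88, 389 and 5985 from an untrusted segment is a finding in itself, before any credential is involved.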
Bank Usernames -> ASREP-Roast
This was a bank company website:

At the bottom, we can 'Meet The Team':

Using these names, we can make use of usernamer.py to generate possible usernames for the machine:
We can use getNPUsers.py with our possible usernames and see if we get a hash.
We can crack this hash easily.
Afterwards, we can get a shell using evil-winrm.

Grab the user flag.
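The AS-REP roast works only because an account has Kerberos pre-authentication disabled, and the KDC logs every step of it. The following is an added example (not from the original write-up) showing the defender's side: a detector over Security event 4768 (TGT requested) that flags AS-REPs issued without pre-authentication and the burst of "unknown principal" errors a generated username list leaves behind, plus a hardening check for the userAccountControl bit that makes an account roastable. The events and UAC values are constructed samples; fsmith is the account named in the write-up, the other names and addresses are made up.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# userAccountControl flag "Do not require Kerberos preauthentication"
# (ADS_UF_DONT_REQUIRE_PREAUTH). Any account with this bit set is roastable.
DONT_REQ_PREAUTH = 0x400000


@dataclass
class TgtRequest:
    """The fields of Security event 4768 that matter for this detection."""
    account: str
    client_ip: str
    pre_auth_type: int      # 0 = no pre-authentication was required
    ticket_encryption: int  # 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96
    result_code: int        # 0x0 = success, 0x6 = client principal unknown


# Constructed sample events, not telemetry from this box.
SAMPLE_4768: List[TgtRequest] = [
    TgtRequest("fsmith", "10.10.14.5", 0, 0x17, 0x0),   # roastable account, AS-REP handed out
    TgtRequest("ghost1", "10.10.14.5", 0, 0x17, 0x6),   # guessed name that does not exist
    TgtRequest("ghost2", "10.10.14.5", 0, 0x17, 0x6),
    TgtRequest("jdoe", "10.0.0.20", 2, 0x12, 0x0),      # normal logon: preauth + AES
    TgtRequest("svc_example", "10.0.0.21", 2, 0x12, 0x0),
]


def asrep_roast_events(events: List[TgtRequest]) -> List[TgtRequest]:
    """Successful 4768s with pre-auth type 0: the KDC returned an AS-REP whose
    encrypted part can be cracked offline, cheaply so when RC4 (0x17) was used."""
    return [e for e in events if e.result_code == 0 and e.pre_auth_type == 0]


def spraying_sources(events: List[TgtRequest], min_unknown: int = 2) -> Dict[str, int]:
    """Client IPs producing repeated 0x6 (unknown principal) results: the noise a
    generated username list leaves when it is tried against the KDC."""
    unknown = Counter(e.client_ip for e in events if e.result_code == 0x6)
    return {ip: n for ip, n in unknown.items() if n >= min_unknown}


def accounts_without_preauth(uac_by_account: Dict[str, int]) -> List[str]:
    """Hardening check: accounts whose userAccountControl has the no-preauth bit."""
    return sorted(a for a, uac in uac_by_account.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for e in asrep_roast_events(SAMPLE_4768):
        print(f"AS-REP without preauth: {e.account} from {e.client_ip} "
              f"enc=0x{e.ticket_encryption:x}")
    print("spray sources:", spraying_sources(SAMPLE_4768))
    # Constructed UAC values: 0x200 = NORMAL_ACCOUNT; fsmith also has 0x400000 set.
    print("clear DONT_REQ_PREAUTH on:",
          accounts_without_preauth({"fsmith": 0x400200, "jdoe": 0x200}))
```

The fix is the last function's output: clear the flag on every account it lists (and give any account that genuinely needs it a long random password and AES-only encryption types), so the hash the write-up cracks "easily" is never issued.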
Privilege Escalation
AutoLogon Creds
I ran a WinPEAS scan to enumerate for me. There, I found some AutoLogon credentials for the user.

We can login as this user using evil-winrm, but there's not much there for us.
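WinPEAS finds these credentials because the Winlogon key is world-readable and holds the password as plain REG_SZ data. The following is an added example (not from the original write-up) that parses `reg query` output for that key and reports the weak configuration next to the corrected one. The registry dumps are constructed samples in the layout `reg query` prints; the account name and password are placeholders, not the values from this box.

```python
import re
from typing import Dict, List

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample in the layout `reg query` prints for the Winlogon key;
# svc_example and PLACEHOLDER-PASSWORD are placeholders, not values from this box.
REG_QUERY_WEAK = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICAL-BANK
    DefaultUserName    REG_SZ    svc_example
    DefaultPassword    REG_SZ    PLACEHOLDER-PASSWORD
    AutoLogonCount    REG_DWORD    0x0
"""

# The same key after the fix: autologon off and the cleartext value deleted.
REG_QUERY_HARDENED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    0
    DefaultDomainName    REG_SZ    EGOTISTICAL-BANK
    DefaultUserName    REG_SZ    svc_example
"""

# "<name>  REG_<type>  <data>" as printed by reg query; the key path line has
# no REG_ type column and is skipped.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(text: str) -> Dict[str, str]:
    """Turn `reg query` output into {value name: data}."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values


def autologon_findings(values: Dict[str, str]) -> List[str]:
    """Flag what lets any local reader of the key recover a domain password."""
    findings = []
    if values.get("AutoAdminLogon") == "1":
        who = values.get("DefaultDomainName", "") + "\\" + values.get("DefaultUserName", "?")
        findings.append(f"AutoAdminLogon is enabled for {who}")
    if values.get("DefaultPassword"):
        findings.append("DefaultPassword is stored as cleartext REG_SZ data in "
                        f"{WINLOGON_KEY}, readable by any local user")
    return findings


if __name__ == "__main__":
    for label, dump in (("weak", REG_QUERY_WEAK), ("hardened", REG_QUERY_HARDENED)):
        print(label, autologon_findings(parse_reg_query(dump)) or ["no findings"])
```

Sysinternals Autologon stores the password as an LSA secret instead of this registry value, which keeps it out of reach of unprivileged users but not of local administrators; on a domain controller the durable fix is to not use automatic logon at all and to rotate the exposed account's password.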
BloodHound
I enumerated the system with BloodHound using FSmith's credentials.
After uploading the data, we can see what privileges this user has, and find out that he has DCSync privileges over the DC.

This means we can use secretsdump.py to read the hashes of the entire machine.

Then, just pass the hash using evil-winrm to get an administrator shell.
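DCSync is just the directory replication protocol exercised by a principal that should not hold replication rights, and a domain controller records each such call as Security event 4662 with the replication extended-right GUIDs in the Properties field. The following is an added example (not from the original write-up) with two defender checks: a detector over 4662 events that flags replication rights exercised by anything other than a DC computer account, and an audit of the domain object's ACEs for principals holding those rights beyond the default set. The GUIDs are the well-known DS-Replication-Get-Changes rights; the events, the ACE list, DC01$ and svc_example are constructed placeholders, and the expected-holder list is an assumption for a default domain.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Extended-right GUIDs a principal needs on the domain object to pull secrets
# the way secretsdump.py does; legitimate DCs use the same rights to replicate.
REPLICATION_RIGHTS: Dict[str, str] = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Principals expected to hold replication rights on the domain object.
# Assumption: a default domain; add approved sync or backup accounts here.
EXPECTED_HOLDERS: Set[str] = {
    "Domain Controllers", "Enterprise Domain Controllers",
    "Administrators", "Domain Admins", "Enterprise Admins",
}


@dataclass
class ObjectAccessEvent:
    """Subset of Security event 4662 (an operation was performed on an object)."""
    subject: str           # SubjectUserName; DC computer accounts end in '$'
    access_mask: int
    properties: Set[str]   # GUIDs listed in the event's Properties field


def is_dcsync(ev: ObjectAccessEvent, dc_accounts: Set[str]) -> bool:
    """Replication rights exercised by anything other than a known DC account."""
    if not ev.access_mask & CONTROL_ACCESS:
        return False
    if not ev.properties & REPLICATION_RIGHTS.keys():
        return False
    return ev.subject.upper() not in {d.upper() for d in dc_accounts}


def detect_dcsync(events: List[ObjectAccessEvent], dc_accounts: Set[str]) -> List[str]:
    """Subjects that performed DCSync-style replication."""
    return [ev.subject for ev in events if is_dcsync(ev, dc_accounts)]


def audit_replication_aces(aces: List[Dict[str, str]]) -> List[str]:
    """Hardening check: principals granted replication rights outside the expected set."""
    return sorted({a["principal"] for a in aces
                   if a["right"] in REPLICATION_RIGHTS
                   and a["principal"] not in EXPECTED_HOLDERS})


# Constructed samples; DC01$ and svc_example are placeholders, not names from this box.
SAMPLE_4662 = [
    ObjectAccessEvent("DC01$", 0x100, {"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),
    ObjectAccessEvent("svc_example", 0x100, {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                             "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),
    # Ordinary attribute read with a constructed, unrelated property GUID.
    ObjectAccessEvent("jdoe", 0x10, {"00000000-0000-0000-0000-000000000000"}),
]
SAMPLE_ACES = [
    {"principal": "Domain Controllers", "right": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "Domain Admins", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "svc_example", "right": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"principal": "jdoe", "right": "00000000-0000-0000-0000-000000000000"},
]

if __name__ == "__main__":
    print("DCSync by:", detect_dcsync(SAMPLE_4662, {"DC01$"}))
    print("unexpected replication rights:", audit_replication_aces(SAMPLE_ACES))
```

The ACE audit is the preventive half: the BloodHound edge the write-up follows exists only because a service account was granted these rights, and removing that grant (then rotating krbtgt and any accounts already dumped) closes the path. The 4662 detection needs the "Directory Service Access" audit subcategory enabled on the DCs.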
