Sauna-HTB-Walkthrough

Synopsis:

Sauna is an easy Linux box. The box includes:
1. Grabbing usernames from the web.
2. Abusing Kerberos using impacket.
3. Dumping the hash of Administrator using secretsdump.py.

Scripts/Tools used:

1. evil-winrm: gem install evil-winrm

1. Portscan:

The portscan result shows all Active Directory ports are open.

2. USER

2.2 WEB Enumeration:

Visiting the website, we can see the members of the team on the about.html page.

I saved them as:
       fsmith
       scoins
       hbear
       ....
       ....

2.1 LDAP Enumeration:

As the LDAP port is also open, I manually enumerated the service using Python and found the domain name "egotistical-bank.local".

2.2 Initial Foothold:

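So far we have a list of users, the domain name, and Kerberos running on port 88. So I tried to grab a Kerberos TGT using the impacket tool "GetNPUsers.py", which requests a ticket for each listed user and succeeds for accounts that do not require Kerberos pre-authentication.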


And we have a successful hit on fsmith.
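
On the domain controller, a ticket request like the one above is logged as event 4768 with pre-authentication type 0. The following Python detection sketch is an added example, not part of the original walkthrough; the log records, source addresses, the account `jdoe`, the JSON-lines layout and the threshold are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed, simplified event-4768 records (one JSON object per line).
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "hbear", "IpAddress": "::ffff:10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TargetUserName": "scoins", "IpAddress": "::ffff:10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "::ffff:10.10.14.7", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"}
{"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.10.10.50", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"}
"""

def parse_events(text):
    """Parse JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def source_ip(event):
    """Return the client address without the IPv4-mapped IPv6 prefix."""
    return event.get("IpAddress", "").replace("::ffff:", "", 1)

def detect_asrep_roasting(events, spray_threshold=3):
    """Flag TGTs issued without pre-authentication (Status 0x0, PreAuthType 0).

    Severity is raised when the same source asked for tickets for at least
    `spray_threshold` distinct account names, which suggests a user list
    being tried rather than a single legitimate logon.
    """
    findings = []
    names_by_ip = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        ip = source_ip(ev)
        user = ev.get("TargetUserName", "").lower()
        names_by_ip[ip].add(user)
        if ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0":
            findings.append({
                "user": user,
                "source": ip,
                # 0x17 is RC4-HMAC, the weakest ticket encryption type to crack offline
                "rc4": ev.get("TicketEncryptionType") == "0x17",
            })
    for hit in findings:
        sprayed = len(names_by_ip[hit["source"]]) >= spray_threshold
        hit["severity"] = "high" if sprayed else "medium"
    return findings

if __name__ == "__main__":
    for finding in detect_asrep_roasting(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Every account this flags should have "Do not require Kerberos preauthentication" cleared unless there is a documented reason for it.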

2.3 User Flag:

Cracking the TGT of fsmith with john.


And we own User.


3. Root

Basic enumeration, such as searching for clear-text passwords in the Registry, reveals the password of one user.

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"


There is no user named "svc_loanmanager", but there is "svc_loanmgr".


Next, I used the secretsdump.py tool to obtain the hashes of all the users.


Using the hash to log in with evil-winrm.


Thank you for reading.

