by SirBroccoli (Please give “respect” in www.hackthebox.eu/home/users/profile/57519)
Enumeration
I used the tool legion to automate the enumeration process:
The most interesting open ports were HTTP (80), Kerberos (88) and WinRM (5985).
User
Using legion again, I enumerated the LDAP port:
A lot of information was returned, but the most interesting part was:
Variations I tried:
Hugo Smith
HugoSmith
hugo.smith
h.smith
hsmith
smithh
smith.h
smith.hugo
smithhugo
smith hugo
Found user:
It's time to take a look at the web server. There you will only find a few HTML pages, but some
of them contain interesting names:
Now that we know the format used to create the usernames, let's check these candidate
usernames:
fsmith
scoins
sdriver
btaylor
hbear
We found that the user "fsmith" is vulnerable to AS-REP roasting, and we have obtained the
crackable "hash":
So, let's crack it with john and rockyou:
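From the defender's side, the step above leaves a clear trace: the KDC logs every TGT request as Security event 4768, and a roastable account is simply one whose userAccountControl has the "do not require Kerberos preauthentication" bit set. The following is an added example (not part of this write-up) that encodes both checks in Python over constructed sample events; the event field names follow the 4768 event, but the records themselves, the IPs and the userAccountControl values are made up for the demonstration.

```python
"""Detecting AS-REP roasting from Security event 4768 and finding roastable accounts.
Added example; the sample events and userAccountControl values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# userAccountControl bit "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000

# TicketEncryptionType value for RC4-HMAC. Roasting tools request it because an RC4
# AS-REP can be cracked offline with john or hashcat, exactly as this write-up does.
RC4_HMAC = 0x17


@dataclass
class TgtRequest:
    """The fields of a Kerberos TGT request (Event ID 4768) that matter for detection."""
    account: str
    client_ip: str
    pre_auth_type: int   # 0 = no pre-authentication performed, 2 = PA-ENC-TIMESTAMP
    enc_type: int        # TicketEncryptionType (0x12 = AES256, 0x17 = RC4)
    result_code: str     # "0x0" means the KDC issued the ticket


def is_asrep_roast_candidate(ev: TgtRequest) -> bool:
    """A TGT issued with no pre-authentication and RC4 encryption is the roasting signature."""
    return ev.result_code == "0x0" and ev.pre_auth_type == 0 and ev.enc_type == RC4_HMAC


def flag_asrep_roasting(events: list[TgtRequest]) -> list[tuple[str, str]]:
    """Return de-duplicated (account, client_ip) pairs that match the roasting signature."""
    hits = {(ev.account, ev.client_ip) for ev in events if is_asrep_roast_candidate(ev)}
    return sorted(hits)


def accounts_without_preauth(users: dict[str, int]) -> list[str]:
    """From a {sAMAccountName: userAccountControl} map, list accounts exposed to roasting.
    Clearing the flag (or restricting the account to AES) removes this attack surface."""
    return sorted(name for name, uac in users.items() if uac & DONT_REQ_PREAUTH)


# Constructed sample events: an ordinary AES logon, a roasting request, and a request for
# a principal the KDC does not know (result code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN).
SAMPLE_4768 = [
    TgtRequest("hsmith", "10.10.14.5", pre_auth_type=2, enc_type=0x12, result_code="0x0"),
    TgtRequest("fsmith", "10.10.14.5", pre_auth_type=0, enc_type=RC4_HMAC, result_code="0x0"),
    TgtRequest("scoins", "10.10.14.5", pre_auth_type=0, enc_type=RC4_HMAC, result_code="0x6"),
]

# Constructed userAccountControl values:
# 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH, 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD.
SAMPLE_UAC = {"fsmith": 0x410200, "hsmith": 0x10200, "scoins": 0x200}

if __name__ == "__main__":
    print("roasting observed:", flag_asrep_roasting(SAMPLE_4768))
    print("roastable accounts:", accounts_without_preauth(SAMPLE_UAC))
```

The first function is what a SIEM rule would encode (many rules also drop the RC4 condition and alert on any pre_auth_type 0 success); the second is the preventive audit, run against the directory rather than the logs, that finds accounts like "fsmith" before anyone roasts them.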
Now, just connect via WinRM and grab the user flag:
Root
I started enumerating the box using WinPEAS. It found some interesting credentials stored in
the Winlogon registry key (autologon settings):
There isn’t any user called “svc_loanmanager” but there is one called “svc_loanmgr”:
svc_loanmgr:Moneymakestheworldgoround!
And you can connect to it with the password extracted from the registry:
You can also use SharpHound to enumerate the domain, and you will find that the user
svc_loanmgr has the replication rights needed to run DCSync against the DC:
Let's abuse these privileges with mimikatz and extract the hash of the Administrator user:
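The DCSync step is also visible to a defender: exercising replication rights on the domain naming context produces Security event 4662 with the replication extended-right GUIDs in its Properties field, and in a healthy domain only domain controllers should be the subject of such events. The following is an added example (not part of this write-up) that applies that rule in Python over constructed 4662 records; the field names follow the event, the replication-right GUIDs are the well-known Active Directory values, and the subjects, object types and the placeholder GUID in the last record are made up for the demonstration.

```python
"""Detecting DCSync-style replication from Security event 4662 (directory object access).
Added example; the sample events below are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Extended rights on the domain naming context that allow pulling replication data,
# i.e. exactly the rights DCSync needs. Domain controllers hold and use them legitimately.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

CONTROL_ACCESS = "0x100"  # AccessMask value meaning an extended right was exercised


@dataclass
class ObjectAccess:
    """The fields of a directory access (Event ID 4662) that matter for this detection."""
    subject: str      # SubjectUserName: a user such as "svc_loanmgr" or a DC account "DC01$"
    object_type: str  # ObjectType: "domainDNS" when the naming context itself is accessed
    access_mask: str  # AccessMask
    properties: str   # Properties: the GUIDs of the rights/attributes that were accessed


def replication_rights_used(ev: ObjectAccess) -> list[str]:
    """Names of the replication rights present in the event's Properties field."""
    props = ev.properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def find_dcsync(events: list[ObjectAccess], domain_controllers: set[str]) -> list[tuple[str, list[str]]]:
    """Return (subject, rights) for every replication request made by a non-DC principal."""
    dcs = {d.upper() for d in domain_controllers}
    hits: list[tuple[str, list[str]]] = []
    for ev in events:
        if ev.object_type != "domainDNS" or ev.access_mask != CONTROL_ACCESS:
            continue
        rights = replication_rights_used(ev)
        if rights and ev.subject.upper() not in dcs:
            hits.append((ev.subject, rights))
    return hits


# Constructed sample events: normal DC-to-DC replication, a DCSync by a service account,
# and an unrelated attribute read (placeholder GUID, not a real right) that must not match.
_REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4662 = [
    ObjectAccess("DC01$", "domainDNS", "0x100", _REPL),
    ObjectAccess("svc_loanmgr", "domainDNS", "0x100", _REPL),
    ObjectAccess("svc_loanmgr", "user", "0x10", "{00000000-0000-0000-0000-00000000c0de}"),
]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662, {"DC01$"}):
        print(f"replication by non-DC principal {subject}: {', '.join(rights)}")
```

The same GUIDs are what a preventive review looks for in the ACL of the domain object: any principal other than the domain controllers, Enterprise Domain Controllers and the built-in administrative groups holding DS-Replication-Get-Changes-All is the finding SharpHound surfaced here, and removing that ACE closes the path before it is used.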
Finally, you can use the hash to connect to the victim as Administrator with evil-winrm:
root.txt: f3ee04965c68257382e31502cc5e881f