# VulnNet: Roasted

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MefV9CbqWw4n0HZ3fSy%2F-MefVH3rI5i3YmPeMBtf%2Fimage.png?alt=media\&token=9bb0f097-2ece-4515-841f-d82c6ed87563)

## Scanning

Let's run some nmap scans to find open ports and the services running on them.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MefV9CbqWw4n0HZ3fSy%2F-MefhIxM7IMvssAuwAxH%2Fimage.png?alt=media\&token=46a9ee0f-98cb-48f7-840b-11117070a654)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MefV9CbqWw4n0HZ3fSy%2F-Mefhc62u1HkriYnSW_C%2Fimage.png?alt=media\&token=18a60eb9-1171-4f30-a6d8-823a330141ee)

## Enumeration

Let's enumerate the SMB shares using smbmap as the anonymous user.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-Megdc-X2gV0fLLClF_E%2Fimage.png?alt=media\&token=44be4196-5949-4257-a2de-758fa299efd4)

Looks like we can read IPC$, so let's enumerate valid domain users using impacket's lookupsid.py and save the output in a file called usernames. (Hit Enter when it asks for the password.)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-MegekZN6D0VEMDzdugz%2Fimage.png?alt=media\&token=91d1776c-bdff-40fa-85d2-045c724d7bb6)

Now let's extract only the usernames from the file and save them back into the same file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-MegfMKmDXi6-Y0H4avM%2Fimage.png?alt=media\&token=4d0a4211-91c4-4029-9716-63715a57b046)

Now let's use another python script from impacket that checks which of these usernames are valid and which of them have Kerberos pre-authentication (PREAUTH) disabled; for those accounts the KDC returns an AS-REP that can be cracked offline. The domain is vulnnet-rst.local, as we saw in the nmap scan. Let's also save any hashes we get in a file called asrep\_hashes.txt.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-Megfyger1lyZe_xiHry%2Fimage.png?alt=media\&token=d00ed881-b7aa-4d8a-87ad-9e0ad8717336)

We have a hash, so let's crack it using hashcat.
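On the defender's side, the AS-REP requests that the impacket script makes for a whole list of usernames land on the domain controller as Security event 4768 (a TGT was requested), with Pre-Authentication Type 0 for the accounts that have pre-authentication disabled. The following is an added example, not part of the original writeup: it runs over a constructed batch of 4768 records (account names and addresses are made up; only the domain comes from the page) and flags both the roastable accounts and the source that swept many accounts at once.

```python
from collections import defaultdict

# Constructed sample of Windows Security event 4768 records, flattened to
# key=value lines for the example. Account names and IPs are invented.
# PreAuthType 0 = no pre-authentication, 2 = PA-ENC-TIMESTAMP (normal logon).
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256. Status 0x0 = success.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-backup TargetDomainName=VULNNET-RST.LOCAL IpAddress=10.10.14.5 Status=0x0 TicketEncryptionType=0x17 PreAuthType=0
EventID=4768 TargetUserName=alice TargetDomainName=VULNNET-RST.LOCAL IpAddress=10.10.14.5 Status=0x0 TicketEncryptionType=0x12 PreAuthType=2
EventID=4768 TargetUserName=bob TargetDomainName=VULNNET-RST.LOCAL IpAddress=10.10.14.5 Status=0x0 TicketEncryptionType=0x12 PreAuthType=2
EventID=4768 TargetUserName=carol TargetDomainName=VULNNET-RST.LOCAL IpAddress=10.10.14.5 Status=0x6 TicketEncryptionType=0xffffffff PreAuthType=-
EventID=4768 TargetUserName=ws01$ TargetDomainName=VULNNET-RST.LOCAL IpAddress=10.10.1.20 Status=0x0 TicketEncryptionType=0x12 PreAuthType=2
"""


def parse_events(text):
    """Turn the flattened key=value records into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(kv.split("=", 1) for kv in line.split()))
    return events


def asrep_roastable_requests(events):
    """Accounts that received a TGT without pre-authentication.

    A successful 4768 with PreAuthType 0 means the KDC handed out an AS-REP
    whose encrypted part is crackable offline, which is exactly what the
    impacket script collects. RC4 (0x17) is worth noting because it is the
    cheapest type to crack; AES is still roastable, just slower.
    """
    hits = []
    for e in events:
        if e.get("EventID") != "4768" or e.get("Status") != "0x0":
            continue
        if e.get("PreAuthType") == "0":
            hits.append((e["TargetUserName"], e["IpAddress"],
                         e["TicketEncryptionType"]))
    return hits


def bulk_tgt_requesters(events, threshold=3):
    """Sources that requested TGTs for many distinct accounts, the footprint
    of feeding a username list to the script regardless of how many accounts
    turned out to be roastable. Returns {ip: sorted account names}."""
    by_ip = defaultdict(set)
    for e in events:
        if e.get("EventID") == "4768":
            by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(u) for ip, u in by_ip.items() if len(u) >= threshold}
```

The remediation for the first finding is simply to re-enable pre-authentication on the flagged accounts; the second finding is the one worth alerting on, since a single host requesting TGTs for accounts it has no session for is not normal client behaviour.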

## Exploitation

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-MeggIewEhg1qQZ-otn7%2Fimage.png?alt=media\&token=eea82e0b-0b6e-494c-9430-1466f98bccc1)

We have the password. Now let's try to access the SMB shares with these credentials, starting with a listing of the shares.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-Megi_hN6LW__zOp5Yqn%2Fimage.png?alt=media\&token=1f8c1d71-c1f4-46d2-a988-71dedc17d671)

We have two new shares. Let's look at NETLOGON first and download the available files onto our machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-Megj0_PbZkdIwDCWETj%2Fimage.png?alt=media\&token=bd1c3667-ef97-429c-8959-5f4c4f7c8fa2)

Let's look at the file.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegbxP_crB2acFo7NZX%2F-MegjIBy138IwA3VwNH-%2Fimage.png?alt=media\&token=ec7dca3c-0dee-4ce0-88e1-2111a8a42b61)

We have credentials, so let's log in to the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-MegkqPd2oSBmX8yTLbl%2Fimage.png?alt=media\&token=7d959e22-8500-4294-90f3-392c44753361)

Let's read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-Megl0Ic4gxeBn-eh3ZH%2Fimage.png?alt=media\&token=2f6ec32f-c0b2-4e8a-aa8c-364fe31c5dc1)

## Privilege Escalation

Let's look at what this user can do in more detail.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-MeglHqGyvfbHwxXWCe7%2Fimage.png?alt=media\&token=3b7487f2-4012-42df-9fcc-d0b6676429cf)

We belong to the admin group, so let's dump hashes with another impacket tool.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-MegmgV0TpztQUpCJtpw%2Fimage.png?alt=media\&token=52f7d5e9-86c8-4cef-b15c-f4e1724f2e15)

Let's log in as admin.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-MegnZ2So1P3FCT-DAXc%2Fimage.png?alt=media\&token=4df65291-a787-425f-a20f-628ad5098b6e)

Let's read the admin flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MegjRaWVO3cEHagWCph%2F-Megnh5ljzv3iXk_tpu9%2Fimage.png?alt=media\&token=58033437-81ec-4b88-ac22-320d641d1f3b)
