VulnNet: Roasted
Scanning
Let's run some nmap scans to find open ports and the services running on them.
Enumeration
Let's enumerate the SMB shares anonymously using smbmap.
Looks like we can read IPC$. Let's enumerate valid domain users using impacket's lookupsid.py and save the output in a file called usernames. (Hit Enter when it asks for the password.)
Now let's extract only the usernames from the file and save them back into the same file.
Now let's use another Python script from impacket that checks whether the usernames are valid and whether they have Kerberos pre-authentication (PREAUTH) required; an account that does not require it returns a hash. The domain is vulnnet-rst.local, as we saw in the nmap scan. Let's also save any hashes we get in a file called asrep_hashes.txt.
We have a hash, so let's crack it using hashcat.
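Seen from the domain controller, the pre-authentication check above leaves Security event 4768 records behind. The following is an added detection example, not part of the original writeup; the sample events, account names, addresses and the sweep threshold are constructed assumptions.

```python
from collections import defaultdict

def tgt(user, ip, status, preauth, etype):
    """Build one constructed record with the fields of Security event 4768."""
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}

# Constructed sample data: one host sweeping several names, two normal hosts.
SAMPLE_EVENTS = [
    tgt("svc-a", "10.0.0.50", "0x0", "0", "0x17"),        # TGT without pre-auth, RC4
    tgt("user-b", "10.0.0.50", "0x6", "-", "0xffffffff"),  # 0x6 = unknown principal
    tgt("user-c", "10.0.0.50", "0x6", "-", "0xffffffff"),
    tgt("user-d", "10.0.0.21", "0x0", "2", "0x12"),        # normal: pre-auth, AES256
    tgt("legacy-e", "10.0.0.33", "0x0", "0", "0x12"),      # account exempt from pre-auth
]

def find_asrep_roasting(events, sweep_threshold=3):
    """Group 4768 events by source and flag TGTs issued without pre-auth."""
    users = defaultdict(set)       # source -> every account name it requested
    no_preauth = defaultdict(set)  # source -> accounts answered without pre-auth
    rc4 = defaultdict(bool)        # source -> any such reply used RC4 (0x17)
    for e in events:
        if e.get("EventID") != 4768:
            continue
        src = e["IpAddress"]
        users[src].add(e["TargetUserName"])
        # Status 0x0 with PreAuthType 0: the KDC issued a TGT with no proof
        # that the requester knows the account's password.
        if e["Status"] == "0x0" and e["PreAuthType"] == "0":
            no_preauth[src].add(e["TargetUserName"])
            rc4[src] = rc4[src] or e["TicketEncryptionType"].lower() == "0x17"
    findings = []
    for src, accounts in sorted(no_preauth.items()):
        # Many distinct names from one source plus an RC4 reply matches the
        # username sweep; a lone hit still lists an account to fix.
        sweep = len(users[src]) >= sweep_threshold
        findings.append({"source": src, "accounts": sorted(accounts),
                         "rc4": rc4[src],
                         "severity": "high" if sweep and rc4[src] else "review"})
    return findings

if __name__ == "__main__":
    for finding in find_asrep_roasting(SAMPLE_EVENTS):
        print(finding)
```

Every account the function reports is one whose "Do not require Kerberos preauthentication" setting should be reviewed, whatever the severity.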
Exploitation
We have the password. Now let's try to access the SMB shares with the credentials. Let's first look at the shares.
We have two new shares. Let's look at NETLOGON first and download the available files onto our machine.
Let's look at the file.
We have credentials, so let's log in to the machine.
Let's read the user flag.
Privilege Escalation
Let's look in more detail at what this user can do.
We belong to the admin group, so let's dump hashes with another impacket tool.
Let's log in as admin.
Let's read the admin flag.