HackTheBox - Sauna Writeup | SH∆FIQ∆IM∆N

Nmap

Like always, I’m going to scan the IP Address by using nmap but I’m going to scan the full port first. Then, I’m going to scan the only open ports.

# Nmap 7.94 scan initiated Thu Sep 28 15:06:39 2023 as: nmap -p135,139,3268,389,445,464,49667,49673,49674,49677,49689,49696,53,593,5985,80,88,9389 -sCV -oN nmap/sauna 10.10.10.175
Nmap scan report for sauna (10.10.10.175)
Host is up (0.032s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-09-28 14:06:45Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time: 
|   date: 2023-09-28T14:07:34
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 28 15:08:14 2023 -- 1 IP address (1 host up) scanned in 95.23 seconds

The scan reveals a large number of open ports. Judging by the open ports, it appears that this is a Domain Controller. Additionally, Nmap discovered the domain name EGOTISTICAL-BANK.LOCAL0, which I added to my /etc/hosts file.

add the hostname

Http: Egotistical Bank

Next, I navigated to port 80 using my browser and was greeted with a website resembling a bank. I attempted to determine the backend language by modifying the index page extension, but it turned out to be a static HTML page.

egotistical bank webpage

While running gobuster in the background for directory brute-forcing, I did not uncover anything particularly useful. However, I did notice a potential username on the website’s about.html page. I compiled a list of these usernames and saved it as users.txt.

potential users

LDAP: ldapsearch

Remembering that LDAP ports were open on the machine, I used anonymous enumeration to find additional users. This process revealed another user, Hugo Smith, which I added to the users.txt file.

ldapsearch query user

USER: username-anarchy

I then modified the users.txt file slightly to use it with username-anarchy, which generates a list of usernames based on first and last names. The output was saved to a file called gen_usernames.txt.

list of users

generate user list

SMB: crackmapexec

Next, I executed CrackMapExec with the -k flag (which enables Kerberos authentication) to test the user list. This scan revealed that one of the users is vulnerable to an ASREPRoast attack.

fsmith vulnerable to asreproast

ASREPRoast: GetNPUsers.py

I then ran the Impacket script GetNPUsers.py to dump the hash for the fsmith user, saving it to a file named hash.txt. After successfully dumping the hash, I cracked it using hashcat.

fsmith hash

cracked fsmith hash

Evil-winrm: fsmith

Since port 5985 (Windows Remote Management, or WinRM) was open and I already had valid credentials, I connected using the fsmith user.

BloodHound

After successfully logging in, I deployed the SharpHound binary on the target machine to enumerate the Active Directory. I executed the binary and saved the output in a ZIP file.

sharphound

To retrieve the ZIP file, I started an uploadserver on my machine and used PSUpload.ps1 to transfer the file. I verified its integrity using md5sum.

transfer the zipfile

For analysis, I launched the neo4j console with sudo privileges. On a fresh neo4j installation, you must set a new password by visiting http://localhost:7474; the default credentials are neo4j:neo4j.

After logging into BloodHound, I imported the ZIP file by clicking the Upload Data button in the navigation bar. Once imported, I searched for the [email protected] node, right-clicked on it, and selected Mark User as Owned.

mark user owned

I then analyzed the data from the owned fsmith account by navigating to Shortest Paths to High Value Targets from the Analysis section.

shortest path

Although the graph view was a bit confusing, I noted that the user svc_loanmgr appeared capable of performing a DCSync attack.

graph view

Unfortunately, I couldn’t find a way to compromise the svc_loanmgr user, leaving me somewhat stumped.

First Method: PrintNightmare

SMB: printer

I then checked the SMB shares on the machine. Although listing the shares using NULL authentication failed, using valid fsmith credentials succeeded. The shares indicated that a printer was connected.

PrintNightmare

It occurred to me that I might be able to exploit the printer, given the known PrintNightmare vulnerability (assigned CVE-2021-1675 and CVE-2021-34527), which affects the print spooler service. First, I checked if the Print Spooler service was running by executing Get-Service -Name Spooler.

check printspooler running

After some research, I found an exploit for this vulnerability. I chose the reverse shell option and created a DLL payload using msfvenom.

create malicious dll

I set up a listener using Metasploit, transferred both the exploit and the payload to the target machine, and executed the exploit.

$shell as nt authority\\system$

Second Method: DCSync attack

graph view

Returning to the graph view, I saw that compromising svc_loanmgr was necessary to leverage the DCSync attack.

winPEAS

Since I was already logged in as fsmith, I uploaded the winPEAS binary to enumerate the system. winPEAS revealed plaintext AutoLogon credentials for the svc_loanmgr user.

found credentials in autologon

Impacket: secretsdump.py

With valid credentials for svc_loanmgr, I used the Impacket script secretsdump.py to dump the hashes of all users on the machine.

dump hashes

PsExec

After dumping the hashes, I employed another Impacket script, psexec.py, to log in as Administrator using a Pass-the-Hash attack.

$login as nt authority\\system$

Nmap#

Http: Egotistical Bank#

LDAP: ldapsearch#

USER: username-anarchy#

SMB: crackmapexec#

ASREPRoast: GetNPUsers.py#

Evil-winrm: fsmith#

BloodHound#

First Method: PrintNightmare#

SMB: printer#

PrintNightmare#

Second Method: DCSync attack#

winPEAS#

Impacket: secretsdump.py#

PsExec#