HackTheBox : Sauna
Sauna is a Windows box in which we first gathered intelligence, then performed an AS-REP roasting attack to get an initial foothold. After that, we collected and visualized the domain information in order to find interesting attack paths that could lead to its compromise. That’s where we found uncommon principals with DCSync rights. By leveraging that misconfiguration, we performed a DCSync attack and compromised the entire domain. Lastly, we forged a golden ticket in order to maintain persistence on the domain.
Reconnaissance
Nmap
SMB — TCP/445
First and foremost, we’re going to check if we can log in to the SMB share as an anonymous or guest user :
No null or guest session found!
HTTP — TCP/80
Webpage
When browsing /about.html, we can see a list of potential usernames of employees working at Egotistical Bank :
After that, we can enumerate the technologies used by the web server to check whether any outdated technology is in use :
The server is running IIS-10.0. With that information, I tried to search for some exploits but I ended up with nothing really interesting.
Directory Fuzzing
DNS — TCP/53
Here we will try to perform a DNS zone transfer :
Kerberos — TCP/88
Knowing that we have a list of potential usernames, we can try to perform an AS-REP roasting attack. However, we may encounter a little issue here : most companies use a naming convention for their employees’ accounts, and one of the most frequent conventions is “first.last”.
That said, there is a tool called username anarchy that can be used to generate usernames based on a specific format :
FYI, you could also use namemash. However, I found username anarchy to be more customizable since you can create your own plugins.
Once done, let’s try to perform the AS-REP roasting attack using kerbrute :
As you can see, we got back the encrypted part of the AS-REP (which contains the session key), encrypted with the user’s NT hash. Now we can try to crack it using hashcat. However, before cracking the hash, we need to know its type. For that, we can use a great tool called name-that-hash :
You can install it using pip : pip install name-that-hash
As you can see, it returns the hash type for hashcat and John the Ripper.
Let’s crack the hash :
Well, let’s verify if the credentials are correct using netexec :
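From the defender’s side, the roasting above leaves a clear trace in the KDC’s audit log: a successful TGT request (event 4768) with pre-authentication type 0. The following Python is an added example (not part of this writeup or of any tool it uses) that runs that check over a few constructed 4768 records; the field names follow the Windows event, the IPs and the svc_backup account are made up.

```python
from collections import Counter

# Constructed sample of Windows Security event 4768 (Kerberos TGT request) records,
# flattened to key=value form. Made up for this example, not logs from the box.
SAMPLE_4768 = """\
TargetUserName=fsmith TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.0.0.50 Status=0x0
TargetUserName=hsmith TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.10 Status=0x0
TargetUserName=svc_backup TicketEncryptionType=0x12 PreAuthType=0 IpAddress=10.0.0.50 Status=0x0
TargetUserName=administrator TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.0.0.10 Status=0x0
TargetUserName=nobody TicketEncryptionType=- PreAuthType=- IpAddress=10.0.0.50 Status=0x6
"""

RC4_HMAC = "0x17"  # etype 23: the AS-REP is keyed straight from the NT hash, cheap to crack


def parse_event(line):
    """One-line key=value parser for the constructed records above."""
    return dict(tok.split("=", 1) for tok in line.split())


def find_asrep_roasting(log_text):
    """Return (findings, per_source) for TGT requests that look like AS-REP roasting.

    PreAuthType 0 on a successful 4768 means the KDC handed out the AS-REP without the
    client ever proving knowledge of the password, i.e. the account has
    "Do not require Kerberos preauthentication" set and the reply can be cracked offline.
    RC4 (0x17) is rated high; AES (0x11/0x12) is still roastable, only slower, so medium.
    """
    findings = []
    per_source = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("Status") != "0x0" or ev.get("PreAuthType") != "0":
            continue
        severity = "high" if ev["TicketEncryptionType"] == RC4_HMAC else "medium"
        findings.append((ev["TargetUserName"], ev["IpAddress"], severity))
        per_source[ev["IpAddress"]] += 1
    return findings, per_source


if __name__ == "__main__":
    hits, sources = find_asrep_roasting(SAMPLE_4768)
    for user, src, severity in hits:
        print(f"[{severity}] AS-REP without pre-auth for {user}, requested from {src}")
    for src, n in sources.most_common():
        print(f"{src}: {n} pre-auth-less TGT requests")
```

The same PreAuthType 0 filter works on the UserAccountControl flag side too: an account with DONT_REQ_PREAUTH set is what produces these events in the first place.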
Initial Access
Now that we have an initial set of AD credentials, let’s first collect the domain information using ldapdomaindump or bloodhound-python :
One of the first things I generally do after getting my first set of AD credentials is trying to dump the secrets using my compromised account then perform a password-spraying attack against the entire domain.
The password spraying attack allows me to check whether a user’s password or hash was reused by other domain users.
Before trying to dump the secrets, I also always check the user privileges to have a quick idea of what I can and can’t do :
As you can see, fsmith does not have enough privileges. He is only a member of the “Domain Users” and “Remote Management Users” groups.
Nevertheless, let’s see if we can dump secrets using his credentials :
Here my attempt failed because fsmith does not have enough privileges to do that.
Password Spraying
First and foremost, let’s try to list all domain users :
As you might notice, the attack stopped as soon as we found a valid credential (Hsmith:Thestrokes23). Indeed, this is the default behavior of netexec.
In order to keep on spraying even after a successful login, we need to use the --continue-on-success flag :
Excellent! As you can see, we got two successful logins. Let’s now log in to fsmith’s account using evil-winrm :
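A spray like the one above is one password against many accounts, so what gives it away in the DC’s logs is the breadth of distinct usernames failing from a single source in a short window, not repeated failures for one user. Here is an added Python example (my own, not from the writeup or from netexec) that applies that rule to constructed 4625 failed-logon records; the user01–user04 names, IPs and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4625 (failed logon) records: "timestamp user source_ip substatus".
# 0xC000006A = wrong password, 0xC0000234 = account locked. Not logs from the box.
SAMPLE_4625 = """\
2024-01-01T10:00:01 hsmith 10.0.0.50 0xC000006A
2024-01-01T10:00:02 fsmith 10.0.0.50 0xC000006A
2024-01-01T10:00:03 user01 10.0.0.50 0xC000006A
2024-01-01T10:00:04 user02 10.0.0.50 0xC000006A
2024-01-01T10:00:05 user03 10.0.0.50 0xC000006A
2024-01-01T10:00:06 svc_loanmgr 10.0.0.50 0xC000006A
2024-01-01T10:00:20 administrator 10.0.0.50 0xC000006A
2024-01-01T10:05:00 hsmith 10.0.0.20 0xC000006A
2024-01-01T10:05:10 hsmith 10.0.0.20 0xC000006A
2024-01-01T10:05:25 hsmith 10.0.0.20 0xC000006A
2024-01-01T10:09:00 user04 10.0.0.20 0xC0000234
2024-01-01T11:00:00 fsmith 10.0.0.50 0xC000006A
"""

WRONG_PASSWORD = "0xC000006A"


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: set(users)} for sources that failed logons for at least
    min_users distinct accounts inside some sliding window of length `window`.

    The 10.0.0.20 host, which mistypes one user's password three times, must not
    trip this: one account, however many failures, is not a spray.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, src, substatus = line.split()
        if substatus == WRONG_PASSWORD:  # lockouts/disabled accounts are noisier, skip them
            by_source[src].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window so it spans at most `window`
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(src, ())):
                alerts[src] = users
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_4625).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {sorted(users)}")
```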
Data Visualization With BloodHound
Well, let’s now visualize the collected domain information using bloodhound. Do not forget to launch neo4j first :)
Once done, let’s take a look at the Pre-Built Analytics Queries.
Interesting! Hsmith’s account is kerberoastable. Moreover, we already know his password.
Using that information, I executed the “Shortest paths to domain admins from kerberoastable users” query but no data was returned unfortunately.
However, knowing that we owned two domain users, I also tried the query “Shortest Paths to Domain Admins from Owned Principals”.
That’s what I obtained :
After clicking the help menu on DCSync edge, here’s what I got :
DCSync is a technique used to request the passwords of any user from a domain controller through the replication protocol (DRSUAPI). This requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges on the domain object, so this technique is usually used once privileges have already been lifted in the Active Directory.
Let’s now execute the query “Find Principals with DCSync Rights” :
Awesome! As you can see here, we got a few domain users with DCSync rights in addition to the computer account SAUNA$. However, the user svc_loanmgr caught my eye because normally only users with Domain Admins privileges can perform a DCSync attack.
Indeed, this is possible because svc_loanmgr has the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges on the domain. These two privileges allow him to perform a DCSync attack.
Note : Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.
Now that we found users with DCSync rights, we need their password or hash in order to perform the DCSync attack using impacket-secretsdump.
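Those two replication rights are also what a DC audits when someone actually uses them: a DCSync shows up as event 4662 on the domain object with the corresponding control-access-right GUIDs. The Python below is an added example (not from the writeup or BloodHound) that flags any principal other than the DC computer account exercising them; the GUIDs are the standard AD extended-right GUIDs, the records are constructed and simplified, and the expected-replicator set is an assumption for the example.

```python
# Well-known Active Directory control-access-right GUIDs that together grant DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: the DC computer accounts (assumed for the example).
EXPECTED_REPLICATORS = {"sauna$"}

# Constructed 4662 (operation on an AD object) records, simplified to key=value with the
# exercised right GUIDs comma-separated in Properties. Not logs from the box; the GUID on
# the fsmith line is a placeholder for some unrelated attribute.
SAMPLE_4662 = """\
SubjectUserName=SAUNA$ ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
SubjectUserName=fsmith ObjectType=user AccessMask=0x10 Properties=00000000-0000-0000-0000-00000000aaaa
SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
SubjectUserName=svc_loanmgr ObjectType=domainDNS AccessMask=0x100 Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
"""


def find_dcsync(log_text, expected=EXPECTED_REPLICATORS):
    """Return {subject: sorted(rights)} for principals outside `expected` that exercised
    replication rights on a domainDNS object.

    AccessMask 0x100 is Control Access, the mask used for extended rights like these;
    anything else on the domain object is ordinary read/write and is ignored here.
    """
    suspicious = {}
    for line in log_text.splitlines():
        ev = dict(tok.split("=", 1) for tok in line.split())
        if ev.get("ObjectType") != "domainDNS" or ev.get("AccessMask") != "0x100":
            continue
        rights = {REPLICATION_RIGHTS[g] for g in ev["Properties"].split(",")
                  if g in REPLICATION_RIGHTS}
        subject = ev["SubjectUserName"].lower()
        if rights and subject not in expected:
            suspicious.setdefault(subject, set()).update(rights)
    return {s: sorted(r) for s, r in suspicious.items()}


if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_4662).items():
        print(f"DCSync-capable non-DC principal {subject} used: {', '.join(rights)}")
```

The same GUID set is what you would filter on when reviewing the domain object’s ACL directly, which catches the right being granted rather than used.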
Well, let’s try to escalate our privileges on the SAUNA machine then check if we can move laterally until we find juicy information.
To escalate our privileges, we’re going to use winpeas :
Wonderful! We found autologon credentials.
However, there is no svc_loanmanager user in the domain, but there is an svc_loanmgr user.
Let’s check if these credentials are still valid :
As you can see, we got a successful authentication using the svc_loanmgr user.
As usual, let’s check svc_loanmgr’s privileges :
As you can see, svc_loanmgr is only a member of “Domain Users” and “Remote Management Users”. That’s right, but what matters to us here is that svc_loanmgr has the necessary privileges to perform a DCSync attack.
Therefore, what are we waiting for? Let’s do it :
Let’s check if we can authenticate to the DC :
Persistence
In order to remain persistent on the compromised domain, we are going to generate a golden ticket. To do that we will proceed as follows :
1/ Get the NT hash of the krbtgt account
2/ Find the domain’s SID
3/ Forge a golden ticket
4/ Export the golden ticket
5/ Add the DC IP to the resolv.conf file
6/ Get a session using the created golden ticket
- -no-pass : don’t ask for a password.
- -k : use Kerberos authentication. Grabs credentials from the ccache file (KRB5CCNAME) based on target parameters.
Note : If you get the KRB_AP_ERR_SKEW (Clock skew too great) error, just synchronize your time with the KDC using ntpdate, then generate a new ticket.
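Because a golden ticket is forged offline from the krbtgt hash, the KDC never issues it: there is no 4768 for that TGT, only the 4769 service-ticket requests made with it. The Python below is an added example (mine, not from the writeup or from impacket) of that hunting heuristic over constructed records; the IPs, timestamps and service names are made up, and the 10-hour default is the standard maximum TGT lifetime.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Kerberos audit records in time order: "timestamp event_id user source_ip [service]".
# 4768 = TGT issued by the KDC, 4769 = service ticket requested with a TGT. Not logs from the box.
SAMPLE_KRB = """\
2024-01-01T09:00:00 4768 administrator 10.0.0.10
2024-01-01T09:00:05 4769 administrator 10.0.0.10 cifs/SAUNA
2024-01-01T09:01:00 4768 fsmith 10.0.0.20
2024-01-01T09:02:00 4769 fsmith 10.0.0.20 HTTP/SAUNA
2024-01-01T20:00:00 4769 administrator 10.0.0.10 cifs/SAUNA
2024-01-01T21:30:00 4769 administrator 10.0.0.50 cifs/SAUNA
2024-01-01T21:31:00 4769 administrator 10.0.0.50 ldap/SAUNA
"""


def find_tgs_without_tgt(log_text, max_tgt_age=timedelta(hours=10)):
    """Return (user, source, service) for service-ticket requests with no TGT issued
    by this KDC to the same user from the same source within max_tgt_age.

    This is a hunting lead, not proof: a TGT obtained from another DC, or before the
    log retention window, looks identical. In the sample, 10.0.0.50 never received a
    TGT at all, and the 20:00 request from 10.0.0.10 is past the 10h TGT lifetime.
    """
    tgt_times = defaultdict(list)  # (user, source) -> timestamps of TGTs issued
    orphans = []
    for line in log_text.splitlines():
        ts, event_id, user, src, *service = line.split()
        when = datetime.fromisoformat(ts)
        key = (user.lower(), src)
        if event_id == "4768":
            tgt_times[key].append(when)
        elif event_id == "4769":
            recent = [t for t in tgt_times[key] if timedelta(0) <= when - t <= max_tgt_age]
            if not recent:
                orphans.append((user, src, service[0]))
    return orphans


if __name__ == "__main__":
    for user, src, service in find_tgs_without_tgt(SAMPLE_KRB):
        print(f"service ticket for {service} by {user} from {src} with no matching TGT issuance")
```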
Wrapping Up
That’s it guys. Congrats on having made it so far 👏.
I hope you enjoyed the writeup.
If so, do not forget to click on the little clap icon below and subscribe to my newsletter to keep up with my latest articles.
Resources
https://github.com/ropnop/kerbrute
https://www.netexec.wiki/
https://github.com/dirkjanm/BloodHound.py
https://www.hackingarticles.in/credential-dumping-windows-autologon-password/
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/dcsync
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/dump-password-hashes-from-domain-controller-with-dcsync
https://threathunterplaybook.com/library/windows/active_directory_replication.html
https://learn.microsoft.com/en-us/archive/technet-wiki/23559.kerberos-pre-authentication-why-it-should-not-be-disabled
https://en.hackndo.com/kerberos-silver-golden-tickets/
https://ttp.parzival.sh/pentesting/infrastructure/active-directory/domain-dominance/create_golden_ticket
https://www.stationx.net/golden-ticket-attack/
https://attack.mitre.org/techniques/T1558/001/
Contact
GitHub : https://github.com/0liverFlow