HackTheBox : Sauna

0liverFlow


Summary

Sauna is a Windows box on which we first gathered intelligence, then performed an AS-REP roasting attack to get an initial foothold. After that, we collected and visualized the domain information in order to find interesting attack paths that could lead to the domain's compromise. That's where we found uncommon principals with DCSync rights. By leveraging that misconfiguration, we performed a DCSync attack and compromised the entire domain. Lastly, we forged a golden ticket in order to maintain persistence on the domain.

Recon

Nmap

Port scanning
Nmap scripts scanning

SMB — tcp/445

First and foremost, we're going to check whether we can log in to the SMB shares as an anonymous (null session) or guest user:

Checking Null session
Checking Guest logon

No null or guest session found!

HTTP — tcp/80

Webpage

Main page

When browsing /about.html, we can see a list of potential usernames of employees working at Egotistical Bank:

Usernames hunting

After that, we can enumerate the technologies used by the web server to check whether any outdated component is in use:

Technology Profiling

The server is running IIS 10.0. With that information, I tried to search for exploits, but I ended up with nothing really interesting.

Directory Fuzzing

Directory Fuzzing with ffuf

DNS — tcp/53

Here we will try to perform a DNS zone transfer:

DNS zone transfer failed

Kerberos — tcp/88

Knowing that we have a list of potential usernames, we can try to perform an AS-REP roasting attack. However, we may run into a small issue here: most companies use a naming convention for their employees' accounts, and one of the most frequent conventions is "first.last".

That said, there is a tool called username anarchy that can be used to generate usernames according to a given format:

Username Anarchy usage
Plugin names and examples
Gathered usernames

FYI, you could also use namemash. However, I found username anarchy to be more customizable, since you can create your own plugins.

Once done, let's try to perform the AS-REP roasting attack using kerbrute:

AS-REP roasting with kerbrute
AS-REP roasting with Impacket-GetNPUsers

As you can see, we got the encrypted part of the AS-REP (which carries the session key), encrypted with the user's NT hash. Now we can try to crack it using hashcat. However, before cracking the hash, we need to know its type. For that, we can use a great tool called name-that-hash:

You can install it with pip: pip install name-that-hash

Hash type

As you can see, it returns the hash type for hashcat and John the Ripper.
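On the defender's side, the AS-REP roasting described above leaves a trace on the domain controller: Security event 4768 (a Kerberos TGT was requested) with Pre-Authentication Type 0 and, since roasting tools ask for it, RC4 (0x17) encryption. The following is an added example, not code from the writeup, that flags such requests and the source hosts collecting several of them; the event records are constructed, with documentation IP ranges standing in for hosts and `jdoe` as an assumed extra account.

```python
from collections import Counter

# Constructed 4768 records modelled on the event's XML fields (sample data,
# not real logs). 198.51.100.7 plays the roasting host, 192.0.2.x the LAN.
EVENTS_4768 = [
    {"TargetUserName": "fsmith", "IpAddress": "198.51.100.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "jdoe", "IpAddress": "198.51.100.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "hsmith", "IpAddress": "192.0.2.20",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "SAUNA$", "IpAddress": "192.0.2.1",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # A failed request (unknown principal) must not be counted as a roast.
    {"TargetUserName": "nobody", "IpAddress": "198.51.100.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
]


def asrep_roast_candidates(events):
    """(user, source ip) for every TGT issued without pre-auth and with RC4.

    PreAuthType 0 means the account has "Do not require Kerberos
    preauthentication" set; 0x17 is RC4-HMAC, whose key is the NT hash.
    """
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("Status") == "0x0"
        and e.get("PreAuthType") == "0"
        and e.get("TicketEncryptionType") == "0x17"
    ]


def roasting_sources(events, threshold=2):
    """Source IPs that collected at least `threshold` roastable AS-REPs."""
    counts = Counter(ip for _, ip in asrep_roast_candidates(events))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Every account returned by `asrep_roast_candidates` is one where re-enabling Kerberos pre-authentication removes the roasting surface entirely.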

Let's crack the hash:

Hash cracked

Now let's verify that the credentials are correct using netexec:

Successful authentication using smb
Trying authentication using other protocols

Foothold

Now that we have an initial set of AD credentials, let's first collect the domain information using ldapdomaindump or bloodhound-python:

Collecting domain information with ldapdomaindump
Collecting domain information with bloodhound-python

One of the first things I generally do after getting my first set of AD credentials is to try to dump the secrets with the compromised account, then perform a password-spraying attack against the entire domain.

The password-spraying attack lets me check whether a user's password or hash has been reused by other domain users.

Before trying to dump the secrets, I also always check the user's privileges to get a quick idea of what I can and can't do:

Enumerating fsmith privileges

As you can see, fsmith does not have many privileges: he is only a member of the "Domain Users" and "Remote Management Users" groups.

Nevertheless, let's see whether we can dump the secrets using his credentials:

Dumping credentials failed

Here my attempt failed because fsmith does not have the privileges required to do that.

Password Spraying

First and foremost, let's list all domain users:

Get all domain user accounts
Password spraying attack

As you might notice, the attack stopped as soon as a valid credential was found (Hsmith:Thestrokes23). This is the default behavior of netexec.

In order to keep spraying even after a successful login, we need to use the --continue-on-success flag:

Password spraying attack with the --continue-on-success flag set

Excellent! As you can see, we got two successful logins.

Evil-Winrm

Let's log in to the fsmith account using evil-winrm:

Successful login to fsmith account using winrm
Hostname
Retrieving user flag

Data Visualization With BloodHound

Now let's visualize the collected domain information using BloodHound. Do not forget to launch neo4j first :)

Once done, let’s take a look at the Pre-Built Analytics Queries.

Finding all Kerberoastable accounts

Interesting! Hsmith's account is Kerberoastable. Moreover, we already know his password.

Using that information, I executed the "Shortest Paths to Domain Admins from Kerberoastable Users" query, but unfortunately no data was returned.

However, knowing that we owned two domain users, I also tried the query "Shortest Paths to Domain Admins from Owned Principals".

This is what I obtained:

Shortest paths to Domain Admins from owned principal

After clicking the help menu on the DCSync edge, here's what I got:

DCSync explanation

DCSync is a technique used to request the passwords of any user from a domain controller through the replication protocol (DRSUAPI). This requires DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges on the domain object, so this technique is usually used once privileges have already been lifted in the Active Directory.

Let's now execute the query "Find Principals with DCSync Rights":

Finding principals with DCSync rights

Awesome! As you can see here, we got a few domain users with DCSync rights in addition to the computer account SAUNA$. However, the user svc_loanmgr caught my eye, because normally only users with Domain Admins privileges can perform a DCSync attack.

Indeed, this is possible because svc_loanmgr holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All privileges on the domain object. These two privileges are all that is needed to perform a DCSync attack.

Reasons explaining why svc_loanmgr can perform a DCSync attack

Note: Members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups have these privileges by default.

Now that we have found users with DCSync rights, we need their password or hash in order to perform the DCSync attack with impacket-secretsdump.
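The same replication rights that make svc_loanmgr a DCSync principal are what a defender can watch for: when replication is requested, the domain controller logs Security event 4662 with access mask 0x100 (Control Access) on the domain object and the replication extended-right GUIDs in the Properties field, and any subject other than a DC computer account is a finding. The following is an added example, not code from the writeup, that applies that rule to constructed 4662 records; the list of known DCs is an assumption for this box.

```python
# Replication extended rights, by the GUID that appears in event 4662's Properties.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Accounts that replicate legitimately: the DCs' computer accounts (assumed for this domain).
KNOWN_DCS = {"SAUNA$"}

GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed 4662 records (sample data, not real logs). Properties is the
# multi-line text the event carries: the access type, then one GUID per line.
EVENTS_4662 = [
    {"SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "Control Access\n\t" + GET_CHANGES + "\n\t" + GET_CHANGES_ALL},
    {"SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "Control Access\n\t" + GET_CHANGES + "\n\t" + GET_CHANGES_ALL},
    # An ordinary attribute read with a constructed property GUID: not replication.
    {"SubjectUserName": "fsmith", "AccessMask": "0x10",
     "Properties": "Read Property\n\t{00000000-0000-0000-0000-00000000dead}"},
]


def dcsync_suspects(events, known_dcs=KNOWN_DCS):
    """Map each non-DC account to the replication rights it exercised."""
    allowed = {dc.upper() for dc in known_dcs}
    suspects = {}
    for e in events:
        if e.get("AccessMask") != "0x100":  # only Control Access operations
            continue
        props = e.get("Properties", "").lower()
        rights = {name for guid, name in REPLICATION_RIGHTS.items() if guid in props}
        subject = e.get("SubjectUserName", "")
        if rights and subject.upper() not in allowed:
            suspects.setdefault(subject, set()).update(rights)
    return suspects
```

Auditing "Directory Service Access" must be enabled on the DCs for 4662 to be written at all, and the same GUIDs can be used to review who holds these rights on the domain object before they are ever exercised.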

So let's try to escalate our privileges on the SAUNA machine, then check whether we can move laterally until we find juicy information.

To escalate our privileges, we're going to use winPEAS:

Python web server
Downloading winpeas on SAUNA machine
Executing winpeas
Autologon credentials found

Wonderful! We found autologon credentials.

However, there is no svc_loanmanager user in the domain, but there is a svc_loanmgr user.

Let's check whether these credentials are still valid for that account:

Authentication check

As you can see, we got a successful authentication as the svc_loanmgr user.

Checking other authentication methods

As usual, let's check svc_loanmgr's privileges:

Checking svc_loanmgr privileges

As you can see, svc_loanmgr is only a member of "Domain Users" and "Remote Management Users". That's fine, because what matters to us here is that svc_loanmgr has the privileges required to perform a DCSync attack.

So what are we waiting for? Let's do it:

Dumping ntds.dit database
Dumping secrets with secretsdump

Let's check whether we can authenticate to the DC with the dumped hashes:

Authentication checking
Successful remote login using psexec
Root flag

Persistence

In order to remain persistent on the compromised domain, we are going to generate a golden ticket. To do that, we will proceed as follows:

1/ Get the NT hash of the krbtgt account's password

Dumping krbtgt NT hash

2/ Find the domain’s SID

Finding the Domain SID

3/ Forge a golden ticket

Generating a golden ticket

4/ Export the golden ticket

Exporting the golden ticket

5/ Add the DC IP to the resolv.conf file

Adding DC IP to the resolv.conf file
Checking DNS lookup

6/ Get a session using the created golden ticket

Authenticating as haxor
  • -no-pass: don't ask for a password.
  • -k: use Kerberos authentication; grabs credentials from the ccache file (KRB5CCNAME) based on the target parameters.

Note: If you get the KRB_AP_ERR_SKEW (Clock skew too great) error, just synchronize your clock with the KDC using ntpdate, then generate a new ticket.

Mission Accomplished
