Hack The Box - Sauna Writeup

Machine summary


Enumeration phase

Since it's a Windows box, I first ran enum4linux with no arguments, and the only information I got was the domain name: EGOTISTICALBANK

Scanning with nmap for open ports:

We can see that the LDAP port is open, which means this should be a domain controller.
But port 80 is also open, so it's worth taking a look at the web page:
Nothing useful here, just a couple of forms in "Apply now" and "Contact Us".
Maybe the team page can help:

Initial Foothold and User escalation 


I compiled a few combinations of usernames like

  • s.driver
  • sdriver
  • sophie.driver
  • h.bear
  • ...
Then I used the kerbrute tool to enumerate users with the created user list:



It looks like user fsmith exists

Now I used impacket's GetNPUsers to get fsmith's AS-REP hash, since the account doesn't require Kerberos pre-authentication:

Saving the hash in a file like hash.txt and running hashcat:
 hashcat -m 18200 --force hash.txt rockyou.txt
It finds the password Thestrokes23 in a few seconds:
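As an added defender-side example (not part of the original writeup), the Python below checks the two things this step depends on: an enabled account whose userAccountControl has the DONT_REQ_PREAUTH bit set, and Event ID 4768 records showing a TGT issued with pre-authentication type 0 and RC4 (0x17) encryption, which is exactly what a hashcat -m 18200 hash is built from. The account values, event lines and the 10.10.14.5 source address are constructed sample data.

```python
"""Find AS-REP roastable accounts and TGT requests that look like roasting."""

# userAccountControl bits (values from the Active Directory schema)
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x2


def asrep_roastable(accounts):
    """Return enabled sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts.items()
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


# Constructed sample: userAccountControl values as exported from LDAP
SAMPLE_ACCOUNTS = {
    "fsmith": 0x400200,      # NORMAL_ACCOUNT | DONT_REQ_PREAUTH  -> roastable
    "hsmith": 0x200,         # NORMAL_ACCOUNT
    "svc_loanmgr": 0x10200,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "old_svc": 0x400202,     # DONT_REQ_PREAUTH but disabled -> not usable
}

# Constructed Event ID 4768 (Kerberos TGT requested) records, flattened to key=value
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=hsmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.175",
    "EventID=4768 TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.10.14.5",
]


def parse_event(line):
    """Turn one flattened key=value record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def suspicious_tgt_requests(lines):
    """4768 with PreAuthType 0 and RC4 (0x17): the AS-REP an offline cracker can work on.
    Returns (account, source IP) pairs; AES (0x12) replies are left out as much harder to crack."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if (ev.get("EventID") == "4768" and ev.get("PreAuthType") == "0"
                and ev.get("TicketEncryptionType", "").lower() == "0x17"):
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("suspicious 4768:", suspicious_tgt_requests(SAMPLE_4768))
```

Clearing the DONT_REQ_PREAUTH flag on the flagged accounts removes the condition the GetNPUsers step above needs; the 4768 check gives a log-based signal if the flag is ever set again.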


So now we have a valid user and password, confirmed with smbclient:

With this account we can run evil-winrm or any other WinRM script and get access to the system as fsmith:

User fsmith also has the user flag on its desktop: 1b5520b98d97cf17f24122a55baf70cf

The next step is to enumerate users, groups and privileges on the AD

Further enumeration

Some of the steps below may not be strictly needed, but I wanted a good understanding of the system before acting...

Now we can see that there is also a service user svc_loanmgr

I can upload SharpHound.ps1 and run it:

and then copy the result locally to analyze it with BloodHound.


Below are some graphs produced by BloodHound:



With rpcclient we can see that there are some users:

There are only standard groups:

And the three non-standard users (fsmith, hsmith, svc_loanmgr) are part of the "Domain Users" group.

We can get the SIDs of these users:

Uploading and running winPEAS.exe gives some possible escalation points:
- No AV installed
- appcmd.exe is installed
- User can create folder in c:\
- LAPS not installed
- Credentialguard not enabled
- LSA Protection not enabled

Using the reg query command to read the default (autologon) username and password settings:

We can connect with these credentials:

  • username: svc_loanmanager
  • password: Moneymakestheworldgoround!

This account has more privileges than a standard user:

Root escalation

With the user svc_loanmgr we can dump secrets with impacket:

Once we have the NTLM hash of administrator, it's easy to run psexec from impacket using:

python3 ../../impacket-master/examples/psexec.py  -hashes aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff "EGOTISTICALBANK/administrator@10.10.10.175"

and we can get a shell as administrator:

Root flag is: f3ee04965c68257382e31502cc5e881f
