Sauna Machine Walkthrough

Sauna Hackthebox Machine Detailed Walkthrough

“Technology is just a tool. In terms of getting the kids working together and motivating them, the teacher is the most important.” - Bill Gates

Machine Matrix

Machine Summary

Box has an webapplication running, from which we enumerated the usernames. We made certain modifications on the usernames and ran GetNPUsers.py from impacket library inorder to check whether any user has kerberos pre-authentication disabled. As expected one (fsmith) user as kerberos pre-authentication disabled and using winrm we get the user shell. Now for privilege escalation, we find that there is a default crendentials stored for a user (svs_loanmgr) but that that is not the administrator. We use secretsdump.py again from impacket library to dump the crendentials of all the user including the administrator.

Nmap Scan

I started the enumeration with nmap scan

nmap -sC -sV 10.10.10.10.175

The Box had 12 ports open

PortService
53domain
80http IIS Server
88kerberos-sec
135msrpc
139netbios-ssn
389ldap
445microsoft-ds
464kpasswd5
593ncacan_http
636tcpwrapped
3268ldap
3269tcpwrapped

Enumeration on port 80

I enumerated on the webapplication to check if there is any misconfigurations that could lead us to initial foothold but that didnt end well. We have potential names of the employees and check with any of the user have kerberos pre-authentication disabled.

fergus smith
shaun coins
sophie driver
bowie taylor
hugo bear
steven kerb

Enumerating with usernames

I formed a list of usernames of the Active Directory, i formed the list using certain naming conventions such as username for John Melon can be

j.melon 
jmelon
johnm
john.melon
john.m

Kerberos Pre-Authentication

The Key Distribution Center (KDC) is available as part of the domain controller and performs two key functions which are: Authentication Service (AS) and Ticket-Granting Service (TGS)

By default the KDC requires all accounts to use pre-authentication. This is a security feature which offers protection against password-guessing attacks. The AS request identifies the client to the KDC in plain text. If pre-authentication is enabled, a time stamp will be encrypted using the user’s password hash as an encryption key. If the KDC reads a valid time when using the user’s password hash, which is available in the Active Directory, to decrypt the time stamp, the KDC knows that request isn’t a replay of a previous request.

When you do not enforce pre-authentication, a malicious attacker can directly send a dummy request for authentication. The KDC will return an encrypted TGT and the attacker can brute force it offline.

Acquring User Shell

Some time kerberos pre-authentication is disabled for the domain users. As mentioned earlier we can get the encrypted TGT with a dumy query using GetNPUsers.py from impacket library with the username list that i have formed.

GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile usernames.txt -no-pass -format john -outputfile hash.txt

I was able to retrive the kerberos hash for the username fsmith

I cracked the obtained hash of fsmith using john, the password for fsmith was Thestrokes23

Now i used evil-winrm tool with the username as fsmith and password as Thestrokes23 to get the shell.

Privilege Escalation

As usual i ran winpeas for enumerating on the privilege escalation, found there was an autologon credentials for the user svc_loanmanager

we can also manually verify it using the command:

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword

or

REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultPassword /reg:64
Auto Logon Credentials
username: svc_loanmanager
password: Moneymakestheworldgoround!

Getting the administrator access won’t be this simple, i was not able to get the shell for the user svc_loanmanager. The user’s folder had only fmsith, svc_loanmgr, administrator (enumerated using the fsmith access). Now i tried with the username svc_loanmgr, got the shell I manually enumerated it and found that it is a part of domain controlle

So i ran secretsdump.py to dump the credentials of all the users.

secretsdump.py EGOTISTICAL-BANK.local/svc_loanmgr@EGOTISTICAL-BANK.local

Now i used the NTLM hash of the administrator directly in evil-winrm to get the shell

evil-winrm -i 10.10.10.175 -u administrator -H {HASH}

Happy Hacking!


© 2020. All rights reserved to r3dw0lf_sec.

Powered by Hydejack v9.0.0-rc.6