HTB - Sauna Writeup - Liam Geyer

👾 Machine Overview

This is a writeup of the machine Sauna from HTB , it’s an easy difficulty Windows machine which featured ASREPRoasting and credential hunting.

🔍 Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC 10.129.230.201
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 10:28 EDT
Nmap scan report for 10.129.230.201
Host is up (0.020s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-29 21:29:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-05-29T21:29:08
|_  start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.47 seconds

I checked out anonymous SMB and LDAP but didn’t get any quick wins there.

🌐 Egotistical Bank Website

I started by checking out the website on port 80.

Website Homepage

I fuzzed around for interesting directories, but didn’t find much. There’s a page with a bunch of employee names that we can toss into username anarchy and subsequently Get-NPUsers or Kerbrute to try to enumerate some domain users.

Employee Listing

🥈 User

I built a list of their names and tossed it into username-anarchy to get various potential usernames in common formats.

Username Generation

I then threw that list into Impacket’s Get-NPUsers to see if there were any valid users, or ASREPRoastable accounts. ASREPRoasting exploits a lack of Kerberos pre-authentication to get a message that can be cracked to obtain a user’s password.

ASREPRoasting

We’re able to successfully ASREPRoast fsmith, I tossed the resulting output into hashcat to attempt to crack it.

Cracking fsmith

It cracked with rockyou, I used his credentials to WinRM in and grab the flag.

Shell as fsmith

🥇 Root

I started off by checking out frank’s privileges and groups.

Privs and Groups

There wasn’t anything super notable, SeMachineAccountPrivilege could be useful. I decided to run WinPEAS to see if it came up with anything useful.

WinPEAS

WinPEAS was able to pull cleartext autologon credentials for svc_loanmanager, but I wasn’t able to use this user to WinRM into the box.

Since we weren’t able to use svc_loanmanager to login, I uploaded and ran sharphound to see if the account has any notable permissions.

BloodHound

Surprisingly, BloodHound shows that svc_loanmanager is able to DCSync. Note that the username for the domain account in BloodHound is different than the local user we were able to pull credentials for.

I used the password pulled from WinPEAS with Impacket’s secretsdump to dump the Administrator hash.

Secretsdump Output

Lastly I used WinRM to log in and grab the flag

Shell as Administrator

📖 Resources

🔗 Hyperlink	ℹ️ Info
MindPoint	GPP PrivEsc
ASREPRoasting	Cybersec Notes
Username Anarchy	Cybersec Notes
WinPEAS	Windows PrivEsc Script
DCSync	Cybersec Notes