HTB | Sauna
This is a box on the Hack The Box Active Directory 101 track. Find the box here.
Skills Learned
AS-REP Roasting
DCSync Attack
NMAP
IP: 10.10.10.175
nmap -sC -sV 10.10.10.175 -Pn -T5
Port 80
We found a website.

Let's run gobuster:
It finds nothing of interest.

Port 445 & 139
SMB
Neither smbmap nor smbclient will allow me to list shares without a password:


RPC
I'll try to connect with a null session:

Looks like we do not have permission to view users and groups:

Port 389 - LDAP Enumeration
The nmap script did some basic enumeration and returned the domain EGOTISTICAL-BANK.LOCAL. I’ll dig in a bit more with ldapsearch.
This confirms the domain, EGOTISTICAL-BANK.LOCAL:

Now to get more info about the domain:

Port 88 - Kerberos
The About Me page on the website gives us a list of employee names; we'll feed those to username-anarchy to build a list of candidate usernames.


Now let's run username-anarchy:

Now that we have candidate usernames, we can use either list to check for AS-REP Roasting.
Foothold/shell
shell as fsmith
AS-REP Roasting background
This article has a great post on attacking Kerberos that includes AS-REP Roasting. Normally, when a client asks the DC for a ticket, it must first prove knowledge of its password through Kerberos pre-authentication. But an account can be configured with the DONT_REQ_PREAUTH flag, in which case the DC returns the AS-REP to anyone who asks for that account, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline. AS-REP Roasting checks whether any known usernames have this flag set.
I’ll use the list of users I collected from username-anarchy, and run GetNPUsers.py to look for vulnerable users. Three come back as not vulnerable, but one gives a hash:

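The two checks a defender would want for the condition described above, written as an added example (this is not code from the writeup or from the impacket project): an audit that flags accounts carrying the DONT_REQ_PREAUTH bit in userAccountControl, and a scan over Kerberos TGT-request records (Windows Security Event ID 4768) for the signature that a GetNPUsers.py run leaves behind. The LDAP output, the event records, the IP addresses and the numeric values are all constructed for the example; only the usernames mirror the box.

```python
"""Added example (not from the original writeup): two defender-side checks
for the AS-REP Roasting condition.

1. audit_preauth() flags accounts whose userAccountControl value carries the
   DONT_REQ_PREAUTH bit (0x400000), the setting that makes an account roastable.
2. detect_asrep_roast() scans Event ID 4768 records for the roasting signature:
   a successful ticket request with Pre-Authentication Type 0 and an RC4 (0x17)
   ticket encryption type, which is what GetNPUsers.py elicits.

All data below is constructed for the example.
"""

# UF_DONT_REQUIRE_PREAUTH flag in userAccountControl (documented Microsoft value).
DONT_REQ_PREAUTH = 0x400000

# Constructed ldapsearch-style output: sAMAccountName / userAccountControl pairs.
# 66048   = 0x10200  (NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD)
# 4260352 = 0x410200 (the same plus DONT_REQ_PREAUTH)
SAMPLE_LDAP = """\
sAMAccountName: hsmith
userAccountControl: 66048
sAMAccountName: fsmith
userAccountControl: 4260352
sAMAccountName: svc_loanmgr
userAccountControl: 66048
"""


def audit_preauth(ldap_text):
    """Return the accounts with 'Do not require Kerberos preauthentication' set."""
    flagged = []
    current = None
    for line in ldap_text.splitlines():
        if line.startswith("sAMAccountName: "):
            current = line.split(": ", 1)[1].strip()
        elif line.startswith("userAccountControl: ") and current is not None:
            uac = int(line.split(": ", 1)[1])
            if uac & DONT_REQ_PREAUTH:
                flagged.append(current)
            current = None
    return flagged


# Constructed Event ID 4768 records, reduced to the fields the check needs.
# PreAuthType 2 is the normal encrypted-timestamp pre-auth; 0 means none was sent.
# Status 0x0 is success; 0x19 is KDC_ERR_PREAUTH_REQUIRED (the DC refused, and
# no ticket was issued, hence the 0xFFFFFFFF encryption type).
SAMPLE_4768 = [
    {"AccountName": "hsmith", "IpAddress": "10.10.14.5",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
    {"AccountName": "hsmith", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": 0xFFFFFFFF, "Status": 0x19},
    {"AccountName": "fsmith", "IpAddress": "10.10.14.5",
     "PreAuthType": 0, "TicketEncryptionType": 0x17, "Status": 0x0},
    {"AccountName": "svc_loanmgr", "IpAddress": "10.10.10.175",
     "PreAuthType": 2, "TicketEncryptionType": 0x12, "Status": 0x0},
]


def detect_asrep_roast(events):
    """Return (account, source IP) pairs where a roastable AS-REP was issued."""
    hits = []
    for e in events:
        if (e["PreAuthType"] == 0
                and e["TicketEncryptionType"] == 0x17
                and e["Status"] == 0x0):
            hits.append((e["AccountName"], e["IpAddress"]))
    return hits


if __name__ == "__main__":
    print("Accounts without pre-auth:", audit_preauth(SAMPLE_LDAP))
    print("Possible AS-REP roast:", detect_asrep_roast(SAMPLE_4768))
```

The first check is the same question GetNPUsers.py asks, only run by an administrator against an export of their own directory; clearing the flag (or, where an application needs it, keeping the account on a long random password and AES-only) removes the exposure. The second check only has data to work with if the DC's "Audit Kerberos Authentication Service" subcategory is enabled, and a hit on an account that legitimately has the flag set is still worth a look at the source address, since normal clients of such an account do not usually ask from an attacker-style workstation.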
Since we have the hash, we can crack it with hashcat:

That gives us the password, so we can log in with evil-winrm:

Boom! We have user.txt.
Privilege Escalation
Having gained a foothold on the machine, we can use a script such as WinPEAS to automate enumeration tasks.
Run a Python HTTP server on Kali:

Download WinPEAS:

Run WinPEAS:

WinPEAS found credentials for svc_loanmanager. Examination of C:\Users\ confirms that the similarly named svc_loanmgr has logged on locally. Let's log on as that user with evil-winrm:

Since DNS is configured and reachable, we can collect the BloodHound data remotely from Kali:

If DNS is not reachable, run SharpHound.exe from the victim box (Sauna) instead.
Run the collector with the following command to produce the JSON files:

Start Neo4j and BloodHound and import the JSON files.
After uploading, search for svc_loanmanager, right-click the node, and mark it as Owned:


On the left, look under Outbound Object Control for the objects this user has rights over. In this case, there is one:

Clicking the "1" adds that item to the graph:

This account has the GetChanges and GetChangesAll rights on the domain. The help text for the GetChanges edge shows that these rights can be abused with mimikatz:

DCSync
My preferred way to do a DCSync attack is using secretsdump.py, which allows me to run a DCSync attack from my Kali box, provided I can talk to the DC on TCP 445 and 135 and a high RPC port. This avoids fighting with AV, though it does create network traffic.

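The traffic the author mentions has a host-side counterpart: with directory service access auditing enabled, every DCSync shows up on the DC as a Security Event ID 4662 whose Properties field carries the GUIDs of the replication rights that BloodHound flagged above. The following added example (not code from the writeup, impacket or BloodHound) checks a batch of such records and alerts on any principal other than a domain controller computer account exercising those rights. The event records and the DC allow-list are constructed for the example; the replication-right GUIDs are the well-known schema values.

```python
"""Added example (not from the original writeup): flag DCSync-style replication
requests in Windows Security Event ID 4662 records.

A DCSync (secretsdump.py or mimikatz) asks the DC for directory data using the
DS-Replication-Get-Changes rights. With "Audit Directory Service Access" on and
a SACL covering those rights, the DC records the request as a 4662 event whose
Properties field contains the control-access-right GUIDs below. Genuine
replication comes only from domain controller computer accounts, so any other
principal exercising those rights deserves an alert.

The events and the DC allow-list are constructed for the example.
"""

# Well-known control access right GUIDs for replication (AD schema values).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list: the computer accounts of the domain's DCs.
DC_ACCOUNTS = {"SAUNA$"}

# Constructed 4662 records reduced to the fields the check needs. Access mask
# 0x100 is "control access", the mask logged when an extended right is used.
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Ordinary read of some attribute; the GUID is a constructed placeholder,
    # not a replication right.
    {"SubjectUserName": "hsmith", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x10",
     "Properties": "{11111111-2222-3333-4444-555555555555}"},
]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Return one alert per non-DC principal that exercised a replication right."""
    alerts = []
    for e in events:
        if int(e["AccessMask"], 16) & 0x100 == 0:
            continue  # not a control-access operation, so not an extended right
        props = e["Properties"].lower()
        rights = [name for guid, name in REPL_RIGHTS.items() if guid in props]
        if not rights:
            continue  # some other extended right, out of scope here
        if e["SubjectUserName"].upper() in dc_accounts:
            continue  # expected replication partner
        alerts.append({
            "account": e["SubjectDomainName"] + "\\" + e["SubjectUserName"],
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662):
        print("DCSync suspected:", alert["account"], "used", ", ".join(alert["rights"]))
```

The allow-list is the part that needs care: it must hold every DC computer account in the forest, and a DC that is decommissioned should come out of it, otherwise a stale entry becomes a blind spot. Pair this with a network-side rule for DRSUAPI replication calls arriving from addresses that are not domain controllers, which is exactly the traffic the author notes secretsdump.py generates over TCP 445, 135 and the high RPC port.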
Now that we have the hashes, we can perform a Pass The Hash attack using psexec.py:

And boom, we have root:
