Sauna

Run nmap.

Review interesting findings

  • 9389/tcp – Active directory web services
  • 445/139/tcp – SMB ports; let's run smbmap.
  • 80/tcp – web server; let's run dirb on it.
  • 3268/tcp – Global catalog: LDAP requests sent to port 3268 can be used to search for objects in the entire forest.
  • 464/tcp – kpasswd – A vulnerability has been reported in Kerberos, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the kpasswd application not properly handling malformed UDP packets and can be exploited to exhaust CPU and network resources via the UDP “ping-pong” attack on port 464.
    References: [CVE-2002-2443], [SECUNIA-53375]
  • 389/tcp – LDAP
  • 593/tcp – MS Security Bulletin [MS03-026] outlines a critical Buffer Overrun RPC vulnerability that can be exploited via ports 135, 139, 445, 593 (or any other specifically configured RPC port). You should filter the above mentioned ports at the firewall level and not allow RPC over an unsecure network, such as the Internet.
  • 135/tcp – Remote Procedure Call (RPC) 
  • 88/tcp – KDC (Kerberos key distribution center) server.
  • 5985/tcp – WinRM 2.0 (Microsoft Windows Remote Management) uses port 5985/tcp for HTTP and 5986/tcp for HTTPS by default.

We can see many interesting ports to look at – the box seems to be LDAP/AD/Kerberos focused. We also see that nmap hits a segmentation fault.

Checking the services

SMBmap doesn’t give us much to work with here.

Not much shown from dirb either; it looks like a pretty flat site. We have a lot of other choices to check, but let's spin up sparta to try and narrow down our options before we take the next step with the AD/LDAP/Kerberos enumeration. Let's see if it gives us alternative options.

While sparta is running we will also set up openvas on our machine using the guide here: https://hackertarget.com/install-openvas-gvm-on-kali/

root@kali:~# apt update
root@kali:~# apt install openvas
root@kali:~# openvas-setup
root@kali:~# greenbone-scapdata-sync
root@kali:~# openvas-adduser
root@kali:~# gsd
[*] Creating admin user
User created with password '73a95e20-b3fd-4e77-9b6f-247a49ff695e'.

While these scans run we read up on Kerberos here: https://www.tarlogic.com/en/blog/how-kerberos-works/ ; this blog leads us to an interesting attack which matches the box's name, Kerberoasting ( https://attack.mitre.org/techniques/T1208/ ), but we need a domain account to do this. So let's try and get one with some further enumeration.

A good amount of information, usernames, including guest. Plus the domain name. Going back to the site itself we found some usernames;

We can also see many blog posts from user Admin. Finally using cme we can find some additional information.

Vulnerability Detection Result

Here is the list of DCE/RPC or MSRPC services running on this host via the TCP protocol:

CME doesn’t show us much and our OpenVAS scan hasn’t given us any vulnerabilities to exploit, though we did get additional enumeration information. But I think this is the extent of the info we will get, so let's start trying to get in using https://www.tarlogic.com/en/blog/how-to-attack-kerberos/ and https://pentestlab.blog/2018/06/04/spn-discovery/

We will need a valid user so we create a user list using cewl and edit it to include the users above, in different standard employee formats. Ever wonder why your employer doesn’t just use $Firstname.$lastname? Now you know!

Foothold

Initial foothold shows we are using the wrong domain, to the glee of a friend who is getting into the habit of saying stop being stooopid.

Interestingly it looks like fsmith is a user and we now have their hash. Bouncing back to the blogs we are able to move along this chain to crack this hash. Using hashcat we run:

hashcat -m 18200 --force -a 0 hashes.asreproast /usr/share/wordlists/rockyou.txt

With that we have the password and the SPN for

ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 00:54:34.140321  <never>               

HSmith is showing instead of fsmith, interestingly. I need to read up more on SPNs, though it probably won't be needed for this box. Microsoft has some good documentation here: https://docs.microsoft.com/en-us/windows/win32/ad/service-principal-names

A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name.

It looks like hsmith will be the service account we will be targeting. Initially we were getting an error when trying to run this command “[-] SPN:  – Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)” but after doing an ntpupdate 10.10.10.175 we fixed this. Running the command above again we get the hash and now we just need to.. ah roast it.

We crack it successfully but the password is Thestrokes23.. same as for fsmith, maybe this was a false positive. Let's log in.
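
From the defender's side, both conditions met so far (an account the KDC answers without pre-authentication, as the fsmith hash implies, and a user account carrying an SPN, as HSmith does) are visible in directory attributes. The audit below is an added example, not part of the original write-up; the LDIF-style export and its userAccountControl values are constructed sample data.

```python
"""Added example: flag roastable accounts in an LDIF-style export of AD users."""
UF_ACCOUNTDISABLE = 0x0002          # account is disabled
UF_NORMAL_ACCOUNT = 0x0200          # ordinary user, not a machine trust account
UF_DONT_REQUIRE_PREAUTH = 0x400000  # KDC issues an AS-REP without pre-authentication

# Constructed sample export: attribute values are illustrative, not from the box.
SAMPLE_LDIF = """\
dn: CN=FSmith,CN=Users,DC=EGOTISTICALBANK,DC=LOCAL
sAMAccountName: FSmith
userAccountControl: 4260352

dn: CN=HSmith,CN=Users,DC=EGOTISTICALBANK,DC=LOCAL
sAMAccountName: HSmith
userAccountControl: 66048
servicePrincipalName: SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111

dn: CN=krbtgt,CN=Users,DC=EGOTISTICALBANK,DC=LOCAL
sAMAccountName: krbtgt
userAccountControl: 514
servicePrincipalName: kadmin/changepw

dn: CN=SAUNA,OU=Domain Controllers,DC=EGOTISTICALBANK,DC=LOCAL
sAMAccountName: SAUNA$
userAccountControl: 532480
servicePrincipalName: ldap/SAUNA.EGOTISTICALBANK.LOCAL
"""

def parse_ldif(text):
    """Split the export into entries; every attribute maps to a list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def audit(text):
    """Return (account, finding) pairs for enabled accounts with roastable settings."""
    findings = []
    for entry in parse_ldif(text):
        name = entry["sAMAccountName"][0]
        uac = int(entry["userAccountControl"][0])
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled (e.g. krbtgt): skipped in this audit
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "pre-authentication not required"))
        if uac & UF_NORMAL_ACCOUNT and entry.get("servicePrincipalName"):
            findings.append((name, "user account with an SPN"))
    return findings
```

Accounts flagged for the first finding should have pre-authentication re-enabled; accounts flagged for the second need long random passwords or a managed service account, since their ticket is encrypted with a key derived from the account password.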

Looks like we can smb login as hsmith and fsmith.

We see a RICOH printer drive which is interesting, but there don't seem to be any vulnerabilities we can use. Going back over the nmap results we see winrm running on this server on its default port, so let's try Evil-Winrm to see if we can get a shell with these users. We use this guide to set up Evil-Winrm – https://github.com/Hackplayers/evil-winrm

Bingo! We have access for FSmith, but we can't access winrm from hsmith. So let's try some enumeration to get root; bloodhound might be good here. Using ired's tutorial we set up bloodhound: https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

While this is being set up we enumerate some more.

We can see a svc account is available.. we will try to kerberoast it.

Doesn’t work, so let's enumerate some more:

Some good information. We also run these commands from C:\

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini

We get a lot of results but nothing seems relevant. After a while we find a blog with additional enumeration steps; https://pentestlab.blog/2017/04/19/stored-credentials/ ;

I am not associated with https://pentestlab.blog/ but I owe her so many beers by now.

DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
DefaultPassword    REG_SZ    Moneymakestheworldgoround!
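
DefaultUserName and DefaultPassword are the Winlogon AutoLogon values, stored in plaintext and readable by any local user. The check below is an added example, not part of the original write-up: it parses `reg query` output collected from a host and reports whether a plaintext AutoLogon password is present, without echoing it. The sample output and the svc_example account in it are constructed.

```python
"""Added example: detect plaintext AutoLogon credentials in `reg query` output."""
import re

# Constructed sample of `reg query` output for the Winlogon key (values invented).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_example
    DefaultPassword    REG_SZ    Constructed pass phrase!
    Shell    REG_SZ    explorer.exe
"""

# reg.exe prints: four spaces, value name, four spaces, type, four spaces, data.
VALUE_RE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_values(output):
    """Map value name -> data; data may contain spaces, so capture to end of line."""
    values = {}
    for line in output.splitlines():
        match = VALUE_RE.match(line)
        if match:
            values[match.group(1)] = match.group(3)
    return values

def autologon_finding(output):
    """Return a finding dict if a non-empty DefaultPassword is stored, else None."""
    values = parse_values(output)
    password = values.get("DefaultPassword", "")
    if not password:
        return None
    return {
        "account": values.get("DefaultUserName", "<unknown>"),
        "auto_logon_enabled": values.get("AutoAdminLogon") == "1",
        "password_length": len(password),  # report the length, never the secret
    }
```

Where automatic logon is genuinely required, the Sysinternals Autologon utility stores the password as an LSA secret instead of a plaintext registry value.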

We now have User 1 and User 2, but how do we get root… Let's go over our enumeration with impacket and these new user credentials.

We have a ticket granting ticket. Let's kerberoast the service account in case we get something new. But we don’t.

Sadly this isn’t helping us. So let's go back to enumeration; we have a domain account, so let's use bloodhound to enumerate all things AD:

Going through the information generated we see Unconstrained delegation is enabled, allowing for this attack; https://blog.stealthbits.com/unconstrained-delegation-permissions/ this might help us. Unfortunately it doesn’t.

But the information from just FSmith's account is limited, so let's log in as svc_loanmgr and see what information we get.

After spending some time navigating bloodhound, as nice as having a gui is for the point-click admins, I hate it – but after much searching, blood, sweat and sanity I finally see that svc_loanmgr has both getchanges and getchangesall privileges allowing for a DCSync attack.

We will attack it using the impacket tool secretsdump.py, described in the blog https://spookysec.net/2019-12-01-domain-controller-sync/ (sent our way by a friend who stops us being stoopid).
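
The same finding can be reached from the defensive side by auditing the access control list on the domain root for the two replication extended rights. The audit below is an added example, not part of the original write-up: the ACE list is constructed, backup_op and helpdesk are hypothetical principals, the EXPECTED allowlist is an assumption, and group nesting and deny ACEs are not resolved.

```python
"""Added example: find unexpected principals holding both replication rights."""
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the ACE grants extended rights

# Assumption: principals expected to hold replication rights in this domain.
EXPECTED = {"Domain Controllers", "Enterprise Domain Controllers", "Administrators"}

# Constructed ACEs (trustee, type, access mask, object type GUID or None),
# as they might be exported from the DACL of the domain root object.
SAMPLE_ACES = [
    ("Enterprise Domain Controllers", "allow", 0x100, GET_CHANGES),
    ("Domain Controllers", "allow", 0x100, GET_CHANGES_ALL),
    ("Administrators", "allow", 0x100, GET_CHANGES),
    ("Administrators", "allow", 0x100, GET_CHANGES_ALL),
    ("svc_loanmgr", "allow", 0x100, GET_CHANGES.upper()),
    ("svc_loanmgr", "allow", 0x100, GET_CHANGES_ALL),
    ("backup_op", "allow", 0xF01FF, None),    # full control: every extended right
    ("FSmith", "allow", 0x10, None),          # read property only, no extended rights
    ("HSmith", "allow", 0x100, GET_CHANGES),  # one of the two rights: not sufficient
    ("helpdesk", "deny", 0x100, None),        # deny ACE: ignored by this audit
]

def dcsync_capable(aces, expected=EXPECTED):
    """Return sorted trustees outside `expected` that hold both replication rights."""
    granted = {}
    for trustee, ace_type, mask, object_type in aces:
        if ace_type != "allow" or not mask & CONTROL_ACCESS:
            continue
        if object_type is None:
            rights = {GET_CHANGES, GET_CHANGES_ALL}  # no GUID: all extended rights
        elif object_type.lower() in (GET_CHANGES, GET_CHANGES_ALL):
            rights = {object_type.lower()}
        else:
            continue  # some other extended right
        granted.setdefault(trustee, set()).update(rights)
    needed = {GET_CHANGES, GET_CHANGES_ALL}
    return sorted(t for t, r in granted.items() if needed <= r and t not in expected)
```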

From here we just need to use the hash with Evil-Winrm as administrator to get the flag.

Game, set and match, but in saying that I was working on this on-off for about 4 days before it clicked. Strangely, it was seeing the vulnerability in bloodhound that I had the most trouble with, which if you go by the comments in the HTB forums was the easy bit! 😀

Such is life.
