OSCP Preparations – HTB Sauna

Sauna is one of the retired vulnerable machines and runs the Windows operating system. The goal is to obtain the user and root flags using its vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan

Full Port Scan

The port scan found many open ports. The important ones are 53/tcp domain (Simple DNS Plus), 80/tcp http (Microsoft IIS httpd 10.0), 88/tcp kerberos-sec (Microsoft Windows Kerberos) and 389/tcp ldap (Microsoft Windows Active Directory LDAP); enumeration will be done on these ports.
The Nmap scan also showed that Windows Active Directory is installed and that the domain is egotistical-bank.local. We note this and continue.
First, let’s run a scan over SMB.
We used the crackmapexec, rpcclient and smbmap tools and did not get any results.
Next we perform LDAP enumeration.

rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
| ldapServiceName: EGOTOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL

Now that we are sure of the domain name, I run the ldapsearch tool against the target with the command:

ldapsearch -x -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'

We get information back, but nothing useful.
We run a scan to see whether a DNS zone can be retrieved over the open DNS port.

There is no DNS zone.
Now we move on to enumeration over the web.

I browse around the site, but nothing interesting comes up. All pages are static and the forms do not work.
We ran a hidden file and directory scan with gobuster and looked at the source code, but we didn’t find anything; we only found the files that can be found on the domain.

We noted the names that may be users.
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

These users can be used in the AD environment. One of the first steps in solving AD machines is to find users. We cannot use the names as they are, though: users are not stored in this form, so the names need to be converted to a format suitable for AD. (https://activedirectorypro.com/active-directory-user-naming-convention/)
With a list of candidate usernames, we can check whether Kerberos pre-authentication is disabled for any of them. Kerberos pre-authentication protects against password guessing attacks. When Kerberos pre-authentication is not enabled for an account, a fake authentication request can be sent for it. The KDC (Key Distribution Center) will check the authentication service request (AS-REQ), verify the user information, and issue an encrypted Ticket Granting Ticket (TGT). The Ticket Granting Ticket (TGT) is encrypted with the NTLM hash of the corresponding account. We can generate a hash from this, and we can crack this hash.
I will use the username-anarchy (https://github.com/urbanadventurer/username-anarchy) tool to put these names into suitable formats. First I save the names I collected in a file, and then I feed that file to username-anarchy.

It created 88 usernames. Now let’s try to determine whether these users exist or not.
We will use the kerbrute tool for this.

Out of 88 users, kerbrute found the user fsmith@EGOTISTICAL-BANK.LOCAL.
The next step is to determine if the “Don’t require Kerberos pre-authentication” option is enabled. For this we will use the GetNPUsers.py tool.
We could not detect this in the users.

We got the hash value from the user fsmith.

[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:300eab0f59bbc3a7c63afeee4fe94128$5ef9adec4387d32614da7c889204f086f4869adb8a5541925415454ff7a9323fe13d702f0cb7ffe5143d4c529e656cbfa2337bb5821067c910514d679eaf15d78aaa9ea3f7b37783031a801febd6c9e282918ff56fdb7dfd09a4200708011e80c3952f2812528b8a03adaba16d49d1a9e22cb56acff58e69893bb9b6c57f155e14ff2d0f5593149cbc0e0852245e2f6ecb84aa7cfaa01c7205d8cff436d9d2057ce8967648cfa7280f846738ea03d11f279b211119f5f090d6f37a458b15bf298b8468b8365ee9adb6ad1197de0a469ece31a4f309e0f6f141e294567fafa3ac38b87d0833d53c0dd3314588171318f350e5cc6ddf4ea893789ebb8c015ebddf
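
Seen from the defender's side, the accounts exposed to this request are the ones whose userAccountControl has the "Do not require Kerberos preauthentication" bit (0x400000) set. The following audit is an added example, not part of the original write-up; it assumes an authenticated LDIF export that includes sAMAccountName and userAccountControl, and the sample entries and their flag values are constructed.

```python
# Added example: audit an LDIF export for accounts that skip Kerberos pre-auth.
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

# Constructed sample in the layout ldapsearch prints; the account names other
# than fsmith and all flag values are assumptions for illustration.
SAMPLE_LDIF = """\
dn: CN=Fergus Smith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=Example User,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: example_user
userAccountControl: 66048

dn: CN=Old Service,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
sAMAccountName: svc_old
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Split LDIF text into one attribute -> value dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comments and continuation lines are ignored
            key, value = line.split(": ", 1)
            entry[key] = value.strip()
        if entry:
            entries.append(entry)
    return entries


def preauth_disabled(entries, include_disabled=False):
    """Return account names whose UAC flags allow requests without pre-auth."""
    findings = []
    for entry in entries:
        try:
            uac = int(entry.get("userAccountControl", ""))
        except ValueError:
            continue  # entry carries no usable userAccountControl value
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue  # disabled accounts cannot be issued tickets
        findings.append(entry.get("sAMAccountName", entry.get("dn", "?")))
    return findings


if __name__ == "__main__":
    for name in preauth_disabled(parse_ldif(SAMPLE_LDIF)):
        print(f"pre-authentication disabled: {name}")
```

Any account this reports should have the flag cleared unless a legacy client requires it, in which case it needs a long random password.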

Let’s crack this hash with John the Ripper.

Here we have cracked the hash and obtained the password Thestrokes23.
Since port 5985 is open, let’s try to connect to WinRM with this credential. WinRM (Windows Remote Management) is a built-in remote management protocol native to Windows and is usually enabled for users who need to manage systems remotely. To use it, we connected using the Evil-WinRM tool.

This way we got our user flag, but we didn’t have access to Administrator. Therefore, we perform local enumeration.
We use the winpeas.exe tool to automate local enumeration.
https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASexe/README.md
Since we connected with Evil-WinRM, we transferred our file to the target machine by typing the “upload” command there.

Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Here we saw the svc_loanmanager credentials. When we look at the users on the machine, there is no svc_loanmanager; the closest named user is svc_loanmgr.

Let’s try to connect as this user.

We managed to connect as the svc_loanmgr user, but we still can’t get into the Administrator directory.
Therefore, we continue with local enumeration.
We will use BloodHound to perform local enumeration in AD. With it we can identify attack chains that allow privilege escalation on the domain, and we can visualize the data we collect.
We download SharpHound to run it on the target.

Then we upload it to the target machine and run it.

After installing SharpHound on the target, we run BloodHound on our local machine.
Then we retrieve the zip file created by SharpHound with the download command.

We drag and drop this zip file into BloodHound.

Here we then mark the users we have captured as owned.

We did the same for fsmith.
Then we looked in the queries section for how we can take over the domain admin.
It showed that we could take over the domain admin with DCSync.

Right-click here and select Help.

As we see in the Help section, we can get it with secretsdump.py.

Let’s try to implement it now.
secretsdump.py did not return the hash information no matter what we did, so we installed and ran mimikatz on the machine and got the Administrator hash.
C:\Users\svc_loanmgr\Documents> .\mimikatz 'lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:administrator' exit

Credentials:
Hash NTLM: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 0: 823452073d75b9d1cf70ebdf86c7f98e
ntlm- 1: d9485863c1e9e05851aa40cbb4ab9dff
ntlm- 2: 7facdc498ed1680c4fd1448319a8c04f
lm  - 0: 365ca60e4aba3e9a71d78a3912caf35c
lm  - 1: 7af65ae5e7103761ae828523c7713031
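
The replication request made above is visible on a domain controller as Security event 4662 carrying the DS-Replication-Get-Changes rights, requested by an account that is not a domain controller. The following detection sketch is an added example, not part of the original write-up; it assumes Directory Service Access auditing is enabled, and the event records are constructed.

```python
import re

# Control-access rights requested when directory replication is invoked.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")
DOMAIN_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class

# Constructed event 4662 records; values are illustrative, not from the target.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_CLASS},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_CLASS},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} " + DOMAIN_CLASS},
    {"EventID": 4662, "SubjectUserName": "fsmith", "AccessMask": "0x10",
     "Properties": "%%7684 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def find_dcsync(events, allowed_accounts=()):
    """Map each non-allowlisted account to the replication rights it used."""
    allowed = {name.lower() for name in allowed_accounts}
    hits = {}
    for event in events:
        # 0x100 is the Control Access mask used for extended rights.
        if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
            continue
        user = event.get("SubjectUserName", "")
        if user.lower() in allowed:
            continue  # domain controllers and sync services replicate legitimately
        guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
        rights = {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}
        if rights:
            hits.setdefault(user, set()).update(rights)
    return {user: sorted(rights) for user, rights in hits.items()}


if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS, ["SAUNA$"]).items():
        print(f"replication requested by non-DC account {user}: {', '.join(rights)}")
```

The allowlist should name the domain controllers' machine accounts and any directory synchronization service explicitly, so that an ordinary computer account is not exempted.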
Using this hash, we will perform a pass-the-hash attack and use psexec.py to log in as the SYSTEM user.
psexec.py -hashes '823452073d75b9d1cf70ebdf86c7f98e:823452073d75b9d1cf70ebdf86c7f98e' -dc-ip 10.10.10.175 administrator@10.10.10.175

As you can see, we were able to log in as the SYSTEM user and get our root flag.
If we wanted to log in with the admin user’s session instead, we would use the wmiexec.py tool.