Sauna is a fantastic beginner-friendly Active Directory box that covers Windows exploitation topics like AS-REP roasting, enumerating for credentials, and using tools such as PowerView to locate attack paths, DCSync, and pass-the-hash attacks.
Summary
Find a list of valid users with kerbrute
TGT (AS-REP) request against a user with pre-auth disabled
Extracting credentials from the registry
Utilize PowerView's ACL scanner for a DCSync attack
Pass the hash
Port Scan
Initial Enumeration
I check for anonymous SMB logins and RPC binding, and finally run enum4linux, all with no results. If you have not used enum4linux, it is a great initial tool for external enumeration.
Typically when you see Kerberos listening on a port on HTB, you have to enumerate and exploit this service.
There are 3 Kerberos errors that we typically look for during the Kerberos enumeration phase.
Present/Enabled:
KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required
Locked/Disabled:
KDC_ERR_CLIENT_REVOKED - Clients credentials have been revoked
Does not exist:
KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database
Several tools that have been around for a while enable us to leverage these Kerberos responses to identify valid domain accounts through brute force.
The first is the standalone Java tool Krbguess.
The second is the krb5-enum-users NSE script for nmap.
The third is kerbrute with a wordlist containing common usernames.
The problem with these tools is that they all brute force Kerberos and are not practical in a production environment, especially if you are trying to "live off the land" and stay quiet. What you could do in the real world instead is harvest email addresses from LinkedIn, Google, etc., and compile a list based on common naming conventions.
Another trick is to utilize the tool cewl, which creates a wordlist from a website; often you then fuzz the end of each listed word with 0-9999.
Around this time I felt I needed to take another approach, so I started browsing the website more thoroughly and eventually came across the "about.html" page, which lists several users.
From here I made a quick wordlist from this page using cewl and then requested tickets from Kerberos, hoping to see a response to the effect of "PreAuth Required", which means we could make a TGT request and crack the ticket.
We use GetNPUsers.py, a tool from the impacket security suite, with our custom cewl wordlist.
I had a lot of difficulty getting impacket to work on my Parrot OS, so I switched to a Kali Linux machine.
This returns a ticket for fsmith, as he does not require Kerberos pre-auth, and we can now proceed to crack it: the returned ticket material is derived from a hash of the user's password, so only a wordlist is needed to guess that password.
There are a few tools to crack the ticket; I find the easiest to be johnny, which is a graphical user interface for john.
The ticket is cracked after we select the rockyou.txt wordlist and load our hash into johnny.
You could also use the following hashcat command:
hashcat --force -a 0 -m 18200 -w 3 -O hash.txt /usr/share/wordlists/rockyou.txt
This outputs the password "Thestrokes23".
Armed with the user fsmith and his password, thanks to a sloppy administrator, we are able to use WinRM to connect to the box and find our user flag.
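From the defender's side, both of the behaviours above leave a footprint in the domain controller's Security log as Event ID 4768 (Kerberos TGT requested): a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (result code 0x6) from one client address is what kerbrute-style user enumeration looks like, and a successful TGT issued with Pre-Authentication Type 0 and RC4 ticket encryption (0x17) is what a GetNPUsers.py request produces. The following added example (not part of the original write-up) triages constructed, flattened 4768 records for both signatures; the field names, sample accounts and the 10.10.14.5 client address are all constructed for illustration.

```python
from collections import Counter

# Constructed sample 4768 events flattened to key=value lines (not real logs).
# Failed requests carry PreAuthType "-" and etype 0xffffffff, as Windows logs them.
SAMPLE_LOG = """\
EventID=4768 Account=jdoe ClientAddress=10.10.14.5 ResultCode=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Account=asmith ClientAddress=10.10.14.5 ResultCode=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Account=bwilson ClientAddress=10.10.14.5 ResultCode=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Account=hsmith ClientAddress=10.10.14.5 ResultCode=0x19 PreAuthType=- TicketEncryptionType=0xffffffff
EventID=4768 Account=fsmith ClientAddress=10.10.14.5 ResultCode=0x0 PreAuthType=0 TicketEncryptionType=0x17
EventID=4768 Account=svc_loanmgr ClientAddress=10.10.10.175 ResultCode=0x0 PreAuthType=2 TicketEncryptionType=0x12
"""

# KDC result codes as they appear in 4768 (same numbering as the errors listed above).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # user does not exist
KDC_ERR_CLIENT_REVOKED = 0x12       # locked/disabled
KDC_ERR_PREAUTH_REQUIRED = 0x19     # exists, pre-auth enforced
ETYPE_RC4_HMAC = 0x17               # the etype GetNPUsers.py asks for

def parse_events(text):
    """Turn key=value lines into dicts, keeping only Event ID 4768 records."""
    events = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split())
        if fields.get("EventID") != "4768":
            continue
        events.append({
            "account": fields["Account"],
            "ip": fields["ClientAddress"],
            "result": int(fields["ResultCode"], 16),
            "preauth": fields["PreAuthType"],            # "-" when the request failed
            "etype": int(fields["TicketEncryptionType"], 16),
        })
    return events

def find_enumeration_sources(events, threshold=3):
    """Client IPs with >= threshold 'principal unknown' failures (username guessing)."""
    unknown = Counter(e["ip"] for e in events if e["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return sorted(ip for ip, n in unknown.items() if n >= threshold)

def find_asrep_roast_candidates(events):
    """Accounts issued a TGT with no pre-auth (type 0) and RC4, i.e. a roastable AS-REP."""
    return sorted({e["account"] for e in events
                   if e["result"] == 0 and e["preauth"] == "0" and e["etype"] == ETYPE_RC4_HMAC})

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("possible user enumeration from:", find_enumeration_sources(evts))
    print("AS-REP roast candidates:", find_asrep_roast_candidates(evts))
```

The threshold of three is a constructed value; in a real environment it should be tuned per client address and time window, and the roast check should also feed a list of accounts to have "Do not require Kerberos preauthentication" cleared.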
Moving laterally
First order of business is to load winPEAS on this machine, followed by a long review process.
Well, it was a lot simpler than I expected, as plaintext credentials were found.
This never happens, but this time we are lucky.
Root
We log in as svc_loanmgr and I ran the
DCSync Attack
There are several accounts that can log on to the DC, so it could be possible for us to dump hashes from NTDS.dit remotely over RPC thanks to impacket's secretsdump.
DCSync is an attack that enables an attacker to simulate the behaviour of a Domain Controller in order to retrieve the password hashes of the entire domain through domain replication.
References - DCSync Attack :
https://medium.com/@airman604/dumping-active-directory-password-hashes-deb9468d1633
https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync
Reference - secretsdump.py : https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
I was having a lot of difficulty running secretsdump on my Parrot OS, so I switched back over to Kali Linux to run the command below.
python3 secretsdump.py -just-dc-ntlm EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.10.10.175
We retrieve the NTLM hash of administrator and use it to establish a connection with wmiexec.
To establish a connection with wmiexec.py, use the following command.
python3 wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff administrator@10.10.10.175
Boom, we are logged in as administrator, without ever needing the password.