HackTheBox Sauna Writeup
By Greenjam94
Sauna is another “easy” Windows machine on HackTheBox. However I definitely fell down my fair share of rabbit holes on this one. There’s a static website hosted here, so I thought it’d start with a web shell. However, this box turned out to to be entire about domains and LDAP. Which I have very little experience with to date. While this blog may sound like a straight path, it’s well edited to be stream lined. I’ll include the blogs and posts I found most helpful while trying to get into Sauna.
Lessons learned:
- nmap scripts for domain enumeration
- username enumeration / wordlist generation
- impacket usage
- evil-winrm usage
- windows automated enum with winPEAs
- mimikatz and lsadump
Information Gathering
As always I started with a basic nmap scan to see what was listening.
- domain
- http
- msrpc (metasploit target?)
- ldap
Scanning dns on port 53 didn’t return much so I move right onto HTTP. The website looked like the company homepage / marketing for a “Egotistical Bank”. I spun up GoBuster to run in the background enumerating files and directories as I manually explored the site. The target was an employee login portal, or some identifying information of a framework in use that may be vulnerable. After no such luck, I gave up and had to look at the other services on the box.
The remaining services were all windows based and to be honest, I still don’t know the best way to attack most of them. port 88 was the next available one and nmap said it involved kerberos. The first google result for “nmap 88 kerberos” is the krb5-enum-users NSE script. Running the script requires a few parameters: a list of possible users and the domain to check against.
The website on the box had an about page that included employee names. I created a text file of the names mentioned and googled “windows domain username conventions”. There was a company blog post that listed common conventions, so I converted the full names to match what was possible.
The common conventions were as follows:
- First name and last name with a hyphen or period: john.smith
- First Initial and last name: jsmith
- Three letters of each name: johsmi
- Three random letters, Three random numbers: abc123
While it’s possible to build a likely wordlist from the about page, if it was the last option, we could generate a massive wordlist using crunch 6 6 -t @@@%%% -o possible_usernames.txt
To find the domain, I ran enum4linux 10.10.10.175 and found it was EGOTISTICALBANK.
Since LDAP is another service on the machine, another option to find more information about the domain would be to also use a tool called ldapsearch.
Exploitation
Now that we had a domain user, I had to figure out how that was useful. Thanks to TJnull’s Pentesting Template, which I’m expanding into a personal playbook of enumeration and attack techniques, I learned about impacket. One of the features of impacket is to check for Kerberoasting. There is a file called getNPUsers.py that takes domain users as a parameter.
After a quick google, the github shows the source of the impacket script and it says:
john --wordlist=/usr/share/wordlists/rockyou.txt --format=krb5asrep gotnpusers.txt
We see that the password for jsmith is Thestrokes23.
Now that we have creds, we need to find a way to login to the box with them. Googling for “kali kerberos remote shell” one of the results on the first page points to a github repo that allows linux machines to log into windows boxes using WinRM (Windows Remote Management). Also known as the Microsoft implementation of WS-Management Protocol.
evil-winrm -i 10.10.10.175 -u FSmith -p Thestrokes23
Privilege Escalation
There are many ways to get higher privileges on a Windows box. In my last writeup, I learned how to with DLL Hijacking. All good privesc should start with solid enumeration. The more we know about the box, the better we can exploit it.
I started exploring the filesystem, like seeing what users were listed in c:\Users. Simple commands like set, net users, and systeminfo can give a lot of context. First, by attempting to list DLLs but didn’t have permissions. Secondly, by creating a payload with msfvenom to connect with a meterpreter shell, running the exploitsuggester module also didn’t give me any leads. Thirdly, even automated scripts like JAWs or Sherlock were not giving much. Unfortunately, I was stuck here for a while.
While googling I found https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#useful-tools and the first line says it all: the best tool is winPEAs.
After downloading the executable onto Sauna with certutil, I ran the script and it gave a lot of information. One section showed that the machine had stored credentials for another user.
<pre class="wp-block-preformatted">...
[+] Looking for AutoLogon credentials(T1012)
Some AutoLogon credentials were found!!
DefaultDomainName : 35mEGOTISTICALBANK
DefaultUserName : 35mEGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
...
From user enumeration, we know the user is svc_loanmgr and the password from above is Moneymakestheworldgoround!
We can again use evil-winrm to login as this user.