2. HackTheBox. Level Easy: Passing Sauna. LDAP, AS-REP Roasting, AutoLogon, DCSync attack

5 December 2024 5 minutes Author: Lady Liberty

This article is dedicated to a detailed walkthrough of the Sauna virtual machine. This material will be useful for both beginners and experienced cybersecurity professionals who want to improve their penetration testing skills. You will learn how to effectively use reconnaissance tools (Nmap, masscan), analyze the LDAP service, and conduct AS-REP Roasting and DCSync attacks.

Step-by-step analysis of the “Sauna” hack

The article discusses searching for active users via LDAP, working with autologin data, and performing AS-REP Roasting and DCSync attacks to obtain credentials.

The connection to the lab is via VPN. It is not recommended to use a work computer or device containing sensitive data, as the connection is to a private network where users with experience in information security are present.

Recon

The machine is assigned the IP address 10.10.10.175, which is added to the /etc/hosts file.

10.10.10.175	sauna.htb

First, we scan for open ports. Since scanning all ports with Nmap can take a long time, we use masscan to speed up the process. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.175 --rate=500

There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.

nmap sauna.htb -p53,593,49690,80,135,49670,88,3269,139,464,389,9389,445,49669,49667,3268,50956,636,5985

To get more detailed information about the services running on the open ports, run a scan with Nmap's -A option. This determines software versions and the operating system, and also identifies additional weaknesses in the services.

nmap -A sauna.htb -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389

There are many services running on the host, so the first priority is to focus on the web, SMB and DNS services. To work with LDAP, we use the JXplorer LDAP browser, since it is a convenient way to view and analyze LDAP data and to pull the information we need from the directory.

Probably a username.

We open the website and find the company's staff page.

This gives a list of possible users, but it is not known which of them have accounts or what the account names are. Using LDAP, however, we have found one user who does have an account, so we compile a list of candidate usernames for that entry.

To check whether an account exists, you can try an AS-REP Roasting attack. If the account does not exist in the system, you receive a corresponding error message. If the account does exist, the result depends on the DONT_REQ_PREAUTH flag in the account's userAccountControl (UAC) attribute, which indicates whether Kerberos pre-authentication is required. The attack can be performed with the GetNPUsers script from the impacket package.
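From the defender's side, the same DONT_REQ_PREAUTH flag is what an audit should look for, and a successful AS-REP roast leaves a recognisable trace in the domain controller's Security log. The following Python is an added example (not code from the article or from impacket): it decodes the userAccountControl bitmask of directory entries to list enabled accounts with pre-authentication disabled, and scans Kerberos TGT request events (Event ID 4768) for the roasting signature of Pre-Authentication Type 0 combined with RC4 (0x17) ticket encryption. The directory entries and event records are constructed sample data; the flag bit values and event field names are Microsoft's documented ones.

```python
"""Audit and detection helpers for AS-REP roasting (added example, not from the
article). All directory entries and log events below are constructed samples.
"""
from dataclasses import dataclass

# Selected userAccountControl flag bits (documented Microsoft values).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000


@dataclass
class Finding:
    sam_account_name: str
    reason: str


def audit_preauth(entries):
    """Return findings for enabled accounts that have DONT_REQ_PREAUTH set.

    `entries` is an iterable of dicts with 'sAMAccountName' and
    'userAccountControl', as an LDAP search over (objectClass=user) returns.
    """
    findings = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if uac & UAC_ACCOUNTDISABLE:
            continue  # disabled accounts cannot obtain a TGT, so they are not roastable
        if uac & UAC_DONT_REQ_PREAUTH:
            reason = "Kerberos pre-authentication disabled (DONT_REQ_PREAUTH)"
            if uac & UAC_DONT_EXPIRE_PASSWORD:
                reason += "; password never expires"
            findings.append(Finding(e["sAMAccountName"], reason))
    return findings


def detect_asrep_roast(events):
    """Return the target accounts of 4768 events that look like AS-REP roasting.

    Each event is a dict with the Security-log fields EventID, TargetUserName,
    PreAuthType ('0' = no pre-authentication) and TicketEncryptionType
    ('0x17' = RC4-HMAC, the type offline cracking tools request).
    """
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append(ev["TargetUserName"])
    return hits


# Constructed sample directory entries (not data from the Sauna machine).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512},                      # NORMAL_ACCOUNT
    {"sAMAccountName": "svc_legacy", "userAccountControl": 512 + 0x400000},      # pre-auth disabled
    {"sAMAccountName": "svc_old", "userAccountControl": 512 + 0x400000 + 0x10000},
    {"sAMAccountName": "retired", "userAccountControl": 512 + 0x2 + 0x400000},   # disabled account
]

# Constructed sample 4768/4769 events.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for f in audit_preauth(SAMPLE_ENTRIES):
        print(f"[audit] {f.sam_account_name}: {f.reason}")
    for name in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"[detect] possible AS-REP roast of {name}")
```

The audit function is the check to run periodically over the directory; the detection function is the rule to run over 4768 events, where a PreAuthType of 0 together with RC4 encryption is the combination legitimate clients almost never produce.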

So, the user Hugo Smith has the account hsmith.

USER

Since administrators usually follow a consistent username convention, we compile a list of likely account names for the other employees.

And we repeat the attack against this list.

Of all the candidates, only one account exists, and the attack against it succeeds, giving us a hash of the user's password. Now we crack it with a brute-force attack.

The password is found. Of the many ways to use the credentials, we choose the remote management service (WinRM) and connect with Evil-WinRM.

And we obtain the user flag.

USER2

To collect information about the host, you can use initial-enumeration scripts, the most comprehensive of which is winPEAS. Upload the script to the target host and run it.

Among the information it displays, we find autologin data.
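AutoLogon credentials end up in winPEAS output because Winlogon stores them as ordinary REG_SZ values under HKLM that any local user can read. The following Python is an added example (not code from the article or from winPEAS): it parses the text that `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` prints and reports whether AutoLogon is enabled with a plaintext DefaultPassword, which is the condition a defender wants to find and remediate. The registry listing and the account name in it are constructed sample data.

```python
"""Audit of Windows AutoLogon settings from `reg query` output (added example,
not from the article; the registry listing below is a constructed sample).
"""
import re

# One value line of `reg query` output: indent, name, REG_* type, optional data.
VALUE_RE = re.compile(r"^\s{2,}(\S+)\s+(REG_\w+)\s*(.*)$")


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} for a single-key reg query listing."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, reg_type, data = m.groups()
            values[name] = (reg_type, data.strip())
    return values


def audit_autologon(values):
    """Summarise the AutoLogon exposure found in parsed Winlogon values."""
    enabled = values.get("AutoAdminLogon", ("", "0"))[1] == "1"
    user = values.get("DefaultUserName", ("", ""))[1]
    domain = values.get("DefaultDomainName", ("", ""))[1]
    plaintext = bool(values.get("DefaultPassword", ("", ""))[1])
    account = f"{domain}\\{user}" if domain and user else user
    if enabled and plaintext:
        finding = ("AutoLogon enabled with a plaintext DefaultPassword; move the secret "
                   "into the LSA DefaultPassword secret (Sysinternals Autologon does this) "
                   "or disable AutoLogon")
    elif enabled:
        finding = "AutoLogon enabled; password is not stored in the open registry value"
    elif plaintext:
        finding = "AutoLogon disabled but a stale DefaultPassword value remains; delete it"
    else:
        finding = "no AutoLogon exposure"
    return {"enabled": enabled, "account": account, "plaintext_password": plaintext,
            "finding": finding}


# Constructed sample output; the account and password are not real.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    svc_sample
    DefaultPassword    REG_SZ    ExampleOnly123
    Shell    REG_SZ    explorer.exe
"""

if __name__ == "__main__":
    result = audit_autologon(parse_reg_query(SAMPLE_REG_OUTPUT))
    print(f"{result['account']}: {result['finding']}")
```

The same parser works on any single-key `reg query` listing, so the audit can be extended to other Winlogon values without changing the parsing code.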

However, an attempt to connect with these credentials fails.

Let's go back and check which accounts are registered in the system, and find the account name for this user.

ROOT

After connecting and performing a few checks, we upload SharpHound to the host.

And run it.

An archive appears in the current directory; download it.

And load it into BloodHound.

BloodHound shows a GetChangesAll edge for our account, through which we can obtain the information we need.

The edge above refers to the DS-Replication-Get-Changes-All privilege, which allows the holder to request replication of sensitive data (including password hashes) from a domain controller. This can be done with the impacket package.
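A replication request made with this privilege by anything other than a domain controller is the classic DCSync indicator, and it is visible on the DC as Event ID 4662 with Access Mask 0x100 (control access) and the replication control-access-right GUIDs in the Properties field. The following Python is an added example (not code from the article or from impacket/BloodHound): it extracts those GUIDs from constructed 4662 records and alerts when the subject is not in an allow-list of accounts permitted to replicate. The GUIDs are Microsoft's published values for the three replication rights; the event records, account names and the allow-list are constructed.

```python
"""Detection of DCSync-style replication requests from Event ID 4662 records
(added example, not from the article; all event records are constructed).
"""
import re

# Control-access right GUIDs published by Microsoft for directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})\}?")


def replication_rights_in(properties):
    """Map every replication GUID in a 4662 Properties field to its right name."""
    return {
        g.lower(): REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(properties)
        if g.lower() in REPLICATION_RIGHTS
    }


def detect_dcsync(events, allowed_subjects):
    """Return (subject, [rights]) for 4662 events that exercise replication
    rights from a subject outside the allow-list.

    `allowed_subjects` holds the sAMAccountNames permitted to replicate, normally
    the DC computer accounts (e.g. 'DC01$') and any known sync service accounts.
    """
    allowed = {s.upper() for s in allowed_subjects}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if ev.get("AccessMask") != "0x100":  # only control-access operations matter here
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in allowed:
            continue
        alerts.append((subject, sorted(rights.values())))
    return alerts


# Constructed sample events. The second GUID in the first record is the
# domainDNS object class; the GUID in the third record is a constructed
# placeholder for an unrelated property.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-00000000abcd}"},
]

if __name__ == "__main__":
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, ["DC01$"]):
        print(f"[alert] possible DCSync by {subject}: {', '.join(rights)}")
```

Auditing of directory service access must be enabled on the domain controllers for 4662 to be logged at all; without it the replication request leaves no trace in the Security log, which is the gap this rule depends on closing.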

We have obtained the administrator's hash. With Evil-WinRM, you can connect using this hash directly.

So, we gain access to the administrator account.

Conclusion

The article describes the process of compromising the Sauna virtual machine. First, the host is scanned for open ports to discover the running services. Then, using LDAP, users of the system are identified and an attack is carried out to obtain a password. With that password, we connect to the machine over WinRM. Next, additional information about the system is collected with an enumeration script in order to elevate privileges and gain access to the administrator account. As a result, full control over the system is obtained. This is a step-by-step guide that shows how the security of such a system can be tested.
