OSCP PREP BOX 11: HtB Sauna
Alright, today we’re going to be taking on Sauna, which is a Windows Active Directory box on Hack the Box rated as Easy, but, like most of the AD boxes, the user rankings put it closer to medium.
Anyways, we’re going to kick things off with our default nmap scan, which shows us the usual open ports for a domain controller. So let’s dig into some enumeration.
I started off trying to dig into the DNS which just showed that we have the DC of egotistical-bank.local with a name server of sauna.egotistical-bank.local.
I tried to get some null sessions with LDAP and SMB which weren’t successful. Off to the web server.
Poking around here we can find a list of some employee names on the about page.
Let’s try fashioning that into a wordlist to use for kerbrute. When making our wordlist, we want to make sure we’re using different combinations (frank_smith, fsmith, f_smith, etc.).
In doing so, we can see that fsmith@egotistical-bank.local is a valid username. So let’s take that and see if the account is vulnerable to AS-REP roasting (pre-authentication disabled) so we can get a crackable AS-REP hash.
To do this, we can use Impacket’s GetNPUsers.py. The command I ran was: impacket-GetNPUsers egotistical-bank.local/fsmith -dc-ip 10.10.10.175 -no-pass
Success! We have the AS-REP hash. Let’s see if we can crack it.
The command I ran here was: hashcat -m 18200 fsmith_asrep /usr/share/wordlists/rockyou.txt
Success again! Cruising along here. So now we have credentials for fsmith. Let’s see what we can get with that. (fsmith:Thestrokes23)
I took a look first at SMB, and we can see there are a fair number of files here we can read. I ran the spider_plus module with cme (CrackMapExec) in order to get a listing of all readable files, which makes sorting through them easier. Unfortunately, all we can really read are the usual group policy files, GPT.ini and so on. Let’s give LDAP a shot.
So let’s try using cme to get some user enumeration with the --users flag. We get a few users here. Let’s make a new wordlist from them and see if there’s any password reuse.
In doing so, we can see that fsmith and hsmith both use the same password. Let’s see if hsmith has any shares we can view. We don’t.
Alright, let’s see if we can establish a WinRM session with either of these users. One option would be to use rpcclient to enumerate groups and see who’s in the Remote Management Users group, which would allow WinRM access, but since there are only two users, I can just trial and error it.
So fsmith can log in via evil-winrm. The command is very simple: evil-winrm -u fsmith -p Thestrokes23 -i 10.10.10.175
So when we run BloodHound we can see that our user hsmith can’t really do anything. We do see, however, that the svc account has DCSync rights over the domain, which would give us every hash in it, including the Domain Admins’, and own the entire domain. So my goal now is to get access to the svc account.
I started off with winPEAS and luckily we get creds right away! So now we have svc_loanmanager:Moneymakestheworldgoround! Note that the autologon entry names the account svc_loanmanager, but the account that actually exists in the domain is svc_loanmgr, which is the name we use from here on.
Now it’s as easy as running secretsdump with these credentials.
secretsdump.py -outputfile egobank_hashes -just-dc egotistical-bank.local/svc_loanmgr@10.10.10.175
Now we can pass the admin hash with psexec and get a root shell!
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e egotistical-bank.local/administrator@10.10.10.175
From here all that’s left is to get the root flag on the admin’s desktop. Easy day.
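Two of the steps in this writeup leave very distinctive traces on the domain controller: the AS-REP roast of fsmith shows up as a 4768 TGT request with pre-authentication type 0 and an RC4 (0x17) ticket, and the secretsdump DCSync as svc_loanmgr shows up as a 4662 event where a plain user account exercises the DS-Replication-Get-Changes rights. Here is an added example (my own code, not part of the original writeup or any tool named in it) that flags both over a handful of constructed Security log events; the event IDs, field names and extended-right GUIDs are the standard Windows ones, while the sample events and the 10.10.14.5 source address are made up.

```python
# Added example, not from the original writeup: flag AS-REP roasting and
# DCSync in Windows Security events. Event IDs, field names and GUIDs are the
# standard ones; the sample events at the bottom are constructed.

# Extended-right GUIDs that DCSync (DRSGetNCChanges) needs; they appear in the
# "Properties" field of Event ID 4662 logged on the domain controller.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"


def is_asrep_roast(event: dict) -> bool:
    """Event 4768 (TGT requested) with pre-auth type 0 means the account has
    DONT_REQ_PREAUTH set; an RC4 ticket (0x17) is what hashcat mode 18200 cracks."""
    return (event.get("EventID") == 4768
            and event.get("PreAuthType") == "0"
            and event.get("TicketEncryptionType", "").lower() == "0x17")


def is_dcsync(event: dict) -> bool:
    """Event 4662 where a non-computer account exercises replication rights.
    DCs replicate with each other legitimately, so machine accounts ($) are skipped."""
    if event.get("EventID") != 4662 or event.get("SubjectUserName", "").endswith("$"):
        return False
    props = event.get("Properties", "").lower()
    return DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props


def triage(events):
    """Return (technique, account) pairs for every event that matches a detection."""
    hits = []
    for e in events:
        if is_asrep_roast(e):
            hits.append(("asrep-roast", e["TargetUserName"]))
        elif is_dcsync(e):
            hits.append(("dcsync", e["SubjectUserName"]))
    return hits


# Constructed sample events mirroring the steps in this writeup.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.175"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2}"},
]

if __name__ == "__main__":
    for technique, account in triage(SAMPLE_EVENTS):
        print(f"{technique}: {account}")  # asrep-roast: fsmith / dcsync: svc_loanmgr
```

The fix on the defensive side is the same thing the attack chain depends on: clear DONT_REQ_PREAUTH on any account that doesn’t genuinely need it, and keep replication rights limited to domain controllers.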