HTB - Sauna

Nmap - All Ports

nmap -sC -sV -p- -oN allports 10.10.10.175



Port 80



Potential usernames found on 10.10.10.175/about.



The next thing we can do is try to guess the username format that the domain uses.

For this we need to put all of these names into a text file and rewrite them in the formats commonly used for usernames in AD environments.

As an example I did the following for each user:

Hugo Bear

Hugo.Bear

HBear

H.Bear


Kerbrute

This is an amazing tool! If you don't have an executable, you can get one from here: https://github.com/ropnop/kerbrute/releases/tag/v1.0.3

Run: kerbrute userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.local users.txt



We now know that FSmith is a valid username.


Getting a hash

We can use a tool called impacket-GetNPUsers. This queries the target domain for users who do not require Kerberos pre-authentication and dumps their AS-REP responses (the encrypted part of the reply that carries the TGT), which can then be cracked offline.
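Both of the steps just described, Kerbrute's username guessing and GetNPUsers' collection of AS-REP responses, leave a trace in the domain controller's Security log as event 4768 ("A Kerberos authentication ticket (TGT) was requested"). The following is an added example, not code from the original write-up: a small Python detector run over constructed 4768 events (not captured from the box), flattened into dictionaries with the field names the event XML uses (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType). A guessing run shows up as many 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures for different names from one client address in a short window; a roastable account shows up as a successful request with PreAuthType 0 and an RC4 (0x17) ticket.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4768 events (not real log data).  Status is shown as "Result Code"
# in Event Viewer: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x0 = success.  PreAuthType 0
# means the KDC answered without pre-authentication; 2 is the normal
# PA-ENC-TIMESTAMP.  TicketEncryptionType 0x17 is RC4-HMAC (etype 23), 0x12 is
# AES256.  The 10.10.14.5 client plays the role of the attacking host.
SAMPLE_EVENTS = [
    # guessing burst: six names that do not exist, one client, 25 seconds
    {"time": "2020-02-20T10:00:00", "TargetUserName": "hugo.bear", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"time": "2020-02-20T10:00:05", "TargetUserName": "hbear", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"time": "2020-02-20T10:00:10", "TargetUserName": "h.bear", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"time": "2020-02-20T10:00:15", "TargetUserName": "fergus.smith", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"time": "2020-02-20T10:00:20", "TargetUserName": "f.smith", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"time": "2020-02-20T10:00:25", "TargetUserName": "shaun.coins", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # the one name that exists: TGT issued with no pre-auth and an RC4 ticket (AS-REP roastable)
    {"time": "2020-02-20T10:00:30", "TargetUserName": "fsmith", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # a normal logon from a workstation: pre-auth performed, AES256 ticket
    {"time": "2020-02-20T10:01:00", "TargetUserName": "administrator", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # a single typo from the same workstation is not enumeration
    {"time": "2020-02-20T10:01:05", "TargetUserName": "administrtor", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
]


def _client_ip(event):
    """Strip the IPv4-mapped prefix the event log uses for IPv4 clients."""
    ip = event["IpAddress"]
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def find_enumeration(events, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: distinct_unknown_names} for every client that asked the
    KDC for at least `threshold` different non-existent principals inside `window`.
    Username guessing produces exactly this; a user mistyping a name does not."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["Status"].lower() == "0x6":
            by_ip[_client_ip(ev)].append(
                (datetime.fromisoformat(ev["time"]), ev["TargetUserName"].lower()))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        busiest = 0
        for i, (start, _) in enumerate(attempts):
            names = {name for t, name in attempts[i:] if t - start <= window}
            busiest = max(busiest, len(names))
        if busiest >= threshold:
            flagged[ip] = busiest
    return flagged


def find_asrep_roast(events):
    """Return (user, client_ip) pairs for TGTs issued without pre-authentication
    and with an RC4 (etype 23) encrypted part: the requests GetNPUsers collects."""
    hits = []
    for ev in events:
        if (ev["Status"].lower() == "0x0"
                and ev["PreAuthType"] == "0"
                and ev["TicketEncryptionType"].lower() == "0x17"):
            hits.append((ev["TargetUserName"].lower(), _client_ip(ev)))
    return hits


if __name__ == "__main__":
    print("enumeration sources:", find_enumeration(SAMPLE_EVENTS))
    print("AS-REP roastable requests:", find_asrep_roast(SAMPLE_EVENTS))
```

The threshold and window are the knobs to tune: on a real domain, raise the threshold until helpdesk typos and service misconfigurations drop out, and keep the AS-REP rule as-is, since a successful 4768 with PreAuthType 0 should simply not happen once pre-authentication is required for every account.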



Password Cracking

Now that we have a hash, we can crack it. I prefer to use hashcat for this.

Run: hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
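What hashcat is cracking here is not a stored password hash but the encrypted part of the AS-REP, which GetNPUsers writes out in the $krb5asrep$ format that mode 18200 expects. The following added example (my code, not from the original post or from impacket/hashcat) parses such a line to show its fields and why etype 23 is the one worth cracking, and pairs it with the directory-side check a defender would run first: which accounts have the DONT_REQ_PREAUTH bit (0x400000) set in userAccountControl. The hash body and the account table are constructed samples; in a real audit the userAccountControl values come from LDAP.

```python
import re

# Hashcat mode 18200 line as written by GetNPUsers with -format hashcat:
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<encrypted AS-REP part hex>
# Both hex bodies below are constructed filler, not a capture from the box.
SAMPLE_HASH = ("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
               + "0123456789abcdef" * 2 + "$" + "fedcba9876543210" * 8)

ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+)"
    r":(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)$"
)

# userAccountControl flag that makes an account AS-REP roastable
DONT_REQ_PREAUTH = 0x400000


def parse_asrep_hash(line):
    """Split one AS-REP hash line into its fields; ValueError for anything else."""
    match = ASREP_LINE.match(line.strip())
    if match is None:
        raise ValueError("not a $krb5asrep$ line")
    fields = match.groupdict()
    fields["etype"] = int(fields["etype"])
    # for etype 23 the checksum is the 16-byte HMAC-MD5 over the encrypted part
    fields["checksum_bytes"] = len(fields["checksum"]) // 2
    fields["edata_bytes"] = len(fields["edata"]) // 2
    # etype 23 (RC4-HMAC) keys are the unsalted NT hash of the password, so each
    # guess costs a single MD4 plus the HMAC check.  AES etypes (17/18) derive the
    # key with 4096 rounds of PBKDF2 and need a different, far slower hashcat mode.
    fields["hashcat_mode"] = 18200 if fields["etype"] == 23 else None
    return fields


def roastable_accounts(directory):
    """Given {sAMAccountName: userAccountControl}, return the accounts whose
    DONT_REQ_PREAUTH bit is set, i.e. the ones GetNPUsers would find."""
    return sorted(name for name, uac in directory.items() if uac & DONT_REQ_PREAUTH)


# Constructed userAccountControl values (0x200 = NORMAL_ACCOUNT,
# 0x10000 = DONT_EXPIRE_PASSWORD); only fsmith has pre-auth disabled.
SAMPLE_DIRECTORY = {
    "fsmith": 0x200 | DONT_REQ_PREAUTH,
    "hugo.bear": 0x200,
    "administrator": 0x200 | 0x10000,
    "svc_loanmgr": 0x200 | 0x10000,
}

if __name__ == "__main__":
    parsed = parse_asrep_hash(SAMPLE_HASH)
    print(f"{parsed['user']}@{parsed['realm']} etype={parsed['etype']} "
          f"hashcat_mode={parsed['hashcat_mode']} edata={parsed['edata_bytes']} bytes")
    print("accounts with pre-auth disabled:", roastable_accounts(SAMPLE_DIRECTORY))
```

The remediation follows directly from the two functions: clear the DONT_REQ_PREAUTH flag on every account the audit lists, and where an application genuinely needs it, give that account a long random password so that even an etype 23 capture does not crack against rockyou.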


Awesome, we got a password. Time to see what foothold we can get with it.


Gaining access

Use CrackMapExec. This is a great tool to see what you can and can't access with or without credentials. It has an option to check whether WinRM will work.

Run: crackmapexec winrm 10.10.10.175 -u FSmith -p (password)



Run: evil-winrm -i 10.10.10.175 -u FSmith -p (password)




Privilege escalation

After a quick manual look around, I decided to upload winPEAS.exe and run it on the target.

In Evil-WinRM you can use the upload command to copy any file from your host to the target, and the download command to retrieve a file.

It has exposed a service account.


I also decided to run SharpHound so I could use BloodHound to find a way to escalate our privileges.

After you have uploaded SharpHound.exe, run it with all collection methods enabled:

Run: ./sharphound.exe -c all

Grab the zip file and upload it to bloodhound.


Bloodhound

First, mark the users we have already "owned" in BloodHound, so that when we run queries it can show the paths that start from those principals.

I ran a few of the prebuilt queries in BloodHound, and the only query that gave me something we could act on was "Find Principals with DCSync rights".



We have access to svc_loanmgr, so this is possible to run. Having the capability to run a DCSync allows us to grab hashes.

If you follow the Abuse tab on the edge between svc_loanmgr and egotistical-bank.local, it will suggest you use mimikatz. I tried to run mimikatz on the target but it tends to error out. However, there is an impacket tool called impacket-secretsdump which we can use instead.

Run: impacket-secretsdump egotistical-bank.local/svc_loanmgr@10.10.10.175
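On the wire a DCSync is an ordinary replication request, so secretsdump run as svc_loanmgr looks to the domain controller like a replica asking for changes. With the "Audit Directory Service Access" subcategory enabled and a SACL on the domain object, each such request is recorded as Security event 4662 whose Properties field carries the replication extended-right GUIDs. The following added example (my code, not from the original post or from BloodHound/impacket) flags 4662 events that exercise those rights from any principal that is not a known domain controller account. The events and the DC01$ account name are constructed; fill the allowlist from your own list of DCs.

```python
import re

# Extended rights a DCSync exercises; these GUIDs appear in the Properties field of
# Security event 4662 ("An operation was performed on an object") on the DC.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit meaning an extended right was used

# Principals expected to replicate: DC machine accounts.  DC01$ is a constructed
# placeholder, not the box's real DC name.
KNOWN_REPLICATORS = {"EGOTISTICAL-BANK\\DC01$"}

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")

# Constructed 4662 events in the flattened form a SIEM hands over.  %%7688 is the
# resource string the event uses for "Control Access" in the Properties text.
SAMPLE_EVENTS = [
    # the secretsdump run: a service account pulling Get-Changes + Get-Changes-All
    {"SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "svc_loanmgr",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # the same rights used by a DC machine account: normal replication
    {"SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "DC01$",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an unrelated read of a single property (0x10 = Read Property, constructed GUID)
    {"SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "fsmith",
     "AccessMask": "0x10",
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]


def subject(event):
    return f"{event['SubjectDomainName']}\\{event['SubjectUserName']}"


def replication_rights(event):
    """Names of the replication extended rights this event exercised, if any."""
    if int(event["AccessMask"], 16) & CONTROL_ACCESS == 0:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))


def find_dcsync(events, allowed=KNOWN_REPLICATORS):
    """Return one alert per 4662 event where a principal outside `allowed`
    exercised a replication right against the directory."""
    alerts = []
    for event in events:
        rights = replication_rights(event)
        if rights and subject(event) not in allowed:
            alerts.append({"subject": subject(event), "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_EVENTS):
        print(f"DCSync-style replication by {alert['subject']}: {', '.join(alert['rights'])}")
```

The allowlist is the part to get right: besides DC machine accounts, an Azure AD Connect sync account legitimately holds these rights, so add it explicitly rather than loosening the rule. The BloodHound query "Find Principals with DCSync rights" is the preventive counterpart of this detection, since any non-DC principal it lists should have the rights removed from the domain object's ACL.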


We now have the Administrator hash, so we can go and claim the root flag.

Run: impacket-psexec administrator@10.10.10.175 -hashes (hash)
