HackTheBox Writeup — Sauna

Hello Guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on discord.

The IP of this box is 10.10.10.175

Running an NMAP full port scan on it, we get

We see a lot of open ports, and from the ports that are open we see that this is yet another Active Directory box

Moving further to the web part

Checking the web part on the browser

Checking the “About Us” section

Usually, from my experience solving AD based machines, the usernames are in the format “First Letter of the First Name” followed by “Last Name”

We save the usernames in the file named users

Now we run an Impacket tool named “GetNPUsers.py”

We got a Kerberos AS-REP hash for user fsmith, which we will crack using john

We cracked the password for user fsmith successfully
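The foothold above works because fsmith does not require Kerberos pre-authentication. As an added example (not part of this writeup), here is the detection a defender would run over Windows Security event 4768 records to spot that kind of AS-REP roasting sweep; it assumes the events have been flattened into key=value lines, and the IPs and most account names in the sample are constructed.

```python
# Added example, not part of the writeup: a detector for AS-REP roasting
# (what GetNPUsers.py performs) over Windows Security event 4768 records.
# Indicator: PreAuthType 0 (no pre-auth) with TicketEncryptionType 0x17
# (RC4-HMAC) on a successful request (Status 0x0) yields a crackable AS-REP.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class TgtRequest:
    account: str
    client_ip: str
    preauth_type: int
    enc_type: int
    status: int

def parse_4768(line: str) -> TgtRequest:
    """Parse one flattened key=value rendering of a 4768 event (format constructed here)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return TgtRequest(
        account=f["TargetUserName"],
        client_ip=f["IpAddress"],
        preauth_type=int(f["PreAuthType"]),
        enc_type=int(f["TicketEncryptionType"], 16),
        status=int(f["Status"], 16),
    )

def is_asrep_roast(ev: TgtRequest) -> bool:
    """True when a TGT was issued without pre-auth and RC4-encrypted: a crackable AS-REP."""
    return ev.preauth_type == 0 and ev.enc_type == 0x17 and ev.status == 0

def roasted_accounts_by_source(lines):
    """Group flagged accounts by requesting IP; several accounts from one IP
    suggests a user-list sweep like the one in this writeup."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_4768(line)
        if is_asrep_roast(ev):
            hits[ev.client_ip].add(ev.account)
    return {ip: sorted(accts) for ip, accts in hits.items()}

# Constructed sample events: IPs are made up; 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=fsmith IpAddress=10.10.14.7 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=hsmith IpAddress=10.10.14.7 PreAuthType=0 TicketEncryptionType=0xffffffff Status=0x6",
    "EventID=4768 TargetUserName=svc_loanmgr IpAddress=10.10.10.175 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=SAUNA$ IpAddress=10.10.10.175 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
]
if __name__ == "__main__":
    for ip, accounts in roasted_accounts_by_source(SAMPLE_4768).items():
        print(f"possible AS-REP roasting from {ip}: {', '.join(accounts)}")
```

The fix on the account side is to clear the “Do not require Kerberos preauthentication” flag on any user that does not genuinely need it.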

We use Evil-WinRM to get the user shell

Now we get the user flag

Moving further to privilege escalation

We check the registry for AutoLogon credentials

We got the password for user svc_loanmanager

The actual account on the box is named svc_loanmgr, not svc_loanmanager, so we use Evil-WinRM again to connect as that user

We now upload the SharpHound.ps1 script to the box and then run it

We collected data for BloodHound and will now download the zip file containing it

Since Evil-WinRM is full of functionality, it provides us with a download option too

We first start our neo4j console

Now we log in through the browser

We are connected and now get the bolt address to use in BloodHound

Running BloodHound with the address and creds we got

We dragged the zip file we got from SharpHound into BloodHound and then see that the current user has DCSync rights

We now use secretsdump from Impacket to dump the hashes

We dumped the hash of Administrator and now use it with wmiexec from Impacket to get a shell as Administrator

We got a shell as Administrator and now move on to getting the root flag
