HackTheBox Writeup — Sauna

Hello guys, I am Faisal Husaini. My username on HTB is "kNgF".

The IP of this box is

Port Scan

We see a lot of open ports, and from the open ports we can tell that this is yet another Active Directory box

Moving further to the web part

Web Part

Checking the “About Us” section

Usually, from my experience solving AD-based machines, the users are saved in the format of “First Letter of the First Name” with “Last Name”

We save the usernames in the file named users

Now we run an Impacket tool named “GetNPUsers.py”

We got a Kerberos session hash for user fsmith which we will crack using john

We cracked the password for user fsmith successfully
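On the defender's side, GetNPUsers.py works by requesting a TGT for accounts that do not require Kerberos pre-authentication, and the domain controller logs each such request as Security event 4768 with Pre-Authentication Type 0. The following is an added example, not part of the original writeup: it assumes the events were exported as JSON lines keyed by the event's EventData field names, and every sample value except the account name fsmith, as well as the `guess_threshold` parameter, is constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample: simplified event 4768 (TGT requested) records as JSON lines.
# Keys follow the event's EventData names; every value except the account name
# fsmith (taken from the writeup) is made up for this example.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TimeCreated": "2020-01-01T10:00:00Z", "TargetUserName": "jdoe", "IpAddress": "192.0.2.21", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"}
{"EventID": 4768, "TimeCreated": "2020-01-01T10:05:01Z", "TargetUserName": "adoe", "IpAddress": "192.0.2.66", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TimeCreated": "2020-01-01T10:05:01Z", "TargetUserName": "bdoe", "IpAddress": "192.0.2.66", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TimeCreated": "2020-01-01T10:05:02Z", "TargetUserName": "cdoe", "IpAddress": "192.0.2.66", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TimeCreated": "2020-01-01T10:05:02Z", "TargetUserName": "fsmith", "IpAddress": "192.0.2.66", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"}
{"EventID": 4769, "TimeCreated": "2020-01-01T10:06:00Z"}
"""

RC4_HMAC = 0x17          # weakest common etype, so a reply using it is rated higher
PRINCIPAL_UNKNOWN = 0x6  # KDC_ERR_C_PRINCIPAL_UNKNOWN: requested name does not exist

def find_asrep_roasting(lines, guess_threshold=3):
    """Return (alerts, noisy_sources) for 4768 events supplied as JSON lines."""
    alerts, unknown = [], defaultdict(set)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4768:
            continue
        user, src = ev["TargetUserName"], ev["IpAddress"]
        status = int(ev["Status"], 16)
        if status == PRINCIPAL_UNKNOWN:
            unknown[src].add(user.lower())   # track distinct non-existent names per source
            continue
        # Success with PreAuthType 0: the KDC answered without the client proving
        # knowledge of the password (the account has DONT_REQ_PREAUTH set).
        if status == 0 and ev["PreAuthType"] == "0" and not user.endswith("$"):
            etype = int(ev["TicketEncryptionType"], 16)
            alerts.append({"user": user, "source": src, "time": ev["TimeCreated"],
                           "severity": "high" if etype == RC4_HMAC else "medium"})
    noisy = {s: sorted(u) for s, u in unknown.items() if len(u) >= guess_threshold}
    for alert in alerts:  # a hit from a source that also guessed names is the strongest signal
        alert["name_guessing_seen"] = alert["source"] in noisy
    return alerts, noisy

if __name__ == "__main__":
    found, sources = find_asrep_roasting(SAMPLE_EVENTS)
    for alert in found:
        print("ALERT", alert)
    print("sources requesting unknown principals:", sources)
```

Any account this flags is worth reviewing for whether pre-authentication really needs to be disabled, since enabling it removes the exposure.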

We use Evil-WinRM to get the user shell

Now we get the user flag

Moving further to privilege escalation

Privilege Escalation

We got the password for user svc_loanmanager

The svc_loanmanager user exists as svc_loanmgr here, so we use Evil-WinRM again to connect as that user

We now upload the SharpHound.ps1 script to the box and then run it

We collected data for BloodHound and will now download the zip file containing the data

Since Evil-WinRM is full of functionalities, it provides us with a download option too

We first start our neo4j console

Now we log in through the browser

We connected and now get the bolt address for BloodHound

Running BloodHound with the address and creds we got

We drag in the zip file we got from SharpHound and then see that the current user has DCSync rights

We now use secretsdump from Impacket to dump the hashes

We dumped the hashes of Administrator and now use them with wmiexec from Impacket to get a shell as Administrator

We got a shell as Administrator and now move on to getting the root flag

