HackTheBox - Sauna
Hello guys, I am Faisal Husaini. My username on HTB is hulegu. Also join me on Discord.
The IP of this box is 10.10.10.175
Port Scan
Running a full Nmap port scan on it, we get
We see a lot of open ports, and from the open ports we can tell that this is yet another Active Directory box
Moving further to the web part
Web Part
Checking the web part on the browser
Checking the “About Us” section
Usually, from my experience solving AD-based machines, the users are saved in the format of “First Letter of the First Name” with “Last Name”
We save the usernames in the file named users
Now we run an Impacket tool named “GetNPUsers.py”
We got a Kerberos AS-REP hash for user fsmith, which we will crack using john
We cracked the password for user fsmith successfully
We use Evil-WinRM to get the user shell
Moving further to privilege escalation
Privilege Escalation
We check the registry for user autologon credentials
We got the password for user svc_loanmanager
The svc_loanmanager user exists on the box as svc_loanmgr, so we use Evil-WinRM again to connect as that user
We now upload the SharpHound.ps1 script to the box and then run it
We collected data for BloodHound and will now download the zip file containing the data
Since Evil-WinRM is full of functionality, it provides us with a download option too
We first start our neo4j console
Now we log in through the browser
We connected, and now we get the bolt address for BloodHound
Running BloodHound with the address and creds we got
We drag in the zip file we got from SharpHound and see that the current user has DCSync rights
We now use secretsdump from Impacket to dump the hashes
We dumped the hashes of Administrator and now use them with wmiexec from Impacket to get a shell as Administrator
We got a shell as Administrator and now move on to getting the root flag
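Seen from the defending side, two steps of this chain leave traces in the domain controller's Security log: the GetNPUsers.py request for fsmith (event 4768 with no pre-authentication) and the DCSync by svc_loanmgr (event 4662 carrying the replication right GUIDs). The script below is an added example, not part of the original write-up. It assumes the events were exported as JSON lines using the standard event data field names and that directory service access auditing is enabled; the sample events, including the accounts jdoe and DC01$, are constructed.

```python
import json

# Control-access right GUIDs for directory replication (the rights DCSync relies on).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Constructed sample events (JSON lines); jdoe and DC01$ are hypothetical accounts.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0", "Status": "0x0", "TicketEncryptionType": "0x17"}
{"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2", "Status": "0x0", "TicketEncryptionType": "0x12"}
{"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100", "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100", "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
"""


def detect(lines):
    """Return (rule, account) findings for AS-REP roasting and DCSync indicators."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid == 4768:
            user = ev.get("TargetUserName", "")
            # A TGT issued successfully without pre-authentication to a
            # non-machine account means the AS-REP can be cracked offline.
            if (ev.get("PreAuthType") == "0" and ev.get("Status") == "0x0"
                    and not user.endswith("$")):
                findings.append(("asrep-no-preauth", user))
        elif eid == 4662:
            user = ev.get("SubjectUserName", "")
            props = ev.get("Properties", "").lower()
            # Replication rights exercised by an account that is not a
            # machine account (assumption: DCs replicate as NAME$).
            if any(g in props for g in REPL_GUIDS) and not user.endswith("$"):
                findings.append(("dcsync-replication", user))
    return findings


if __name__ == "__main__":
    for rule, account in detect(SAMPLE_EVENTS):
        print(f"{rule}: {account}")
```

The durable fixes sit upstream of detection: require Kerberos pre-authentication on every user account, keep autologon passwords out of the registry, and remove replication rights from service accounts that do not need them.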