🔥 Sauna Writeup
Hack the Box Sauna Writeup
Last updated
Let's start with an nmap scan :)
We can see right away that a good number of ports are open, with only a few being interesting. The first I saw was port 80, HTTP. Was this going to be a web challenge for a foothold? I also saw that 445 and 139 were open, so some SMB enumeration was in store as well. We can also tell that this is probably a domain controller, because AD LDAP and Kerberos are running.
I started by looking at the website but got nowhere with that after being stuck for a while. I switched gears and tried to get some info from LDAP where I gathered some vital information for the next phase.
This allowed me to run kerbrute against the box and get some valid usernames that I could leverage to try to get access.
We can try a few things with these usernames, and the first that came to mind, because I did it on another box recently, was AS-REP roasting. This is where we check which accounts have Kerberos pre-authentication disabled, request an AS-REP for each of them, and crack the encrypted part offline. To do this I'm using the handy dandy impacket repo, as all good infosec professionals do.
After trying each account we got a hit on fsmith! Now to crack it...
And there it is. fsmith's password is 'Thestrokes23'.
Logging in with evil-winrm, we can grab user.txt now. On to the priv esc...
Using this info I immediately thought of the box's name and went for Kerberoasting, and I think it should have worked...should have.
I kept getting this error about the clock skew being too great. I tried everything I could to fix it. I ran 'ntpdate 10.129.95.180' and a bunch of other junk but none of it worked. I felt like this box just didn't work anymore and I wouldn't be able to solve it.
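The flip side of the kerbrute, AS-REP roasting and Kerberoasting steps above is what they leave behind on the domain controller. The following is an added example, not part of the original writeup: it applies three defender-side rules to constructed Windows Security events with the fields of event IDs 4768 (TGT requested) and 4769 (service ticket requested). The sample events, the client addresses and the thresholds are all assumptions made for the demonstration; the status codes, pre-authentication type and encryption type values are the standard Kerberos ones.

```python
"""Flag Kerberos abuse patterns from Windows Security event fields.

Added example with constructed 4768/4769 records; these are not logs from the
Sauna box. Thresholds are assumptions chosen for the demonstration.
"""
from collections import defaultdict

RC4_HMAC = 0x17       # etype 23: roasting tools ask for it because RC4 keys derive from the NT hash
PREAUTH_NONE = 0      # 4768 Pre-Authentication Type 0 = "Logon without Pre-Authentication"
ENUM_THRESHOLD = 3    # distinct unknown principals (status 0x6) from one client (assumed)
ROAST_THRESHOLD = 2   # distinct user SPNs fetched with RC4 by one client (assumed)

# Constructed sample: 192.0.2.10 plays the attacking workstation, 192.0.2.20 a normal client.
SAMPLE_EVENTS = [
    # kerbrute-style enumeration: unknown principals are answered with KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6)
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "192.0.2.10", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # a valid user that still requires pre-auth: KDC_ERR_PREAUTH_REQUIRED (0x19), nothing to crack
    {"EventID": 4768, "TargetUserName": "ssmith", "IpAddress": "192.0.2.10", "Status": "0x19",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # AS-REP roast: pre-auth disabled, so the KDC hands back an RC4-encrypted AS-REP on the first ask
    {"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "192.0.2.10", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # ordinary logon: PA-ENC-TIMESTAMP pre-auth (type 2) and an AES256 ticket (0x12)
    {"EventID": 4768, "TargetUserName": "ssmith", "IpAddress": "192.0.2.20", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # Kerberoast: RC4 service tickets for several user SPNs, all pulled by the same client
    {"EventID": 4769, "TargetUserName": "fsmith@EXAMPLE.LOCAL", "ServiceName": "svc_backup",
     "IpAddress": "192.0.2.10", "Status": "0x0", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "fsmith@EXAMPLE.LOCAL", "ServiceName": "svc_web",
     "IpAddress": "192.0.2.10", "Status": "0x0", "TicketEncryptionType": "0x17"},
    # benign: AES ticket for a machine account
    {"EventID": 4769, "TargetUserName": "ssmith@EXAMPLE.LOCAL", "ServiceName": "DC01$",
     "IpAddress": "192.0.2.20", "Status": "0x0", "TicketEncryptionType": "0x12"},
]


def _etype(value):
    """Event fields carry the encryption type as a hex string such as '0x17'."""
    return int(value, 16)


def username_enumeration(events, threshold=ENUM_THRESHOLD):
    """Clients that requested TGTs for many principals the KDC does not know."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}


def asrep_roast_candidates(events):
    """Successful TGT requests made without pre-authentication: that AS-REP is crackable offline."""
    hits = []
    for e in events:
        if e["EventID"] != 4768 or e["Status"] != "0x0":
            continue
        if e["PreAuthType"] == str(PREAUTH_NONE):
            hits.append({"user": e["TargetUserName"], "client": e["IpAddress"],
                         "rc4": _etype(e["TicketEncryptionType"]) == RC4_HMAC})
    return hits


def kerberoast_candidates(events, threshold=ROAST_THRESHOLD):
    """Clients that pulled RC4 service tickets for several user (non-machine) SPNs."""
    per_client = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts and the KDC itself have long random keys; not crackable
        if _etype(e["TicketEncryptionType"]) == RC4_HMAC:
            per_client[e["IpAddress"]].add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("enumeration:", username_enumeration(SAMPLE_EVENTS))
    print("AS-REP roast:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))
```

The AS-REP rule keys on pre-authentication type 0 rather than on the encryption type, because the account setting is what makes the request possible at all; the RC4 flag is only recorded as supporting evidence. The Kerberoast rule needs a count, since a single RC4 service ticket is still routine on many domains, while a burst of them for user SPNs from one client is what the roasting tools produce.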
I went and took a break and came back ready to try another route. This time I started doing some deeper enumeration. Using this great blog I found about stored credentials, linked here, I found something...
In this we can see the default password for svc_loanmanager, or, as I found out later after some trial and error, svc_loanmgr. We log in as this new user and I do some more searching, finding nothing of use. I then switched to a different tool...
I used SharpHound to collect the data I needed and plugged it into BloodHound for analysis. After looking through it I could see that we needed to do a DCSync attack. We already had the right privileges with svc_loanmgr, so all we needed to do was run secretsdump.py, another impacket tool.
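DCSync works by asking the DC to replicate directory changes, and the DC records each such request as Security event 4662 with the replication control-access-right GUIDs in the Properties field. The following is an added example, not part of the original writeup: it picks out 4662 records where an account that is neither a domain controller's machine account nor a known replication service asked for those rights. The sample events and the allowlisted service account name are constructed; the three GUIDs are the well-known directory replication extended rights.

```python
"""Spot DCSync-style replication requests in Security event 4662 records.

Added example with constructed events; these are not the Sauna box's logs.
The GUIDs are the standard directory replication extended rights; the
allowlist of legitimate replication accounts is an assumption.
"""
import re

# Extended rights a replication partner (or a DCSync tool) must be granted.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})", re.I)

# Constructed sample events. Properties mirrors the multi-line GUID list in the real event.
SAMPLE_EVENTS = [
    # routine DC-to-DC replication: subject is a domain controller's machine account
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectServer": "DS",
     "ObjectName": "DC=example,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a plain service account asking for the same rights: this is the DCSync pattern
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectServer": "DS",
     "ObjectName": "DC=example,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an allowlisted sync service (constructed name) doing the same: expected, so not flagged
    {"EventID": 4662, "SubjectUserName": "svc_dirsync", "ObjectServer": "DS",
     "ObjectName": "DC=example,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{89e95b76-444d-4c62-991a-0facbeda640c}"},
    # unrelated directory access: the GUID listed is not a replication right
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectServer": "DS",
     "ObjectName": "CN=jdoe,CN=Users,DC=example,DC=local",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},
]


def replication_rights(properties):
    """Return the replication right names present in a 4662 Properties field."""
    found = set()
    for guid in GUID_RE.findall(properties):
        name = REPL_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def dcsync_candidates(events, known_replicators=frozenset()):
    """4662 events where a non-DC, non-allowlisted principal exercised replication rights."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e.get("ObjectServer") != "DS":
            continue
        rights = replication_rights(e["Properties"])
        if not rights:
            continue
        subject = e["SubjectUserName"]
        if subject.endswith("$") or subject in known_replicators:
            continue  # domain controllers and known sync services replicate by design
        hits.append({"user": subject, "object": e["ObjectName"], "rights": sorted(rights)})
    return hits


if __name__ == "__main__":
    for hit in dcsync_candidates(SAMPLE_EVENTS, known_replicators={"svc_dirsync"}):
        print(hit)
```

The audit policy has to include "Audit Directory Service Access" for 4662 to be written at all, and the naming context object needs a SACL covering these rights, so on a domain that never enabled either the rule has nothing to look at. The allowlist is also the weak spot: any account on it can replicate unnoticed, so it should be as short as the directory-sync tooling actually requires.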
We had the Administrator hash!! Let's go crack it. Oh wait... It's not in my wordlists? Welp, maybe that's not the way.
After some fiddling around I tried passing the hash using crackmapexec. Boom, it worked. Now all I had to do was grab the flag.
PWNED!!