HTB - Sauna Writeup

Liam Geyer

Machine Overview

This is a writeup of the machine Sauna from HTB. It's an easy-difficulty Windows machine which featured ASREPRoasting and credential hunting.

Enumeration

An initial nmap scan of the host gave the following results:

nmap -sV -sC 10.129.230.201
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 10:28 EDT
Nmap scan report for 10.129.230.201
Host is up (0.020s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-29 21:29:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-05-29T21:29:08
|_ start_date: N/A
|_clock-skew: 7h00m01s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.47 seconds

I checked out anonymous SMB and LDAP but didn't get any quick wins there.

Egotistical Bank Website

I started by checking out the website on port 80.

Website Homepage

I fuzzed around for interesting directories, but didn't find much. There's a page with a bunch of employee names that we can toss into username-anarchy and subsequently GetNPUsers or Kerbrute to try to enumerate some domain users.

Employee Listing

User

I built a list of their names and tossed it into username-anarchy to get various potential usernames in common formats.

Username Generation

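I then threw that list into Impacket's GetNPUsers to see if there were any valid users, or ASREPRoastable accounts. ASREPRoasting exploits a lack of Kerberos pre-authentication: for an account with pre-authentication disabled, the KDC returns an AS-REP containing data encrypted with a key derived from the user's password, which can be cracked offline to obtain that password.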

ASREPRoasting

We're able to successfully ASREPRoast fsmith. I tossed the resulting output into hashcat to attempt to crack it.

Cracking fsmith

It cracked with rockyou. I used his credentials to WinRM in and grab the flag.

Shell as fsmith
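
On the domain controller, the username guessing and the pre-auth-less TGT request from this section both land in Event ID 4768. The following is an added detection example, not part of the original writeup: it assumes 4768 events flattened to key=value lines (a constructed export format), and the source IPs and guessed usernames in the sample are constructed.

```python
from collections import defaultdict

# Constructed sample: Event ID 4768 records flattened to key=value lines.
# Field names follow the event's EventData; IPs and guessed names are made up.
SAMPLE_4768 = """\
TargetUserName=frank.smith IpAddress=::ffff:10.10.14.7 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
TargetUserName=f.smith IpAddress=::ffff:10.10.14.7 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
TargetUserName=smithf IpAddress=::ffff:10.10.14.7 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
TargetUserName=fsmith IpAddress=::ffff:10.10.14.7 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
TargetUserName=jdoe IpAddress=::ffff:10.0.0.25 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
TargetUserName=jdoee IpAddress=::ffff:10.0.0.25 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
"""

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: username does not exist
SUCCESS = "0x0"

def parse(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def analyse(log_text, enum_threshold=3):
    unknown = defaultdict(set)  # source IP -> distinct usernames the KDC rejected
    no_preauth = []             # TGTs issued with no pre-authentication at all
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse(line)
        src = ev["IpAddress"].replace("::ffff:", "")  # strip IPv4-mapped prefix
        if ev["Status"] == UNKNOWN_PRINCIPAL:
            unknown[src].add(ev["TargetUserName"])
        elif ev["Status"] == SUCCESS and ev["PreAuthType"] == "0":
            no_preauth.append((src, ev["TargetUserName"], ev["TicketEncryptionType"]))
    # Many distinct unknown names from one source = username enumeration.
    enumerators = {ip: sorted(n) for ip, n in unknown.items() if len(n) >= enum_threshold}
    # A pre-auth-less TGT handed to an enumerating source is the high-confidence hit;
    # the same event from a normal workstation may be the account's legitimate logon.
    high = [(ip, user) for ip, user, _ in no_preauth if ip in enumerators]
    return {"enumerators": enumerators, "no_preauth_tgts": no_preauth, "high_confidence": high}

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_4768).items():
        print(key, value)
```

The durable fix is to clear "Do not require Kerberos preauthentication" on the affected account, which removes the crackable reply altogether.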

Root

I started off by checking out frank's privileges and groups.

Privs and Groups

There wasn't anything super notable, though SeMachineAccountPrivilege could be useful. I decided to run WinPEAS to see if it came up with anything useful.

WinPEAS

WinPEAS was able to pull cleartext autologon credentials for svc_loanmanager, but I wasn't able to use this user to WinRM into the box.

Since we weren't able to use svc_loanmanager to log in, I uploaded and ran SharpHound to see if the account has any notable permissions.

BloodHound

Surprisingly, BloodHound shows that svc_loanmanager is able to DCSync. Note that the username for the domain account in BloodHound is different than the local user we were able to pull credentials for.

I used the password pulled from WinPEAS with Impacket's secretsdump to dump the Administrator hash.

Secretsdump Output

Lastly, I used WinRM to log in and grab the flag.

Shell as Administrator

Resources

Hyperlink | Info
MindPoint | GPP PrivEsc
ASREPRoasting | Cybersec Notes
Username Anarchy | Cybersec Notes
WinPEAS | Windows PrivEsc Script
DCSync | Cybersec Notes
  • Title: HTB - Sauna Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-10-10 09:01:47
  • Link: https://lfgberg.org/2024/07/26/htb/sauna/
  • License: This work is licensed under CC BY-NC-SA 4.0.