Sauna was an easy rated Windows box with a focus on Active Directory. A list of users was generated from a website and AS-REP roasting was used to obtain a password hash. This hash was cracked and a shell gained with WinRM as the user 'fsmith'. A plain text password was found in the registry, allowing a pivot to the user 'svc_loanmgr'. Bloodhound was used to determine that 'svc_loanmgr' has 'GetChanges' privileges, which allowed us to use the DCSync attack to get the administrator's password hash. PSExec was the final step to a system shell. I added sauna.htb to my /etc/hosts file and dove in.
Enumeration
nmap scan:
![](/content/images/2020/07/image-75.png)
This looks to be a domain controller for egotistical-bank.local.
I took a look through LDAP but didn't find much other than a common name for Hugo Smith:
![](/content/images/2020/07/image-76.png)
I couldn't access SMB so checked out HTTP:
![](/content/images/2020/07/image-77.png)
There was a search box that threw errors but I couldn't get anywhere with it:
![](/content/images/2020/07/image-78.png)
![](/content/images/2020/07/image-79.png)
I tried changing it to a POST request and got nothing.
Elsewhere on the page there was a list of team members:
![](/content/images/2020/07/image-80.png)
Initial Foothold
I compiled some possible usernames for the team members:
![](/content/images/2020/07/image-81.png)
I dislike brute force attacks and tried an AS-REP roasting attack using GetNPUsers.py from the impacket suite and got a hash:
![](/content/images/2020/07/image-82.png)
It was the 8th username that got a hash so I saved it as fsmith.hash and cracked it with rockyou.txt:
![](/content/images/2020/07/image-83.png)
Evil-WinRM was used to get a shell with these creds:
![](/content/images/2020/07/image-84.png)
User flag:
![](/content/images/2020/07/image-85.png)
User Pivot
Let's see what user accounts are on the system:
![](/content/images/2020/07/image-86.png)
Part of the enumeration process on Windows machines is checking the registry for passwords and I struck gold here:
![](/content/images/2020/07/image-87.png)
I used these creds with Evil-WinRM and now had a shell as svc_loanmgr:
![](/content/images/2020/07/image-88.png)
Privilege Escalation
I poked around the system as svc_loanmgr and couldn't find anything interesting. Bloodhound is a great tool for AD environments that lets you visualize how you can exploit permissions and group memberships. I copied the SharpHound script to Sauna and imported it:
![](/content/images/2020/07/image-89.png)
Next I ran the command to have it collect data:
![](/content/images/2020/07/image-90.png)
I transferred this zip file to my machine and imported its data into Bloodhound. The first query I ran was naturally "Find Shortest Paths to Domain Admins" which wasn't very helpful. The next query was "Find Principals with DCSync Rights":
![](/content/images/2020/07/image-91.png)
This was much more promising, showing that svc_loanmgr has both GetChanges and GetChangesAll privileges:
![](/content/images/2020/07/image-92.png)
This meant that the DCSync attack was on the table. In a nutshell, svc_loanmgr has the ability to sync account password data from the domain controller. Impacket once again came into play with secretsdump.py:
![](/content/images/2020/07/image-93.png)
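From the defender's side, both steps of this path (the AS-REP roast that gave up fsmith's hash, and the DCSync replication by svc_loanmgr) leave distinctive Windows Security events on the DC. The script below is an added example, not part of the original writeup: it runs two simple detections over constructed, flattened event records. The sample IPs, the DC account name SAUNA$ and the key=value log format are assumptions; the replication-right GUIDs and event IDs are the well-known values.

```python
from typing import Dict, List, Optional

# Control-access-right GUIDs that the DCSync attack needs (DS-Replication-Get-Changes*).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Accounts that legitimately replicate: DC computer accounts (assumed name for this lab).
KNOWN_DCS = {"SAUNA$"}

# Constructed sample events (not real logs from the box), flattened to key=value pairs.
SAMPLE_EVENTS = [
    # 4768 = TGT requested; PreAuthType 0 + RC4 (0x17) is the classic AS-REP roast shape
    "EventID=4768 TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5",
    "EventID=4768 TargetUserName=hsmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.2",
    # 4662 = object access; replication GUIDs from a DC account are normal...
    "EventID=4662 SubjectUserName=SAUNA$ Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
    # ...but from a regular user account they are the DCSync signature
    "EventID=4662 SubjectUserName=svc_loanmgr Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]

def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened 'key=value key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def check_asrep(ev: Dict[str, str]) -> Optional[str]:
    """Flag a TGT issued with no pre-authentication and an RC4 ticket."""
    if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
        return None
    if ev.get("TicketEncryptionType", "").lower() != "0x17":
        return None
    return f"AS-REP roast candidate: {ev['TargetUserName']} from {ev.get('IpAddress')}"

def check_dcsync(ev: Dict[str, str]) -> Optional[str]:
    """Flag replication rights exercised by anything that is not a known DC."""
    if ev.get("EventID") != "4662":
        return None
    guids = [g.strip("{}").lower() for g in ev.get("Properties", "").split(";")]
    rights = [REPL_GUIDS[g] for g in guids if g in REPL_GUIDS]
    if not rights or ev.get("SubjectUserName", "").upper() in KNOWN_DCS:
        return None
    return f"DCSync indicator: {ev['SubjectUserName']} used {', '.join(rights)}"

def scan(lines: List[str]) -> List[str]:
    """Run every check over every record and collect the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        alerts += [a for a in (check_asrep(ev), check_dcsync(ev)) if a]
    return alerts

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_EVENTS)))
```

On a real DC the 4662 check also needs "Audit Directory Service Access" enabled, otherwise the replication events are never written.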
With psexec.py, hashes are just as good as passwords. I fed it administrator's hash and got a shell as system:
![](/content/images/2020/07/image-94.png)
Root flag:
![](/content/images/2020/07/image-95.png)