4 min read
July 18, 2020

HackTheBox Writeup: Sauna

HackTheBox Writeup: Sauna

Sauna was an easy rated Windows box with a focus on Active Directory. A list of users was generated from a website and AS-REP roasting was used to obtain a password hash. This hash was cracked and a shell gained with WinRM as the user 'fsmith'. A plain text password was found in the registry, allowing a pivot to the user 'svc_loanmgr'. Bloodhound was used to determine that 'svc_loanmgr' has 'GetChanges' privileges which allowed us to use the DCSync attack to get the administrator's password hash. PSExec was the final step to an system shell. I added sauna.htb to my /etc/hosts file and dove in.


nmap scan:

This looks to be a domain controller for egotistical-bank.local.

I took a look through LDAP but didn't find much other than a common name for Hugo Smith:

I couldn't access SMB so checked out HTTP:

There was a search box that threw errors but I couldn't get anywhere with it:

I tried changing it to a POST request and got nothing.

Elsewhere on the page there was a list of team members:

Initial Foothold

I compiled some possible usernames for the team members:

I dislike brute force attacks and tried an AS-REP roasting attack using GetNPUsers.py from the impacket suite and got a hash:

It was the 8th username that got a hash so I saved it as fsmith.hash and cracked it with rockyou.txt:

Evil-WinRM was used to get a shell with these creds:

User flag:

User Pivot

Let's see what user accounts are on the system:

Part of the enumeration process on Windows machines is checking the registry for passwords and I struck gold here:

I used these creds with Win-RM and now had a shell as svc_loanmgr:

Privilege Escalation

I poked around the system as svc_loanmgr and couldn't find anything interesting. Bloodhound is a great tool for AD environments that lets you visualize how you can exploit permissions and group memberships. I copied the SharpHound script to Sauna and imported it:

Next I ran the command to have it collect data:

I transferred this zip file to my machine and imported its data into Bloodhound. The first query I ran was naturally "Find Shortest Paths to Domain Admins" which wasn't very helpful. The next query was "Find Principals with DCSync Rights":

This was much more promising, showing that svc_loanmanager has both GetChanges and GetChangesAll privileges:

This meant that the DCSync attack was on the table. In a nutshell, svc_loanmgr has the ability to sync account password data from the domain controller. Impacket once again came into play with secretsdump.py:

With psexec.py, hashes are just as good as passwords. I fed it administrator's hash and got a shell as system:

Root flag: