Posts

Showing posts from July, 2020

Hack the Box - Sauna

Sauna is a Windows machine at 10.10.10.175. Using nmap to scan for open ports shows that Sauna's domain is EGOTISTICALBANK.LOCAL.

Sauna is running an IIS web server on port 80. The web root links to /about.html, and this page reveals employee names. We can now create a wordlist based on these names and common enterprise naming conventions. This list can then be used with kerbrute to enumerate valid domain users. The only user found was 'fsmith'.

As stated at https://www.tarlogic.com/en/blog/how-to-attack-kerberos/, GetNPUsers.py is used to harvest non-preauth AS-REP responses. This may reveal hashes for users whose accounts do not require Kerberos pre-authentication. We now have fsmith's hash in Kerberos 5 AS-REP format. John the Ripper can be used to crack this hash with the rockyou.txt wordlist; it determined fsmith's password to be 'Thestrokes23'.

evil-winrm is a tool which takes advantage of the Windows Remote Management service. We can use it to start a ses