Hack the Box - Sauna
Sauna is a Windows machine at 10.10.10.175
an nmap scan of the open ports (Kerberos, LDAP and SMB alongside HTTP) shows that Sauna's domain is EGOTISTICALBANK.LOCAL
Sauna is running an IIS web server on port 80
the web root links to /about.html, and this page reveals employee names
we can build a username wordlist from these names using common enterprise naming conventions (first initial + surname, first.last, and so on)
this list can then be fed to kerbrute, which checks each name against the KDC without locking accounts, since an unknown username is rejected before any password is tried
the only valid user found was 'fsmith'
as described in https://www.tarlogic.com/en/blog/how-to-attack-kerberos/, Impacket's GetNPUsers.py requests an AS-REP for each user
for accounts with 'Do not require Kerberos preauthentication' set, the KDC answers without any proof of the password, and the encrypted part of that reply can be cracked offline
we now have fsmith's hash in Kerberos 5 AS-REP format ($krb5asrep$)
John the Ripper can crack this hash with the rockyou.txt wordlist
John the Ripper determined fsmith's password to be 'Thestrokes23'
evil-winrm is a tool that takes advantage of the Windows Remote Management service (WinRM, port 5985)
we can use it to start a session on Sauna as fsmith with his password
user.txt can be found in fsmith's desktop directory
'net user' lists the accounts on a Windows system (on a domain controller, that is the domain's accounts)
this shows some users that were not found using kerbrute, because our wordlist only covered the names on the website
the following is a great resource for assisting with Windows privilege escalation
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md
one of the sections in this guide shows commands for finding passwords in the registry
'reg query HKLM /f password /t REG_SZ /s' shows a lot of output, but buried in it is a cleartext password
the theme of this machine is a greedy bank, so we may guess that the password 'Moneymakestheworldgoround!' belongs to the user svc_loanmgr shown in the 'net user' output
a guess like this should be checked: the values stored next to a registry hit usually name the account it belongs to, and a login attempt settles it either way
we can reuse evil-winrm with these credentials to gain access as svc_loanmgr
secretsdump.py (Impacket) dumps secrets from remote machines using whatever rights the supplied account has
secretsdump.py is able to extract Sauna's Administrator hash using svc_loanmgr's permissions
wmiexec.py (Impacket) takes advantage of Windows Management Instrumentation to run commands remotely
we do not need the Administrator password: wmiexec.py accepts the NTLM hash directly via -hashes (pass-the-hash), so we can gain access as Administrator
we can now navigate to the Administrator desktop directory to collect root.txt!
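As an added example (not part of the original write-up), here is a small Python script that turns the names scraped from a page like /about.html into a kerbrute wordlist. The employee names in it are constructed sample input, and the set of naming conventions it emits is an assumption about what an enterprise might use; it also handles accents, hyphens and apostrophes, which real staff pages contain.

```python
"""Build a username wordlist from employee names for kerbrute userenum.

Added example, not code from the original write-up. SAMPLE_NAMES is constructed
input; the naming conventions are an assumption, extend them for the target.
"""
import re
import unicodedata

# Constructed stand-ins for the names found on the about page.
SAMPLE_NAMES = ["Fred Smith", "Mary-Ann O'Neil", "José Álvarez", "Cher"]


def username_candidates(full_name: str) -> list[str]:
    """Return the common username forms for one 'First [Middle] Last' name."""
    # Fold accents to ASCII, lowercase, split on whitespace/hyphens, keep letters only.
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    parts = [re.sub(r"[^a-z]", "", p) for p in re.split(r"[\s\-]+", ascii_name.lower())]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        return parts  # a single token (mononym or bad scrape): use it as-is
    first, last = parts[0], parts[-1]  # middle names are ignored
    f, l = first[0], last[0]
    return [
        first + last,        # fredsmith
        f + last,            # fsmith   (the form that hit on Sauna)
        first + "." + last,  # fred.smith
        first + "_" + last,  # fred_smith
        first + "-" + last,  # fred-smith
        f + "." + last,      # f.smith
        f + "_" + last,      # f_smith
        last + first,        # smithfred
        last + f,            # smithf
        last + "." + first,  # smith.fred
        last + "." + f,      # smith.f
        first + l,           # freds
        first,               # fred
        last,                # smith
    ]


def build_wordlist(names) -> list[str]:
    """Candidates for every name, deduplicated, in first-seen order."""
    seen: dict[str, None] = {}
    for name in names:
        for cand in username_candidates(name):
            seen.setdefault(cand, None)
    return list(seen)


if __name__ == "__main__":
    # Redirect to a file and pass it to kerbrute with --users / -d EGOTISTICALBANK.LOCAL.
    for user in build_wordlist(SAMPLE_NAMES):
        print(user)
```

Run it with stdout redirected to a file and hand that file to kerbrute; the output order keeps the most common forms first, so a short list already covers the likely hits.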