🌋Sauna
https://app.hackthebox.com/machines/229
First, we run an Nmap scan to reveal the domain's name,
then we run gobuster looking for HTML pages:
and find an About page listing employee names:
Let's try enumerating usernames with a common enterprise naming convention (first initial plus surname), like fsmith or sdriver:
GetNPUsers.py: This is the name of the Python script from the Impacket toolkit that is being executed. It is used for extracting TGT hashes.
egotistical-bank.local/fsmith: This parameter specifies the target user account for which the TGT hash is to be extracted. In this case, the user account is "fsmith" in the domain "egotistical-bank.local".
-no-pass: This parameter indicates that no password will be provided during the request. Kerberoasting attacks involve requesting TGTs for service accounts without providing their passwords. The attack relies on weak encryption used for service tickets.
Lucky guess: it was the only one that worked:
After looking up the hash mode number (18200) we can launch our hashcat command:
So we got ourselves valid credentials:
Connect with evil-winrm:
Don't forget to add sauna.htb to /etc/hosts.
Now we need to enumerate, so download winPEAS on your local machine; to upload it to your shell just do:
While going through the winPEAS output, we encounter some interesting stuff:
So now it's time to dump:
Bingo, we get the admin hash.
So now it's a free ride to an admin shell:
🎉