
# Sauna Walkthrough

Hello everyone! Today we have a great machine with several techniques and tips for attacking Active Directory services. Before we get started, let’s take a look at its info.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*9Snl4qe83bA-lIGt5fXC6A.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*59fHszNYq0X8KwQCUkgRuA.png" alt=""><figcaption></figcaption></figure>

As you can see, it’s similar to real-life challenges, so let’s get started…

## **Nmap scan**

As always, we start by scanning for open ports and identifying the services running on them, so we know where to begin enumeration. `-A` turns on OS and version detection plus the default scripts, `-T4` speeds up the timing, and `-oG` saves greppable output we can come back to later.

`nmap -A -T4 -oG sauna.gnmap 10.10.10.175`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Rk0BR6S3TMPM3WoWlBFozA.png" alt=""><figcaption></figcaption></figure>

As you can see, there are quite a few open ports, but the ones we will keep our eyes on are `88 <Kerberos>`, `139,445 <SMB>` and `80 <HTTP>`. Kerberos on port 88 tells us this host is almost certainly a domain controller.

## Service Enumeration

1\. **Enumerate HTTP**: check the site for a vulnerable CMS, leaked information and hidden directories (directory brute-forcing)

2\. **Enumerate SMB/Kerberos**: look for the domain name and any readable shares, then try to obtain a TGT or TGS for the usernames that turn out to exist

### **HTTP Enumeration**

For the first step, we browsed to port 80, as you can see here

<figure><img src="https://cdn-images-1.medium.com/max/800/1*zrVR3kmNWJBgSYZ01yG6Yw.png" alt=""><figcaption></figcaption></figure>

and found the `repay` keyword; searching for it on `exploit-db` turned up nothing.

The source code and the endpoints are also clean, with no hints or leaked data.

Directory brute-forcing found these directories, none of which contain anything useful :(

<figure><img src="https://cdn-images-1.medium.com/max/800/1*61foLWf8xPghPYNrYSJyvQ.png" alt=""><figcaption></figcaption></figure>

Let’s go to the next step.

### **SMB/Kerberos Enumeration**

I used `smbclient`/`smbmap` for this step to find any shares that allow anonymous access, with `smbmap -H 10.10.10.175` and `smbclient -L 10.10.10.175`. Both were refused without a valid username, so the next goal is to find one and use it to list and dump the SMB shares.

We will use [`kerbrute`](https://github.com/ropnop/kerbrute) to brute-force Kerberos usernames with a list of [Kerberos usernames](https://www.attackdebris.com/?p=364). This works because the KDC answers an AS-REQ for a nonexistent principal with a different error (`KDC_ERR_C_PRINCIPAL_UNKNOWN`) than for an existing one (`KDC_ERR_PREAUTH_REQUIRED`), so usernames can be confirmed without sending a single password and without locking anyone out.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*OcxZz4j06u3sWgZ4ihf8EQ.png" alt=""><figcaption></figcaption></figure>

and we learn that `fsmith` and `administrator` are valid, existing users, so we will try to use them for data dumping

1. Let’s try to get their passwords through AS-REP roasting with impacket’s `GetNPUsers.py`: it requests a TGT for each user, and if the account has Kerberos pre-authentication disabled, the KDC returns an AS-REP whose encrypted part is keyed from the user’s password, which we can crack offline

<figure><img src="https://cdn-images-1.medium.com/max/800/1*5j-qohEwIMeBmVPLQKkvrw.png" alt=""><figcaption></figcaption></figure>

Great, we have the AS-REP hash for `fsmith`. Let’s do the same with the administrator

<figure><img src="https://cdn-images-1.medium.com/max/800/1*HdHdnwpmFt8lBpSoXNnsAA.png" alt=""><figcaption></figcaption></figure>

Not allowed :( The administrator account has pre-authentication enabled, so the KDC won’t hand out anything crackable. It’s the expected response, but it was worth a try.

Let’s crack the `fsmith` hash with `hashcat`; the mode for Kerberos 5 AS-REP etype 23 is `-m 18200`

<figure><img src="https://cdn-images-1.medium.com/max/800/1*bOTc6FlD5QYdauwRQXE_Sg.png" alt=""><figcaption><p>m=18200</p></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*Lk2BwutOket2nQMccYkFTg.png" alt=""><figcaption></figcaption></figure>

2\. Let’s try to get every user’s `NTLM` hash with impacket’s `secretsdump.py` (DCSync against the DC)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*YOX0YAHtmt1a9Rua2xO6TA.png" alt=""><figcaption></figcaption></figure>

<figure><img src="https://cdn-images-1.medium.com/max/800/1*rVLTlzU5bF8V1Ola74LB1Q.png" alt=""><figcaption><p>To know what’s -just-dc-ntlm</p></figcaption></figure>

Unfortunately, it’s not allowed: `fsmith` does not hold the directory replication rights that DCSync needs.

3\. Let’s list the SMB shares with `smbclient` and `smbmap` first to see what `fsmith` is allowed to access; it turns out he has read permission on only 4 shares

<figure><img src="https://cdn-images-1.medium.com/max/800/1*iIYwQ5BZz7_Wck3mMeUSyA.png" alt=""><figcaption></figcaption></figure>

Let’s try to dump their content by using `smbmap`

`smbmap -H 10.10.10.175 -U fsmith -P <user-password> -R` → `-R` recursively lists the contents of every share the user can read

<figure><img src="https://cdn-images-1.medium.com/max/800/1*3BejPFLiY49jM_MfqiIu8Q.png" alt=""><figcaption></figcaption></figure>

and at the end of this list you will find

<figure><img src="https://cdn-images-1.medium.com/max/800/1*ahz2v0fIKgscJJZ7QmAFZw.png" alt=""><figcaption></figcaption></figure>

The `User` directory is accessible to us but returned nothing, so it is either empty or we can’t read its contents. Either way, port `22/ssh` is not open, so let’s look for another way onto the server and then hunt for a privilege escalation path.

We will use `crackmapexec`, a great tool that checks whether a set of credentials can log in over services like `winrm`, `smb`, `mssql` and `ssh`; we will try `winrm`.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*x3pd2ycYY8nPQPUsU_KesQ.png" alt=""><figcaption></figcaption></figure>

So we will use this command: `crackmapexec winrm 10.10.10.175 -u username -p password`. A `(Pwn3d!)` tag in the output means the user can actually open a remote shell, not just authenticate.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*e_RQZ35B3unYX7F6TqoRmA.png" alt=""><figcaption></figcaption></figure>

Great, we can log in over `winrm`, so we will use the `evil-winrm` tool to get a shell

<figure><img src="https://cdn-images-1.medium.com/max/800/1*k6cNCMAMJ12m0045DR-9mg.png" alt=""><figcaption></figcaption></figure>

As you can see, we’re on the server now with user privileges.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*lpPylh05lrg-cAMYnBi9uQ.png" alt=""><figcaption></figcaption></figure>

Let’s try to get `root` (Administrator) privileges

After uploading [`WinPeas`](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite) to the box and running it, I found the username `svc_loanmgr` together with its password, stored in the Winlogon autologon registry values (`DefaultUserName` / `DefaultPassword`), as you can see here.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*9zgu8uuKjK0kMtosB3DQWw.png" alt=""><figcaption></figcaption></figure>

So I’ll use this username and password to dump the users’ `NTLM` hashes with `secretsdump.py`, hoping the Administrator hash is among them. This time it works: `svc_loanmgr` has the replication rights (DCSync) that `fsmith` lacked, and the Administrator hash is in the output :)

<figure><img src="https://cdn-images-1.medium.com/max/800/1*FTTodugXX9yq8AFARD59zQ.png" alt=""><figcaption></figcaption></figure>

Okay, let’s log in to the server with the Administrator’s NT hash (pass-the-hash with `evil-winrm -H`). NTLM authentication only ever needs the NT hash, so there is no need to crack it.

<figure><img src="https://cdn-images-1.medium.com/max/800/1*cOH6XlTCJUNIFl0DELJYJg.png" alt=""><figcaption></figcaption></figure>

A good box that teaches plenty of new techniques and tools.

## **Summary**

1. Use `smbclient / smbmap` to list the shares a user is allowed to access.
2. Use `kerbrute` to brute-force Kerberos usernames.
3. Use `GetNPUsers.py` to pull AS-REP hashes for accounts without Kerberos pre-authentication (AS-REP roasting) and crack them to get the password.
4. Try `GetUserSPNs.py` to get TGS hashes if any service accounts have SPNs set (Kerberoasting); that could yield an admin password the same way, but this box is not vulnerable to it.
5. Use `secretsdump.py` to dump `NTLM` hashes with a valid username and password (the account needs DCSync replication rights).
6. If the secretsdump step fails, use `crackmapexec` to check whether your credentials can log in over `smb/ssh/mssql/winrm`.
7. Use `evil-winrm` to get a shell on the server.
8. Use `WinPeas` to automate local enumeration.
9. Access the root account ❤
