Skip to content

Hack The Box Sauna

Completed HTB Sauna few hours ago and I won’t be doing a full writeup since it’s still an active box.

Few stuff learned from this box.

  1. credentials leaked when using ldap.
  2. Never overlook website content.
  3. Mimikatz is your best friend

Enumeration

Yes like it or not Enumeration is always the key to hacking. After scanning using nmap found ldap.

Used nmap against ldap got a user who use ldap. Checked the website again and saw names of some people who where working in the bank.

Made a user list and used it with GetNPUser.py, on a side note I really really really love impacket cause of the stuff they have in there. It’s really good and makes life a lot easy. Finally got the hash of one of the users.

Cracked the hashes with john. Ofcourse john can crack anything to everything.

Login into the system using evil-winrm. Evil-winrm doesn’t come with kali so have to install it. gem install evil-winrm simple as that.

Uploaded winPEAS. Another favorite tool for Privescalation. Shows everything to anything. Anyone can fall in love with tools like these.

Great now login using those credentials you found.

Privescalation

Since I never used mimikatz before, was struggling a bit. After an hour found out that I made a silly mistake in spelling. Well that’s me. Learn from mistakes. And don’t make the same mistake twice.

I think you can figure out the rest…

*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig

Windows IP Configuration

Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . :

   IPv6 Address. . . . . . . . . . . : dead:beef::2017:58f7:211b:7d4

   Link-local IPv6 Address . . . . . : fe80::2017:58f7:211b:7d4%8

   IPv4 Address. . . . . . . . . . . : 10.10.10.175

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:3590%8

                                      

Published inHackinghackthebox

Be First to Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: