Completed HTB Sauna a few hours ago, and I won't be doing a full writeup since it's still an active box.
A few things learned from this box:
- Credentials leaked when using LDAP.
- Never overlook website content.
- Mimikatz is your best friend
Yes, like it or not, enumeration is always the key to hacking. After scanning with nmap I found LDAP.
Running nmap against LDAP turned up a username. Checked the website again and saw the names of some people who were working at the bank.
Made a user list and used it with GetNPUsers.py. On a side note, I really, really love impacket because of the tools it ships with; they are good and make life a lot easier. Finally got the hash of one of the users.
Cracked the hashes with john. Of course, john can crack anything and everything.
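GetNPUsers.py gets those hashes by asking the KDC for AS-REP tickets for accounts that have Kerberos pre-authentication disabled, so on the domain controller the run shows up as Event ID 4768 with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption, plus a burst of 0x6 "unknown principal" failures for the guessed names that don't exist. As an added example (not from this post), a small Python detector over constructed 4768 records that flags both patterns; the field names follow the 4768 event schema, the usernames, addresses and counts are made up.

```python
import re
from collections import Counter

# Constructed sample Kerberos TGT request events (Event ID 4768/4769) in a
# flattened key=value form, standing in for exported DC security log entries.
# None of these are real logs from the box.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice ClientAddress=10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=bob ClientAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=carol ClientAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=dave ClientAddress=10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=erin ClientAddress=10.10.10.50 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=erin ClientAddress=10.10.10.50 TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_hits(events):
    """Successful TGT requests with no pre-authentication and an RC4 ticket:
    the shape an AS-REP roasting run (e.g. GetNPUsers.py) leaves on the DC."""
    return [(e["TargetUserName"], e["ClientAddress"]) for e in events
            if e.get("EventID") == "4768" and e.get("PreAuthType") == "0"
            and e.get("TicketEncryptionType") == "0x17" and e.get("Status") == "0x0"]


def user_enumeration_sources(events, threshold=3):
    """Clients producing many KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures: a
    wordlist of guessed names being thrown at the KDC, as the user list above was."""
    failures = Counter(e["ClientAddress"] for e in events
                       if e.get("EventID") == "4768" and e.get("Status") == "0x6")
    return {addr: n for addr, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("AS-REP roast candidates:", asrep_roast_hits(evs))
    print("Possible username enumeration:", user_enumeration_sources(evs))
```

The fix on the account side is simply to clear the "Do not require Kerberos preauthentication" flag on any account that has it; the detector only tells you that someone has already noticed it.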
Logged into the system using evil-winrm. Evil-winrm doesn't come with Kali, so you have to install it:
gem install evil-winrm, simple as that.
Uploaded winPEAS, another favorite tool for privilege escalation. It shows everything and anything; anyone can fall in love with tools like these.
Great, now log in using the credentials you found.
Since I had never used mimikatz before, I was struggling a bit. After an hour I found out that I had made a silly spelling mistake. Well, that's me. Learn from mistakes, and don't make the same mistake twice.
I think you can figure out the rest…
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : dead:beef::2017:58f7:211b:7d4
Link-local IPv6 Address . . . . . : fe80::2017:58f7:211b:7d4%8
IPv4 Address. . . . . . . . . . . : 10.10.10.175
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:3590%8