# HackTheBox - Sauna
## NMAP
```bash
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-12-13 14:37:44Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
```
From the port 88 we can say that this is an Active directory machine because on this port kerberos runs for authenticating users also we can see LDAP service running as well
## PORT 139/445 (SMB)
We can try to list shares as an un-authenticated user using `smbmap`
But this smb is configured to only allow access to authenticated users so let's move on
## PORT 389 (LDAP)
Through LDAP and SMB I tried to use enumerate usernames by running `enum4linux-ng`
But it failed to enumerate usernames and groups
## PORT 80 (HTTP)
Going into about section , we can see few usernames that we can make a list of then try to see if either one of them has pre-authentication disabled
Other than that I ran `gobuster` , fuzzing for files and directories but didn't found anything interesting
So the list of usernames I made were
```
FSmith
fsmith
Fsmith
SCoins
scoins
Scoins
HBear
hbear
Hbear
BTaylor
btaylor
Btaylor
SDriver
Sdriver
sdriver
SKerb
Skerb
skerb
Administrator
krbtgt
administrator
```
## Foothold
We can either use impacket's `GetNPUsers.py` or use `kerbrute` to see which users have pre-authentication disabled also to verify which users are valid
And in an instant it dumped the user's hash , also we can get the same output with impacket script as well
Now we can crack this hash using `hashcat` , we can visit hashcat examples page to find out the correct mode of this hash
port 5985 is open on which winrm runs (windows remote management) through which we can remotely login to a system , so using the credentials we have let's try doing it with `evil-winrm`
We can do some basic enumeration to see in which groups this user is
So can't really do anything being in those groups , in order to enumerate the AD we can use sharphound that would collect the information and create an archive
We have this archive file generated which has the information of AD objects , we need to download this on our local machine and import this to bloodhound GUI
Running the pre-built query for finding kerberosatable accounts we see `HSmith`'s account , I tried to use `GetUserSPNs.py` but was failing in retrieving hash even after synchronizing the timezone with the machine
Then I tried running `winpeas.exe` but it didn't work
## Privilege Escalation (svc_loanmgr)
We could try to run `winpeas.bat`
This gives us clear text password , but the username here is `svc_loanmgr` so with evil-winrm we can login
## Privilege Escalation (Administrator)
Going back to bloodhound , we can mark this service account as "owned" and seeing if this user can reach to higher targets
Here this service account has `GetChangesAll` rights on the domain which means this account can request for DCSync which means that we can ask domain controller for password hashes, either we can use mimkatz or impacket so I will be showing both methods
with `secretsdump.py`
with `mimikatz.exe` (although I tried to use mimikatz.ps1 but it wasn't working)