Sauna Writeup — HackTheBox
Made by RebornSec ®
Machine Maker(s) :
Overview :
- Retrieving some information from the webpage
- Enumerating LDAP and finding users
- Getting the password hash of our wanted user
- Log in as fsmith
- We get User.txt
- Finding a password in the logon registry
- Log in as svc_loanmgr
- Uploading mimikatz and grabbing the Administrator NTLM hash
- Log in as Administrator using Evil-winrm
- We get Root.txt
Enumeration phase :
As usual, let’s start with the Nmap scan:
[~] nmap -sC -sV 10.10.10.175
Several ports are open; let’s start with port 80:
It seems to be the website of a bank!
LDAP is open, so let’s check it using nmap:
Some interesting information appears; let’s dig more:
It seems Hugo Smith is our wanted user. Let’s validate that by putting combinations of this name into usernames.lst, then using the impacket tool GetNPUsers.py:
hsmith is our valid user; let’s try to find the password by making other combinations of the users listed on the website:
And we got our wanted password hash:
Let’s crack it using john:
We got the credential: fsmith:Thestrokes23
Now let’s log in using Evil-winrm:
And we got our user.txt!
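From the defender's side, the username guessing and the hash request above both show up on the domain controller as Kerberos TGT request events (Event ID 4768). The following is an added example, not part of the original writeup: it flags both patterns in constructed sample events. The field names are those of the 4768 event; the sample data, the JSON-lines export format and the threshold of 3 are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample: Event ID 4768 (Kerberos TGT request) records, one JSON
# object per line, keyed by the event's field names. All values are made up.
SAMPLE = """
{"EventID": 4768, "TargetUserName": "a.guess", "IpAddress": "::ffff:192.0.2.50", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TargetUserName": "b.guess", "IpAddress": "::ffff:192.0.2.50", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TargetUserName": "c.guess", "IpAddress": "::ffff:192.0.2.50", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
{"EventID": 4768, "TargetUserName": "svc.legacy", "IpAddress": "::ffff:192.0.2.50", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"}
{"EventID": 4768, "TargetUserName": "normal.user", "IpAddress": "::ffff:192.0.2.10", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"}
{"EventID": 4768, "TargetUserName": "nromal.user", "IpAddress": "::ffff:192.0.2.10", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
"""

def load_events(text):
    """Parse JSON-lines text, keep only 4768 events, normalise the source IP."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        if e.get("EventID") == 4768:
            e["IpAddress"] = e["IpAddress"].replace("::ffff:", "")
            events.append(e)
    return events

def no_preauth_tickets(events):
    """TGTs issued with PreAuthType 0: the account does not require
    Kerberos pre-authentication, so its AS-REP can be cracked offline."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["Status"].lower() == "0x0" and e["PreAuthType"] == "0"]

def username_guessing(events, threshold=3):
    """Sources that requested at least `threshold` distinct principals the KDC
    does not know (Status 0x6). The threshold is an assumed tuning value."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"].lower() == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(n) for ip, n in unknown.items() if len(n) >= threshold}

if __name__ == "__main__":
    evts = load_events(SAMPLE)
    for user, ip, etype in no_preauth_tickets(evts):
        print(f"TGT without pre-auth: {user} from {ip} (etype {etype})")
    for ip, names in username_guessing(evts).items():
        print(f"{ip} requested {len(names)} unknown principals: {names}")
```

Any account this reports should have Kerberos pre-authentication re-enabled unless there is a documented reason for the exception.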
Root phase :
To look for a way to root the box, I uploaded the enumeration tool winPEAS:
When I ran it, I found a credential in the registry:
I tried this password with svc_loanmnager but it didn’t work, so I checked the other users on the box using net user:
So our second valid user is svc_loanmgr, and I tried to log in with it:
Using mimikatz I could get the NTLM hash of the Administrator, so I uploaded it to the machine. For those who don’t know mimikatz, this is the official project:
Running mimikatz against the Administrator user, I got the NTLM hash:
It’s time to log in using that hash:
And we have successfully rooted the box!