• Donald Ashdown

Sauna - Hack The Box

Sauna is a fantastic beginner friendly Active Directory box that covers Windows exploitation topics like AS-REP roasting, enumerating for credentials and using tools such as Powerview to locate attack paths, DCsync and Pass the hash attacks.


  1. Find a list of valid users with kerbrute

  2. TGT attack on disabled pre-auth user

  3. Extracting credentials from the registry

  4. Utilize PowerView's ACL scanner for a DCsync attack

  5. Pass the hash

Port Scan


Initial Enumeration


I check for anonymous smb logins, rpc binding, and finally run enum4linu with no results. If you have not used enum4linux, it is a great initial tool for external enumeration.

Typically when you see Kerberos communicating over a port on HTB, you have to enumerate and exploit this service.

There are typically 3 Kerberos errors that we are looking for during our Kerberos enumeration phase.

KDC_ERR_PREAUTH_REQUIRED - Additional pre-authentication required

KDC_ERR_CLIENT_REVOKED - Clients credentials have been revoked

Does not exist
KDC_ERR_C_PRINCIPAL_UNKNOWN - Client not found in Kerberos database

Several tools that have been around for a while, enable us to leverage these Kerberos responses to identify valid domain accounts through brute force methods.

The first is the standalone Java tool Krbguess.

The second is krb5-enum-users NSE script for nmap:

The third is kerbrute with a wordlist containing common usernames.

The problem with these tools is they all brute force Kerberos and are not practical in a production environment, especially if you are trying to "live off the land" and lay low. But what you could do in the real world, is instead harvest email from linked, google, etc.... and compile a list based on best naming practices.

Another trick is to utilize the tool cewl that enables us to create a wordlist from a website, and often you fuzz the end of each of those listed words with 0-9999.

During this time I felt like I maybe needed to take another approach. So I started to browse around the website more thoroughly and eventually I came across the "about,html" page which has several users.

From here I decided to make a quick word list from this page using cewl. From here I proceeded to request tickets from Kerberos for which we are hoping to see a response to the effect of "PreAuth Required", which means we could make a TGT request, and crack the ticket. ls

We utilize a tool found within the impacket security suite, GetNPUsers.py with our custom cewl wordlist.

I had allot of difficulties getting impacket to work on my Parrot OS so I switched to a Kali linux machine.

This returns a ticket for fsmith as he does not require kerberos pre-auth and we can now proceed to crack the ticket, which is the end result of a hash of the users password. Only a word list is needed, to guess this password.

There are a few tools to crack the ticket, I find the easiest to be johnny which is a graphical user interface of john.

The ticket is cracked after we select the rockyou.txt word list and load our hash into the johnny.

You could also use the following hashcat command.

hashcat --force -a 0 -m 18200 -w 3 -O hash.txt /usr/share/wordlists/rockyou.txt

Outputs the password "Thestrokes23"

Being armed with the user fsmith and his password, thanks to a sloppy administrator, we are able to use WinRM to connect into the box. and find our user flag.

Moving laterally


First order of business to load winpeas on this machine, followed by a long review process.

Well it was allot more simple than I expected when plane text credentials were found.

This never happens, but this time we are luck.



We login as svc_loanmgr and I ran the

DCSync Attack

There are several accounts that can log on to the DC, so it could be possible for us to dump hashes from NTDS.dit remotely with the RPC protocol thanks to impacket secretsdump.

DCSync is an attack that empowers an attacker to simulate behaviors of the Domain Controller in order to retrieve password hashes of the entire domain through domain replication.

References - DCSync Attack :

  • https://medium.com/@airman604/dumping-active-directory-password-hashes-deb9468d1633

  • https://attack.stealthbits.com/privilege-escalation-using-mimikatz-dcsync

Reference - secretdump.py : https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py

I was having allot of difficulty running secretsdump with my Parrot OS, so I switched back over to Kali Linux to run the below command.

python3 secretsdump.py -just-dc-ntlm EGOTISTICAL-BANK.LOCAL/svc_loanmgr@ 

We retrieve the html hash of administrator to successfully establish a connection with wmiexec.

To establish a connection with wmiexec.py use the following command.

python3 wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff administrator@ 

Boom there is the password to login as administrator.

42 views0 comments

Recent Posts

See All