{"id":230,"date":"2025-07-25T19:01:00","date_gmt":"2025-07-25T19:01:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=230"},"modified":"2025-12-28T19:29:31","modified_gmt":"2025-12-28T19:29:31","slug":"sauna-hackthebox-lab-2","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=230","title":{"rendered":"Sauna - Hack The Box lab"},"content":{"rendered":"\n<p class=\"has-text-align-center\">Today I am working on Sauna by Hack The Box. I start out with some port scans.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"409\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725095317-1024x409.png\" alt=\"\" class=\"wp-image-418\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725095317-1024x409.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725095317-300x120.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725095317-768x307.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725095317.png 1096w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"421\" height=\"80\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250804155025.png\" alt=\"\" class=\"wp-image-417\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250804155025.png 421w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250804155025-300x57.png 300w\" sizes=\"auto, (max-width: 421px) 100vw, 421px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">This is a Domain Controller so I looked into some common items such as null sessions and SMB share enumeration. 
I did not have luck so I started enumerating the web server on port 80. I found the page below and used the names to enumerate Active Directory for active accounts.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"775\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115527-1024x775.png\" alt=\"\" class=\"wp-image-419\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115527-1024x775.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115527-300x227.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115527-768x581.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115527.png 1166w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">I found one valid username with Kerbrute.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"711\" height=\"271\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115622.png\" alt=\"\" class=\"wp-image-420\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115622.png 711w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115622-300x114.png 300w\" sizes=\"auto, (max-width: 711px) 100vw, 711px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">When performing AS-REP Roasting with Impacket's GetNPUsers script, I was able to get a password hash for fsmith.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"720\" height=\"146\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115928.png\" alt=\"\" class=\"wp-image-421\" 
srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115928.png 720w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725115928-300x61.png 300w\" sizes=\"auto, (max-width: 720px) 100vw, 720px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">I ran that hash through Hashcat and obtained the cleartext password for the account.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"736\" height=\"502\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120251.png\" alt=\"\" class=\"wp-image-422\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120251.png 736w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120251-300x205.png 300w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">I was able to connect to the box with Evil-WinRM and run WinPEAS.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"236\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120559-1024x236.png\" alt=\"\" class=\"wp-image-423\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120559-1024x236.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120559-300x69.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120559-768x177.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725120559.png 1039w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"841\" height=\"235\" 
src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121033.png\" alt=\"\" class=\"wp-image-424\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121033.png 841w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121033-300x84.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121033-768x215.png 768w\" sizes=\"auto, (max-width: 841px) 100vw, 841px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">While looking through the WinPEAS output, I found a cleartext password for svc_loanmanager.<\/p>\n\n\n\n<p class=\"has-text-align-center\">I got stuck here and lost my mind a bit. I used some public writeups and found a path with DCSync. I ran SharpHound on the host with both discovered users but could not get the result I was looking for. In the public writeups, it was discovered that svc_loanmgr has DCSync rights. I have no idea why the username changed. 
Hah.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"590\" height=\"103\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121249.png\" alt=\"\" class=\"wp-image-425\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121249.png 590w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725121249-300x52.png 300w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">I connected with Evil-WinRM using the Administrator hash and got admin access to the box.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"997\" height=\"554\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142300.png\" alt=\"\" class=\"wp-image-427\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142300.png 997w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142300-300x167.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142300-768x427.png 768w\" sizes=\"auto, (max-width: 997px) 100vw, 997px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"198\" src=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142406-1024x198.png\" alt=\"\" class=\"wp-image-428\" srcset=\"https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142406-1024x198.png 1024w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142406-300x58.png 300w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142406-768x148.png 768w, https:\/\/thecyberstaff.com\/wp-content\/uploads\/2025\/07\/Pasted-image-20250725142406.png 1041w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-text-align-center\">This box shows the importance of strong user account passwords and the importance of hardening Active Directory environments against common attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I am working on Sauna by Hack The Box. I start out with some port scans. This is a Domain Controller so I looked into some common items such as null sessions and SMB share enumeration. I did not have luck so I started enumerating the web server on port 80. [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/230","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=230"}],"version-history":[{"count":3,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/230\/revisions"}],"predecessor-version":[{"id":429,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/230\/revisions\/429"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/231"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=230"}],"wp:ter
m":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}