Sauna - Hack The Box
Enumeration
Nmap
The Nmap scan showed LDAP and Kerberos among the exposed services. Both are characteristic of Active Directory, so the target is most likely a Domain Controller.
Trying Anonymous LDAP
While attempting anonymous LDAP enumeration, I discovered several usernames. These proved unhelpful, however: subsequent Kerbrute user enumeration and SPN hunting with them yielded no useful results.
Web Enumeration
During web enumeration, I found a list of staff members on the site. Using username-anarchy, I generated a custom username wordlist from those names.
Exploitation
AS-REP Roasting
Using the generated wordlist, I ran Impacket's GetNPUsers script to identify accounts with Kerberos pre-authentication disabled. For such an account the KDC hands out an AS-REP whose encrypted part is keyed with the user's password hash, so I extracted that material (AS-REP Roasting) and brute-forced it offline to recover the plaintext password.
The brute-force attack with Hashcat recovered the password, and I was then able to log in as that user.
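The defender's counterpart to the step above is to know which accounts are exposed and to spot the request pattern a wordlist-driven GetNPUsers run leaves on the Domain Controller. The following script is an added example for this write-up, not code from the original post: it decodes the userAccountControl flag that disables pre-authentication over a constructed account export, and summarises constructed Security-log 4768 (TGT request) events by source IP. The account names, IP addresses, the 4768 samples and the spray threshold are assumptions; the field names follow the Windows event XML.

```python
"""Defender-side checks for AS-REP roasting (Kerberos pre-authentication disabled).

Added example for this write-up, not the author's code. The account export and
the 4768 events below are constructed; their field names mirror the LDAP
userAccountControl attribute and the Windows Security log's TGT-request event.
"""
from collections import defaultdict

# userAccountControl bit flags (values documented by Microsoft)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed LDAP export: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "hr-user1": 0x10200,         # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "svc_example": 0x410200,     # ... | DONT_REQ_PREAUTH, enabled -> roastable
    "old-contractor": 0x410202,  # DONT_REQ_PREAUTH but ACCOUNTDISABLE
    "admin-example": 0x200,      # NORMAL_ACCOUNT
}


def roastable_accounts(accounts):
    """Enabled accounts that do not require pre-authentication: exactly the set
    GetNPUsers would get an AS-REP for, and the set to fix (re-enable pre-auth,
    or give the account a long random password if an application needs it off)."""
    return sorted(
        name for name, uac in accounts.items()
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE
    )


def _to_int(value):
    """Event fields arrive as strings ('0', '0x17', '-'); None when not numeric."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None


# Constructed 4768 events. Status 0x0 = ticket issued, 0x6 = client unknown
# (typical of a wordlist-driven spray); PreAuthType 0 = no pre-authentication;
# TicketEncryptionType 0x17 = RC4-HMAC, the etype offline crackers prefer.
SAMPLE_4768 = [
    {"EventID": 4768, "TargetUserName": "hr-user1", "IpAddress": "10.0.0.5",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "10.0.0.99",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "10.0.0.99",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "doej", "IpAddress": "10.0.0.99",
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"EventID": 4768, "TargetUserName": "svc_example", "IpAddress": "10.0.0.99",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
]


def summarize_tgt_requests(events):
    """Per source IP: users who got a TGT without pre-auth (RC4 ones counted
    separately) and how many requests failed because the user does not exist."""
    by_ip = defaultdict(lambda: {"no_preauth_users": set(),
                                 "rc4_no_preauth": 0,
                                 "unknown_user_failures": 0})
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        slot = by_ip[ev.get("IpAddress", "?")]
        status = _to_int(ev.get("Status"))
        if status == 0x6:
            slot["unknown_user_failures"] += 1
        elif status == 0 and _to_int(ev.get("PreAuthType")) == 0:
            slot["no_preauth_users"].add(ev["TargetUserName"])
            if _to_int(ev.get("TicketEncryptionType")) == 0x17:
                slot["rc4_no_preauth"] += 1
    return {ip: {**s, "no_preauth_users": sorted(s["no_preauth_users"])}
            for ip, s in by_ip.items()}


def roasting_sources(events, min_unknown_failures=3):
    """IPs showing the signature seen on this box: a burst of unknown-user
    failures from one host, then a TGT issued without pre-authentication."""
    return sorted(
        ip for ip, s in summarize_tgt_requests(events).items()
        if s["no_preauth_users"]
        and (s["rc4_no_preauth"] or s["unknown_user_failures"] >= min_unknown_failures)
    )


if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("suspect sources:", roasting_sources(SAMPLE_4768))
```

The exposure check is the one to run periodically; the 4768 summary is what a SIEM rule would encode, and the threshold for unknown-user failures should be tuned to how noisy the environment's own service discovery is.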
Privilege Escalation
After gaining user-level access, I ran SharpHound to collect Active Directory data and analyzed it in BloodHound. This revealed that the service account svc_loanmgr held DCSync rights (directory replication permissions) over the domain.
AutoLogon Credentials
I then ran WinPEAS, which showed that AutoLogon was configured for that service account, allowing me to read its cleartext password from the Winlogon registry key.
Using the recovered credentials, I successfully logged in as the service account.
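The configuration WinPEAS found here is something a host audit can catch before an attacker does. The script below is an added example for this write-up, not code from the original post: on a Windows host it reads the Winlogon AutoLogon values through the standard-library winreg module, and audit_autologon() flags a stored DefaultPassword and an enabled AutoLogon. The sample values are constructed (the placeholder password and account name are not from the box), and the finding codes are this example's own.

```python
"""Audit Winlogon AutoLogon settings for a stored cleartext password.

Added example for this write-up, not the author's code. On a Windows host
read_winlogon_values() reads the live key through winreg; audit_autologon()
only needs a dict, so the constructed SAMPLE_VALUES exercise it anywhere.
"""
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUTOLOGON_VALUES = ("AutoAdminLogon", "DefaultUserName",
                    "DefaultDomainName", "DefaultPassword")

# Constructed values mirroring the kind of configuration WinPEAS surfaced
SAMPLE_VALUES = {
    "AutoAdminLogon": "1",
    "DefaultUserName": "svc_example",
    "DefaultDomainName": "EXAMPLE",
    "DefaultPassword": "constructed-placeholder",
}


def read_winlogon_values():
    """Read the AutoLogon values from HKLM (Windows only). The key is readable
    by any local user, which is why a low-privilege shell can see the password."""
    import winreg  # standard library, present only on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in AUTOLOGON_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set
    return values


def audit_autologon(values):
    """Return (code, message) findings; an empty list means nothing to report."""
    findings = []
    enabled = str(values.get("AutoAdminLogon", "0")).strip() == "1"
    user = values.get("DefaultUserName") or ""
    domain = values.get("DefaultDomainName") or ""
    account = f"{domain}\\{user}" if domain else user
    if values.get("DefaultPassword"):
        findings.append(("CLEARTEXT_PASSWORD",
                         f"DefaultPassword for {account or '<unset user>'} is stored "
                         "in the registry where any local user can read it"))
        if not enabled:
            findings.append(("STALE_PASSWORD",
                             "AutoLogon is off but DefaultPassword was never cleared"))
    if enabled and user:
        findings.append(("AUTOLOGON_ENABLED", f"{account} logs on automatically at boot"))
    return findings


if __name__ == "__main__":
    import sys
    values = read_winlogon_values() if sys.platform == "win32" else SAMPLE_VALUES
    for code, msg in audit_autologon(values) or [("OK", "no AutoLogon exposure found")]:
        print(f"{code}: {msg}")
```

A CLEARTEXT_PASSWORD finding for a domain account is the one to act on first: an account with rights such as DCSync should never be used for AutoLogon at all. Where a kiosk-style machine genuinely needs it, the Sysinternals Autologon tool stores the password as an LSA secret instead of a plain registry value, which keeps it away from ordinary users (though not from local administrators).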
DCSync
With access to the service account, I performed a DCSync attack using secretsdump.py, which uses the account's replication rights to pull the NTLM hash of the Administrator account from the Domain Controller.
Pass The Hash
Finally, I used the Pass-the-Hash technique with PsExec, authenticating with the Administrator NTLM hash instead of a password, to obtain a privileged administrative shell.
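Both of the last two steps, the DCSync above and the PsExec-style Pass-the-Hash logon, leave distinctive traces in the Domain Controller's event logs. The script below is an added example for this write-up, not code from the original post: it flags Security event 4662 accesses that use the directory replication extended rights by anything other than a DC machine account (joined to the 4624 logon that created the session, so the source IP is known), and applies a heuristic for a privileged NTLM network logon followed by a service binary installed straight into the Windows directory. All events are constructed, the allowlist and privileged-account set are assumptions to adapt, and the service-path rule is a heuristic rather than a rule from any vendor.

```python
"""Detection logic for DCSync (Security 4662 with replication rights) and a
PsExec-style Pass-the-Hash logon (Security 4624 over NTLM plus System 7045).

Added example for this write-up, not the author's code. All events are
constructed dicts whose keys follow the Windows event XML field names; the
allowlist and the privileged-account set are assumptions to adapt locally.
"""
import re

# Extended rights DCSync needs; DC machine accounts use them legitimately.
REPLICATION_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)
PRIVILEGED_ACCOUNTS = {"administrator"}        # assumption: extend from your AD
REPLICATION_ALLOWLIST = {"sync_svc_example"}   # assumption: e.g. a directory sync account
# Heuristic: service binaries dropped directly into the Windows directory
SYSROOT_EXE = re.compile(r'^"?(%systemroot%|c:\\windows)\\[^\\]+\.exe"?', re.IGNORECASE)

SAMPLE_EVENTS = [
    # legitimate replication by a domain controller
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "EXAMPLE",
     "SubjectLogonId": "0x3e7", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # the service account from the write-up pulling secrets (constructed trace)
    {"EventID": 4624, "TargetUserName": "svc_loanmgr", "TargetDomainName": "EXAMPLE",
     "TargetLogonId": "0x5f1c2a", "LogonType": "3", "IpAddress": "10.0.0.99",
     "AuthenticationPackageName": "Kerberos"},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "SubjectDomainName": "EXAMPLE",
     "SubjectLogonId": "0x5f1c2a", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Administrator arriving over NTLM and a PsExec service being installed
    {"EventID": 4624, "TargetUserName": "Administrator", "TargetDomainName": "EXAMPLE",
     "TargetLogonId": "0x6a0b3c", "LogonType": "3", "IpAddress": "10.0.0.99",
     "AuthenticationPackageName": "NTLM"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "BackupAgent", "ImagePath": r"C:\Program Files\Backup\agent.exe"},
]


def detect_dcsync(events, allowlist=REPLICATION_ALLOWLIST):
    """4662 accesses using replication rights by anything other than a DC
    machine account or an allowlisted sync account, joined to the 4624 logon
    whose TargetLogonId matches the 4662 SubjectLogonId to recover the source IP."""
    logons = {ev["TargetLogonId"]: ev for ev in events if ev.get("EventID") == 4624}
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user.lower() in allowed:
            continue
        session = logons.get(ev.get("SubjectLogonId"), {})
        hits.append({"user": user, "domain": ev.get("SubjectDomainName"),
                     "source_ip": session.get("IpAddress", "unknown")})
    return hits


def detect_pth_psexec(events, privileged=PRIVILEGED_ACCOUNTS):
    """Heuristic: a privileged account authenticating with NTLM for a network
    logon (Kerberos is the norm inside a domain) and a service whose binary
    sits directly in the Windows directory, as PsExec-style tools install."""
    ntlm_logons = [
        {"user": ev["TargetUserName"], "source_ip": ev.get("IpAddress")}
        for ev in events
        if ev.get("EventID") == 4624 and ev.get("LogonType") == "3"
        and ev.get("AuthenticationPackageName") == "NTLM"
        and ev.get("TargetUserName", "").lower() in privileged
    ]
    services = [
        {"service": ev["ServiceName"], "image": ev.get("ImagePath", "")}
        for ev in events
        if ev.get("EventID") == 7045
        and (ev["ServiceName"].upper() == "PSEXESVC"
             or SYSROOT_EXE.match(ev.get("ImagePath", "")))
    ]
    return {"ntlm_privileged_logons": ntlm_logons, "suspicious_services": services}


if __name__ == "__main__":
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS))
    print("PtH/PsExec:", detect_pth_psexec(SAMPLE_EVENTS))
```

The DCSync rule is the higher-confidence one, because replication rights held by a plain user account are both rare and exactly the misconfiguration BloodHound exposed on this box; the NTLM and service-install heuristic produces more noise and is best used to corroborate rather than to alert on its own.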
In conclusion, the machine was fully compromised.