Sauna is an easy-rated Windows machine created by egotisticalSW. Initial foothold focuses on getting a user hash that can be cracked to get user access. Discovering a password in the registry keys allows me to take over another user, and privilege escalation is done by performing a dump of the admin hashes using mimikatz.
Reconnaissance
Nmap shows the common ports of an Active Directory service (SMB, RPC, LDAP, Kerberos) as well as port 80 (HTTP).
The HTTP service shows a page of a banking institution.
Hovering over ‘Dropdown’ and clicking Our Team will give us possible users that we can compromise.
I listed the users in a file and attempted to grab their Kerberos hashes with Impacket’s GetNPUsers.
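The GetNPUsers request above returns a hash only for accounts that have Kerberos pre-authentication disabled, and on the domain controller each such request is recorded as Security event 4768 with pre-authentication type 0. The following Python is an added detection example, not part of the original write-up; the event records, user names and addresses in it are constructed, and it assumes the 4768 events have already been exported as dictionaries of their EventData fields.

```python
from collections import defaultdict

# Constructed sample records; keys mirror the EventData fields of Windows
# Security event 4768 (Kerberos TGT request). Users and IPs are made up.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.0.2.10"},
    {"TargetUserName": "jdoe", "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:192.0.2.66"},
    {"TargetUserName": "msmith", "Status": "0x6", "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "IpAddress": "::ffff:192.0.2.66"},
    {"TargetUserName": "svc_test", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.0.2.66"},
]

KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # requested user does not exist
ETYPE_RC4_HMAC = 0x17


def find_no_preauth_tgts(events):
    """Group TGTs issued without pre-authentication by requesting host."""
    by_src = defaultdict(
        lambda: {"accounts": set(), "rc4": False, "unknown_users": 0})
    for ev in events:
        src = ev["IpAddress"]
        if src.startswith("::ffff:"):        # IPv4-mapped form used in the log
            src = src[len("::ffff:"):]
        status = int(ev["Status"], 16)
        if status == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            # Guessed usernames from a list show up as unknown principals.
            by_src[src]["unknown_users"] += 1
        elif status == 0 and ev["PreAuthType"] == "0":
            # Success with pre-auth type 0: the AS-REP was handed out
            # without the requester proving knowledge of the password.
            by_src[src]["accounts"].add(ev["TargetUserName"])
            if int(ev["TicketEncryptionType"], 16) == ETYPE_RC4_HMAC:
                by_src[src]["rc4"] = True
    # Only hosts that actually received a no-pre-auth TGT are findings.
    return {s: f for s, f in by_src.items() if f["accounts"]}


if __name__ == "__main__":
    for src, f in find_no_preauth_tgts(SAMPLE_EVENTS).items():
        print(src, sorted(f["accounts"]), "rc4" if f["rc4"] else "other",
              "unknown-user failures:", f["unknown_users"])
```

Accounts it reports should have "Do not require Kerberos preauthentication" cleared, or be given a long random password where the setting cannot be removed.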
Gaining User Access
I was able to grab fsmith’s hash and cracked it using john.
Within a few seconds, I found fsmith’s password which is ‘Thestrokes23’.
I logged in using the found credentials with evil-winrm and grabbed the user flag.
Lateral Movement
I discovered that there is another user in the system, ‘svc_loanmgr’.
After more enumeration, I found a password in one of the registry keys.
I tried using it to log in to svc_loanmgr and I got in successfully.
Privilege Escalation
From here, I uploaded mimikatz and attempted to dump the admin’s hashes, which was successful.
I used the hash to perform a pass-the-hash technique in order to log in to the system as Administrator and grabbed the root flag.
That is it for Sauna. Thank you for reading and have a good day!