This article is dedicated to a detailed walkthrough of the Sauna virtual machine. This material will be useful for both beginners and experienced cybersecurity professionals who want to improve their penetration testing skills. You will learn how to effectively use reconnaissance tools (Nmap, masscan), analyze the LDAP service, and conduct AS-REP Roasting and DCSync attacks.
The article discusses searching for active users via LDAP, working with autologin data, and performing AS-REP Roasting and DCSync attacks to obtain credentials.
The connection to the lab is via VPN. It is not recommended to use a work computer or device containing sensitive data, as the connection is to a private network where users with experience in information security are present.
The machine is assigned the IP address 10.10.10.175, which is added to the /etc/hosts file.
10.10.10.175 sauna.htb
First, we scan for open ports. Since scanning all ports with Nmap can take a long time, we use masscan to speed up the process. We scan all TCP and UDP ports from the tun0 interface at a rate of 500 packets per second.
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.175 --rate=500
There are many ports open on the host. Now let’s scan them with nmap to filter and select the ones we need.
nmap sauna.htb -p53,593,49690,80,135,49670,88,3269,139,464,389,9389,445,49669,49667,3268,50956,636,5985
To get more detailed information about services running on open ports, run a scan with the -A option in Nmap. This allows you to determine software versions, operating system, and also identify additional vulnerabilities in the services.
nmap -A sauna.htb -p53,80,88,135,139,389,445,464,593,636,3268,3269,5985,9389
There are many services running on the host, so the first priority is to analyze the web, SMB, and DNS services. To work with LDAP, we use the JXplorer LDAP browser, as it is convenient for viewing and analyzing LDAP data and lets us interact with the service and obtain the necessary information efficiently.
Probably a username.
We go to the website and find the company’s staff page.
So, the user Hugo Smith has the account hsmith.
Assuming that the administrators follow a consistent username naming convention, we compile a list of possible account names for the other employees.
Let’s repeat the attack against this list of user names.
Of all the candidate names, only one account exists in the domain, and the attack succeeds, returning a hash of that user’s password. Now we crack it by brute force.
Password successfully found. From the many ways to use credentials, we choose the remote management service (WinRM). We use Evil-Winrm to connect.
And we obtain the user flag.
To collect information on the host, you can use scripts for initial enumeration, in particular the most complete one is winPEAS. Download this script to the target host and run it.
Among the information it displays, we find autologin data.
However, when trying to connect, a failure occurs.
Let’s go back and check what accounts are registered in the system. Find the account name for this user.
After connecting and performing a few calculations, we load SharpHound onto the host.
And run it.
An archive will appear in the current directory, download it.
And load it into BloodHound.
Thus, we find a GetChangesAll edge through which we can obtain the relevant information.
The above message refers to the DS-Replication-Get-Changes-All privilege, which allows you to request replication of critical data from a domain controller. This can be done using the impacket package.
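The two credential-theft techniques this walkthrough relies on, AS-REP Roasting (above) and DCSync (this step), both leave a recognizable trace in the Windows Security log. The script below is an added example written for this article, not code from the original walkthrough: it flags Kerberos TGT requests without pre-authentication (event 4768) and replication rights exercised by a non-DC account (event 4662). The event records are constructed inline and the domain-controller account name `DC01$` is assumed.

```python
# Added example (not from the original walkthrough): flag AS-REP Roasting and
# DCSync from Windows Security log events. Records are constructed inline as
# JSON lines; field names follow the 4768/4662 event schema.
import json

# Control access right GUIDs that DCSync exercises against the directory.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def is_asrep_roast(ev):
    # 4768 = TGT requested. PreAuthType 0 means no pre-authentication, which is
    # what makes an account roastable; RC4 (0x17) is the crackable etype.
    return (ev["EventID"] == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")

def is_dcsync(ev, dc_accounts):
    # 4662 = operation on an AD object. Replication rights used by anything
    # other than a domain controller machine account is a DCSync signal.
    if ev["EventID"] != 4662:
        return False
    props = ev.get("Properties", "").lower()
    return (any(g in props for g in REPL_GUIDS)
            and ev["SubjectUserName"].upper() not in dc_accounts)

def triage(lines, dc_accounts):
    """Return a list of (rule, account) for every suspicious event."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_asrep_roast(ev):
            hits.append(("asrep_roast", ev["TargetUserName"]))
        elif is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev["SubjectUserName"]))
    return hits

# Constructed sample events (not real logs from the lab machine).
SAMPLE = [
    '{"EventID": 4768, "TargetUserName": "svc_user", "PreAuthType": "0", "TicketEncryptionType": "0x17"}',
    '{"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"}',
    '{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "svc_user", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
]

if __name__ == "__main__":
    for rule, who in triage(SAMPLE, {"DC01$"}):
        print(rule, who)
```

The mitigation side is the same as the detection side: remove "Do not require Kerberos preauthentication" from accounts that do not need it, and keep replication rights restricted to domain controllers.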
So, we gain access to the administrator account.
The article describes the process of compromising the Sauna virtual machine. First, the host is scanned for open ports to identify running services. Then, using LDAP and the company website, valid user names are found and an attack is carried out to obtain a password hash, which is cracked. With the password, we connect to the machine over WinRM using Evil-WinRM. Next, additional information about the system is collected with an enumeration script, leading to a privilege escalation path that grants access to the administrator account. As a result, full control over the system is obtained. This is a step-by-step guide that explains how to test the security of such systems.