Personal Stuff and Interesting Tech I Like

Sauna HTB - Writeup

another quick AD writeup involving AS-REP roasting and a DCSync attack. this time we find a site on port 80:


we check it out and find a contact form; submitting it through Burp Suite just comes back with a 405, so not very fruitful. the about page, though, lists staff names, which is worth more. the plain names don't come back as valid accounts, so we permutate them into the usual AD username formats (first initial + surname and friends) and run the list through Kerbrute's userenum. that both confirms which usernames exist and flags Fsmith as not requiring Kerberos pre-authentication, so Kerbrute hands us an AS-REP hash for that account straight away!
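as an added example (my own shell, not code from the original writeup), here is a small POSIX sh function that does the permutation step: it turns "First Last" names into the username formats commonly used in AD so the list can be handed to kerbrute userenum. the names in sample_names are constructed stand-ins, not accounts from the box, and the kerbrute command in the trailing comment assumes you fill in the target domain and DC address.

```shell
#!/bin/sh
# Added example, not from the original writeup: expand "First Last" names
# scraped from the about page into the username formats AD environments
# usually use, then feed the list to kerbrute userenum. The names in
# sample_names are constructed samples, not accounts from the box.

# gen_usernames: read "First Last" lines on stdin, emit one candidate
# username per line (lowercased, de-duplicated). Middle names are dropped
# and single-token lines are skipped.
gen_usernames() {
    while read -r first rest; do
        # need at least a first and a last name
        [ -n "$first" ] && [ -n "$rest" ] || continue
        last=${rest##* }                                   # last token only
        f=$(printf '%s' "$first" | tr '[:upper:]' '[:lower:]')
        l=$(printf '%s' "$last"  | tr '[:upper:]' '[:lower:]')
        finit=$(printf '%.1s' "$f")                        # first initial
        linit=$(printf '%.1s' "$l")                        # last initial
        printf '%s\n' \
            "$f" "$l" \
            "$f$l" "$f.$l" "${f}_$l" "$f-$l" \
            "$finit$l" "$finit.$l" "${finit}_$l" \
            "$l$finit" "$l.$finit" \
            "$f$linit" "$l$f"
    done | sort -u
}

# Constructed sample input standing in for the names on the about page.
sample_names() {
    printf 'Frank Smith\nJane Doe\n'
}

# Stand-alone run: print the candidate list. In practice redirect it to a
# file and pass that to kerbrute, filling in the domain and DC, e.g.
#   sample_names | gen_usernames > users.txt
#   kerbrute userenum -d <domain> --dc <dc-ip> users.txt
sample_names | gen_usernames
```

the format list is deliberately short; add whatever convention the org's email addresses hint at, since a hit on one user normally tells you the scheme for all of them.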


hashcat mode 18200 is the Kerberos 5 AS-REP (etype 23) format, which is what the dumped hash is in:

hashcat -m 18200 Fsmith.hash /usr/share/wordlists/rockyou.txt


the hash cracks, and Fsmith's password gets us a shell on the box! the first thing i do is run SharpHound to collect the domain data and import it into BloodHound to look for a path from Fsmith to Domain Admin, but there isn't one from this account.

so let's run winPEAS and see if there's any other way to escalate our privileges


we find autologon creds! winPEAS pulls these from the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, the DefaultUserName / DefaultPassword values), which is where Windows keeps a plaintext autologon password, so it's always worth a look. marking that user as owned in BloodHound reveals a route to Domain Admin: the account holds the directory replication rights (GetChanges / GetChangesAll on the domain object), which is exactly what a DCSync attack needs, so we can replicate the Administrator NTLM hash straight out of the DC:


then we just pass that hash to evil-winrm (the -H flag takes the NT hash in place of a password) to log in as Administrator and grab root.txt!

#htb #writeup