Hack The Box: Sauna using Bloodhound
--
Sauna is another interesting Windows machine that was retired recently.
Let's start with a normal Nmap scan.
From the Nmap results, I learned that we need to perform more enumeration on the Active Directory services.
Port 389, used for the LDAP service, can be enumerated using Nmap scripts.
nmap -n -sV --script "ldap*" -p 389 10.10.10.175
I got a very long output with this command.
We got the domain name as EGOTISTICAL-BANK.LOCAL.
Now let's take a look at port 80 from the browser. In the About Us section, I found a few interesting names.
With the details from the above image, I created a list of names for a brute-force attack.
Before moving forward, take a look at the below link
Let's use GetNPUsers.py for more enumeration. You can get this script from GitHub.
I initiated the brute force using the command below:
python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile saunaUsers.txt -outputfile Hash.txt -dc-ip 10.10.10.175
Here, saunaUsers.txt contains the combinations of all usernames, and the output hash will be stored in Hash.txt.
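On the domain controller side, a username sweep like this shows up in Security event 4768 (Kerberos TGT requested), provided Kerberos Authentication Service auditing is enabled. The following is an added detection example, not part of the original write-up: the events, usernames, source addresses and the `min_unknown` threshold are constructed assumptions, and only a few of the 4768 EventData fields are kept.

```python
from collections import defaultdict

# Constructed sample: reduced EventData of Security event 4768.
# Status 0x6 = unknown principal; PreAuthType "0" = TGT issued without pre-auth.
EVENTS = [
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-"},
    {"TargetUserName": "john.doe", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-"},
    {"TargetUserName": "j.doe", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x6", "PreAuthType": "-"},
    {"TargetUserName": "svc_example", "IpAddress": "::ffff:10.10.14.5",
     "Status": "0x0", "PreAuthType": "0"},
    {"TargetUserName": "alice", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x0", "PreAuthType": "2"},
    {"TargetUserName": "alcie", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x6", "PreAuthType": "-"},
    {"TargetUserName": "WKSTN01$", "IpAddress": "::ffff:10.10.10.50",
     "Status": "0x0", "PreAuthType": "2"},
]


def find_asrep_roasting(events, min_unknown=3):
    """Flag sources that guess usernames or obtain TGTs without pre-auth."""
    per_src = defaultdict(lambda: {"unknown": set(), "no_preauth": set()})
    for ev in events:
        user = ev["TargetUserName"]
        if user.endswith("$"):  # machine accounts are not part of this pattern
            continue
        src = ev["IpAddress"].replace("::ffff:", "")  # IPv4-mapped form
        status = int(ev["Status"], 16)
        if status == 0x6:
            per_src[src]["unknown"].add(user)
        elif status == 0 and ev["PreAuthType"] == "0":
            per_src[src]["no_preauth"].add(user)

    findings = {}
    for src, seen in per_src.items():
        # One mistyped name is normal; a burst of unknown names or any
        # TGT issued without pre-authentication deserves a look.
        if seen["no_preauth"] or len(seen["unknown"]) >= min_unknown:
            findings[src] = {
                "unknown_users": sorted(seen["unknown"]),
                "no_preauth_tgts": sorted(seen["no_preauth"]),
            }
    return findings


if __name__ == "__main__":
    for src, detail in find_asrep_roasting(EVENTS).items():
        print(src, detail)
```

Any account listed under `no_preauth_tgts` has "Do not require Kerberos preauthentication" set; clearing that flag and rotating the account's password removes the exposure.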