HackTheBox - Sauna

00:00 - Intro
01:05 - Running Nmap
02:07 - Poking at SMB with CrackMapExec, SMBMap, and RPCClient to get nothing
04:15 - Checking out the web page
06:00 - Playing with user input in the website and getting an error "HTTP VERB used is not allowed"
08:20 - Copying names from the website
10:50 - Using some VIM/VI Magic (macro) to convert names into potential usernames
12:40 - Identifying valid usernames by using KerBrute which can enumerate valid usernames
16:00 - Running some Impacket scripts and performing an ASREP Roast to extract password hash from Active Directory
18:20 - Running GetNPUsers to get the hash for a user and then using hashcat to crack ASREP$23
20:50 - Seeing a RICOH printer share, pulling EXIF data off website to get an idea if it may be exploitable
23:10 - Using Evil-WinRM to log into the box with FSMITH and run WinPEAS to get saved credentials
29:00 - Running BloodHound
34:25 - Identifying that svc_loanmgr can perform a DCSYNC
35:40 - Running SecretsDump with svc_loanmgr to perform a DCSYNC
37:45 - Performing a Pass The Hash with the administrator user using PSExec