Network Enumeration
Let's start with an nmap scan to identify open ports.

WEB Enumeration
Use gobuster to brute-force directories.

Can't find anything interesting in the directory enumeration.
Port 80

In the About Us section we find some potential usernames.

Let’s take note of the names.
SMB Enumeration
I tried using smbmap and crackmapexec to look for null sessions.

Looks like we need to use the names found on the website to generate some usernames.

Active Directory accounts commonly follow varied naming conventions, so we'll use a script to generate several username permutations from each name.
import sys

# Get the input file name from the command line arguments
if len(sys.argv) < 2:
    print("Please specify an input file")
    sys.exit(1)

input_file = sys.argv[1]

# Open the input text file containing the list of names (one "First Last" per line)
with open(input_file) as f:
    # Read the contents of the file and split it into a list of names, skipping blank lines
    names = [line.strip() for line in f.read().splitlines() if line.strip()]

# Open the output text file for writing
with open('output.txt', 'w') as f:
    # Loop through each name in the list
    for name in names:
        parts = name.split()
        # A single word cannot be split into first and last name, so skip it
        if len(parts) < 2:
            continue
        # Split the name into first and last name (any middle names are ignored)
        first_name, last_name = parts[0], parts[-1]
        # Get the first letter of the first name
        first_letter = first_name[0]
        # Write the first letter and full last name to the output file
        f.write(f"{first_letter}.{last_name}\n")
        f.write(f"{first_letter}{last_name}\n")
The end result will be the following.

ASREPRoast
Since we have a user list and port 88 (Kerberos) is open, let's try to find users that do not require Kerberos pre-authentication using the Impacket GetNPUsers module.
Impacket GetNPUsers.py is a tool that performs an ASREPRoast attack against Active Directory environments. It queries the Key Distribution Center for accounts without pre-authentication (AS-REP roastable accounts) and returns a hash that can be cracked offline. All that is required is a list of candidate usernames.

Let's crack the hash with hashcat on our local Windows machine.
./hashcat.exe -a 0 -m 18200 hash.txt rockyou.txt

Thestrokes23
Initial SHELL
Since we have a username and password, let's try to get a shell with evil-winrm.

We can find the user flag on the Desktop.

I transferred winPEAS to the target as this user and ran the scan.
Found some creds for autologon.

Tried finding the user but found something close.

Let’s try to get a shell with this user.

Privilege Escalation
Once the new user shell was gained, I tried uploading winPEAS again, but it showed the same results. I decided to use BloodHound to do more enumerating.
First upload SharpHound.exe to collect the data.

Transfer the data to BloodHound and query the shortest paths to high value targets from the svc_loanmgr user.

We can see that this user is able to perform a DCSync against the DC.


DCSync Attack
DCSync is an attack that obtains sensitive information from an Active Directory domain controller by abusing the directory replication rights to request password hashes, the same way a domain controller synchronizes them. Attackers can use these hashes for pass-the-hash attacks, but the attack requires administrative privileges or a compromised account that holds those replication rights.
We can use two methods for this.
The first is the secretsdump module from Impacket.

The second is uploading mimikatz and running an lsadump, which will return the hash.
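As an added defensive counterpart to the ASREPRoast and DCSync steps above (not part of the original writeup): both techniques leave distinct traces in the domain controller's Security log, and this script flags them in constructed sample events. Field names follow the 4768 and 4662 event schemas; the sample accounts and addresses are made up, and treating every machine account as a legitimate replicator is a simplification.

```python
import json

# Control-access right GUIDs that a DCSync needs (well-known AD values)
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Constructed sample events: a subset of Security log fields, one JSON object per line.
# 4768 = TGT requested, 4662 = operation performed on an AD object.
SAMPLE_LINES = [
    '{"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"}',
    '{"EventID": 4768, "TargetUserName": "asmith", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20"}',
    '{"EventID": 4662, "SubjectUserName": "svc_loanmgr", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}',
]


def is_asrep_roast(ev):
    """4768 with no pre-authentication (PreAuthType 0) and an RC4 (0x17) ticket.
    Pre-auth disabled is what GetNPUsers looks for; RC4 is the etype roasting
    tools request because it is the cheapest to crack offline."""
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")


def is_dcsync(ev):
    """4662 where a non-machine account exercises replication control rights.
    Domain controllers replicate legitimately, so machine accounts ($) are
    skipped here; a real rule would also allow-list known sync accounts."""
    if ev.get("EventID") != 4662:
        return False
    if ev.get("SubjectUserName", "").endswith("$"):
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def triage(lines):
    """Return (technique, account) tuples for each suspicious event line."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_asrep_roast(ev):
            hits.append(("AS-REP roast", ev["TargetUserName"]))
        elif is_dcsync(ev):
            hits.append(("DCSync", ev["SubjectUserName"]))
    return hits


if __name__ == "__main__":
    for technique, account in triage(SAMPLE_LINES):
        print(f"{technique}: {account}")
```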

Root Shell
We can use evil-winrm with the Administrator hash to gain the admin shell.

The root flag will be on the Desktop.
