HackTheBox — Sauna

Ahmed Samir
3 min readJul 19, 2020



Sauna is a easy windows machine with IP



root@strike:~# nmap -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-19 14:55 EET
Nmap scan report for
Host is up (0.12s latency).
Not shown: 988 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-19 20:02:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h06m58s, deviation: 0s, median: 7h06m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-19 22:04:56
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.27 seconds

Try to enumerate LDAP services on port 389

nmap -p 389 --script ldap-search

Now i have the domain name ‘EGOTISTICAL-BANK.local’ and one user account found ‘Hugo Smith


  • So we have a bank website and have some usernames, So i tried to dump all usernames from this website in txt file
  • After that i used getNPUsers script to get password hash of user “fsmith”
  • Dump the hash on hash.txt file to crack it
  • I used john to crack the hash

Now we have the credentials fsmith:Thestrokes23, So let’s try to connect suing Evil-WinRM

Gain user flag!

Privilege Escalation

I create file and upload ps script to enumerate the machine WindowsEnum

I found credentials for another user svc_loanmanager:Moneymakestheworldgoround!

Let’s connect with new credentials

Upload Mimikatz.exe and run to get administrator NTLM hash and try to connect with it

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!



Ahmed Samir

CTFer | Computer Science Student