HackTheBox — Sauna


Sauna is an easy Windows machine with IP



root@strike:~# nmap -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-19 14:55 EET
Nmap scan report for
Host is up (0.12s latency).
Not shown: 988 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-19 20:02:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h06m58s, deviation: 0s, median: 7h06m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-19 22:04:56
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.27 seconds

Try to enumerate LDAP services on port 389

nmap -p 389 --script ldap-search

Now I have the domain name ‘EGOTISTICAL-BANK.local’ and one user account found: ‘Hugo Smith’


  • So we have a bank website and some usernames, so I tried to dump all the usernames from this website into a txt file
  • After that I used the GetNPUsers script to get the password hash of user “fsmith”
  • Dump the hash into the hash.txt file to crack it
  • I used john to crack the hash
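A defender's view of the GetNPUsers step, as an added example that is not part of the original write-up: that script only gets a crackable hash for accounts whose userAccountControl has the "Do not require Kerberos preauthentication" flag set, so the flag is worth auditing. The sketch below checks an LDIF export for it; the sample records, account names and the example.local domain are constructed.

```python
# Audit an LDIF export for accounts with Kerberos pre-authentication disabled.
# Sample records are constructed for illustration (example.local is made up).
UAC_ACCOUNTDISABLE = 0x00000002    # account is disabled
UAC_DONT_REQ_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

SAMPLE_LDIF = """\
dn: CN=Alice Example,CN=Users,DC=example,DC=local
sAMAccountName: aexample
userAccountControl: 66048

dn: CN=Bob Example,CN=Users,DC=example,DC=local
sAMAccountName: bexample
userAccountControl: 4260352

dn: CN=Carol Example,CN=Users,DC=example,DC=local
sAMAccountName: cexample
userAccountControl: 4260354
"""

def parse_ldif(text):
    """Yield one dict per LDIF record (attribute names lower-cased)."""
    # LDIF wraps long values onto continuation lines that start with a space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for block in text.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue  # comment or malformed line
            key, value = line.split(": ", 1)
            record[key.rstrip(":").lower()] = value.strip()  # base64 values stay encoded
        if record:
            yield record

def preauth_disabled_accounts(ldif_text):
    """Return (account, enabled) pairs for records with DONT_REQ_PREAUTH set."""
    findings = []
    for rec in parse_ldif(ldif_text):
        try:
            uac = int(rec.get("useraccountcontrol", ""))
        except ValueError:
            continue  # not a user object, or the attribute was not exported
        if uac & UAC_DONT_REQ_PREAUTH:
            enabled = not (uac & UAC_ACCOUNTDISABLE)
            name = rec.get("samaccountname", rec.get("dn", "?"))
            findings.append((name, enabled))
    return findings

if __name__ == "__main__":
    for name, enabled in preauth_disabled_accounts(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required ({'enabled' if enabled else 'disabled'})")
```

Any enabled account this reports should have pre-authentication turned back on, or at least a long random password, since its hash can be requested without knowing the password.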

Now we have the credentials fsmith:Thestrokes23, so let’s try to connect using Evil-WinRM

Gain user flag!

Privilege Escalation

I created a file and uploaded a PS script, WindowsEnum, to enumerate the machine

I found credentials for another user svc_loanmanager:Moneymakestheworldgoround!

Let’s connect with new credentials

Upload Mimikatz.exe and run it to get the administrator NTLM hash, then try to connect with it

Gain root flag!

If you learned anything useful from this write-up, respect me on HackTheBox

Thanks for your time!




CTFer | Computer Science Student

Ahmed Samir
