HackTheBox — Sauna


Sauna is a easy windows machine with IP



root@strike:~# nmap -sC -sV
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-19 14:55 EET
Nmap scan report for
Host is up (0.12s latency).
Not shown: 988 filtered ports
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-07-19 20:02:42Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7h06m58s, deviation: 0s, median: 7h06m58s
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-07-19 22:04:56
|_ start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 284.27 seconds

Try to enumerate LDAP services on port 389

nmap -p 389 --script ldap-search

Now i have the domain name ‘EGOTISTICAL-BANK.local’ and one user account found ‘Hugo Smith


  • So we have a bank website and have some usernames, So i tried to dump all usernames from this website in txt file
  • After that i used getNPUsers script to get password hash of user “fsmith”
  • Dump the hash on hash.txt file to crack it
  • I used john to crack the hash

Now we have the credentials fsmith:Thestrokes23, So let’s try to connect suing Evil-WinRM

Gain user flag!

Privilege Escalation

I create file and upload ps script to enumerate the machine WindowsEnum

I found credentials for another user svc_loanmanager:Moneymakestheworldgoround!

Let’s connect with new credentials

Upload Mimikatz.exe and run to get administrator NTLM hash and try to connect with it

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!




CTFer | Computer Science Student

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

The token was recently listed on the Sphynx Pad which resulted in a higher reach of the native $MBZ…

{UPDATE} Tiny Pic Quiz Hack Free Resources Generator

WAS Utility token — Tokenomics proposal

PSA: Update Zoom on Mac to fix a bug that keeps your mic on after meetings : Gadget Game News

OWASP 2021: Broken Access Control is the worst!

OWASP 2021

{UPDATE} Who is it? Guess it! • Classic Hack Free Resources Generator

My 6/1 Smart Contract BNB Miners…

{UPDATE} Sweet Dreams Hack Free Resources Generator

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ahmed Samir

Ahmed Samir

CTFer | Computer Science Student

More from Medium

Dig Dug — A TryHackMe Writeup

HackTheBox: Pandora Write-up

Agent Sudo — TryHackMe Walkthrough

Attacktive Directory TryHackMe