
OSCP Prep #9 HTB Write-UP Sauna


1. Target Overview

Machine Name: Sauna
Platform: HTB
Operating System: Windows
Objective: Gain initial access to the target, escalate privileges, and fully compromise the Active Directory environment.

Sauna is a Windows Active Directory target hosted on Hack The Box. The machine exposes several services typically associated with a domain controller, including Kerberos, LDAP, SMB, and RPC. During initial reconnaissance a web server was also discovered running IIS, which is somewhat unusual for a domain controller and therefore worth investigating further. The domain name and hostname are leaked during enumeration, providing useful information for further Active Directory attacks.

Tools Used

Nmap
Used for initial service discovery and version detection to identify exposed services on the target host.

NetExec (nxc)
Used extensively for Active Directory enumeration, including SMB share discovery, domain user enumeration, password spraying, and SMB spidering.

rpcclient
Used to attempt anonymous RPC enumeration of domain users.

Kerbrute
Used to perform Kerberos-based username enumeration to identify valid domain accounts.

Username Anarchy
Used to generate potential username permutations from employee names discovered on the website.

Impacket (GetNPUsers.py)
Used to perform AS-REP roasting against the fsmith account in order to obtain a crackable Kerberos hash.

John the Ripper
Used to crack the recovered AS-REP hash offline and recover the fsmith password.

Evil-WinRM
Used to authenticate to the target system and obtain a remote PowerShell shell using compromised credentials.

SharpHound / BloodHound
Used to enumerate Active Directory relationships, ACL permissions, and privilege escalation paths within the domain.

Impacket (secretsdump.py)
Used to perform a DCSync attack after discovering that the svc_loanmanager account had the GetChanges and GetChangesAll privileges over the domain object.

Impacket (psexec.py)
Used to perform a pass-the-hash attack using the recovered Administrator NTLM hash, resulting in a shell running as NT AUTHORITY\SYSTEM.


2. Enumeration

Active Directory Attack Checklist

  1. Add FQDN to /etc/hosts

  2. Enumerate SMB and attempt anonymous share access


Service Enumeration

As always, the first step is to perform a full port scan against the target to identify exposed services.

nmap -sC -sV -p- <target-ip>

The scan reveals several services that strongly indicate the host is operating as a Domain Controller.

The scan also reveals important Active Directory information:

Domain: EGOTISTICAL-BANK.LOCAL
Hostname: SAUNA

Because Active Directory authentication relies heavily on DNS and proper hostname resolution, we must first add the fully qualified domain name (FQDN) of the target to our /etc/hosts file before continuing with enumeration.

<target-ip> sauna.egotistical-bank.local sauna

This ensures our system can properly resolve the domain controller when interacting with Kerberos, LDAP, SMB, and other AD services.

SMB / RPC Enumeration

With the domain information identified, the next step is to attempt anonymous SMB enumeration to determine whether the server allows unauthenticated access to shares.

Using NetExec, I attempted to enumerate SMB shares with null authentication.

The server responded indicating that null authentication is technically accepted, but share enumeration fails with an access error.

These results indicate that while SMB is reachable, anonymous enumeration of shares is restricted.

Since many Active Directory environments allow anonymous RPC enumeration, I attempted to enumerate domain users using rpcclient.

Inside the RPC shell, I attempted to enumerate domain users.

However, this attempt also fails with the following error:

NT_STATUS_ACCESS_DENIED

This confirms that anonymous RPC enumeration is also restricted on the domain controller.


Web Enumeration

Since direct enumeration of domain users is restricted, I shift my attention to the web server running on port 80.

The server is identified as Microsoft IIS 10.0, and browsing to the site reveals a simple marketing page for a fictional company called Egotistical Bank. The site appears to consist entirely of static HTML content, with no login functionality or interactive features.

While exploring the site, one page displays a list of company employees along with their full names.

Although the site itself does not present any obvious vulnerabilities, the presence of employee names is extremely useful from an attacker’s perspective. In many corporate environments, domain usernames are derived directly from employee names.

Because of this, I collect these names and use them to build a potential username wordlist.

User Enumeration

To generate possible username formats from the employee names, I used the tool Username Anarchy.

This tool generates common username permutations such as:

  • fsmith

  • fergus.smith

  • smithf

  • f.smith

With the generated username list, I then attempted Kerberos-based username enumeration using Kerbrute.

This technique works because Kerberos responses differ when a username exists versus when it does not exist, allowing valid users to be identified without needing a password.

The scan successfully identified a valid domain user:

VALID USERNAME: fsmith@EGOTISTICAL-BANK.LOCAL

This confirmed that the fsmith account exists within the domain.


3. Exploitation

Credential Discovery

Step 6 — AS-REP Roasting

Once a valid username is identified but no password is known, step 6 of my AD checklist is to attempt AS-REP roasting against the account. This only works when the account has Kerberos preauthentication disabled: in that case the KDC answers an AS-REQ for the user without any proof of the password, and the returned AS-REP is encrypted with a key derived from the user's password, so it can be cracked offline.

Running Impacket's GetNPUsers.py against fsmith returned a Kerberos AS-REP hash for the user.

I saved the hash and cracked it offline using John the Ripper.

The password was successfully recovered:

Thestrokes23

This resulted in the compromise of the fsmith domain account.


4. Privilege Escalation

Step 7 — Check for WinRM Access

After compromising a user account, the first thing I check is whether the account has WinRM access. If available, WinRM allows us to obtain a remote shell on the target system, which significantly broadens the attack surface and makes it easier to transfer tools or binaries.

I tested the credentials using Evil-WinRM.

evil-winrm -i 10.129.7.13 -u fsmith -p 'Thestrokes23'

The authentication succeeded, confirming that fsmith has WinRM access.


Step 8 — Enumerate Domain Users

With valid credentials, I then enumerated all users in the domain using NetExec over SMB.

This revealed several domain accounts.

I saved these users into a user list for further attacks.


Step 9 — Password Spraying

A common attack technique after compromising one user is to attempt password reuse against other accounts.

It is very common in enterprise environments for users or service accounts to reuse passwords.

Using the list of discovered users, I performed a password spray using the compromised password.

This revealed that the password was reused by another account:

EGOTISTICAL-BANK.LOCAL\HSmith : Thestrokes23

This resulted in the successful compromise of the HSmith account.

Step 10 — BloodHound Enumeration

Now that I had shell access to the machine, the next step in my methodology was to run BloodHound to identify potential Active Directory privilege escalation paths.

Using Evil-WinRM, I uploaded the SharpHound collector to the compromised host and executed it to gather Active Directory enumeration data.

After the collection completed, SharpHound generated a compressed archive containing the collected data.

I then used the download feature in Evil-WinRM to retrieve the archive to my attacking machine.

After importing the dataset into BloodHound, I analyzed the relationships between users, groups, and domain objects.

However, the compromised accounts did not have any useful privileges, group memberships, or outbound object control that could be abused for privilege escalation.

Because BloodHound did not reveal a viable path forward, I decided to move on to SMB enumeration to continue searching for additional attack vectors.

I attempted additional enumeration via SMB using the spider_plus module in NetExec.

nxc smb 10.129.7.13 -u hsmith -p 'Thestrokes23' -M spider_plus

Surprisingly, this returned no accessible files, making SMB a dead end.

At this point I returned to my WinRM shell to perform deeper local enumeration.


Step 11 — Search for AutoLogon Credentials

When performing local enumeration from a compromised Windows host, one of the quickest checks is to search for AutoLogon credentials stored in the registry.

AutoLogon is a Windows feature that allows a system to automatically log in a user account at startup. When this feature is configured, the credentials are often stored in the registry under the Winlogon configuration keys. If misconfigured, these credentials can be retrieved by attackers and used to compromise additional accounts.

To check for this, I queried the Winlogon registry key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) using PowerShell.

The output revealed several Winlogon configuration parameters. Two entries immediately stood out:

DefaultUserName : EGOTISTICALBANK\svc_loanmanager
DefaultPassword : MoneyMakestheworldgoround!

This indicates that the system is configured to automatically log in a domain service account, and that the account's password is stored in cleartext in the registry. Note that the registry value names the account svc_loanmanager, while the domain account that actually accepts this password is svc_loanmgr, the name used for the rest of the attack.

This misconfiguration provided valid credentials for a new domain service account, giving me another potential foothold for continuing the attack chain.
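The registry check above is easy to turn into a repeatable audit. The following Python, added here as an example and not part of the original write-up, parses the "Name : Value" output that Get-ItemProperty prints for the Winlogon key and reports whether AutoLogon is enabled, whether a cleartext DefaultPassword is present, and whether the stored account is a domain rather than a local account. The sample output, the CORP domain, the svc_example account and the password value are all constructed; the hostname parameter is an assumption used only to distinguish local from domain accounts.

```python
import re

# Constructed sample output in the "Name : Value" layout that Get-ItemProperty
# prints for the Winlogon key; the domain, account and password are made up.
SAMPLE_WINLOGON_OUTPUT = """
AutoRestartShell  : 1
DefaultDomainName : CORP
DefaultUserName   : CORP\\svc_example
DefaultPassword   : ExamplePass-constructed
AutoAdminLogon    : 1
Shell             : explorer.exe
"""

_NAME_VALUE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$")


def parse_winlogon(text):
    """Parse 'Name : Value' lines into a dict (a later duplicate overwrites an earlier one)."""
    values = {}
    for line in text.splitlines():
        m = _NAME_VALUE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def audit_autologon(text, hostname):
    """Return a list of findings describing an AutoLogon misconfiguration.

    hostname is the local computer name, used to tell a local account apart from
    a domain account. The password value itself is never copied into a finding,
    only its length. Caveat: the Sysinternals Autologon tool stores the password
    in the LSA secret named DefaultPassword instead of this registry value, so an
    empty DefaultPassword here does not prove that no password is stored.
    """
    v = parse_winlogon(text)
    findings = []
    if v.get("AutoAdminLogon", "0") == "1":
        findings.append("AutoAdminLogon is enabled")
    password = v.get("DefaultPassword", "")
    if password:
        user = v.get("DefaultUserName", "<unset>")
        domain = v.get("DefaultDomainName", "")
        if "\\" in user:  # DOMAIN\user form takes precedence over DefaultDomainName
            domain, user = user.split("\\", 1)
        account = f"{domain}\\{user}" if domain else user
        findings.append(f"cleartext DefaultPassword ({len(password)} chars) stored for {account}")
        if domain and domain.upper() not in {".", hostname.upper()}:
            findings.append(f"{account} is a domain account, so the stored password grants access beyond this host")
    return findings


if __name__ == "__main__":
    for finding in audit_autologon(SAMPLE_WINLOGON_OUTPUT, hostname="WS01"):
        print("-", finding)
```

On a real host the text would come from `Get-ItemProperty` (or `reg query`) run against the Winlogon key; the parser only needs the "Name : Value" lines, so extra properties such as Shell are ignored.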

Identify DCSync Privileges

With the credentials for svc_loanmgr, I returned to BloodHound to analyze the permissions associated with this account.

Immediately, a critical privilege stood out: the account had both GetChanges and GetChangesAll permissions over the domain object.

In Active Directory these correspond to the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain object, which allow a principal to request directory replication from a domain controller; Get-Changes-All is the one that includes secret attributes such as password hashes. When both permissions are present, the account can perform a DCSync attack.

A DCSync attack allows an attacker to impersonate a domain controller and request password hashes for any account in the domain directly from Active Directory. This effectively grants the ability to dump credentials for high-value accounts such as Administrator and krbtgt.

Because svc_loanmgr possessed these privileges, it was possible to directly retrieve domain credential hashes.
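From the defender's side, a DCSync request leaves a trace on the domain controller: with the "Audit Directory Service Access" subcategory enabled and a SACL on the domain object, each replication request is logged as Event ID 4662 whose Properties list the replication extended-right GUIDs. The Python below is an added example, not part of the original write-up, that scans constructed 4662 records and raises an alert whenever a principal other than a known domain controller machine account exercised those rights. The GUIDs for the three replication rights and for the domainDNS object class are the well-known AD schema identifiers; the EXAMPLE domain, the DC02$ and svc_example accounts and the placeholder right GUID are constructed.

```python
import re

# Well-known Active Directory extended-right GUIDs that appear in the Properties
# field of Event ID 4662 when a principal requests directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # ObjectType of the domain object in 4662
PLACEHOLDER_RIGHT = "00000000-0000-0000-0000-000000000001"  # constructed; stands in for an unrelated right

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def event_4662(subject_user, subject_domain, *rights):
    """Build a constructed 4662 record using the real EventData field names.

    The Properties text mirrors the 'Control Access' header followed by one
    {GUID} per line that real events carry.
    """
    props = "Control Access\n" + "".join("\t{%s}\n" % g for g in rights)
    return {"EventID": 4662, "SubjectUserName": subject_user,
            "SubjectDomainName": subject_domain,
            "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}",
            "AccessMask": "0x100", "Properties": props}


# Constructed sample events, not real log data.
SAMPLE_4662 = [
    # routine replication between domain controllers (a DC's machine account)
    event_4662("DC02$", "EXAMPLE",
               "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
    # a service account exercising the replication rights: the DCSync pattern
    event_4662("svc_example", "EXAMPLE",
               "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
               "89e95b76-444d-4c62-991a-0facbeda640c"),
    # control access on the domain object unrelated to replication
    event_4662("jdoe", "EXAMPLE", PLACEHOLDER_RIGHT),
]


def detect_dcsync(events, dc_accounts):
    """Return alerts for 4662 events in which a principal other than a known domain
    controller machine account exercised replication rights on the domain object."""
    known_dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for e in events:
        if e["EventID"] != 4662 or DOMAIN_DNS_CLASS not in e["ObjectType"].lower():
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights or e["SubjectUserName"].upper() in known_dcs:
            continue
        alerts.append({
            "account": f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}',
            "rights": rights,
            # Get-Changes-All is what returns secret attributes (password hashes);
            # Get-Changes alone is also held by some legitimate sync products, so grade it lower.
            "severity": "high" if "DS-Replication-Get-Changes-All" in rights else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, dc_accounts={"DC01$", "DC02$"}):
        print(alert)
```

The allow-list of DC machine accounts is the part that needs maintaining: any account that is legitimately granted replication rights (for example a directory synchronisation service) should be reviewed and, if accepted, added to that list rather than to the rights on the domain object of yet more accounts.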


Dumping Domain Password Hashes

To perform the DCSync attack, I used Impacket's secretsdump tool with the compromised service account credentials.

impacket-secretsdump EGOTISTICAL-BANK.LOCAL/svc_loanmgr@10.129.7.13

Using the DRSUAPI method, the tool successfully retrieved domain password hashes from the domain controller.

Among the results was the Administrator NTLM hash:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::

Pass-the-Hash to Obtain SYSTEM

With the Administrator NTLM hash in hand, I used Impacket's psexec tool to perform a pass-the-hash attack against the domain controller.

The attack succeeded and spawned a shell running as NT AUTHORITY\SYSTEM, confirming full compromise of the target system.

This provided complete control over the domain controller and concluded the privilege escalation phase of the attack.

5. Lessons Learned

Key Attacker Takeaways

  1. Kerberos User Enumeration is Extremely Valuable

    One of the most important takeaways from this machine was the effectiveness of Kerberos-based user enumeration using Kerbrute. Even when traditional enumeration methods such as SMB, RPC, and LDAP fail due to access restrictions, Kerberos can still reveal valid usernames through differences in authentication responses. Identifying a single valid user was the key that unlocked the entire attack chain.

  2. Username Anarchy is an Excellent Username Generation Tool

    The employee names discovered on the website were converted into likely username formats using Username Anarchy, which made Kerberos enumeration far more effective. Many organizations follow predictable naming conventions for usernames, and tools like Username Anarchy help automate the process of generating those patterns.

  3. Always Check for WinRM Access After Compromising a User

    After recovering valid credentials, verifying WinRM access immediately provided a remote shell on the system. Having interactive access to the host significantly expands the attack surface and allows attackers to perform deeper enumeration directly from within the environment.

  4. Password Reuse Remains a Common Weakness

    After enumerating additional domain users, performing a password spray using the compromised credentials revealed that another account (hsmith) reused the same password. Password reuse is extremely common in real environments and is often one of the fastest ways to expand access within a domain.

  5. AutoLogon Credentials Are a Common Misconfiguration

    Systems configured for automatic login often store credentials directly in the registry. If these values are readable by a compromised user, attackers can recover the associated credentials and pivot further within the domain.

  6. GetChangesAll Over the Domain is Essentially a Domain Compromise

    Discovering that the svc_loanmanager account possessed GetChanges and GetChangesAll permissions over the domain object was a critical finding. These permissions allow an attacker to perform a DCSync attack, which effectively allows the attacker to impersonate a domain controller and retrieve password hashes for any account in the domain.

6. Defensive Insight

Hardening Opportunities

  1. Enforce Kerberos Preauthentication

    The attack chain began with AS-REP roasting of the fsmith account. This attack is only possible when the “Do not require Kerberos preauthentication” setting is enabled for a user. Organizations should ensure that Kerberos preauthentication is enforced for all accounts unless absolutely necessary.

  2. Restrict Public Exposure of Employee Information

    The initial foothold was enabled by discovering employee names on the company website. While publishing employee names is common for marketing purposes, it can provide attackers with the information needed to generate likely username formats. Organizations should carefully consider how much employee information is publicly exposed.

  3. Prevent Password Reuse Across Accounts

    The compromise of hsmith occurred due to password reuse. Enforcing strong password policies and implementing password reuse prevention mechanisms can significantly reduce the risk of attackers expanding access after compromising a single account.

  4. Avoid Storing AutoLogon Credentials in the Registry

    The system was configured to use AutoLogon, which stored credentials directly in the Winlogon registry key. This allowed attackers to retrieve the password for the svc_loanmanager account. Systems should avoid using AutoLogon for domain accounts, especially service accounts with elevated privileges.

  5. Limit Privileged Active Directory Permissions

    The svc_loanmanager account had GetChanges and GetChangesAll permissions over the domain object. These permissions allow a user to perform a DCSync attack, effectively granting the ability to replicate password hashes from the domain controller. Such privileges should be strictly limited to legitimate domain controllers and carefully audited.

  6. Audit Active Directory ACLs Regularly

    Misconfigured ACL permissions on domain objects can introduce powerful attack paths that are difficult to notice without tools like BloodHound. Organizations should routinely audit Active Directory permissions to ensure that sensitive rights such as GetChangesAll, WriteDACL, and GenericAll are not assigned to unnecessary accounts.


Detection Opportunities

  1. Monitor Kerberos Enumeration Attempts

    Tools like Kerbrute generate a large number of Kerberos TGT requests (AS-REQs) in a short period of time. On the domain controller these appear as Event ID 4768 entries with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) for names that do not exist, all from a single source address. A burst of such failures against many distinct names is a strong indicator of username enumeration, and security monitoring should alert on that pattern rather than on individual failures.

  2. Detect AS-REP Roasting Activity

    AS-REP roasting sends an AS-REQ without preauthentication for an account that has "Do not require Kerberos preauthentication" set, and the returned AS-REP is cracked offline. On the domain controller this is logged as Event ID 4768 with Pre-Authentication Type 0, and cracking tools typically request RC4 (Ticket Encryption Type 0x17). Monitoring for these events, together with periodically listing accounts that have the DONT_REQ_PREAUTH flag set, can help identify attackers attempting to exploit roastable accounts.

  3. Alert on Suspicious WinRM Activity

    Unexpected WinRM logins from unusual hosts can indicate attacker lateral movement. A WinRM session produces a network logon (Event ID 4624, logon type 3) on the target and an entry in the Microsoft-Windows-WinRM/Operational log; correlating these with the source address and the account involved can help detect unauthorized remote access attempts.

  4. Monitor Password Spraying Behavior

    Password spraying often generates repeated authentication attempts against multiple accounts using the same password. On a domain controller this looks like many Event ID 4625 (NTLM over SMB) or 4771 (Kerberos pre-authentication failed) entries for distinct accounts from one source address within a short window, usually with few or no lockouts because each account receives only one or two attempts. Detection systems should look for that many-accounts-from-one-source pattern rather than relying on per-account failure counts.

  5. Detect DCSync Attempts

    DCSync attacks generate directory replication requests from systems that are not domain controllers. With "Audit Directory Service Access" enabled and a SACL on the domain object, each request is logged as Event ID 4662 whose Properties include the replication extended-right GUIDs (DS-Replication-Get-Changes, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, and DS-Replication-Get-Changes-All, 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). Any such event whose subject is not a domain controller machine account should raise an alert; DRSUAPI (DsGetNCChanges) traffic from non-DC hosts is the corresponding network-level signal for this highly critical attack technique.
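The three Kerberos-side signals from items 1, 2 and 4 above (and the response difference that the User Enumeration section relies on) can be checked with a few lines of code over the domain controller's Security log. The Python below is an added example, not part of the original write-up: it builds constructed 4768 and 4771 records using the real EventData field names (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType) and flags username enumeration, a TGT issued without preauthentication, and a password spray. The source addresses, account names, timestamps, window and thresholds are all constructed or assumed and would be tuned to the environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def ev(event_id, time, user, ip, status, preauth="-", enc="-"):
    """One constructed Security-log record, using the EventData field names of
    real 4768 (TGT requested) and 4771 (pre-authentication failed) events."""
    return {"EventID": event_id, "Time": datetime.fromisoformat(time),
            "TargetUserName": user, "IpAddress": ip, "Status": status.lower(),
            "PreAuthType": preauth, "TicketEncryptionType": enc.lower()}


ATTACKER = "::ffff:10.10.14.5"      # constructed source addresses
WORKSTATION = "::ffff:10.129.7.50"

# Constructed sample events, not real log data.
#   Status 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN (the account does not exist)
#   Status 0x18 = KDC_ERR_PREAUTH_FAILED     (wrong password)
#   Status 0x0  = ticket issued
SAMPLE_EVENTS = [
    # username enumeration: TGT requests for six non-existent names from one source within seconds
    *[ev(4768, f"2024-01-01T10:00:0{i}", name, ATTACKER, "0x6")
      for i, name in enumerate(["fergus.smith", "smithf", "f.smith", "hugo.bear", "bearh", "h.bear"])],
    # AS-REP roasting: a TGT issued with no pre-authentication (PreAuthType 0) and RC4 (0x17)
    ev(4768, "2024-01-01T10:05:00", "fsmith", ATTACKER, "0x0", preauth="0", enc="0x17"),
    # password spray: exactly one failed attempt per account, all from one source
    *[ev(4771, f"2024-01-01T10:10:0{i}", name, ATTACKER, "0x18")
      for i, name in enumerate(["sjones", "skerb", "bcarter", "administrator"])],
    # benign noise: a normal logon (PreAuthType 2, AES-256 = 0x12), a mistyped password, a mistyped name
    ev(4768, "2024-01-01T10:00:30", "sjones", WORKSTATION, "0x0", preauth="2", enc="0x12"),
    ev(4771, "2024-01-01T10:11:00", "sjones", WORKSTATION, "0x18"),
    ev(4768, "2024-01-01T10:12:00", "sjone", WORKSTATION, "0x6"),
]

WINDOW = timedelta(minutes=5)  # window and thresholds are assumptions; tune them per environment


def _max_distinct_in_window(records, window):
    """records: list of (time, name). Largest set of distinct names seen in any window-long span."""
    records = sorted(records)
    best = set()
    for i, (t0, _) in enumerate(records):
        names = {n for t, n in records[i:] if t - t0 <= window}
        if len(names) > len(best):
            best = names
    return best


def _sources_over_threshold(events, predicate, threshold, window):
    """Group matching events by source address and keep sources that touch
    at least `threshold` distinct accounts inside one window."""
    per_source = defaultdict(list)
    for e in events:
        if predicate(e):
            per_source[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    flagged = {}
    for src, recs in per_source.items():
        names = _max_distinct_in_window(recs, window)
        if len(names) >= threshold:
            flagged[src] = names
    return flagged


def detect_user_enumeration(events, threshold=5, window=WINDOW):
    """Sources requesting TGTs for many distinct non-existent principals (4768, status 0x6)."""
    return _sources_over_threshold(
        events, lambda e: e["EventID"] == 4768 and e["Status"] == "0x6", threshold, window)


def detect_password_spray(events, threshold=4, window=WINDOW):
    """Sources failing pre-authentication (4771, status 0x18) against many distinct accounts."""
    return _sources_over_threshold(
        events, lambda e: e["EventID"] == 4771 and e["Status"] == "0x18", threshold, window)


def detect_asrep_roast(events):
    """(user, source) pairs for TGTs issued without pre-authentication. PreAuthType 0
    marks an account with 'Do not require Kerberos preauthentication'; the RC4 request
    (0x17) seen alongside it is what offline cracking tools ask for."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == "0"})


if __name__ == "__main__":
    print("enumeration:", detect_user_enumeration(SAMPLE_EVENTS))
    print("asrep-roast:", detect_asrep_roast(SAMPLE_EVENTS))
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
```

The detections key on distinct account names per source rather than raw failure counts, which is what separates enumeration and spraying from a single user repeatedly mistyping a password. The same grouping works over 4625 entries for NTLM-based spraying if the predicate is widened.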

Useful Commands

Enumeration Commands

Initial Service Enumeration

nmap -sC -sV -p- 10.129.7.13

Anonymous SMB Enumeration

nxc smb 10.129.7.13 -u '' -p '' --shares

Anonymous RPC Enumeration

rpcclient -U "" -N 10.129.7.13
enumdomusers

Anonymous LDAP Enumeration

nxc ldap 10.129.7.13 --users

Username Discovery

Generate Username Permutations

username-anarchy -i user.txt > new.txt

Kerberos Username Enumeration

kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc 10.129.7.13 new.txt

Exploitation Commands

AS-REP Roasting

impacket-GetNPUsers -request EGOTISTICAL-BANK.LOCAL/fsmith -no-pass -dc-ip 10.129.7.13

Privilege Escalation Commands

Password Spray Domain Users

nxc smb 10.129.7.13 -u user.txt -p 'Thestrokes23' --continue-on-success

BloodHound Data Collection

.\SharpHound.exe -c All

Search for AutoLogon Credentials

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Road To OSCP

Part 14 of 22

This series documents my journey toward the OSCP certification through practical CTF and lab machines, breaking down each challenge step-by-step while focusing on the mindset and methodology required for real penetration testing.
