HackTheBox Sauna Writeup –

HackTheBox Sauna ( is a new Windows box released on 15th Feb. The machine is categorized as easy with 20 points. Since most Windows boxes seem to have a similar approach to get initial foothold and enumeration, users who already completed the machines like, Forest, Nest, Sniper and Resolute etc are going to have a good time.

HackTheBox Sauna Writeup –

Welcome back, here is my way of getting the Sauna Windows machine. I used the very common tools like EvilWinRM, GetNPusers, Bloodhound, Neo4J and JohnTheRipper. These are the same tools that I used in the previous HackTheBox Windows machines.


Let us begin, as always, I added the machine IP to etc/hosts file as sauna.htb and proceed with the nmap scan.

The scan reveals several Windows Server related ports like, 80, 389, 135, 445, 3268 and 3269 are open. Upon visiting the default website on 80, I noticed there is a website of “Egotistical bank” is hosted.

I tried enum4linux to gather usernames but results were not as expected, enum4linux couldnt find any users. So I proceed with other ways to get users, the plan was “guessing game”.

The “Meet The Team” section of the website has a number of employees listed, this page probably help me to proceed further. BUT, the names listed are is “FirstName%%LastName” format which I highly doubt an organization might have used this naming standard in their active directory, so I need to do some testing before the next step.

What I planned is to make my own user-list with the potential users like below screenshot. My plan is to use Impacket tool called “GetNPusers“. This is the same tool I used in the previous boxes like Forest and Resolute. As you may already know, when triggered GetNPUsers returns the TGT (Ticket Granting Ticket) ONLY if the account doesn’t need Kerberos pre-authentication.

After running the GetNPUsers.py against the domain-name “egotistical-bank.local”, I successfully obtained the user FSmith’s (again ;)) TGT, the rest users ware ignored, so I believe at the moment I have only one user to work with.

In the next step, I used the John to crack the password using Rockyou.txt as wordlist. John took like half a minute to crack the hash and revealed the password as: “Thestrokes23”

EvilWinRM to Get the User

As I already have the user FSmith’s credentials, my next approach is to get the shell using EvilWinRm.

I was successfully logged-in as FSmith and obtained the user.txt from his desktop.

Privilege Escalation

A quick look showed me that the user FSmith is not an admin user, so I need to find a right user or a service to gain more authority on the system. I used the PowerShell command Get-LocalUser to get the users in the Server as below.

I stuck again after listing the users, so decided to take some tips from the HTB forum. A user guided me in to the right direction.

Gathering Credentials From The Registry

The Windows Registry stores information that can be used by the system or other programs. The attacker can query the Registry and find credentials and passwords that have been stored auto-run programs or services, these credentials sometimes may used to run automatic login when required. Ref.

I can possibly use the following commands to get the credentials stored in the registry:

Here is the snipped results after running command as local machine:

I tried the password against the Administrator unfortunately didn’t work, but the password accepted for the user svc-loanmgr. I was successfully logged to the box as svc-loanmgr.

The next step was very clear to me, I have done the box Forest using neo4j so I decided to use my experience with Forest.


The Zip file “20200217115111_BloodHound.zip” was created successfully.

I import the zip file 20200217115111_BloodHound.zip created in the svc_loanmgr folder, upon analysing it through neo4J and Bloodhound I found out that only the member of Administrators groups and Administrator is able. Our user svc_loanmgr is not member of either groups.

So one more roadblock. I head back to HTB forum looking for tips, one of the users mentioned that we can use Aclpwn.py. This tool integrates with Bloodhound and so attacker can identify and exploit ACL based privilege escalation paths inside the windows domains.


Here is how I did it, I ran the bloodhound and the below script after few failures.

So, here I successfully managed to change the permission of the user svc_loanmgr and got all the rights to continue. I used the impacket/secretsdump to gather the Administrator password hash.

And here we have Root

As I have the hash, I will avoid cracking it. I ran Evil-WinRM again with Administrator credentials and got the root.

That’s all folks…

Thank you for reading :), See you again with another HTB write-up soon.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

View all posts by Navin →
Notify of
Newest Most Voted
Inline Feedbacks
View all comments
3 months ago

Very interesting, I didn’t use ACL privesc but went for winPEAS to get the svc password, and later continued with mimikatz for the admin hash. Thank you for posting your way of doing it.

3 months ago

Hi, thanks for this share as this provides me an alternative approach to get administrator’s hash. I was stucked with initial foothold as GetNPUsers.py, rpcclient -U “” -N, and enum4linux -a all did not return anything.. then i did another round of nmap on port 389 with ldap* script, I got a lot of information, so I gather all the usernames from the script and used GetNPUsers.py again, but again nothing. So I proceeded to go to forum, I read an hour of the forum post.. and I repeatedly see f***h, and someone gave me a hint to… Read more »

Sorry, that action is blocked.
%d bloggers like this: