Hack The Box: Sauna using Bloodhound

Derick Neriamparambil
Jul 18, 2020

Sauna is another interesting Windows machine that was retired recently.

Let's start with a normal Nmap scan.

From the Nmap results, I learned that we need to perform more enumeration on the Active Directory services.

Port 389, used for the LDAP service, can be enumerated using Nmap scripts.

nmap -n -sV --script "ldap*" -p 389 10.10.10.175

I got a very long output with this command.

We got the domain name as EGOTISTICAL-BANK.LOCAL

Now let's take a look at port 80 from the browser. In the About Us section, I found a few interesting names.

Using the details from the image above, I created a list of names for a brute-force attack.

Before moving forward, take a look at the link below.

Let's use GetNPUsers.py for more enumeration. You can get this script from GitHub.

I initiated the brute force using the command below:

python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile saunaUsers.txt -outputfile Hash.txt -dc-ip 10.10.10.175

Here, saunaUsers.txt contains all the username combinations, and the output hashes will be stored in Hash.txt.
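On the domain controller, a GetNPUsers.py run like the one above appears as a series of Kerberos TGT requests (Security event 4768) from one source: failures for names that do not exist, and a ticket issued with pre-authentication type 0 for any account that does not require pre-authentication. The following Python is an added example, not part of the original write-up, showing how a defender could flag that pattern. It assumes the events have been exported as dictionaries keyed by the 4768 field names; the function names, threshold, addresses and account names are constructed for illustration.

```python
from collections import defaultdict

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: requested name does not exist
NO_PREAUTH = "0"           # PreAuthType 0: TGT issued without pre-authentication

def ev(user, ip, status, preauth, etype):
    """Build one record using event 4768 field names (hypothetical helper)."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample records (not from the Sauna host).
EVENTS = [
    ev("asmith", "::ffff:192.0.2.10", "0x6", "-", "0xffffffff"),
    ev("a.smith", "::ffff:192.0.2.10", "0x6", "-", "0xffffffff"),
    ev("smitha", "::ffff:192.0.2.10", "0x6", "-", "0xffffffff"),
    ev("alice.smith", "::ffff:192.0.2.10", "0x6", "-", "0xffffffff"),
    ev("svc_example", "::ffff:192.0.2.10", "0x0", "0", "0x17"),
    ev("bob", "::ffff:192.0.2.20", "0x0", "2", "0x12"),   # normal logon with pre-auth
    ev("bbo", "::ffff:192.0.2.30", "0x6", "-", "0xffffffff"),  # single typo
]

def analyze(events, guess_threshold=3):
    """Return one finding per source that guessed usernames or got a no-preauth TGT."""
    stats = defaultdict(lambda: {"unknown": set(), "no_preauth": set()})
    for e in events:
        src = e["IpAddress"].replace("::ffff:", "")  # strip IPv4-mapped prefix
        user = e["TargetUserName"].lower()
        if e["Status"] == UNKNOWN_PRINCIPAL:
            stats[src]["unknown"].add(user)
        elif e["Status"] == "0x0" and e["PreAuthType"] == NO_PREAUTH:
            stats[src]["no_preauth"].add(user)
    findings = []
    for src, s in sorted(stats.items()):
        guessing = len(s["unknown"]) >= guess_threshold
        if guessing or s["no_preauth"]:
            findings.append({
                "source": src,
                "unknown_names": len(s["unknown"]),
                "roastable_accounts": sorted(s["no_preauth"]),
                "severity": "high" if guessing and s["no_preauth"] else "medium",
            })
    return findings

if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

Any account listed under roastable_accounts should have the "Do not require Kerberos preauthentication" setting cleared unless there is a documented need for it, and its password rotated.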