Introduction to the Sauna CTF

The Sauna CTF on Hack The Box presents a challenging scenario centered around Active Directory (AD) exploitation. This machine is designed to test a penetration tester's skills in enumerating AD environments, identifying vulnerabilities, and escalating privileges to gain domain administrator access. Understanding Active Directory is crucial for modern cybersecurity professionals, as it forms the backbone of many enterprise networks. This walkthrough dissects the process of compromising the Sauna machine, from initial reconnaissance to achieving root-level control within the domain.

The journey begins with a standard network scan to identify open ports and services. A common starting point is using Nmap with service version detection and default script execution. For the Sauna CTF, the initial scan against the target IP address (10.129.95.180) reveals several key services:

nmap -sV -sC 10.129.95.180
Starting Nmap 7.98 ( https://nmap.org ) at 2026–07–03 13:16 -0400
Nmap scan report for 10.129.95.180
Host is up (0.21s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026–07–04 00:16:58Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BAN...

The scan indicates that the target is running Microsoft IIS on port 80, along with standard Windows services like DNS (53), Kerberos (88), RPC (135), NetBIOS (139), and LDAP (389). The domain name appears to be EGOTISTICAL-BANK. This immediately suggests an Active Directory environment, a common target for penetration tests.

Nmap scan results showing open ports and services on the Sauna CTF machine

Enumerating the Web Server

With port 80 active and serving a Microsoft IIS web server, the next logical step is to explore the web application. The title "Egotistical Bank :: Home" suggests a financial institution. Initial web reconnaissance should involve checking for common vulnerabilities, directory brute-forcing, and examining the source code for any clues. Tools like Gobuster or Dirb can be employed to discover hidden directories and files.

During the enumeration of the web server, it's important to look for any specific technologies or frameworks being used, as these can often have known exploits. The presence of IIS on Windows Server is a common configuration. The `http-methods` output from Nmap also indicates that the TRACE method is potentially enabled, which can sometimes be a vector for cross-site scripting (XSS) attacks, though less common in modern IIS configurations.

Active Directory Enumeration

The core of the Sauna CTF lies in exploiting Active Directory. With services like LDAP, Kerberos, and NetBIOS running, we have multiple avenues for AD enumeration. Tools like BloodHound, SharpHound, or even simple command-line utilities like `enum4linux` or `ldapsearch` are invaluable here.

The LDAP service, running on port 389, is particularly rich in information. It allows querying the domain's directory for users, groups, computers, and their relationships. Understanding the domain structure, user accounts, and group memberships is critical for identifying potential privilege escalation paths. For instance, finding users with weak passwords, unconstrained delegation settings, or membership in overly privileged groups can lead to a compromise.

NetBIOS (port 139) can also provide hostnames, domain information, and share listings, which might reveal sensitive files or configurations accessible over the network. Kerberos (port 88) is the authentication protocol for AD, and while direct exploitation is complex, understanding its presence is key to AD security.

Exploitation Vectors

Based on the enumeration, several exploitation vectors might be available:

  • Web Application Vulnerabilities: Exploiting any found web vulnerabilities (e.g., SQL injection, file inclusion, or misconfigurations) on the IIS server could lead to initial compromise or information disclosure.
  • SMB/NetBIOS Exploitation: If shares are found with weak permissions, sensitive data might be accessible.
  • LDAP Information Disclosure: Extracting user lists and group structures can inform brute-force attacks or Kerberoasting attempts.
  • Kerberoasting: If a user account has a Service Principal Name (SPN) registered and can be accessed, an attacker can attempt to obtain the Kerberos ticket for that SPN and crack the associated password offline to gain access to the service account.
  • Password Spraying/Brute-Force: Using the enumerated user list, attackers can attempt to guess passwords, especially if common or default passwords are suspected.

The specific path to compromise on the Sauna CTF often involves identifying a service account that has been granted excessive permissions or has a weak password. For example, finding a user with the ability to reset passwords for other administrative accounts, or a service account whose password can be easily guessed or brute-forced.

Privilege Escalation

Once initial access is gained, the focus shifts to privilege escalation within the domain. This could involve moving from a user account to a domain administrator. Techniques include:

  • Exploiting Group Policies: Certain misconfigurations in Group Policy Objects (GPOs) can allow for privilege escalation.
  • Abusing Unconstrained Delegation: If a computer account is configured for unconstrained delegation, an attacker can potentially impersonate other users.
  • Pass-the-Hash/Ticket: Using captured credentials or Kerberos tickets to authenticate as other users or administrators.
  • Exploiting Service Vulnerabilities: If a specific service running on a domain controller or other critical server has a known vulnerability, it could be exploited.

The ultimate goal is to obtain the credentials or tickets for a Domain Administrator account, which grants full control over the Active Directory environment. This often involves a combination of enumeration, credential harvesting, and exploiting misconfigurations specific to the AD setup.

Gaining Domain Administrator Access

The final step in a CTF like Sauna typically involves achieving Domain Admin privileges. This is usually done by compromising a user account that has administrative rights or by exploiting a vulnerability that directly grants such access. For instance, if a user account is found to be a member of the 'Domain Admins' group, compromising that single account is sufficient to win the box.

The lessons learned from the Sauna CTF highlight the importance of robust Active Directory security. Regularly auditing user privileges, securing service accounts, implementing strong password policies, and disabling unnecessary protocols are essential steps for any organization.