Hack the Box Sauna Walkthrough

Today we are going to solve another boot2root challenge called “Sauna”.  It’s available at HackTheBox for penetration testing. This is an easy level lab.

The credit for making this lab goes to egotisticalSW. Let’s get started and learn how to successfully break it down.

Level: Easy

Penetration Testing Methodology



  • Employee web corporation


  • GetNPUsers.py
  • John The Ripper
  • Evil-winRM

Privilege Escalation

  • Obtaining credentials with WinPeas
  • Dumper hash NTLM with Mimikatz
  • Passthehash with Evil-winRM
  • Capture the flag



So, let’s start by running map with OS detection, software versions, scripts and traceroute.


We explore the web service that lists the corporation’s employees on the web page.

Exploiting (flag user)

Insert everything in a file with name “users.txt“.

Since we already have a list of users and the Kerberos service is enabled, we will use the “GetNPUsers.py” tool that will allow us to capture the users’ hashes.

We have been lucky! We have captured the hash of the user “fsmith“, now we will use JohnTheRipper and the dictionary “rockyou” to get the password.

We connect to the machine using the “evil-winrm” tool and the credentials obtained. We read the user flag.

Privilege Escalation (root)

We download into the victim machine “WinPeas.exe” and run it, check the results and see other credentials appear.

We authenticate with these new credentials, upload “mimikatz.exe” and run it specifying the user “Administrator“. At the bottom, the NTLM hash will appear.

Knowing the hash of the administrator, we can use the “-H” option of evil-winrm to connect remotely by doing a “passthehash“.  This way we will be the administrator and we can read the root flag.

Author: David Utón is Penetration Tester and security auditor for Web applications, perimeter networks, internal and industrial corporate infrastructures, and wireless networks Contacted on LinkedIn and Twitter.