Sauna

Holy moly finally got user. I was having technical difficulties for sure. Made it much harder than it should have lol

Got user as well but now stuck on my way to root. One rabbit hole after the other…

rooted now

Anybody got tips for root? Got shell for both users f…h and s…g.

Do I need a windows box to get KRB5AS-REP response? Or am I in a huge rabbit hole lol

@dezatino said:

Do I need a windows box to get KRB5AS-REP response? Or am I in a huge rabbit hole lol

no u don’t, google kerberos attack u will find it for win and lin

Been a pretty good box so far, for those of you struggling

the website has the breadcrumbs you need to derive the initial foothold - think very common account naming conventions and apply that to common AD enumeration techniques.

Rooted!

C:\Windows\System32>hostname && whoami
SAUNA
nt authority\system

Seems to be a problem with Powershell connections to this machine again (at least on the EU-Free-1 server). The box has been reset 4 times in the last 20 minutes but still not accepting PS connections, even though it was earlier. The PS port doesn’t even show as being open in an nmap scan now, but all the other ports still work fine. You can’t get the user flag or root flag in its current state as far as I can see.

I’ve raised it with HTB support so will see if they can do anything about it.

yeah, I’m done for the rest of the day. been in a rabbit hole trying to find the right combination for user using cewl. lol, need a break.

Hey guys is clock skew giving anyone problems ?

@Ad0n said:

Hey guys is clock skew giving anyone problems ?

No that does not matter

@Ad0n said:

Hey guys is clock skew giving anyone problems ?

the people that you are trying to hangout maybe live in a different country… :wink:

Spoiler Removed

i found a service account creds, are those another rabbithole? :neutral:

@init5 said:

i found a service account creds, are those another rabbithole? :neutral:

Depends what you mean by creds. If you just mean you discovered the username then yeah I’m pretty sure that is just a rabbit hole. If you actually found working password for that account then there’s definitely an exploit you can do based on the permissions I see set for that account on the root of the domain.

I spent ages looking at that account myself but didn’t find a password anywhere, and now I see a path to root that definitely does not involve that account. Will be finishing it tomorrow now though

Edit: you can indeed find working password for that account and get root that way but I’m persevering with my first method that doesn’t involve this account and goes straight to system as it also seems intentional (and more interesting)

Rooted! Finally! I was overcomplicating things way too much for root! PM for Nudge!
Thx @egotisticalSW It was a fun box!

Spoiler Removed

@VbScrub said:

@init5 said:

i found a service account creds, are those another rabbithole? :neutral:

Depends what you mean by creds. If you just mean you discovered the username then yeah I’m pretty sure that is just a rabbit hole. If you actually found working password for that account then there’s definitely an exploit you can do based on the permissions I see set for that account on the root of the domain.

I spent ages looking at that account myself but didn’t find a password anywhere, and now I see a path to root that definitely does not involve that account. Will be finishing it tomorrow now though

no i have the password as well, doesn’t work with the high port even though the service account has the needed group membership. maybe a RunAs could do, but i am basically operating on 20% brain power atm lol

I am stuck on the way to root … I can remote in as user f----- and have plaintext password. User h----- is apparently closely related to f-----.

I see that s–_------- has an interesting reporting line, so to speak, but am not seeing how to get ahold of them.