Sauna

@instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Without authentication?

Finally got root. Thanks to @Sauron19 for the help with root.

Anyone having issues connecting through winrm?

** nvm. For some reason on EU-Free it didn’t work for me, switched to US and got in.

Great Box…Very cool.

User: Enum and OSINT will lead you to the way.

Root: First Enum, I found some green vegetables to be very helpful in this. Then don’t overthink it, I was able to walk the dog to see what to do, you personally might be more of a cat person though.

@gu4r15m0 said:

@instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Without authentication?

Yep

is there any bruteforce required after finding username?

@VoltK said:

is there any bruteforce required after finding username?

Yes.

@DHIRAL said:

@VoltK said:

is there any bruteforce required after finding username?

Yes.

No! There is no bruteforce required to get the password.

@mab said:

No! There is no bruteforce required to get the password.

Are you sure about that? Did you find a way to make it appear in clear text? Or did you bruteforce it with a wordlist?

@mab said:

@DHIRAL said:

No! There is no bruteforce required to get the password.

I was talking about the hsh crac lol?

@DHIRAL said:

I was talking about the h******** lol?

You need either that or J***

Anybody willing to help point me in the right direction with tools etc? Just saying AD attack is way too general and about 1000 tools with most being the first time I’ve ever heard of them…just need help narrowing down the research

@TazWake said:
@mab said:

No! There is no bruteforce required to get the password.

Are you sure about that? Did you find a way to make it appear in clear text? Or did you bruteforce it with a wordlist?

No, I don’t get a plain text password here. But I want to point out that you don’t need to penetrate the box with a bruteforce attack. The public servers are already under high pressure. You can take advantage of the mentioned two tools on your local client. A very common wordlist is absolutely enough.

Lol “EASY” sure…maybe if you’re a pro and know how to use obscure tools that few people have used where they’re hit and miss most of the time and super fussy

Just rooted this an hour or so ago, spent ages overthinking root.
Nice little box! Definitely not as hard as I imagined it.

Hi guys,

Can you give me some nudges? I have found user FS.h and got the password with well-known Python collections but can’t log in with it. After enum, I found the other users, especially svc-***r. Should I try to explore a way to find this user’s password, or am I on the wrong track?

Thanks

secucyber

@secucyber said:

Hi guys,

Can you give me some nudges? I have found user FS.h and got the password with well-known Python collections but can’t log in with it. After enum, I found the other users, especially svc-***r. Should I try to explore a way to find this user’s password, or am I on the wrong track?

Thanks

secucyber

Do more enumeration in the AD, you will find something default…

Got user. Sorry, WinRM on the box was buggy when I tried…

Got root. Pretty simple box.

Initial foothold: As always, enumerate all the things and think like an admin for the username.

User: Use a well-known python tool for AD Attacks from a Linux box

Root: basic enum for cleartext information

Feel free to PM if needed

secucyber

Good Box!

Just follow the leader, and this comes with imp*****

Enjoy!