Sauna

@T13nn3s said:
Do more enumeration in the AD, you will find something default…

I think you mean r******* not AD. They are two very different things and reading your comment could send people looking in completely the wrong place.

@secucyber said:
Got user. Sorry, WinRM on the box was buggy when i tried…

Yeah WinRM on this box has been super buggy since launch. Randomly not allowing connections and not even showing up in a port scan even after resetting the box.

I raised it with HTB support and was told “people are solving the box so there cannot be anything wrong” :confused:

I am not getting any of these “easy” windows machines or the “default” tools to enum them. Someone please pm with methodology or something to read , I no longer want to touch windows machines.

@VbScrub said:

@T13nn3s said:
Do more enumeration in the AD, you will find something default…

I think you mean r******* not AD. They are two very different things and reading your comment could send people looking in completely the wrong place.

Yeah, mean the R******* and not the Active Directory. Thanks for your tip! :slight_smile:

I know that I’m over complicating root. I have user f***** and s***** but can’t seem to see the privesc to admin. I would greatly appreciate some advise from someone that has rooted this box. PM me, thanks.

Rooted…?‍♂️

Type your comment> @WarrenVos said:

Lol “EASY” sure…maybe if you’re a pro and now how to use obscure tools that few people have used where they’re hit and miss most of the time and super fussy

I found the tools to be very common, and the path to be very straightforward. What about them was confusing for you?

NVM found it

Hi there,

I’m a bit stuck with the initial phoothold.

I think I understand what I have to do, but nothing I try works or gives a result.

It should be noted that I am not a windows hero and can still learn a lot about some tools.

But I hope that someone can guide me through the process for a while. How should I think and which tools help me further?

I tried a few L…PS G…A…py and such. But none help me further. I have found one user and 6 on the web. But I don’t get a step further.

Thank you in advance

Type your comment> @seke said:

I am not getting any of these “easy” windows machines or the “default” tools to enum them. Someone please pm with methodology or something to read , I no longer want to touch windows machines.

pm me we can talk

Piuhhhh, not so easy for me.

The initial foothold and user was OK. Every hint needed was already given here.

To find the svc password I followed a checklist someone posted and learned a lot of interesting part where to look on a Win-machine. Unfortunatly I can’t find the original post anymore and don’t want to spoiler here. So if need by anyone, dm me. But it’s a huge checkiist, so some work to be done.

Then I was fooled by the hints about Doggy. Didn’t need this after all.

All I had to do was to try all my little key in my packet and don’t stick with the ones I’m already used to. Thanks @grav3m1ndbyte for the hint here!

The last hint is that you don’t always have to crack something to get a root access. Sometimes showing the badge of someone else is also fine to let you in.

I don’t care much if this is an easy box or not, neither if the riddle have been similar to other boxes. I had fun and learned a lot, so thank you @egotisticalSW

Anyone getting time skew issues working on root?

Edit: finally after several tries all using same syntax I was able to sync time and got what I was looking for lll

I‘m stuck on the root part. I found the svc password and tried some skripts from the packet. Shoud I try it more with the dog?

I’ve connection problems with GetN*******

[-] [Errno Connection error (***********-****.local:88)] [Errno 110] Connection timed out

I’m quite sure I have the correct syntax. Could someone PM please.

Type your comment> @seke said:

I am not getting any of these “easy” windows machines or the “default” tools to enum them. Someone please pm with methodology or something to read , I no longer want to touch windows machines.

takes practice. if you’re having issues DM me and i’ll provide some resources of approach. I was having issues at first, but it just takes a few boxes and a little Ippsec to get you started.

It was a cool box, learned more on windows box thanks to @egotisticalSW .
I think i can sleep now, almost 1am

C:\Users\Administrator\Desktop>hostname
SAUNA

C:\Users\Administrator\Desktop>type root.txt
////haha, stop dreamin////

Finally Rooted

Thanks to @egotisticalSW for a fun box. Windows is my weak point and researching this box taught me a ton about AD and windows in general.

Cheers

Wow I’m stuck right at after getting the h username, can anyone please give me a hint where the password can be found…?

Pretty awesome box, thanks to @egotisticalSW for putting this together @VbScrub for his comments PM me for a nudge but in all honesty this box doesnt have very many twists and turns its relatively straight forward if i had just gone through the due dillgence from the start i would have taken half the time.

My hints for those having difficulties
User 1: After a little tour on the web, you should find useful information About the person you need to enter the box, just use a good tool that is in your pocket to Get the access to this user. Your friend Johny will help you pass the evil door…
User2: After some enums, around, you’ll see a helpful person, remember his name first, then ask the guard to show you the registry of every entrance. ippsec videos will show you how to ask the guard…
Root: User2 is too talkative and won’t hesitate to share with you the secret of root if you use the good tool inside your pocket to persuade him. Once you get that secret, you can Pass THe door as root and get flag…

Hope this is not too much, had to play with my imagination ?

I have user and another set of creds but now i’m getting an error that my clock skew is too great. I’ve tried to manually set it to the machine time and ntp time but no joy.

am i on the right track or down a rabbit hole?