Sauna

Algunas de las pistas que puedo dejar:

User: Relacionado con OSINT, uno de los protocolos en AD y, combinaciones entre si.
User2: Enumeracion basica en Windows - Privilege Escalation.
Root: Puedes utilizar al doggo para obtener informacion, puede ser local o remota. Junto con esto automatizar el ataque tambien con una tool del doggo.

Rooted,

Thank you @egotisticalSW for creating this box :slight_smile:

Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. :frowning:

Type your comment> @moose said:

Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. :frowning:

Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.

@acidbat said:
Type your comment> @moose said:

Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. :frowning:

Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.

Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.

@moose said:

@acidbat said:
Type your comment> @moose said:

Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. :frowning:

Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.

Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.

Nevermind. I’m an idiot. :frowning: Just need the tool, nothing extra. :slight_smile:

Type your comment> @moose said:

@moose said:

@acidbat said:
Type your comment> @moose said:

Can someone please give me nudge? I have f***** account and password and I was able to GSU****.py to get H***** account’s password. I’m now stuck here. :frowning:

Then (as mentioned plenty of time on this thread already) use something evil (on a higher port) to get in.

Sorry, my fault for not being more clear. I’ve been using the evil tool but I’m not too familiar with it. I can’t seem to find any good documentation for it on how to use it to get a shell.

Nevermind. I’m an idiot. :frowning: Just need the tool, nothing extra. :slight_smile:

:wink: sometimes the things we need are right there in-front of us :smile:

I’m having a difficult time trying to get the second user. Any tips?

Those who are having difficulty with the e*** tool , changing the ovpnfile to tcp and 443 works for me …

After completing this box, can someone tells me why the name and icon of the box are a hint as some people here mentioned ?

Feel free to PM me.

Rooted a few hours ago.
The box is indeed quite intuitive and straight.
The only issue is that it’s quite unstable.
The same tool that failed for the whole evening eventaully ran smooth the morning after.

Type your comment> @orespan said:

After completing this box, can someone tells me why the name and icon of the box are a hint as some people here mentioned ?

Feel free to PM me.

I’ve not seen anyone say that, and I wouldn’t say they are hints at all myself

I am new to HTB. I have no idea on what tools I should be using in order to get the usernames. I ran a nmap scan and found which ports are open. I tried looking for exploits for the windows version running on the server but it did not lead me anywhere. Where should I start looking? I understood by reading in the forum that i need to make a list of possible usernames and somehow check which ones actually exist.

I understood also that the “Im****et” tool should come in handy but again i have no clue on how to use it.

Type your comment> @VbScrub said:

Type your comment> @orespan said:

After completing this box, can someone tells me why the name and icon of the box are a hint as some people here mentioned ?

Feel free to PM me.

I’ve not seen anyone say that, and I wouldn’t say they are hints at all myself

@yelenz said:

I bet first blood on 27 mins…

###OBV NOT FROM ME

perhaps even faster, box name and icon is revealing too much

Ok, something i misunderstood in that comment then. Thank you :slight_smile:

Type your comment> @3zculprit said:

A very straight forward with a lot of concepts already tried and tested in different machines. I liked the initial foothold. There are multiple ways to go around it. You can guess or you can make a logical analysis with a simple script and then continue to build the attack.
Once you get to the first user, there is a very tempting attack that will eat a lot of your time if you try to execute it. However, if you pay close attention and utilize the dogs properly the root is a matter of minutes. Sometimes when you see the usernames as prefixed with those letters, there is always a window of opportunity to execute the said attack.

Enjoy the box!

When I try to use the dog, I get 0 results back using both the first and second user accounts. Is there something that I’m doing wrong?

Type your comment> @Corsemode said:

Type your comment> @3zculprit said:

A very straight forward with a lot of concepts already tried and tested in different machines. I liked the initial foothold. There are multiple ways to go around it. You can guess or you can make a logical analysis with a simple script and then continue to build the attack.
Once you get to the first user, there is a very tempting attack that will eat a lot of your time if you try to execute it. However, if you pay close attention and utilize the dogs properly the root is a matter of minutes. Sometimes when you see the usernames as prefixed with those letters, there is always a window of opportunity to execute the said attack.

Enjoy the box!

When I try to use the dog, I get 0 results back using both the first and second user accounts. Is there something that I’m doing wrong?

I am not sure, but when I ran the dog, it didnt show me any clear ways to get escpriv. I was able to do it with a different tool to get root.

If someone wants to show me another way to do something, I would be more than greatful!

Type your comment> @menorevs said:

Type your comment> @Corsemode said:

Type your comment> @3zculprit said:

A very straight forward with a lot of concepts already tried and tested in different machines. I liked the initial foothold. There are multiple ways to go around it. You can guess or you can make a logical analysis with a simple script and then continue to build the attack.
Once you get to the first user, there is a very tempting attack that will eat a lot of your time if you try to execute it. However, if you pay close attention and utilize the dogs properly the root is a matter of minutes. Sometimes when you see the usernames as prefixed with those letters, there is always a window of opportunity to execute the said attack.

Enjoy the box!

When I try to use the dog, I get 0 results back using both the first and second user accounts. Is there something that I’m doing wrong?

I am not sure, but when I ran the dog, it didnt show me any clear ways to get escpriv. I was able to do it with a different tool to get root.

If someone wants to show me another way to do something, I would be more than greatful!

[deleted]

Type your comment> @phoenix2018 said:

Clock skew too great.

Anybody know how to fix this. I get the error and tried fixing the time on the local machine based on the output of the server. Does the time zone have an impact?

Hey, did you get an answer on this? I’m having a similar issue

guys, the way to get the user is in rpcclient ? i’m stucked… someone tell where i cant find the evil tool ? links from github ?
thanks

@jbonatelli said:

guys, the way to get the user is in rpcclient ? i’m stucked… someone tell where i cant find the evil tool ? links from github ?
thanks

https://www.google.com/search?q=evil+winrm