Sauna

Show me the money!
Rooted.

Yea I’m stuck guys…I got both low priv users creds but cant find a way to execute commands on the machine…ive done a ■■■■ ton of enumeration. My dog.py is sick or something and errors when trying to enumerate the box with my two users. Can someone hit me up and give me a nudge so i can get going on this box pls and thank you all!

Rooted! What a journey. Thx to @VbScrub for the Hints.

Feel free to PM me for help :slight_smile:

Got stuck on root part. thanks to @cyberafro and @T13nn3s for guiding me.
finally rooted

having gone through a fresh piece of ■■■■ with another box that has similar ports & services to target, Sanua came with a bit less of those frustrations, or ‘growing pains’, than the aforementioned active box that i won’t name as i think its already named in the thread somewhere… but the cryptic hint is “if you take a step back, you can see THIS from the trees…”
boxes like these make me realize I have a lot to learn about Active Directory methodology and what to look for and do, etc.
advice is: stick with it and as much as you want to race to the flags, dont rush it - there is a lot of knowledge to be gained from this box and others like it. the value you will gain is worth more than the points assigned to the box, IMO

I finally got to root this and it took everything ive learned…here’s some hints…for users i was able to take “many guesses” of the users that can auth to the system. Some say they were able to enumerate this using other means but i know of a tool that can do many guesses against a very specific AD service. This tool will also let you know if you have VALID users or if users “do not exist”.

Getting the foothold: I didn’t use web or smb for this. there’s other ways to log on to the system than these and a particularly “evil” way will probably work best.

something something something…skipping stuff you gotta do…

root: cant finish this…have to take a dump…<<

Hopefully that’s not all too spoilly…

Type your comment> @VbScrub said:

Machine is working fine for me on EU Freem but so far its really kicking my ■■■ for an easy box lol can’t get an initial foothold at all.

Found plenty of open ports but absolutely nothing useful on any of them other than the domain name. Studied all the source code and HTTP requests on the website and got nothing useful, no anon access to SMB or anything else, and even though I can get some very basic info from L*** I can’t actually get any usernames or anything interesting. Dirbuster didn’t find anything on the website either and its all just plain HTML with no javascript to look at or anything like that, so I’m pretty stumped and might have to resort to just throwing random impacket scripts at it lol

In a very similar situation at the moment too, ■■■■.

@cerebro11 said:
Rooted ! :slight_smile:

Some hints :

  • For user : google “AD attacks” and try to find valid users
  • For root : basic enum and then check for AD rights

PM if you need more help !

Thanks #GonnaTryHarder!

Got working credentials! :smiley:

Finally rooted. Thanks @egotisticalSW for creating this VM. This box was one of my first Windows boxes and it certainly wasn’t an easy VM for me. I learned a lot about the three-headed dog and AD.

User 1: Take a close look at the website, google AD user naming conventions and learn how to use that script that everyone keeps talking about.

User 2: Basic Windows priv esc methods are more than enough. Be thorough. I got stuck at this point for several hours because I skipped some tips and tricks I read about.

Root: Do some more enumeration on user accounts and google AD attacks. The hound is probably overkill for this machine. Learn about AD permissions and use your knowledge to feed the cats. The rest should be straightforward.

Hey All, hoping someone can help me out. Working on rootI am trying to get the creds for the user slm*. I have used an ipt tool and it only turned up info about another user ht. Completely lost at this point.

Hey all, got the first user f****h, thanks to the help of @Arrowhead7 @Noob5RUs
@VbScrub, apologies for the newbie questions!

Nice work @superduper101 I am learning to my friend!

That one quote is funny about getting a loan and not able to pay it back. This is real life.

rooted !!! Thanks @TeRMaN

We’ve learned some other tools.

User1: Check the web, use usernames that follow the AD convections.

User2: List with some tool for Windows, if you like peas, it will be easier for you.

Root: Take advantage of the loan from user2 and try to get them to give you their secrets, then use another tool in your arsenal, to get them to let you in.

This was crazy, as a complete windows noob. Thanks for a great box and lots of new knowledge! @egotisticalSW

Could someone PM me here what misconfiguration made this (the root step) possible?

Now im gonna relax for a day and do the box again hoping to understand a bit more lol.

Type your comment> @VbScrub said:

Type your comment> @LaszloNagy said:

I’ve got plaintext credentials for the service account, but they don’t seem to be valid. Am I overlooking something, or going into a rabbithole?

yeah the username you found isn’t quite right… I think its a mistake from the box author personally, but maybe its just meant to be an extra little trick. Do some more enum in the normal place you’d find user accounts in this environment and find the correct username

Lol I noticed that too…I already had the correct one though. Could go either way.

Just rooted!

Nice box, especially if you’ve tried another, similar one before. It’s good to practice and that was what Sauna did for me. I could check my writeup and see what has been missing.

Although all seems to have been said:

User: Simple enumeration, think like an admin, guess a bit, bulk processing :slight_smile:
Root: More enum, no hounds, just being evil, asking a snake for secrets and not being that faithful with them.

IIRC, there should be another way, something more…direct? Anyhow, if anyone has info on that, I’d appreciate a quick PM with a hint on where to look for info on that.

Thanks @egotisticalSW for this nice box :slight_smile:

Type your comment> @sckull said:

Algunas de las pistas que puedo dejar:

User: Relacionado con OSINT, uno de los protocolos en AD y, combinaciones entre si.
User2: Enumeracion basica en Windows - Privilege Escalation.
Root: Puedes utilizar al doggo para obtener informacion, puede ser local o remota. Junto con esto automatizar el ataque tambien con una tool del doggo.

Gracias por los hints

Just rooted this machine. DM if you are stuck.