I finally got to root this and it took everything ive learned…here’s some hints…for users i was able to take “many guesses” of the users that can auth to the system. Some say they were able to enumerate this using other means but i know of a tool that can do many guesses against a very specific AD service. This tool will also let you know if you have VALID users or if users “do not exist”.
Getting the foothold: I didn’t use web or smb for this. there’s other ways to log on to the system than these and a particularly “evil” way will probably work best.
something something something…skipping stuff you gotta do…
Machine is working fine for me on EU Freem but so far its really kicking my ■■■ for an easy box lol can’t get an initial foothold at all.
Found plenty of open ports but absolutely nothing useful on any of them other than the domain name. Studied all the source code and HTTP requests on the website and got nothing useful, no anon access to SMB or anything else, and even though I can get some very basic info from L*** I can’t actually get any usernames or anything interesting. Dirbuster didn’t find anything on the website either and its all just plain HTML with no javascript to look at or anything like that, so I’m pretty stumped and might have to resort to just throwing random impacket scripts at it lol
In a very similar situation at the moment too, ■■■■.
Finally rooted. Thanks @egotisticalSW for creating this VM. This box was one of my first Windows boxes and it certainly wasn’t an easy VM for me. I learned a lot about the three-headed dog and AD.
User 1: Take a close look at the website, google AD user naming conventions and learn how to use that script that everyone keeps talking about.
User 2: Basic Windows priv esc methods are more than enough. Be thorough. I got stuck at this point for several hours because I skipped some tips and tricks I read about.
Root: Do some more enumeration on user accounts and google AD attacks. The hound is probably overkill for this machine. Learn about AD permissions and use your knowledge to feed the cats. The rest should be straightforward.
Hey All, hoping someone can help me out. Working on rootI am trying to get the creds for the user slm*. I have used an ipt tool and it only turned up info about another user ht. Completely lost at this point.
User1: Check the web, use usernames that follow the AD convections.
User2: List with some tool for Windows, if you like peas, it will be easier for you.
Root: Take advantage of the loan from user2 and try to get them to give you their secrets, then use another tool in your arsenal, to get them to let you in.
I’ve got plaintext credentials for the service account, but they don’t seem to be valid. Am I overlooking something, or going into a rabbithole?
yeah the username you found isn’t quite right… I think its a mistake from the box author personally, but maybe its just meant to be an extra little trick. Do some more enum in the normal place you’d find user accounts in this environment and find the correct username
Lol I noticed that too…I already had the correct one though. Could go either way.
Nice box, especially if you’ve tried another, similar one before. It’s good to practice and that was what Sauna did for me. I could check my writeup and see what has been missing.
Although all seems to have been said:
User: Simple enumeration, think like an admin, guess a bit, bulk processing
Root: More enum, no hounds, just being evil, asking a snake for secrets and not being that faithful with them.
IIRC, there should be another way, something more…direct? Anyhow, if anyone has info on that, I’d appreciate a quick PM with a hint on where to look for info on that.
User: Relacionado con OSINT, uno de los protocolos en AD y, combinaciones entre si. User2: Enumeracion basica en Windows - Privilege Escalation. Root: Puedes utilizar al doggo para obtener informacion, puede ser local o remota. Junto con esto automatizar el ataque tambien con una tool del doggo.
Rooted. Really fun box. I did most things from one tool.
There’s one account that doesn’t do anything, but it got some time from me thinking it had to do something.
User1: OSINT, then think like a company/bank and how their login would be. Requires an authentication protocol knowledge.
User2: Standard enumeration on WIndows machine. Just run your everyday script and it should be clear. Requires Windows OS understanding
Root: Standard AD attack with a few steps. The first ones aren’t that usual, but the last one everyone and their cats are doing it. Basic AD skill is needed.