• Got stuck on root part. thanks to @cyberafro and @T13nn3s for guiding me.
    finally rooted

  • having gone through a fresh piece of hell with another box that has similar ports & services to target, Sauna came with a bit less of those frustrations, or 'growing pains', than the aforementioned active box that I won't name as I think it's already named in the thread somewhere... but the cryptic hint is "if you take a step back, you can see THIS from the trees..."
    boxes like these make me realize I have a lot to learn about Active Directory methodology and what to look for and do, etc.
    advice is: stick with it and as much as you want to race to the flags, don't rush it - there is a lot of knowledge to be gained from this box and others like it. the value you will gain is worth more than the points assigned to the box, IMO

  • I finally got to root this and it took everything ive's some hints....for users i was able to take "many guesses" of the users that can auth to the system. Some say they were able to enumerate this using other means but i know of a tool that can do many guesses against a very specific AD service. This tool will also let you know if you have VALID users or if users "do not exist".

    Getting the foothold: I didn't use web or smb for this. there's other ways to log on to the system than these and a particularly "evil" way will probably work best.

    something something something...skipping stuff you gotta do...

    root: cant finish this....have to take a dump....<<

    Hopefully that's not all too spoilly...

  • @VbScrub said:

    Machine is working fine for me on EU Freem but so far its really kicking my ass for an easy box lol can't get an initial foothold at all.

    Found plenty of open ports but absolutely nothing useful on any of them other than the domain name. Studied all the source code and HTTP requests on the website and got nothing useful, no anon access to SMB or anything else, and even though I can get some very basic info from L*** I can't actually get any usernames or anything interesting. Dirbuster didn't find anything on the website either and it's all just plain HTML with no javascript to look at or anything like that, so I'm pretty stumped and might have to resort to just throwing random impacket scripts at it lol

    In a very similar situation at the moment too, lmao.

    Feel free to PM me, but please ask good questions:

  • @cerebro11 said:
    Rooted ! :)

    Some hints :

    • For user : google "AD attacks" and try to find valid users
    • For root : basic enum and then check for AD rights

    PM if you need more help !

    Thanks #GonnaTryHarder!


  • Got working credentials! :smiley:


  • Finally rooted. Thanks @egotisticalSW for creating this VM. This box was one of my first Windows boxes and it certainly wasn’t an easy VM for me. I learned a lot about the three-headed dog and AD.

    User 1: Take a close look at the website, google AD user naming conventions and learn how to use that script that everyone keeps talking about.

    User 2: Basic Windows priv esc methods are more than enough. Be thorough. I got stuck at this point for several hours because I skipped some tips and tricks I read about.

    Root: Do some more enumeration on user accounts and google AD attacks. The hound is probably overkill for this machine. Learn about AD permissions and use your knowledge to feed the cats. The rest should be straightforward.


  • Hey All, hoping someone can help me out. Working on root. I am trying to get the creds for the user slm***. I have used an ip****t tool and it only turned up info about another user ht. Completely lost at this point.

  • Hey all, got the first user f****h, thanks to the help of @Arrowhead7 @Noob5RUs
    @VbScrub, apologies for the newbie questions!

    Always in need of guidance

  • Nice work @superduper101 I am learning too, my friend!

  • edited March 2020

    That one quote is funny about getting a loan and not able to pay it back. This is real life.

  • rooted !!!!!! Thanks @TeRMaN

    We've learned some other tools.

    User1: Check the web, use usernames that follow the AD conventions.

    User2: List with some tool for Windows, if you like peas, it will be easier for you.

    Root: Take advantage of the loan from user2 and try to get them to give you their secrets, then use another tool in your arsenal, to get them to let you in.

  • This was crazy, as a complete windows noob. Thanks for a great box and lots of new knowledge! @egotisticalSW

    Could someone PM me here what misconfiguration made this (the root step) possible?

    Now I'm gonna relax for a day and do the box again hoping to understand a bit more lol.

  • @VbScrub said:

    @LaszloNagy said:

    I've got plaintext credentials for the service account, but they don't seem to be valid. Am I overlooking something, or going into a rabbithole?

    yeah the username you found isn't quite right... I think it's a mistake from the box author personally, but maybe it's just meant to be an extra little trick. Do some more enum in the normal place you'd find user accounts in this environment and find the correct username

    Lol I noticed that too...I already had the correct one though. Could go either way.

  • Just rooted!

    Nice box, especially if you've tried another, similar one before. It's good to practice and that was what Sauna did for me. I could check my writeup and see what has been missing.

    Although all seems to have been said:

    User: Simple enumeration, think like an admin, guess a bit, bulk processing :)
    Root: More enum, no hounds, just being evil, asking a snake for secrets and not being that faithful with them.

    IIRC, there should be another way, something Anyhow, if anyone has info on that, I'd appreciate a quick PM with a hint on where to look for info on that.

    Thanks @egotisticalSW for this nice box :)

  • @sckull said:

    Some of the hints I can leave:

    User: Related to OSINT, one of the AD protocols, and combinations of the two.
    User2: Basic Windows enumeration - Privilege Escalation.
    Root: You can use the doggo to gather information, either locally or remotely. Along with that, automate the attack with one of the doggo's tools as well.


    Thanks for the hints

  • Just rooted this machine. DM if you are stuck.


  • finally, after almost a week, rooted my first box.
    even got john working on a kali @ RPI :D
    learned a lot!
    Thanks @egotisticalSW !


  • Got User, working on root!


  • Finally rooted...
    Awesome box (windows machine) to learn a lot about Active Directory, windows registry, Windows PE...

    Thanks @egotisticalSW for the fun!

  • is there someone that is willing to review my impacket command? I don't get any successful output, please PM me

  • edited March 2020

    Rooted. Really fun box. I did most things from one tool.

    There's one account that doesn't do anything, but it got some time from me thinking it had to do something.

    User1: OSINT, then think like a company/bank and how their login would be. Requires authentication protocol knowledge.
    User2: Standard enumeration on Windows machine. Just run your everyday script and it should be clear. Requires Windows OS understanding
    Root: Standard AD attack with a few steps. The first ones aren't that usual, but the last one everyone and their cats are doing it. Basic AD skill is needed.

  • I need a nudge with this one, can someone PM if they can help ?

  • @Cratzor said:
    > I need a nudge with this one, can someone PM if they can help ?

    At least put without spoilers what you have enum, and the information you have gathered so far.

  • Rooted. Nudges in PM :)

  • Rooted the box! Great learning experience for a newbie, looking forward to moving onto the next box. Thanks also go to @FunkyMcBeef and @Noob5RUs for their help too.


  • Rooted, was a fun box, definitely learned so much about AD with this one, I have little knowledge in that area, thanks @egotisticalSW for this box! And a big shoutout to @M3rlin for the help!

  • Rooted, it is a funny box, root part is easy.

  • Rooted the machine. Thanks to @cyberafro, @FunkyMcBeef, @olsv and
    @MadBitSec for showing interesting approaches to proceed further.

  • Overall fun box, didn't really care for guessing the naming scheme, took too long to get it correct. Need to invest time on how to automate that step. (If someone has a tool share would love to check it out)

    Priv-esc was fun, was looking for a box to test this path. Glad I got the chance.

    Thanks for the box @egotisticalSW !
