Sauna

@idevilkz said:

@Kolisar said:

@idevilkz said:

can someone please tell me how to download files onto my kali system from evil.
I am using download filename, it says successful however nothing appears. I also tried adding /home/foo/bar but no joy.

For what it is worth, for me putting the paths in the command to start evil did me no good. I just used “download fileNameOnTarget fileNameOnKali” and the file was placed on my Kali box in the directory from which I ran evil to connect.

thanks. I must be doing something basic wrong.
I have generated the .zip within Documents folder.
I am typing download filename.zip fn.zip

it tells me check filenames or path???

Hmmm… that is odd. If filename.zip is the file on Sauna you are trying to download to your kali box, that should work. Try making your evil connection without any of the “path” options.

There is a really manual way to get the file across if the evil download won’t work.
PM me if the download doesn’t work and I’ll explain.

@idevilkz said:

can someone please tell me how to download files onto my kali system from evil.
I am using download filename, it says successful however nothing appears. I also tried adding /home/foo/bar but no joy.

You might try running ‘sudo updatedb’ && locate ‘file you downloaded’ if the download is successful but you can’t find where it dl’d to.

EWi PS C:\Users**> download 20200312101145_***ound.zip
Info: Downloading C:\Users\s
/*****20200312101145_***ound.zip to 20200312101145_BloodHound.zip

Error: Download failed. Check filenames or paths

this is what I get

@johnmflynch said:

can i get some format help with the cat or the rip? anyone anyone…buller :smile:

You should be able to type the command without any arguments and it will tell you the arguments and the format it accepts.

generally, it is commandname -format type -request -outputfile filename

okay I managed to do it. PM if anyone is struggling on this.

okay it gets interesting now. I have got the .zip file and checked it. I can see there are kerberoastable users in there however they don’t kerberoast.
what am I missing ?

I got root thanks to the suggestions on this forum, but I don’t know why.
I’m pretty bad at windows (and in general), so I do not understand what’s the difference between the second user (sr) and the first user (fh) that allows the second user to get the interesting information.
I’d also like to understand how I should have found out about this without reading the forum (and possibly without using the dog).
Could anybody please be so kind to PM me an explanation for this?

Thank you very much!

@ComandanteRed PM sent

@VbScrub said:

@ComandanteRed PM sent

Thank you for taking the time, really appreciate it!

Rooted, and feeling pretty chuffed with myself getting this one as I didn’t need to ask for help.

(edit - just re-read this, and wow, it really wasn’t meant to come off so boastful… Sauna was my 5th Windows machine, but only the first one I’ve managed to do just from knowledge recently gained, and reading info in this thread…)

OK, so with a helping hand from @idevilkz I managed to get up to using a bad/evil tool.
I walked the dog, downloaded the subsequent file and loaded it in the dog program, it shows me users/computers/etc in the DB Information window and I’ve even manually looked at the JS** files and they have information

But any query I try and run, it’s a blank screen. Has anyone had this issue before?


Edit, so I did some more enumeration and ran G******.py and found a family member. But the script tells me the clock Skew is too much. What is the best way of fixing it that it doesn’t ■■■■■■ anything else up?

Edit*:

I really have no idea what is going on right now:

Target Host:

C:\Users*\Documents> net time
Current time at \
.
.* is 3/12/2020 8:54:53 PM

The command completed successfully.

My Kali Machine:

mechs@kali:~$ date
Thu 12 Mar 20:54:07 GMT 2020

I keep getting “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”

Nmap Check

Host script results:
|_clock-skew: 6h59m36s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-13T03:30:43 (this was a few minutes before, ignore the minutes)
|_  start_date: N/A

Banging my head here! No idea what timezone is being used

@mechs85 said:

OK, so with a helping hand from @idevilkz I managed to get up to using a bad/evil tool.
I walked the dog, downloaded the subsequent file and loaded it in the dog program, it shows me users/computers/etc in the DB Information window and I’ve even manually looked at the JS** files and they have information

But any query I try and run, it’s a blank screen. Has anyone had this issue before?


Edit, so I did some more enumeration and ran G******.py and found a family member. But the script tells me the clock Skew is too much. What is the best way of fixing it that it doesn’t ■■■■■■ anything else up?

Edit*:

I really have no idea what is going on right now:

Target Host:

C:\Users*\Documents> net time
Current time at \
.
.* is 3/12/2020 8:54:53 PM

The command completed successfully.

My Kali Machine:

mechs@kali:~$ date
Thu 12 Mar 20:54:07 GMT 2020

I keep getting “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”

Nmap Check

Host script results:
|_clock-skew: 6h59m36s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-13T03:30:43 (this was a few minutes before, ignore the minutes)
|_  start_date: N/A

Banging my head here! No idea what timezone is being used

advice to all on this box… kerberos, it’s the hard road… did you know? there are a lot of snakes in this world.

Sorry all, it was my shiity load of BackBox; the hash and rip wasn’t working. Spun up my Kali virtual and bingo, all is golden

Could anyone PM me a hint (or a right direction) for getting root flag? I obtained svc_*******r creds, I tried to exploit ricoh but it didn’t work. Maybe I am missing something important, but I don’t know what exactly. I’ve got completely confused with this machine

@Demi said:

Could anyone PM me a hint (or a right direction) for getting root flag? I obtained svc_*******r creds, I tried to exploit ricoh but it didn’t work. Maybe I am missing something important, but I don’t know what exactly. I’ve got completely confused with this machine

feel free to pm me if you still need assistance

Could anyone PM me for a hint on enumeration for the initial user, I have tried all basic enumeration of all ports but no luck at all

Thanks @FunkyMcBeef @kalitkd @ComandanteRed @kiaora
thanks for checking my commands and the helpful nudges!!!

Awesome box for a Newb like me!

I’m curious to know if anyone went down the CVE route to get root? I tried to get it working for a while, but eventually gave up. Had to make some changes to get it cross-compiling, but then it wouldn’t run. Also tried writing my own bat script, but never got it to trigger the vuln.

Annoyingly sniffed around with the pooch first but didn’t notice anything interesting when viewing the queries manually, so moved on to other enum. Only went back to it after seeing some of the comments on here.

You can use ntpdate to sync your local clock with a server, i.e. 10.10.10.175. Might need to install it first. You can get this attack to work, but it may not help you with the overall box :shiftyeyes:

@mechs85 said:
OK, so with a helping hand from @idevilkz I managed to get up to using a bad/evil tool.
I walked the dog, downloaded the subsequent file and loaded it in the dog program, it shows me users/computers/etc in the DB Information window and I’ve even manually looked at the JS** files and they have information

But any query I try and run, it’s a blank screen. Has anyone had this issue before?


Edit, so I did some more enumeration and ran G******.py and found a family member. But the script tells me the clock Skew is too much. What is the best way of fixing it that it doesn’t ■■■■■■ anything else up?

Edit*:

I really have no idea what is going on right now:

Target Host:

C:\Users*\Documents> net time
Current time at \
.
.* is 3/12/2020 8:54:53 PM

The command completed successfully.

My Kali Machine:

mechs@kali:~$ date
Thu 12 Mar 20:54:07 GMT 2020

I keep getting “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”

Nmap Check

Host script results:
|_clock-skew: 6h59m36s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-13T03:30:43 (this was a few minutes before, ignore the minutes)
|_  start_date: N/A

Banging my head here! No idea what timezone is being used

@OrangeHat said:
I’m curious to know if anyone went down the CVE route to get root? I tried to get it working for a while, but eventually gave up. Had to make some changes to get it cross-compiling, but then it wouldn’t run. Also tried writing my own bat script, but never got it to trigger the vuln.

If you’re talking about the printer one, I spent SO long trying to get that to work and eventually gave up. Also spoke to 2 other people on here that came to the same conclusion. Can send you my notes on why it doesn’t work and how far I got if you want.