Sauna

I got root thanks to the suggestions on this forum, but I don’t know why.
I’m pretty bad at Windows (and in general), so I do not understand what the difference is between the second user (sr) and the first user (fh) that allows the second user to get the interesting information.
I’d also like to understand how I should have found out about this without reading the forum (and possibly without using the dog).
Could anybody please be so kind to PM me an explanation for this?

Thank you very much!

@ComandanteRed PM sent

@VbScrub said:

@ComandanteRed PM sent

Thank you for taking the time, really appreciate it!

Rooted, and feeling pretty chuffed with myself getting this one as I didn’t need to ask for help.

(edit - just re-read this, and wow, it really wasn’t meant to come off so boastful… Sauna was my 5th Windows machine, but only the first one I’ve managed to do just from knowledge recently gained, and reading info in this thread…)

OK, so with a helping hand from @idevilkz I managed to get up to using a bad/evil tool.
I walked the dog, downloaded the subsequent file and loaded it in the dog program. It shows me users/computers/etc in the DB Information window, and I’ve even manually looked at the JS** files and they have information.

But any query I try and run, it’s a blank screen. Has anyone had this issue before?


Edit, so I did some more enumeration and ran G******.py and found a family member. But the script tells me the clock skew is too much. What is the best way of fixing it so that it doesn’t ■■■■■■ anything else up?

Edit*:

I really have no idea what is going on right now:

Target Host:

C:\Users*\Documents> net time
Current time at \
.
.* is 3/12/2020 8:54:53 PM

The command completed successfully.

My Kali Machine:

mechs@kali:~$ date
Thu 12 Mar 20:54:07 GMT 2020

I keep getting “Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)”

Nmap Check

Host script results:
|_clock-skew: 6h59m36s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-13T03:30:43 (this was a few minutes before, ignore the minutes)
|_  start_date: N/A

Banging my head here! No idea what timezone is being used
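
Added example (not part of any post in this thread): the two wall-clock readings above look only 46 seconds apart, yet Kerberos compares clocks in UTC and rejects requests outside a default tolerance of 5 minutes. The sketch below uses the values from the post; it assumes `net time` printed the target's local time and `date` printed UTC, and its function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Default Kerberos clock tolerance (5 minutes unless the domain policy changes it).
KERBEROS_MAX_SKEW = timedelta(minutes=5)

def parse_nmap_skew(text):
    """Turn an nmap clock-skew value such as '6h59m36s' or '-39m59s' into a timedelta."""
    m = re.fullmatch(r"(-?)(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text.strip())
    if not m or not any(m.groups()[1:]):
        raise ValueError(f"unrecognised skew value: {text!r}")
    sign, d, h, mi, s = m.groups()
    delta = timedelta(days=int(d or 0), hours=int(h or 0),
                      minutes=int(mi or 0), seconds=int(s or 0))
    return -delta if sign else delta

def needs_sync(skew):
    """True when the UTC difference exceeds what Kerberos accepts by default."""
    return abs(skew) > KERBEROS_MAX_SKEW

def infer_utc_offset(target_wall, local_utc, skew):
    """Estimate the target's UTC offset from its local wall-clock reading.

    target_wall: naive local time shown by `net time` on the target
    local_utc:   naive UTC time shown by `date` on the client
    skew:        target UTC minus client UTC (nmap clock-skew)
    """
    target_utc = local_utc + skew
    raw = (target_wall - target_utc).total_seconds()
    # Time zones are multiples of 15 minutes; snapping absorbs the minute or so
    # that passed between taking the individual readings.
    return timedelta(seconds=round(raw / 900) * 900)

# Readings copied from the post above.
NET_TIME_WALL = datetime(2020, 3, 12, 20, 54, 53)   # "3/12/2020 8:54:53 PM"
KALI_UTC = datetime(2020, 3, 12, 20, 54, 7)         # "Thu 12 Mar 20:54:07 GMT 2020"
NMAP_SKEW = parse_nmap_skew("6h59m36s")

if __name__ == "__main__":
    print("naive wall-clock difference:", NET_TIME_WALL - KALI_UTC)
    print("real UTC skew:", NMAP_SKEW, "-> sync needed:", needs_sync(NMAP_SKEW))
    print("target UTC offset:", infer_utc_offset(NET_TIME_WALL, KALI_UTC, NMAP_SKEW))
```
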

Advice to all on this box… Kerberos, it’s the hard road… did you know? There are a lot of snakes in this world.

Sorry all, it was my shiity load of BackBox; the hash and rip wasn’t working. Spun up my Kali virtual and bingo, all is golden.

Could anyone PM me a hint (or a right direction) for getting root flag? I obtained svc_*******r creds, I tried to exploit ricoh but it didn’t work. Maybe I am missing something important, but I don’t know what exactly. I’ve got completely confused with this machine.

@Demi said:

Could anyone PM me a hint (or a right direction) for getting root flag? I obtained svc_*******r creds, I tried to exploit ricoh but it didn’t work. Maybe I am missing something important, but I don’t know what exactly. I’ve got completely confused with this machine.

Feel free to PM me if you still need assistance.

Could anyone PM me for a hint on enumeration for the initial user? I have tried all basic enumeration of all ports but no luck at all.

Thanks @FunkyMcBeef @kalitkd @ComandanteRed @kiaora
thanks for checking my commands and the helpful nudges!!!

Awesome box for a Newb like me!

I’m curious to know if anyone went down the CVE route to get root? I tried to get it working for a while, but eventually gave up. Had to make some changes to get it cross-compiling, but then it wouldn’t run. Also tried writing my own bat script, but never got it to trigger the vuln.

Annoyingly sniffed around with the pooch first but didn’t notice anything interesting when viewing the queries manually, so moved on to other enum. Only went back to it after seeing some of the comments on here.

You can use ntpdate to sync your local clock with a server, i.e. 10.10.10.175. Might need to install it first. You can get this attack to work, but it may not help you with the overall box :shiftyeyes:

@OrangeHat said:
I’m curious to know if anyone went down the CVE route to get root? I tried to get it working for a while, but eventually gave up. Had to make some changes to get it cross-compiling, but then it wouldn’t run. Also tried writing my own bat script, but never got it to trigger the vuln.

If you’re talking about the printer one, I spent SO long trying to get that to work and eventually gave up. Also spoke to 2 other people on here that came to the same conclusion. Can send you my notes on why it doesn’t work and how far I got if you want.

Owned the box eventually. Overall, this box is great for beginners that wish to understand more about Windows and Active Directory environment.

Users and root are not that hard to get to; hints are provided throughout this discussion forum.

Just feel free to PM me if you get stuck and want some hints !!!
Happy to help :slight_smile:

Need a very small nudge on getting from f****h to s**-*****r. I know what to do once I get s-***r , but just no clue on what to do to get to s-*******r.

Hey folks, stuck on svc. I have creds for svc user but do not know how to use the evil and smb are not working for this.

Could I get a nudge on root please? I have tried s*********p, which gave me some information, but I feel like I’m in a rabbit hole.

First time attacking AD, I usually stick to Linux boxes :blush:

Edit: Nevermind, Rooted. I’m an idiot.

Well guys, for user… when you find the list of names, just keep trying. It took me a while to get the password, but it was there in front of me.

Rooted the box

To those who struggle after having user2 creds, I would say check your username; it is a little different if you used winPEAS.