Sauna

Type your comment> @absolutenoob said:

@KrishnaG what do you mean by ‘default’ username/password? Have you found user credentials?

@absolutenoob said:
@KrishnaG what do you mean by ‘default’ username/password? Have you found user credentials?

Yes, i found the user credential. while trying to get access, getting “WinRM::WinRMAuthorizationError” error.

Type your comment> @KrishnaG said:

Type your comment> @absolutenoob said:

@KrishnaG what do you mean by ‘default’ username/password? Have you found user credentials?

@absolutenoob said:
@KrishnaG what do you mean by ‘default’ username/password? Have you found user credentials?

Yes, i found the user credential. while trying to get access, getting “WinRM::WinRMAuthorizationError” error.

I got the root flag.
Thanks.

I need a little nudge. I have user, but I’m thrashing a bit on where to go to get root. Went through bloodhound etc. Can someone DM me with a nudge?

I managed to get two uer accounts and a reverse shell with svc_****gr account.

Can someone give me a hint on administrator@**********l, please? I’ve been looking everywhere (I think) but can’t get from svc_*****gr account to administrator on SAUNA machine…

Reviewed FOREST (again) and a lot of other stuff from IPPSEC about Kerberos, Impacket, etc. Thanks in advance.

root was easy, similar to other AD machines for me harder was getting a foothold with proper username, I combine in the right way in firs time but its somehow get me an error and I spend a lot of time)
so for User1: make a list and don’t delete wrong names :wink:
User2: one tool can enumerate all you need.
Root: proper syntax that all you need.
and as always PM on any platform for any help.

Type your comment> @Wrebra said:

I managed to get two uer accounts and a reverse shell with svc_****gr account.

Can someone give me a hint on administrator@**********l, please? I’ve been looking everywhere (I think) but can’t get from svc_*****gr account to administrator on SAUNA machine…

Reviewed FOREST (again) and a lot of other stuff from IPPSEC about Kerberos, Impacket, etc. Thanks in advance.

Are you watching to the end that video? It has some hints. pm for more info because of its spoiler >_<

Type your comment> @applepyguy said:

User complete, on my way to root!

w00t, root dance!

Is there another way for getting on the machine with f***** user than e****-*****m?

Got root! Thanks to everyone for their tips. Good fun, learned a lot. :wink:

Got root. Thanks all.

can somone hints me please ? im stuck for finding user

At the end got root.
Here are my hints

  • user: enumerate and mix user information you found with administrator point of vire
  • root: enumerate and use new user to dump as poassword as you can.

Get a name H**** S****, is this a good start?
Now i need to convert the Name to an authentic Username…

I need some help, found user but pocket tool says I cant use it. thanks!

User:

  1. Gather names from website
  2. Build a list of possible usernames (the most popular corporate convention)
  3. Run you usernames against the one imp tool which doesn’t need a password
  4. Use evil tool or Powershell to remote

Root:

  1. Run a popular privesc script, get user2
  2. Run another imp tool to extract interesting info
  3. Pass the info

@GokuBlackSSR said:
Get a name H**** S****, is this a good start?

Not exactly, there is another S.

Alright just finished this one! User is actually not hard at all, but you have to learn to stop thinking so concretely and start thinking outside of the box a little. It’s a Windows box, using Active Directory. What are some common username naming conventions? (it took me way too long to figure this part out lol). For root, just go down the basic list of Windows privesc techniques; you’ll uncover a little more info along the way and use that to obtain admin access. I found getting admin easier than user just simply because I have seen the techniques before. PM me for help!

Getting tripped up a little bit with the user account, I’ve confirmed I have the username but I keep receiving “Name or service not known” when trying to grab the hash. Has anyone seen that before?

This was a fun box to do for me. I don’t have a lot of windows experience so it was very nice to learn more about common AD enumeration and exploitation techniques.

I suppose for the more veteran Windows pentesters this box is a piece of cake. But this box is definitely a way to learn the techniques and become a better Windows pentester.

Don’t know what I’m doing wrong I use enum4linux, ldapsearch, rpcclient and some python scripts and get 0 info. Any hint?

Edit: Also I use nullinux and still nothing

Got creds for H…S… but dont really know what to do with them, any help?