Sauna

1192022242529

Comments

  • @KrishnaG what do you mean by 'default' username/password? Have you found user credentials?

    absolutenoob

  • In my personal view this box is much harder than other boxes with more points and I struggled a lot. But it was very good for learning about windows and now I know where I can focus my training on for a while :) Thanks for making that box

  • @egotisticalSW Thank you for this box. It has truly taken me on a joyride where I got to learn a lot about AD and loads of new tools. Definitely need more practice with Windows boxes.

  • Type your comment> @absolutenoob said:

    @KrishnaG what do you mean by 'default' username/password? Have you found user credentials?

    @absolutenoob said:
    @KrishnaG what do you mean by 'default' username/password? Have you found user credentials?

    Yes, i found the user credential. while trying to get access, getting "WinRM::WinRMAuthorizationError" error.

  • Type your comment> @KrishnaG said:

    Type your comment> @absolutenoob said:

    @KrishnaG what do you mean by 'default' username/password? Have you found user credentials?

    @absolutenoob said:
    @KrishnaG what do you mean by 'default' username/password? Have you found user credentials?

    Yes, i found the user credential. while trying to get access, getting "WinRM::WinRMAuthorizationError" error.

    I got the root flag.
    Thanks.

  • edited April 2020

    I need a little nudge. I have user, but I'm thrashing a bit on where to go to get root. Went through bloodhound etc. Can someone DM me with a nudge?

  • I managed to get two uer accounts and a reverse shell with svc_****gr account.

    Can someone give me a hint on [email protected]**********l, please? I've been looking everywhere (I think) but can't get from svc_*****gr account to administrator on SAUNA machine...

    Reviewed FOREST (again) and a lot of other stuff from IPPSEC about Kerberos, Impacket, etc. Thanks in advance.

  • root was easy, similar to other AD machines for me harder was getting a foothold with proper username, I combine in the right way in firs time but its somehow get me an error and I spend a lot of time)
    so for User1: make a list and don't delete wrong names ;)
    User2: one tool can enumerate all you need.
    Root: proper syntax that all you need.
    and as always PM on any platform for any help.

  • Type your comment> @Wrebra said:

    I managed to get two uer accounts and a reverse shell with svc_****gr account.

    Can someone give me a hint on [email protected]**********l, please? I've been looking everywhere (I think) but can't get from svc_*****gr account to administrator on SAUNA machine...

    Reviewed FOREST (again) and a lot of other stuff from IPPSEC about Kerberos, Impacket, etc. Thanks in advance.

    Are you watching to the end that video? It has some hints. pm for more info because of its spoiler >_<

  • Type your comment> @applepyguy said:

    User complete, on my way to root!

    w00t, root dance!

  • Is there another way for getting on the machine with f***** user than e****-*****m?

  • Got root! Thanks to everyone for their tips. Good fun, learned a lot. ;-)

  • edited April 2020

    Got root. Thanks all.

    CISSP
    Hack The Box
    ++Repect If you think I help =]

  • can somone hints me please ? im stuck for finding user

  • At the end got root.
    Here are my hints

    • user: enumerate and mix user information you found with administrator point of vire
    • root: enumerate and use new user to dump as poassword as you can.
  • Get a name H**** S****, is this a good start?
    Now i need to convert the Name to an authentic Username...

  • I need some help, found user but pocket tool says I cant use it. thanks!

  • User:
    1. Gather names from website
    2. Build a list of possible usernames (the most popular corporate convention)
    3. Run you usernames against the one imp tool which doesn't need a password
    4. Use evil tool or Powershell to remote

    Root:
    1. Run a popular privesc script, get user2
    2. Run another imp tool to extract interesting info
    3. Pass the info

    @GokuBlackSSR said:
    Get a name H**** S****, is this a good start?

    Not exactly, there is another S.

  • Alright just finished this one! User is actually not hard at all, but you have to learn to stop thinking so concretely and start thinking outside of the box a little. It's a Windows box, using Active Directory. What are some common username naming conventions? (it took me way too long to figure this part out lol). For root, just go down the basic list of Windows privesc techniques; you'll uncover a little more info along the way and use that to obtain admin access. I found getting admin easier than user just simply because I have seen the techniques before. PM me for help!

  • Getting tripped up a little bit with the user account, I've confirmed I have the username but I keep receiving "Name or service not known" when trying to grab the hash. Has anyone seen that before?

  • This was a fun box to do for me. I don't have a lot of windows experience so it was very nice to learn more about common AD enumeration and exploitation techniques.

    I suppose for the more veteran Windows pentesters this box is a piece of cake. But this box is definitely a way to learn the techniques and become a better Windows pentester.

    badge

  • edited April 2020

    Don't know what I'm doing wrong I use enum4linux, ldapsearch, rpcclient and some python scripts and get 0 info. Any hint?

    Edit: Also I use nullinux and still nothing

  • Got creds for H....S.... but dont really know what to do with them, any help?

  • Type your comment> @Peleg said:

    Got creds for H....S.... but dont really know what to do with them, any help?

    That account is not... good. Look for others

  • edited April 2020

    i got the gift from imp****. Our friend john is not able to do the work in my case.
    Maybe im doing something wrong...

    Need hints to Evil via PM never ear about it "I think" :persevere:

  • Root dance! :tongue:

    This was a really good box and one that taught me quite a few new skills so thanks to the creator and also to @VbScrub for the video which got me on my way.

    Lots of hints on these threads should get you all the way to root.

  • edited April 2020

    Type your comment> @DavidGB said:

    I have f***** and sc*****mr but i have a problem using the pocket tool to get admin creds. When i run the script s******dmp.p i get this error:

    [-] RemoteOperations failed: Missing required parameter 'digestmod'.
    [*] Cleaning up...

    When i use the GtU.p* script i already had it and it solves executing with usersfile param, but now i dont know what could it be.

    Thanks

    Edit 1: Solved.
    Edit 2: rooted.

    Hi,
    How did you solve problem with I*pa**et and parameter "digestmod"?

    So I've got second user and know that I should use D**nc attack, but Mmi**** doesn't work and sec****d*mp has a error with parameter 'digestmod'. What I should to do?

  • Rooted! Thank you @VbScrub !! Very creative box. I'm learning so much about windows privesc lately! PM for any help
  • Hi.
    When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What I can do with it?

  • great machine tbh

    tn3k HTB profile
    OSCP/OSCE/OSWE

Sign In to comment.