Sauna

This was a fun box to do for me. I don't have a lot of Windows experience so it was very nice to learn more about common AD enumeration and exploitation techniques.

I suppose for the more veteran Windows pentesters this box is a piece of cake. But this box is definitely a way to learn the techniques and become a better Windows pentester.

Don't know what I'm doing wrong. I use enum4linux, ldapsearch, rpcclient and some python scripts and get 0 info. Any hint?

Edit: Also I use nullinux and still nothing

Got creds for H…S… but don't really know what to do with them, any help?

@Peleg said:

Got creds for H…S… but don't really know what to do with them, any help?

That account is not… good. Look for others

I got the gift from imp****. Our friend john is not able to do the work in my case.
Maybe I'm doing something wrong…

Need hints to Evil via PM, never heard about it "I think" :persevere:

Root dance! :tongue:

This was a really good box and one that taught me quite a few new skills so thanks to the creator and also to @VbScrub for the video which got me on my way.

Lots of hints on these threads should get you all the way to root.

@DavidGB said:

I have f***** and sc*****mr but I have a problem using the pocket tool to get admin creds. When I run the script s****dmp.p I get this error:

[-] RemoteOperations failed: Missing required parameter 'digestmod'.
[*] Cleaning up...

When I use the GtU.p* script I already had it and it solves executing with usersfile param, but now I don't know what could it be.

Thanks

Edit 1: Solved.
Edit 2: rooted.

Hi,
How did you solve the problem with I*pa**et and parameter "digestmod"?

So I've got second user and know that I should use Dnc attack, but Mmi** doesn't work and sec***dmp has an error with parameter 'digestmod'. What should I do?

Rooted! Thank you @VbScrub !! Very creative box. I'm learning so much about Windows privesc lately! PM for any help

Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?

great machine tbh

@fr0ster said:

Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?

I am not sure but this might provide an insight into what is going wrong: GetUserSPNs: you can now specify another base DN by the-useless-one · Pull Request #330 · fortra/impacket · GitHub

I think my brain is bricked. I am stuck at the very beginning for hours and can't find a user/pw. I read the hints here but I have honestly no idea which imp***** tool to use. Is someone so kind and sends me a PM with a hint?

@fr0ster said:

Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?

That means you're specifying the wrong domain name. Make sure you're using the DNS domain name (mydomain.local) and not the NetBIOS domain name (MYDOMAIN)

@TazWake said:

@fr0ster said:

Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?

I am not sure but this might provide an insight into what is going wrong: GetUserSPNs: you can now specify another base DN by the-useless-one · Pull Request #330 · fortra/impacket · GitHub

It doesn't work. It's version 0.9.16 and doesn't have GetNPUsers.py.
In mainstream version 0.9.22-dev0, they have GetNPUsers.py but it doesn't work either

@VbScrub said:
That means you're specifying the wrong domain name. Make sure you're using the DNS domain name (mydomain.local) and not the NetBIOS domain name (MYDOMAIN)

O my god, I lost one letter!!!

Thanks!

And thanks @egotisticalSW for interesting box :slight_smile:

Finally rooted it, bloomin 'ell that was a headache. Basically bashed my head on the keyboards for two days until I did a "hail mary" and did a reset on the box. Suddenly it worked :open_mouth:

I had serious issues with clock skew and tried pretty much everything in the book to sync my Kali machine to the other box, or set my machine to the same timezone as it used, but still no dice.
Tried to use the "tickets to ride" with anything I could get a hold of, still no dice.

So a reset and found creds with evil tool gave the needed foothold.
User was harder/more annoying than root.

Cheers for a nice box and kudos to @Watskip for the nudges on discord, much appreciated.

I'm really confused by some creds on this box. Two accounts with same family name and with same password? Have I been trolled by someone who reset the passwords?!

Is my evil app supposed to work without me modifying anything? Because it's just timing out.

I don't understand what is going on with the domain. The one returned from nmap is… well it seems weird to me with that trailing character, and I can't seem to find the "real" one. Can anyone point me in the right direction? @fr0ster maybe?