Sauna

I got both users. Not sure what to do next? Any hints how to get root.

Got it. thanks for help.

a friend told me a I could enum users (via active directory) with a pre installed tool on kali. researched for a week without success. can anyone advise me how to enum users, please?

can i DM someone for a nudge?

I rooted it, but I paid for it. That was my first domain controller, so I learned a ton in the process. There are a lot of great tips in the thread.

The only comment I have, and perhaps this was only my experience, but I noticed when running my windows enumeration script (Win****) that the output was not always the same. So, the first time I completely missed what I needed. I ran it a few more times to test and got different results with each attempt. May just be me, but perhaps some other soul will be spared the 2 hours of hair pulling.

Feel free to dm for nudge!

got user.txt
Stuck in the root part
i found only one user creds f*** i couldn’t found second creds
can anyone give me nudge for root

Got user, got the other user password. but what am I missing, I cant see how to get the root!

Edit : OK That was pretty straight forward’

rooted!

thanks guys. got help from others

rooted …
user part is more complicated than root part
pm for nudges

rooted

thanks to @mike0x73

pm me for support and choosing the right tools :slight_smile:

ROOTED
it’s ridiculous. I can’t find the root use net user.
Why? if you know it, please PM me.

Not sure if this box is bugged, but I swear I was looking up and down at the website (somewhere in a****.h***) for potential usernames and couldn’t find any. It was just showing up as Agent1 Agent2 Agent3.

Looked at it again today and poof there it was.

Got User. This took way too long, because the required port didn’t show up in my nmap scan. No idea why… When I scanned again, there it was! Getting the Flag was only a matter of seconds, especially if you did some other machines that have almost the same entry point…

Now on to root! :smiley:

For the root, why the kw module gives different result compared to the result from im****et? And how do they both work and give me root? Please PM me if you have any idea. Thank you!

Well it may have taken me a couple of days, but I am pretty chuffed as this is the first machine I have pwned all the way to root without checking the forum for hints. I think I wasted a huge chunk of time looking for access after I got the initial set of creds because my initial n*** didn’t show w***m was running.

That little hiccup aside, I think this box follows a pretty classic windows exploitation path, and has a pretty good set of breadcrumbs to follow. If you know your windows enum and recon tools, you shouldn’t have any trouble.

This was one of the first boxes I tried, but I got badly stuck and parked it. Came back to it yesterday and got user flag almost immediately - I had done most of the work already as it turns out.
Getting root was fun - learnt a lot about AD. Props to @VbScrub for the excellent YouTube channel. Thanks for @egotisticalSW for a fun box.
Happy to provide nudges via PM.

Type your comment> @hughesdg said:

This was one of the first boxes I tried, but I got badly stuck and parked it. Came back to it yesterday and got user flag almost immediately - I had done most of the work already as it turns out.
Getting root was fun - learnt a lot about AD. Props to @VbScrub for the excellent YouTube channel. Thanks for @egotisticalSW for a fun box.
Happy to provide nudges via PM.

Any hints on root?
I’ve got all users including the service account. I’m just not sure how to progress.
I have tried the TGT/TGS way, and it didnt work. I tried secrets dump, no luck.
Any help would be appreciated - pm’s are welcomed :smile:

UPDATE

Nevermind…

Somehow changing from /bin/bash to /bin/sh made the “dump” run - Rooted.

I am stuck at executing sharphound

i downloaded the executable at the following links

https://github.com/BloodHoundAD/BloodHound/blob/master/Ingestors/SharpHound.exe

Any hint on how to solve this ?

Finally get root with a lot of hints in this forum !!! I think it has enough hints for you to get root if you read all comments. It takes totally 8 hours for me to get root including time for reading comments lol :)))

Thanks @VbScrub for the best videos about AD in youtube. I’m really appreciate that !!! I am expected your next coming video.

This is a very fun and smart box. It helps me learn lots of things about my pocket. Thank @egotisticalSW for creating this box !!!

If you find this error from Linux:
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
it because of your local time, you need to synchronise the host with the DC:
ntpdate `

It’s great to hear about your successful rooting after the challenging 5-day journey! The learning curve with AD machines can indeed be steep, but it seems like you’ve navigated it well. Shoutout to @VbScrub for the helpful videos that provided a solid foundation in understanding AD workings and attack scenarios—a definite asset in this realm. Your breakdown of the user paths and the “snake” hints coming together shows true perseverance and problem-solving skills. On a lighter note, have you ever tried exploring the diverse kfc breakfast menu ? Amidst all these tech triumphs, a delicious breakfast could be a great way to celebrate your hard-earned success!