Sauna

@VbScrub said:
That means you’re specifying the wrong domain name. Make sure you’re using the dns domain name (mydomain.local) and not the netbios domain name (MYDOMAIN)

O my god, I lost one letter!!!

Thanks!

And thanks @egotisticalSW for interesting box :slight_smile:

finally rooted it, bloomin 'ell that was a headache. Basically bashed my head on the keyboards for two days until I did a “hail mary” and did a reset on the box. Suddenly it worked :open_mouth:

I had serious issues with clock skew and tried pretty much everything in the book to sync my Kali machine to the other box, or set my machine to the same timezone as it used, but still no dice.
Tried to use the “tickets to ride” with anything i could get a hold of, still no dice.

So a reset and found creds with evil tool gave the needed foothold.
User was harder/more annoying than root.

Cheers for a nice box and kudos to @Watskip for the nudges on discord, much appreciated.

I’m really confused by some creds on this box. Two accounts with the same family name and the same password? Have I been trolled by someone who reset the passwords?!

Is my evil app supposed to work without me modifying anything because it’s just timing out.

I don’t understand what is going on with the domain. The one returned from nmap is… well it seems weird to me with that trailing character, and I can’t seem to find the “real” one. Can anyone point me in the right direction? @fr0ster maybe?

Everything you need has been said previously. Foothold and getting the creds (usernames) right on this box can take up a lot of your time. There have been a lot of tools mentioned in this thread, but really you just need three pocket scripts, a way to be evil, and a command from a field guide (not all in that order) to get to root. I highly recommend looking at @VbScrub videos on AD attacks if you get stuck going for root. I just finished this one, so PM me if you need a nudge.

Not as straightforward as other boxes that were mentioned here. I got the first parts right but I’m still puzzled at how the root is obtained. I’d like to know how that is possible exactly.

@user29 said:

I don’t understand what is going on with the domain. The one returned from nmap is… well it seems weird to me with that trailing character, and I can’t seem to find the “real” one. Can anyone point me in the right direction? @fr0ster maybe?

Maybe you need to use -Pn params? What do you mean when you say “seems weird”?

@user29 said:
I don’t understand what is going on with the domain. The one returned from nmap is… well it seems weird to me with that trailing character, and I can’t seem to find the “real” one. Can anyone point me in the right direction? @fr0ster maybe?

wouldn’t rely on nmap to give you domain names. Easy enough to get 100% accurate domain name yourself with some basic ld** queries

I am accepting nudges for root :slight_smile: I have user accounts, the dog doesn’t seem to be the path for me, is there a way to replicate that manually, it looks like the distance is only 2 steps… but none of the automated tools seem to be working for me.

I have a list of users to check, but don’t know which tool I should use to get the correct user. I see people talking about pockets and scripts but don’t know how to proceed.

All information for AD attacks I see in Google is about having a user and password.

Can someone give me a nudge?

So after a few hours I got user1 however, when I try to run any powershell scripts on my shell (either letting the evil flow through me or meterpreter) they execute but there is no output…any thoughts?

EDIT: nvm, wasn’t using syntax right smh

Just rooted, interesting machine. PM for nudges

Rooted, very fun machine to get used to AD environments. PM if you need any help.

finally rooted! I agree with the previous posts. Getting the initial foothold is probably the most difficult part imo. Once you get the first user, some basic windows AD enumeration will get you on your way to root.

If you’ve done the Forest box, this box is pretty dang similar. Thanks for a great box, PM for nudges.

@salt said:

Easy machine with multiple paths and tools to get the same result.
Hints:

It’s good to know what’s going on in the website,
User 1: It
User 1 → User2: P
P
User2 - > Root: I
t
Then again, I
*t

The best advice that can be given for this machine. Except to get User2, I used a script to find privesc. Great box, I enjoyed it.
Got User1 and spent 3 hours to find a way to access the box. After reading the forum, found that one port is not always open…

Hi guys,
Although I worked many years with Windows boxes, I realized that my knowledge is not fine enough to solve many Windows boxes. For this reason I am here. :slight_smile:

I did some other Windows boxes but I am having problems with Sauna. I tried to enumerate this box using SMB (not possible for me). I think the initial foothold is AD. I even read some nudges about AD attacks. I tried with no result and I wonder if I am using the wrong approach. I tried to use IM**** which worked fine with Forest but no results. Metasploit gives only administrator, which is something we already guess. So, can anyone help me, please? Thanks in advance.

@fr0ster said:

Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?

Umm I guess you are not indicating the correct domain?

@Darvidor said:
Hi guys,
Although I worked many years with Windows boxes, I realized that my knowledge is not fine enough to solve many Windows boxes. For this reason I am here. :slight_smile:

I did some other Windows boxes but I am having problems with Sauna. I tried to enumerate this box using SMB (not possible for me). I think the initial foothold is AD. I even read some nudges about AD attacks. I tried with no result and I wonder if I am using the wrong approach. I tried to use IM**** which worked fine with Forest but no results. Metasploit gives only administrator, which is something we already guess. So, can anyone help me, please? Thanks in advance.

Nothing like asking something to find the solution :slight_smile: I tried harder using IM**** again and finally I found something interesting. The problem is the same information in Metasploit displays an error. Maybe my lack of knowledge and the error got me into a confusing zone. However, any nudge is welcome! :tired_face: