Sauna

Rooted !
It was not that much easy for me.
Anyway, i’ve learned lot off stuff from it since i’m not a Windows guys.

For user : Enumerate everything, you are an attacker so act like so !
For Root : Enumerate, Translate and feed the cats

Rooted! Great box to refresh knowledge. Thanks @egotisticalSW

Cant find a password anywhere, we are not supposed to brute this right?

Nope, no bf’ing on this one

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Really nice machine, not easy!

p*h doesn’t work for me.

NT AUTHORITY\SYSTEM @ SAUNA 10.10.14.X:4444 → 10.10.10.175:56794 (10.10.10.175)

Rooted, it was a fun box. Thanks @egotisticalSW, it definitely improved my AD skillz! :naughty:

PS C:> whoami
************\administrator
PS C:>

Type your comment> @instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Really? I tried all of the usual things and only found one user account that ended up not being any use. Care to send me a PM me with what you did to get list of usernames initially? I’ve already got user flag and know how to get root, so no worries of spoilers

Type your comment> @VbScrub said:

Type your comment> @instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Really? I tried all of the usual things and only found one user account that ended up not being any use. Care to send me a PM me with what you did to get list of usernames initially? I’ve already got user flag and know how to get root, so no worries of spoilers

there is some staff and companies do use naming patters. You just need to figure out which one

Rooted :slight_smile: Only used well known scripts to own this box

Type your comment> @olsv said:

there is some staff and companies do use naming patters. You just need to figure out which one

yeah I already did that and got the user flag, but the guy I was replying to said he used a tool that enumerated the usernames without having to do that bit of guesswork (its an educated guess sure, but its still a guess)

I’m clueless after finding user. PM me if anyone wants to help.

really spent a lot of time over-thinking root; took some time to walk away and that helped.

Type your comment> @instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Without authentication?

Finally got root. Thanks to @Sauron19 for the help with root.

Anyone having issues connecting through winrm?

** nvm. For some reason on EU-Free it didn’t work for me, switched to US and got in.

Great Box…Very cool.

User: Enum and OISNT will lead you to the way.

Root: First Enum, I found some green vegetables to be very helpful in this. Then don’t overthink it, I was able to walk the dog to see what to do, you personally might be more of a cat person though.

Type your comment> @gu4r15m0 said:

Type your comment> @instasec said:

I would just like to put my two cents in, with all the misinformation out there, you do not need to guess to get the initial username needed. There are tools to find the list of usernames on this box.

Without authentication?

Yep

is there any bruteforce required after finding username?

Type your comment> @VoltK said:

is there any bruteforce required after finding username?

Yes.