Sauna

I found service account creds, are those another rabbit hole? :neutral:

@init5 said:

I found service account creds, are those another rabbit hole? :neutral:

Depends what you mean by creds. If you just mean you discovered the username then yeah, I’m pretty sure that is just a rabbit hole. If you actually found a working password for that account then there’s definitely an exploit you can do based on the permissions I see set for that account on the root of the domain.

I spent ages looking at that account myself but didn’t find a password anywhere, and now I see a path to root that definitely does not involve that account. Will be finishing it tomorrow now though

Edit: you can indeed find a working password for that account and get root that way, but I’m persevering with my first method that doesn’t involve this account and goes straight to system, as it also seems intentional (and more interesting).

Rooted! Finally! I was overcomplicating things way too much for root! PM for nudge!
Thx @egotisticalSW It was a fun box!

Spoiler Removed

@VbScrub said:

@init5 said:

I found service account creds, are those another rabbit hole? :neutral:

Depends what you mean by creds. If you just mean you discovered the username then yeah, I’m pretty sure that is just a rabbit hole. If you actually found a working password for that account then there’s definitely an exploit you can do based on the permissions I see set for that account on the root of the domain.

I spent ages looking at that account myself but didn’t find a password anywhere, and now I see a path to root that definitely does not involve that account. Will be finishing it tomorrow now though

No, I have the password as well; it doesn’t work with the high port even though the service account has the needed group membership. Maybe a RunAs could do, but I am basically operating on 20% brain power atm lol

I am stuck on the way to root … I can remote in as user f----- and have plaintext password. User h----- is apparently closely related to f-----.

I see that s–_------- has an interesting reporting line, so to speak, but am not seeing how to get ahold of them.

Can anyone give me a quick PM for user login? I think I know the final way to get the flag but my ParrotOS is not letting me remote into it (maybe it’s my version or something).

@init5 said:
No, I have the password as well; it doesn’t work with the high port even though the service account has the needed group membership. Maybe a RunAs could do, but I am basically operating on 20% brain power atm lol

Oh wow, I’m real curious how you got the password, but I’ll try to figure that out after I’ve tried my current plan for priv esc tomorrow. Maybe there are 2 ways to get root on this machine. As for your method, yeah, I saw that user was a member of the required group to connect with high port so I’m not sure why you can’t get in. Have you confirmed the password is correct by testing the credentials against L*** or SM*?

@squid22 said:

@VbScrub said:

@gverre said:

Is the user H… S… the good path?

That’s the only user I’ve found so I assume so, but trouble is I can’t get anything more than his full name. Can’t get username or anything like that

For the user flag, all you need is in the im-packet toolbox. As for the username … think of the name of the guy that always called Neo… “Mr. Anderson” :wink:
I hope this is not too much…

‘face palm’ I feel dumb now lol

@VbScrub said:

@init5 said:
No, I have the password as well; it doesn’t work with the high port even though the service account has the needed group membership. Maybe a RunAs could do, but I am basically operating on 20% brain power atm lol

Oh wow, I’m real curious how you got the password, but I’ll try to figure that out after I’ve tried my current plan for priv esc tomorrow. Maybe there are 2 ways to get root on this machine. As for your method, yeah, I saw that user was a member of the required group to connect with high port so I’m not sure why you can’t get in. Have you confirmed the password is correct by testing the credentials against L*** or SM*?

Tested them with Metasploit but they seem to be a rabbit hole, it said incorrect creds. :frowning:

Awesome box. Really enjoyed it, need to remember to look at the output of commands and not rush. Did that trying to get the initial foothold and missed getting what I wanted, and did it when I was trying to finish off root lol.

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : SAUNA

Is the password for initial user a guessing game? Can’t seem to get it my usual ways. Unless I am using the wrong user!

EDIT: Got user, was not thinking like an admin!

@Dreadless said:

Is the password for initial user a guessing game? Can’t seem to get it my usual ways. Unless I am using the wrong user!

Initial user password is not a guessing game…

Spoiler Removed

Still on my way to root. Found a R******.p*l. Is this a rabbit hole?

The only username I got so far is the one of H*** S****. Any hint on how to get the mentioned service name? e4x is not giving me anything. Same is true for Get******.py

@mspreitz said:

The only username I got so far is the one of H*** S****. Any hint on how to get the mentioned service name? e4x is not giving me anything. Same is true for Get******.py

I only discovered the service username after successfully connecting to the box. There are more “users”, you can get them from a more “visible” source.

Spoiler Removed

@mspreitz said:

The only username I got so far is the one of H*** S****. Any hint on how to get the mentioned service name? e4x is not giving me anything. Same is true for Get******.py

There is such a thing as a corporate naming pattern: john.doe and so on.

@Malvik said:

@Dreadless said:

Is the password for initial user a guessing game? Can’t seem to get it my usual ways. Unless I am using the wrong user!

Initial user password is not a guessing game…

The password isn’t, but getting the correct username does involve some educated guessing (unless I missed something).