Sauna

If you got the user names from the box, then you need to make sure you have enough variations in how usernames can be crafted.

Then it's about finding the right tool to check. You might want to look at the tools which are part of i******t.

Evil no worky work. I got it to work once a couple of days ago…but was a fluke. I’ve sync’d clocks, switched vpn. I notice that the 5985 and 47001 ports are always filtered…maybe there is a trick? Firewall blocking it? Any thoughts?

After reading a few pages of this forum, is it normal for the ports to be filtered? I have run a few different variations of NMAP scans and I can’t get anything other than “scanned ports on 10.10.10.175 are filtered”

Edit: I’m dumb, my VM time was WAY off from actual time. Updated my clock and now things are working better.

Hey guys, I need help. I have found 3 users and a password for 1 of them. Trying evil-winrm but it is not working. It gives this error:

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

Error: An error of type HTTPClient::ConnectTimeoutError happened, message is execution expired

Error: Exiting with code 1

I need a nudge please.
Thanks

@Harry123 see my comment on the previous page: Sauna - #777 by VbScrub - Machines - Hack The Box :: Forums

This was a very good, but also very challenging box. It took me 4 days to root. I learned a lot about Active Directory internals on the way. A big thank you to @VbScrub for your great video series on this topic. Helped me a lot.

As I also have to deal with AD in my daily job, it is scary to see how many attack vectors there are.

My nudges:
Learn how Active Directory works: There are tons of videos on YouTube…
User 1: Enum the organisation’s website and think about how admins choose usernames
There are tools out there that allow you to test users against AD without a password (e.g. K**e from rp). You have to be Evil to get a shell
User 2: enum, enum, enum. You may have to count all Peas and watch them closely.
root: enum your new user
This user might have some special powers.
Use them to get something that you might pass…

Rooted! Good box, helped me a lot to understand more i******t tools.

USER: search for common username policies in that kind of environment. From information on the site you can do some OSINT and build your own list, then check it with some other tools to find actual usernames. Then you’re gonna find a way to get password hashes with i******t tools. Crack them, use them to open a shell and you should get the user flag.

ROOT: From user, find a way to get some other credentials to change user to user2 with a pretty common tool in Windows exploitation. Use other tools from i******t and get hashes for admin. Then, there’ll be another tool that is going to help you get an admin shell without cracking hashes.

Hope this is not too much. Feel free to PM me for nudges! :slight_smile:

@Harry123 Solved it? I have the same problem too…

++ Rooted!! Thanks to this space (Sauna Forum!)

I have got around 11 possible full names from the website. I tried crafting different usernames with them and tested them with i******t, but none of them is working. Can someone PM me on how to craft usernames correctly?

Any tips on how to find the password for user2?
I have an evil connection to F***H and the WP.E** only gives me one suggestion for priv esc, that being ac.exe

I can’t seem to find how to get passwords from it.

PM me with any nudges you are willing to send my way :smile:

side note, the cat seems to run around in circles and my dog has had a look around but not found anything. I assume … hope … he’ll have a better chance sniffing around user2

Cheers

Has anyone doing the Sauna machine at this time made progress?

Finally got root. Not sure why I was able to priv esc… I managed to figure it out though via hints in this forum…
Gonna go back and check out some AD attack videos etc.
Can anyone DM me why I was able to do that as the 2nd user? Not sure what I missed during enum…
Thanks!

I overthought the root.

@wittr said:
Finally got root. Not sure why I was able to priv esc… I managed to figure it out though via hints in this forum…
Gonna go back and check out some AD attack videos etc.
Can anyone DM me why I was able to do that as the 2nd user? Not sure what I missed during enum…
Thanks!

Will send you a PM to explain

Hello,
I’m new to pentesting. I found a user by using G*********.py -format john.
After this I used “john --format:krb5asrep” to try to decrypt the password, and 4 hours after beginning I’m still waiting for the result. Is there another way to decrypt the password, please?

Thx in advance for your help.

@SEB01 said:
Hello,
I’m new to pentesting. I found a user by using G*********.py -format john.
After this I used “john --format:krb5asrep” to try to decrypt the password, and 4 hours after beginning I’m still waiting for the result. Is there another way to decrypt the password, please?

Thx in advance for your help.

Try to use a wordlist with common passwords (like rockyou.txt) with your password cracker, rather than just full-on brute forcing.

Thanks for your help, it took only a few seconds to decrypt the password.

Rooted, any hints, PM me anytime.