Forest


Comments

  • @MrPennybag said:

    Hey Hackers!

    I have mixed feelings about this box: user was not so hard, but root was a long way, which was frustrating most of the time because nothing seemed to work!

    Great thanks to all who pushed me in the right direction!

    My hints for User:

    • Enumerate with a well known tool 4linux and then use a tool which will impackt!
    • Call your old friend John and you have all that you need!

    My hints for Root:
    !! Don't use the evil !!

    • As also documented before, take a walk with your bloodhound; when it doesn't work locally you can google for a remote solution which will work!
    • Then find a path, but think also about what components are in this network (find an attack)
    • If you know what to attack, google around and there is a prog which will do the work for you to get the "Right"!
    • Now it's time to play with your cat...
    • If you got all that you need, search for a tool that will impackt

    Hope it is helpful to everybody who got stuck!

    Feel free to contact me if you can't get it!

    If I spoilered too much please remove the post!

     
    

    I used evil, and can't seem to walk the dog. Any hint on what tools I should use instead?


  • edited October 2019

    @devow said:

    @MrPennybag said:

    Hey Hackers!

    I have mixed feelings about this box: user was not so hard, but root was a long way, which was frustrating most of the time because nothing seemed to work!

    Great thanks to all who pushed me in the right direction!

    My hints for User:

    • Enumerate with a well known tool 4linux and then use a tool which will impackt!
    • Call your old friend John and you have all that you need!

    My hints for Root:
    !! Don't use the evil !!

    • As also documented before, take a walk with your bloodhound; when it doesn't work locally you can google for a remote solution which will work!
    • Then find a path, but think also about what components are in this network (find an attack)
    • If you know what to attack, google around and there is a prog which will do the work for you to get the "Right"!
    • Now it's time to play with your cat...
    • If you got all that you need, search for a tool that will impackt

    Hope it is helpful to everybody who got stuck!

    Feel free to contact me if you can't get it!

    If I spoilered too much please remove the post!

    Stuck there as well, even resorted to other ruby scripts but still can't find a way to get anything to feed the dog.

     
    

    I used evil, and can't seem to walk the dog. Any hint on what tools I should use instead?

  • For anyone having trouble getting the dog to do anything at all, look into some different ways of executing PowerShell.

  • Connectivity question: Did something change ?

    The evil worked very well for some days. Tried today again with the exact same syntax and I get

    Info: *

    Info: *

    Error: Can't establish connection. ...

    Error: Exiting with code 1

  • @dodosstuff said:

    Connectivity question: Did something change ?

    The evil worked very well for some days. Tried today again with the exact same syntax and I get

    Info: *

    Info: *

    Error: Can't establish connection. ...

    Error: Exiting with code 1

    The box is resetting all the time. I think someone is trying to be funny with dos-ing the system.


  • @bertalting said:

    @n0bf said:

    I got a hash for an account, but I realized that neither John nor Hashcat seem to natively support cracking that type. Anyone have suggestions on how to crack it?

    It's Hashcat for sure to crack it. Check the mode or even your hash. Maybe it's incomplete

    Not really, I cracked it with John, check the format of the output in the step before.

  • Finally rooted. This box is like hell, I learned a lot of things, and it wasn't as easy as labeled.
    Anyway, special thanks to all the guys that helped me out.

    C:\>whoami
    nt authority\system

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • I am at the last step but I cannot crack the hash :'(

  • @xcabal said:

    I am at the last step but I cannot crack the hash :'(

    You don't need to crack the hash


  • edited October 2019

    Smart guys, could you tell me why the EVIL rb program works, but metasploit win_sc****_ex does not?
    What's the difference between these two?
    Thanks

  • @bertalting said:

    @xcabal said:

    I am at the last step but I cannot crack the hash :'(

    You don't need to crack the hash

    OK, I think I got it, I got confused with the conversation above :)

  • Is this box not loading for anybody else?

  • @xcabal said:

    I am at the last step but I cannot crack the hash :'(

    If you are on the last step of cracking the hash for the user account, for sure you need hashc**, but for the last step for root some impacket scripts accept a hash for login.

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • edited October 2019

    Edited

    twypsy

  • Rooted the box, was a bit frustrating at points but now that I'm looking back on all the steps with the knowledge I now have, it makes sense.

    Although, I'm hoping someone might be able to point out why the dog wouldn't run the same way for all people. Is it a product of a Windows configuration, or just due to the nature of multiple people connecting to it?

  • Rooted after a week of trial and error. Great box but not at all easy. Learned a lot, big ups to @izzie for all the help.

    If anyone needs help dm me

  • I finally got root. Thank you @MrPennybag and @GibParadox, your guidance helped me a lot. I've always been a Linux guy, but getting to know the Windows side. I still have a lot to learn.

  • Finally got root. I have learned so many new tools and techniques from this machine.

    Thank you @DaChef @RHoodCrack @Nikolay167 @lannerXIII and @j3wker for your valuable guidance and hints.

  • @Omnisec said:

    Anybody else getting

    Ldap Connection Failure.
    Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

    Edit:
    Switched from Sharp to Blood and it worked smoothly.

    Any idea why this error occurs?

  • @Deslight said:

    @Omnisec said:

    Anybody else getting

    Ldap Connection Failure.
    Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

    Edit:
    Switched from Sharp to Blood and it worked smoothly.

    Any idea why this error occurs?

    Yeah, specify a user and a pw

  • C:\Windows\system32>whoami
    nt authority\system
    
    
  • Got stuck after getting the uname and pwd. Could somebody please pm me in the right direction? Thank you in advance :)

  • edited November 2019

    Finally rooted this after taking a break to learn more about AD.

    https://blog.harmj0y.net/ and https://adsecurity.org/ were great resources.

    My notes for root:

    • If your "dog" tool isn't working remotely, maybe it's easier to do it locally? (There's an Ippsec video for this.)

    • After enumerating, it's obvious what the "vulnerability" is, but I had trouble finding out how to exploit it. My google search terms were too abstract. When I searched the origin of that "vulnerability", the exploit was everywhere.

    • In the final step of escalation, you don't need to crack anything or play willy wonka.


  • edited November 2019

    Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns the proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

    bumika

  • Another great machine ! Learned a lot about AD (in)security.


  • edited November 2019

    @bumika said:

    Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns the proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

    Caused by only a wrong switch value... It was a great challenge. Thank you to the author.

    bumika

  • @bumika said:

    Caused by only a wrong switch value... It was a great challenge. Thank you to the author.

    Quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

  • @btwiusearch said:

    @bumika said:

    Caused by only a wrong switch value... It was a great challenge. Thank you to the author.

    Quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

    I simply used a wrong switch value in a dsacls command.

    bumika

  • I would like to ask somebody who managed to run the current version of S....H.... successfully to send me a PM. I used both a remote python version and an old PS but I failed to get output using the current PS. Thx.

    bumika

  • Rooted.
    Tears were shed and joy was had, but at the end of the day, my AD knowledge and Windows exploitation is vastly improved. Three days for the root lol, just about as I was going to go to bed as well.

    Had this weird thing happen to me, idk if this was the case with anyone else, but just in case you are struggling with that error mentioned on the cat: you have a literal 10 second window before your privesc breaks. Might have just been me. You can use scripts to help automate this so you are in time to get something out of the cat.
