Forest

18911131439

Comments

  • F I N A L L Y !!!
    Thanks go to @MrPennybag & @bipolarmorgan for helping me out when stuck!

    hackthebox: Please give us more of these AD / Hound machines! I hate them really, but at least I'm learning a ton! 😋

  • It was messy, but I managed to root it. Feel free to message me for hints.

    HtB Handle: haastile

  • BOOM! goes the dynamite. This was a fun and frustrating journey but learned a lot in the windows privesc world. Thanks to @Phaas03 and @btwiusearch for jogging my brain into a different way of thinking to get me over the root hill.

  • Rooted. If someone is doing this with WSL under Windows 10, msg me for some details about root. PM me for hints if you want.

  • Can anyone offer DM for hint/nudge on user? I got creds for s**-a***** and not too sure what I am missing on attempt to use these creds.

  • @Dabson Yeah I am right there too. Did some research but I guess I might be overlooking something. I would appreciate a DM from any of the dungeon masters.

  • Can anyone give me a nudge for user? I have all the open ports, see all the services. Everything I look at needs a user/pass, is the only way in via user/pass lists or bruteforce?

  • Amazing box, learned some good stuff !

  • Type your comment> @TheRamen said:

    Can anyone give me a nudge for user? I have all the open ports, see all the services. Everything I look at needs a user/pass, is the only way in via user/pass lists or bruteforce?

    Bruteforce = Nope (bad mojo, especially for easy\medium machines)
    Try and enumerate users, see what you can find.

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • edited November 2019

    Ok, I give up, I need some help. I've got e-**** running. I have S****-H****. I can't however get any output whatsoever from said app. Is there a way I can get a better shell now that I'm in with e-****? I just don't get any output from the tool and am probably missing something really obvious.

    Edit: I guess I can run said tool locally, and need to figure that out!

  • Finally Rooted!! What a ride! Learnt a lot. Many thanks to the box creator, very good work!

  • @acidbat said:

    Bruteforce = Nope (bad mojo, especially for easy\medium machines)
    Try and enumerate users, see what you can find.

    Okay thanks. I saw some other people suggesting brute-force in this thread and thought that didn't seem right - where's the value/challenge is sitting watching and waiting for a brute-force to complete?

    I will go back to the drawing board and dig deeper into enumeration.

  • Great box, thanks the creators for the nice experience

    Ch0p1n

  • Type your comment> @xcabal said:

    Type your comment> @Nikolay167 said:

    Im really stuck at getting the user :( So i have few questions i found the user from which we can get the hash.

    I'm trying to use tool from impacket called G****T.py but after specifying -k -no-pass htb.local/{VULN USER}
    it throws me an error except the hash.

    SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

    So the question, is the problem on my end(software ver etc) or im doing something wrong and i will never get that way Hash?

    did u figure it out? cause I am stack at the same thing

  • edited November 2019

    I am able to run a version of S*********.ps1 from H**5. However, I am not able to upload the .zip nor the individual files to *****hound. It first states "Processing file name.csv" then followed by "Unrecognized File".
    Anyone able to provide some insight into what the problem might be?

    Thank you :)!

  • Type your comment> @CLQWN said:

    I am able to run a version of S*********.ps1 from H**5. However, I am not able to upload the .zip nor the individual files to the three headed hound. It first states "Processing file name.csv" then followed by "Unrecognized File".
    Anyone able to provide some insight into what the problem might be?

    Thank you :)!

    you are using a new version of B and and old version of S

    Rayz

  • Type your comment> @TheRamen said:

    @acidbat said:

    Bruteforce = Nope (bad mojo, especially for easy\medium machines)
    Try and enumerate users, see what you can find.

    Okay thanks. I saw some other people suggesting brute-force in this thread and thought that didn't seem right - where's the value/challenge is sitting watching and waiting for a brute-force to complete?

    I will go back to the drawing board and dig deeper into enumeration.

    No worries mate :),
    If you need a nudge, PM me.

    Always happy to help others. 100% human

    https://www.mindfueldaily.com/livewell/thank-you/

  • edited November 2019

    Anyone able to help with privesc? I'm not sure if I'm on the right track with P*********e.py

  • Hi, i need some help, i have user accounts but i am struggling to move forwards . Could someone please give me a nudge in the right direction? Thanks

  • Hi all. I managed to get the 6 user accounts. But Im currently stuck to get the hashed passwords. Tried spa**a and im**cket with different modules as well as m***sploit. Nothing. More specific details please. This is my second machine after the Heist. Thanks in advance.
  • For the root stage, I can't seem to give the Alf account the permissions that the hound suggests but I can creat my own user and give that permission. I can't however give that new account permissions to login so I'm stuck.

    Any hints please? I've been stuck on this bit for the last 3 days solid.

  • edited November 2019
    Sometimes a local group is as good as than a domain one.

    bumika

  • I've walked the dog. I've added myself to the things that link me to the thing I want. Clearly the dog says I've got what I want (three times, even), However. when I actually go to setup the object or priviledge, I'm totally lost :(

  • @btwiusearch said:
    Rooted.
    Tears where shed and joy was had but at the end of the day, my AD knowledge and windows exploitation is vastly improved. Three days for the root lol, just about as I was going to go to bed as well.

    Has this weird thing happen to me, idk if this was the case with anyone else but just incase you are struggling with that error mentioned on the cat: you have a literal 10 second window before your privesc breaks. Might of just been me. You can use scripts to help automate this so you are in time to get something out of the cat.

    I thought I was going crazy, but yes I noticed something like this...

  • Can't someone help me about the S****H******** execution plz? Nothing happened. With the -ns option too...

  • I am really stuck with root on this one. Got the B****H**** onto PS using E*W-** but it doesnt give results. Tried remotely but getting heaps of dns errors. Very lost on what to try now

  • edited November 2019

    @shakaaa said:
    I am really stuck with root on this one. Got the B****H**** onto PS using E*W-** but it doesnt give results. Tried remotely but getting heaps of dns errors. Very lost on what to try now

    there's a python thingy for the hound that works

  • Type your comment> @jones7 said:

    @shakaaa said:
    I am really stuck with root on this one. Got the B****H**** onto PS using E*W-** but it doesnt give results. Tried remotely but getting heaps of dns errors. Very lost on what to try now

    there's a python thingy for the hound that works

    that one puts .localdomain at the end of the domain name for no reason

  • Type your comment> @shakaaa said:

    I am really stuck with root on this one. Got the B****H**** onto PS using E*W-** but it doesnt give results. Tried remotely but getting heaps of dns errors. Very lost on what to try now

    I edit my host file to resolve that.

    windows 7 is my rig :) if it can't be done on windows, i fail.

  • Desperately trying to get root for days now. Just give me a nudge: do I need to create a user and login with that user or can I use remote tools to get what i need?
    Because I found an interesting privesc method, but I need to login to use it and I can't find a way to do it. It could be useful to know if I'm losing time or not.

Sign In to comment.