Need some help... I found user and the password but i need to get the SID of the user can someone tell me what tool I need for this. And maybe which service for the shell ?
Need some help... I found user and the password but i need to get the SID of the user can someone tell me what tool I need for this. And maybe which service for the shell ?
What do you need the SID for? I think it's time to take the dog for a walk.
Need some help... I found user and the password but i need to get the SID of the user can someone tell me what tool I need for this. And maybe which service for the shell ?
What do you need the SID for? I think it's time to take the dog for a walk.
If you are talking about BloodHound. everything I do i get "No DATA return from query" and i don"t have a shell and the user flag
Just want a connected shell so I can move on... Ive got the a username and password. Ive changed the other users passwords... And ive connected to the domain realm. Kerberos not working so cant escalate.
Just want a connected shell so I can move on... Ive got the a username and password. Ive changed the other users passwords... And ive connected to the domain realm. Kerberos not working so cant escalate.
Just cant find a way to get a shell.
Me too. Found the pass for s**-a******o , but got stuck there. Any hints?
Got user, got the dog running, I think I understand the path and now I'm trying to get the cat working but I always get an error although I should have sufficient rights to steal what is necessary with ds**** function from the cat. Please DM me for a nudge!
Need some help... I found user and the password but i need to get the SID of the user can someone tell me what tool I need for this. And maybe which service for the shell ?
What do you need the SID for? I think it's time to take the dog for a walk.
If you are talking about BloodHound. everything I do i get "No DATA return from query" and i don"t have a shell and the user flag
You can use Powershell to remotely run the command. 'runas /netonly xx powershell.exe' comes to mind...
Just want a connected shell so I can move on... Ive got the a username and password. Ive changed the other users passwords... And ive connected to the domain realm. Kerberos not working so cant escalate.
Just cant find a way to get a shell.
Me too. Found the pass for s**-a******o , but got stuck there. Any hints?
You've got to find a way to have a shell.
5n0wwh1t3 Help me with that one... run a full tcp scan and look between port 2000-4000...
You will need evil-***** to get the shell. You can get it on github.
I got user credential, I got a shell...
Can someone give me a link for a tuto for bloodhound... And when I run sharphound.ps1 and Invoke-Bloodhound, there is no file create. Is it normal!
Just want a connected shell so I can move on... Ive got the a username and password. Ive changed the other users passwords... And ive connected to the domain realm. Kerberos not working so cant escalate.
Just cant find a way to get a shell.
Me too. Found the pass for s**-a******o , but got stuck there. Any hints?
You've got to find a way to have a shell.
5n0wwh1t3 Help me with that one... run a full tcp scan and look between port 2000-4000...
You will need evil-***** to get the shell. You can get it on github.
Many thanks! Got a shell and the user. Tomorrow i'll go for root. The ippsec video for the Active box has a bloodhound part.
I got user credential, I got a shell...
Can someone give me a link for a tuto for bloodhound... And when I run sharphound.ps1 and Invoke-Bloodhound, there is no file create. Is it normal!
may i ask for a nudge or hint? i don't know if the tool i'm using is working because every time i issue a command there is no output if it was successfully executed. i don't even know if it's working or not. maybe you can give me some guide on what it will display if the commands were issued, either if it is successful or not?
Need a little assistance... Got user. Onto Root. was able to create a new user, ran SH.exe from a windows vm, added the new user to "E******e T*****d S*******m & E*****e W*****s P*********s" groups.
I've read on using D****.exe or P****v**w.ps1 but can someone give me some pointers... thanks,
I need a nudge for finding user creds. I have a list of users and I know how to login in once I get the creds, but I just can't find any hashes or pass for the users.
Aparently, all the impacket scripts I tried needs a valid creds first, to run properly..
Thanks to the creator of the machine, the user's part is quite simple but the root is complicated somewhat more, it is just having real information and you make it easy a greeting
Can someone give me some hint. I was able to own the user. After that i took the dog out to chain some things up. Then i was able to dump a whole lot of secrets. But the one i hoped for wasn't there. I don't know where to go from here.
I need a nudge for finding user creds. I have a list of users and I know how to login in once I get the creds, but I just can't find any hashes or pass for the users.
Aparently, all the impacket scripts I tried needs a valid creds first, to run properly..
Please PM me ..
Not all the scripts. There's one that will do the job.
this box was an animal....took me almost 3 weeks to root it. I was a Windows admin about 10 yrs ago so I have some experience with AD but that experience sort of played against me on this one (those damn graphical AD tools vs command line)!
also interesting to note, for root - some of the 'old school' techniques didnt work for me unless I got somewhat loud and sloppy...this one forced me to learn new tools (a**lp*** ) and relearn some concepts.
stuck on running bh. not exactly sure what I'm missing and reading through the comments and the config has got me in a loop I can't escape and I'm bashing my head. I believe I'm passing all the right params but there is no output. please help
Edit: Finally got the box, what a PITA, but very fun. In the end, it was just me holding myself back.
Been trying to execute B****H.exe or *.Ps1 but both just fail with out any output. could someone please DM Me. i'm using EW*** for shell. going crazy (loving the challenge, but hit a wall and i'm no longer learning) Please DM.
Finally rooted. It was my first root for windows machine and I had 0 knowledge about AD, but with a help of great people I learnt a ton. I highly recommend to watch some videos about AD security and bloodhound.
If you need any help feel free to ask me, because I know how confusing it can be if you've never done anything with AD
Comments
Need some help... I found user and the password but i need to get the SID of the user can someone tell me what tool I need for this. And maybe which service for the shell ?
Type your comment> @ghostuser835 said:
What do you need the SID for?
I think it's time to take the dog for a walk.
Type your comment> @cassn94 said:
Try and focus on 445 more. First, try to get a list of users then get a hashed password.
Spoiler Removed
Type your comment> @sta1ker said:
There is a MS command line tool - d****s - that can display and set permissions on AD objects.
Hey I am stuck on bloodhound. I have uploaded it tried different syntaxes but it either throws or does not do anything. Any hints?
Type your comment> @emptyArray said:
If you are talking about BloodHound. everything I do i get "No DATA return from query" and i don"t have a shell and the user flag
Hello, every time I connect to the server with kerberos it fails with NT_STATUS_NO_LOGON_SERVERS.
I'm connected to the realm, and smb works with standard login.
Just want a connected shell so I can move on... Ive got the a username and password. Ive changed the other users passwords... And ive connected to the domain realm. Kerberos not working so cant escalate.
Just cant find a way to get a shell.
Type your comment> @cassn94 said:
Me too. Found the pass for s**-a******o , but got stuck there. Any hints?
Got user, got the dog running, I think I understand the path and now I'm trying to get the cat working but I always get an error although I should have sufficient rights to steal what is necessary with ds**** function from the cat. Please DM me for a nudge!
Type your comment> @ghostuser835 said:
You can use Powershell to remotely run the command. 'runas /netonly xx powershell.exe' comes to mind...
Type your comment> @R4qu1C4lh0rd4 said:
You've got to find a way to have a shell.
5n0wwh1t3 Help me with that one... run a full tcp scan and look between port 2000-4000...
You will need evil-***** to get the shell. You can get it on github.
I got user credential, I got a shell...
Can someone give me a link for a tuto for bloodhound... And when I run sharphound.ps1 and Invoke-Bloodhound, there is no file create. Is it normal!
Nvm
Type your comment> @ghostuser835 said:
Many thanks! Got a shell and the user. Tomorrow i'll go for root. The ippsec video for the Active box has a bloodhound part.
Type your comment> @ghostuser835 said:
same prob here
may i ask for a nudge or hint? i don't know if the tool i'm using is working because every time i issue a command there is no output if it was successfully executed. i don't even know if it's working or not. maybe you can give me some guide on what it will display if the commands were issued, either if it is successful or not?
Need a little assistance... Got user. Onto Root. was able to create a new user, ran SH.exe from a windows vm, added the new user to "E******e T*****d S*******m & E*****e W*****s P*********s" groups.
I've read on using D****.exe or P****v**w.ps1 but can someone give me some pointers... thanks,
I need a nudge for finding user creds. I have a list of users and I know how to login in once I get the creds, but I just can't find any hashes or pass for the users.
Aparently, all the impacket scripts I tried needs a valid creds first, to run properly..
Please PM me ..
Thanks to the creator of the machine, the user's part is quite simple but the root is complicated somewhat more, it is just having real information and you make it easy a greeting
Can someone give me some hint. I was able to own the user. After that i took the dog out to chain some things up. Then i was able to dump a whole lot of secrets. But the one i hoped for wasn't there. I don't know where to go from here.
Forget that. I forgot i didn't need to do something else with the dump.
Type your comment> @inertia said:
Not all the scripts. There's one that will do the job.
this box was an animal....took me almost 3 weeks to root it. I was a Windows admin about 10 yrs ago so I have some experience with AD but that experience sort of played against me on this one (those damn graphical AD tools vs command line)!
also interesting to note, for root - some of the 'old school' techniques didnt work for me unless I got somewhat loud and sloppy...this one forced me to learn new tools (a**lp*** ) and relearn some concepts.
PM me if you need help
HINTS
User
System allows anonymous enumeration
Looks for weak Kerberos settings
Root
"Sniff" out DACL weakness
Use impacket to expose secrets
stuck on running bh. not exactly sure what I'm missing and reading through the comments and the config has got me in a loop I can't escape and I'm bashing my head. I believe I'm passing all the right params but there is no output. please help
Edit: Finally got the box, what a PITA, but very fun. In the end, it was just me holding myself back.
can someone help me in walking the dog with the snake?
Been trying to execute B****H.exe or *.Ps1 but both just fail with out any output. could someone please DM Me. i'm using EW*** for shell. going crazy (loving the challenge, but hit a wall and i'm no longer learning) Please DM.
=======================================================================
If what i send is helpful please consider clicking the 'give respect' button :-)
Finally rooted. It was my first root for windows machine and I had 0 knowledge about AD, but with a help of great people I learnt a ton. I highly recommend to watch some videos about AD security and bloodhound.
If you need any help feel free to ask me, because I know how confusing it can be if you've never done anything with AD