Forest

1356739

Comments

  • Am i right in thinking resp**der is the way to go with this?

  • edited October 2019

    rooted
    I learnt a lot

  • I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

  • Type your comment> @maimsing said:

    I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

    Same here. "Impacket" has a lot in it, a lot of example scripts and appears to cover the panoply of Windows-related services, protocols, and such. I don't want a spoiler either but a bit of context would be helpful. It sounds like one should be able to retrieve one users credentials? (That sounds fantastical, but my Windows-fu is weaksauce still.)

  • Just owned root on this box. This is my favorite Windows box so far! I really learned a lot about Active Directory and different ways to obtain Domain Admin - and that's your hint too. It's all about AD.

  • I used multiple tools > @ue4dai said:

    Type your comment> @maimsing said:

    I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

    Same here. "Impacket" has a lot in it, a lot of example scripts and appears to cover the panoply of Windows-related services, protocols, and such. I don't want a spoiler either but a bit of context would be helpful. It sounds like one should be able to retrieve one users credentials? (That sounds fantastical, but my Windows-fu is weaksauce still.)

    agreed. Can anyone provide a hint besides "rooted, great box, try harder"?

    Huejash0le

  • wwahhaaaa fun and really enjoyable machine, previous knowledge certenly helps a lot here but i still ended up getting some new dirt under my fingers.

    User: i get reminded of certain types food with this attack.
    Root: Create a map of the road through the forest, there are many roads but few which leads where you neeed to go.

    Thanks @egre55 @mrb3n

    -All hail the Potato-

  • edited October 2019

    Type your comment> @Ammit said:

    Am i right in thinking resp**der is the way to go with this?

    Responder is basically a LLMNR poisoner, so you need to be in the same network as the target. So no.

  • @syn4ps

    I dont agree with your premise that its "basically" llmnr poisoning, iv used it pleanty of times here, yes one of the features of the suite does not work due to the way the infrastructure is built, but that does not nullify all the other stuff the application offers.

    -All hail the Potato-

  • Got the password for s**********o. can't figure out what to do with it...
    p****c is no go because we don't have write access to A****$...
    I must have missed some service which I can login to with those creds.
    Nudge pls?

  • Type your comment> @DaChef said:

    Type your comment> @minimal0 said:

    Type your comment> @Crafty said:

    (Quote)
    same.
    Thanks to Dreadless, i got the pass.
    I like the box on terms of how many new tools i come across :D
    But stuck again. tried so many things, but none worked. Maybe i just need to pause a day or so.

    Does anyone has good articles of Windows pen testing? I only come across the same old exploit again and again...

    Guys to use p****c or w****c you need writable C$ or ADMIN$ share!
    Check the ports again, one of them can give you a shell if you have a set of valid creds!

    Thanks a lot! Got it
    I feel really dumb right now.... :D

  • Hi any hints on root? tried uploading the cat but through evil***** i think it doesn't work?

  • I got a valid username and password pretty easily but now I do not know where to use them. Could someone please pm me a small hint on what I could be missing? Help is much appreciated!

  • Thanks @pist4chios

    It definitely has nothing to do with responder, how embarrassing :D

  • edited October 2019

    Finally rooted forest learned A TON for AD some hints are:
    User: Check ALL ports after users list don't overthink it 3 heads are better than one ;)
    Root: Hounds and cats

    Thanks @egre55 @mrb3n

    amra13579l

  • Anyone willing to give me a nudge in the right direction for finding user's pass? I haven't been able to find a way to dump more info and i don't think i'm supposed to be brute forcing?

  • zdfzdf
    edited October 2019

    got r00t. I found an easier way to pwn the admin account which didnt even require me to interact with the powershell or do any exploitation.

    Hints :
    user - enumerate, do google researches on what you can get from the services in the open ports.
    r00t - impacket. Play with the tools. It's so simple. Just learn what they do and you will know which one you need

    Great Box.

    Hack The Box

  • Type your comment> @rbt said:

    got r00t. I found an easier way to pwn the admin account which didnt even require me to interact with the powershell or do any exploitation.

    Hints :
    user - enumerate, do google researches on what you can get from the services in the open ports.
    r00t - impacket. Play with the tools. It's so simple. Just learn what they do and you will know which one you need

    Great Box.

    Oooh. I thought that impacket was needed for user.
    Still a bit overwhelmed where to look regarding user, but I will stop mucking about with impacket for the time being then and go recon-a-go-go again-o.

  • Type your comment> @ue4dai said:

    Type your comment> @rbt said:

    got r00t. I found an easier way to pwn the admin account which didnt even require me to interact with the powershell or do any exploitation.

    Hints :
    user - enumerate, do google researches on what you can get from the services in the open ports.
    r00t - impacket. Play with the tools. It's so simple. Just learn what they do and you will know which one you need

    Great Box.

    Oooh. I thought that impacket was needed for user.
    Still a bit overwhelmed where to look regarding user, but I will stop mucking about with impacket for the time being then and go recon-a-go-go again-o.

    Impacket unlocks both user and r00t. Just different tools for each.

    Hack The Box

  • edited October 2019

    Impacket unlocks both user and r00t. Just different tools for each.

    Don't think this is fully possible for root though it's possible to get lucky...

    (EDIT: I mean only using impacket for root but please PM me if I'm wrong, would love to learn something new)

  • Spoiler Removed

  • Type your comment> @DaChef said:

    Just rooted and it was a quite amazing box!
    Hints:

    Initial: Run Basic enumeration scripts

    User: Impacket

    Root: The "Dog" will do the trick!

    Any chance you can DM me what the "Dog" is lol

    Hack The Box

  • Anyone who has used the "dog" can you help? can't seem to get it to run...

    Hack The Box

  • Really good box, learned alot!

    Here are some tips
    User: Look at all the different services available to you, research all the different techniques to exploit them. once you have creds, use the higher port to get a shell. There's a really useful tool someone posted here on the forums you can use to help.

    Root: You should know by now what the role of this machine in a network is. If you've researched privilege escalation options for this, the "dog" you need to use should be apparent. If you're having trouble getting the tool to work on the box, try switch to a meterpreter shell. From here, you should be able to see a path.

  • Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

  • Type your comment> @Klamby said:

    Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

    you must crack a hash

    c4rl3tt0

  • edited October 2019

    Hi, if someone could DM me, I have creds, but no access to anything, I will better explain in DM. Thanks :)

    edit: NVM got it. On root now

  • PM for nuggets

  • edited October 2019

    I got the lowpriv user creds but can't access the machine... What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can't change the default ports.
    I keep getting rpc_s_access_denied.
    Any nudge is appreciated!

    EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before :)

    Arrexel

  • Type your comment> @Dreadless said:

    Type your comment> @DaChef said:

    Just rooted and it was a quite amazing box!
    Hints:

    Initial: Run Basic enumeration scripts

    User: Impacket

    Root: The "Dog" will do the trick!

    Any chance you can DM me what the "Dog" is lol

    Google for a dog in the greek mythology ;)

Sign In to comment.