Forest


Comments

  • @wo1f said:

    I got the lowpriv user creds but can't access the machine... What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can't change the default ports.
    I keep getting rpc_s_access_denied.
    Any nudge is appreciated!

    for smb (as said above) you need writable admin$ or c$ to execute commands, you need to find another service

    nemesis73

  • there must be something I miss ? like many others getting the usersID's was easy but how to get the pw ? ... all those imp- scripts require a valid cred right ?

  • @dodosstuff said:

    there must be something I miss ? like many others getting the usersID's was easy but how to get the pw ? ... all those imp- scripts require a valid cred right ?

    One of the scripts will give you the pw ha**.

  • Hi all

    I'm in the road for root since 2 days
    I used the dogs tool, have the schema, and also changed the pass of a user se**** and verified this with smb. But I'm stuck here, can't use these new creds to authenticate as him trying runas pow..shell or wi**m from output but nothing

    Can someone tell a nudge please
  • edited October 2019

    For those with little knowledge on the attack vector this is a great resource, in fact the whole repo is a gem:

    https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Active Directory Attack.md

  • here's a GREAT hint

  • did MS disable SMB share from linux boxes? I read somewhere that they did. Do I need a windows box to do this machine?

  • edited October 2019

    @wo1f said:

    I got the lowpriv user creds but can't access the machine... What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can't change the default ports.
    I keep getting rpc_s_access_denied.
    Any nudge is appreciated!

    EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before :)

    I'm in the same boat! any nudge for user shell?

    Update: got user, on to root ;)

  • I have mixed feelings about this box. On the one hand it involves some classic windows vulnerabilities. On the other I would consider the pre-requisite knowledge too high for a meager 20 points.

    That box was all new to me and I have discovered some fantastic tools that I will be using more of.

  • edited October 2019

    why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren't helping by referring to animals... regardless of the context of how it relates for you, that doesn't mean it will relate for them. Give real hints to people, JEEZ

    If anyone gets stuck PM me, I'll do my best to give quality hints without any spoilers.

  • edited October 2019

    @bipolarmorgan said:

    why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren't helping by referring to animals... regardless of the context of how it relates for you, that doesn't mean it will relate for them. Give real hints to people, JEEZ

    If anyone gets stuck PM me, I'll do my best to give quality hints without any spoilers.

    you'll find that sort of esoteric "hint" giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say "root dance" and "ENuMerAtIon iz Key!"

  • @RawrRadioMouse said:

    @bipolarmorgan said:

    why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren't helping by referring to animals... regardless of the context of how it relates for you, that doesn't mean it will relate for them. Give real hints to people, JEEZ

    If anyone gets stuck PM me, I'll do my best to give quality hints without any spoilers.

    you'll find that sort of esoteric "hint" giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say "root dance" and "ENuMerAtIon iz Key!"

    True... and it's rather annoying. But for realz, enumeration is the key... but finding the lock is harder than basic enumeration. You can enumerate everything and if you don't know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.

  • i'm with root and i think i found something by enumerating the AD.. but it seems like it is not alive!

  • I'm stuck on S****H****.ps1 loading. Even its exe version doesn't work for me. Can someone give me a nudge?

  • Any nudge for the privesc would be appreciated!! I worked through the https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Active Directory Attack.md#dumping-ad-domain-credentials-systemrootntdsntdsdit
    but I keep getting access denied everywhere. Obviously I am missing something subtle.

    Arrexel

  • @phat said:

    I'm stuck on S****H****.ps1 loading. Even its exe version doesn't work for me. Can someone give me a nudge?

    are you getting an error or is it just not giving any output?

  • Guys if anyone needs help with this box, this should help you:

  • No output at all. I also tried to redirect the output to a file but nothing happened
  • Spoiler Removed

  • 20 points???!!

    My advice:

    When you get to the map, don't rely too much on the arguments bloodhound gives you in its abuse info.

  • My connection dies when i invoke b****h****.

  • @phat said:

    My connection dies when i invoke b****h****.

    Maybe try a more up to date version of S****H**** or remotely via python version, but beware: the remote version did not grab all info first time around for me and gave me a false view of things.

  • rooted -- I usually try to keep away from rants or other comments about boxes here, cause I really value the learning experience of all of them. Thanks to the creators for this journey on forest but I'm really torn whether you should depict that this is a 20 pts box. Fell for a lot of rabbit holes and quirks that relevant tooling has.

  • I'm trying to get creds with nmap using the brute L*** script but I get nothing, it says valid creds but says empty
    can someone PM me, I have been waiting 2 days for some help.
    Thanks

  • Rooted. Don't think it's a 20 pts box.
    Everything is already in the thread for user, use basic enumeration + impacket.
    For root it won't be so hard if you rooted "Reel" machine. Just don't go very far, try impacket on the very last step

    dsavitski
    PM for hints, but try to describe exactly where u are on the box and what you've tried. Don't forget about +respect button:)

  • Rooted. Seemed way more complicated to me than some of the "medium" boxes I did.

    On the topic of esoteric hints: I might be the minority here, but I like them. It's not a solution in your face, but when you find a possible path, which "clicks" with the esoteric hint, you know it's not a rabbit hole and worth pursuing.

  • is brute force required to get a password?

  • @an0n said:

    is brute force required to get a password?

    Just for user, Adm... use hash

  • @bipolarmorgan said:

    @phat said:

    I'm stuck on S****H****.ps1 loading. Even its exe version doesn't work for me. Can someone give me a nudge?

    are you getting an error or is it just not giving any output?

    For me I'm just not getting any output.. Can you nudge me in the right direction?
