I got the lowpriv user creds but can't access the machine... What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can't change the default ports.
I keep getting rpc_s_access_denied.
Any nudge is appreciated!
EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before
Comments
@wo1f said:
for smb (as said above) you need writable admin$ or c$ to execute commands, you need to find another service
There must be something I miss? Like many others, getting the user IDs was easy, but how to get the pw? ... All those imp- scripts require a valid cred, right?
@dodosstuff said:
One of the scripts will give you the pw ha**.
I've been on the road to root for 2 days
I used the dogs tool, have the schema, and also changed the pass of a user se**** and verified this with smb. But I'm stuck here: I can't use these new creds to authenticate as him. Tried runas, pow..shell or wi**m from the output, but nothing
Can someone give a nudge, please?
For those with little knowledge on the attack vector this is a great resource, in fact the whole repo is a gem:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Active Directory Attack.md
Here's a GREAT hint
Did MS disable SMB shares from Linux boxes? I read somewhere that they did. Do I need a Windows box to do this machine?
@wo1f said:
I'm in the same boat! any nudge for user shell?
Update: got user, on to root
I have mixed feelings about this box. On the one hand it involves some classic Windows vulnerabilities. On the other I would consider the prerequisite knowledge too high for a meager 20 points.
That box was all new to me and I have discovered some fantastic tools that I will be using more of.
why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren't helping by referring to animals... regardless of the context of how it relates for you, that doesn't mean it will relate for them. Give real hints to people, JEEZ
If anyone gets stuck PM me, I'll do my best to give quality hints without any spoilers.
@bipolarmorgan said:
you'll find that sort of esoteric "hint" giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say "root dance" and "ENuMerAtIon iz Key!"
@RawrRadioMouse said:
True... and it's rather annoying. But for realz, enumeration is the key... but finding the lock is harder than basic enumeration. You can enumerate everything and if you don't know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.
I'm with root and I think I found something by enumerating the AD.. but it seems like it is not alive!
If you like my advice, please give me some respect! Just click the badge and find the respect button on my profile. Thanks!
I'm stuck on S****H****.ps1 loading. Even its exe version doesn't work for me. Can someone give me a nudge?
Any nudge for the privesc would be appreciated!! I worked through the https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology and Resources/Active Directory Attack.md#dumping-ad-domain-credentials-systemrootntdsntdsdit
but I keep getting access denied everywhere. Obviously I am missing something subtle.
@phat said:
are you getting an error or is it just not giving any output?
Guys if anyone needs help with this box, this should help you:
Spoiler Removed
20 points???!!
My advice:
When you get to the map, don't rely too much on the arguments bloodhound gives you in its abuse info.
My connection dies when I invoke b****h****.
@phat said:
Maybe try a more up-to-date version of S****H**** or remotely via the python version, but beware: the remote version did not grab all info first time around for me and gave me a false view of things.
rooted -- I usually try to keep away from rants or other comments about boxes here, 'cause I really value the learning experience of all of them. Thanks to the creators for this journey on Forest but I'm really torn whether you should depict that this is a 20 pts box. Fell for a lot of rabbit holes and quirks that relevant tooling has.
I'm trying to get creds with nmap using the brute L*** script but I get nothing; it says valid creds but says empty
Can someone PM me? I have been waiting 2 days for some help.
Thanks
Rooted. Don't think it's a 20 pts box.
Everything is already in the thread for user, use basic enumeration + impacket.
For root it won't be so hard if you rooted "Reel" machine. Just don't go very far, try impacket on the very last step
PM for hints, but try to describe exactly where u are on the box and what you've tried. Don't forget about +respect button:)
Rooted. Seemed way more complicated to me than some of the "medium" boxes I did.
On the topic of esoteric hints: I might be the minority here, but I like them. It's not a solution in your face, but when you find a possible path, which "clicks" with the esoteric hint, you know it's not a rabbit hole and worth pursuing.
is brute force required to get a password?
@an0n said:
Just for user, Adm... use hash
@bipolarmorgan said:
For me I'm just not getting any output.. Can you nudge me in the right direction?