Forest

1235739

Comments

  • Spoiler Removed

  • Can someone PM me for root. I've done the prerequisites for the final touch of root but not getting anywhere after going for a walk with the Dog..

  • can someone PM a hint on the password?
    got a bunch of users but everything i want to connect to needs a password..
    was bruteforcing against some service but feels needless.

  • Type your comment> @p3tj3v said:

    can someone PM a hint on the password?
    got a bunch of users but everything i want to connect to needs a password..
    was bruteforcing against some service but feels needless.

    Same here. A lot of users but no password

    stats

  • Type your comment> @rholas said:

    Type your comment> @an0n said:

    is brute force required to get a password?

    Just for user, Adm... use hash

    tried, but without success. probably i am doing something wrong...

  • Type your comment> @YOLOnline said:

    Type your comment> @p3tj3v said:

    can someone PM a hint on the password?
    got a bunch of users but everything i want to connect to needs a password..
    was bruteforcing against some service but feels needless.

    Same here. A lot of users but no password

    maybe we need some custom wordlists, idk.

  • Type your comment> @an0n said:

    Type your comment> @YOLOnline said:

    Type your comment> @p3tj3v said:

    can someone PM a hint on the password?
    got a bunch of users but everything i want to connect to needs a password..
    was bruteforcing against some service but feels needless.

    Same here. A lot of users but no password

    maybe we need some custom wordlists, idk.

    Hint: The Three Headed Dog :)

  • Can someone PM me, I found the users i done a lot of enumerations but i wasn't able to gather credential to go deeper... can you give me some hint ?

  • can someone please PM me i been looking for help for days

  • This is a good box.

    To get creds: once you have compiled a list of valid accounts. Look into different roasting techniques. Make sure your libraries and tools are up to date/latest version.

    Root: I tripped myself up here and went deep down some powershell internals rabbit holes - so my advice is - after putting all the pieces together, make sure to log-off and then log-back on.

    delosucks

  • Spoiler Removed

  • Hi all,

    If someone has a post or hint discussing the methods used to extract a hash from that service, I would greatly appreciate it! Spent hours researching to no avail. I have a number of usernames, which service needs to be exploited and what toolset is used. Just haven't been able to put the pieces together. Feel like I've totally hit a wall.

    Thanks strangers!

  • So.. managed to get a shell. Got the hound running through the forest.
    But nothing seems to stick out.
    Anyone like to push me in right direction?

  • Bruteforcing isnt needed at any part of the box. Remember keberos is a lot vulnerable so google what you can get from it.
    For root : Powersploit is a lot powerful if you combine it with the BloodHound. At last step. Go back to where u began ... impacket.

    Pm for help :)

    Hack The Box

  • Just finished it.

    I don't think I would have put it in the easy category.
    Obviously, once you get it done, the process looks fairly straight forward, but finding the way and the tools...
    I did learn from it, tho, so thanking the creators is in order. And also @Ketil and @polarbearer of course.

    Hints:
    User: You have most likely already done something very similar in other boxed (I can think of two at least).
    Root: As mentioned before, the hound will find the way for you ;)

    Happy to assist if anyone needs a push.

  • Type your comment> @idomino said:

    Rooted. Seemed way more complicated to me than some of the "medium" boxes I did.

    On the topic of esoteric hints: I might be the minority here, but I like them. It's not a solution in your face, but when you find a possbile path, which "clicks" with the esoteric hint, you know it's not a rabbit hole and worth pursuing.

    I wouldn't really say being esoterically reaffirmed you aren't in a rabbit hole is that much of a hint, and it certainly does nothing to help those who need genuine direction.

    and yes this box was not 20 points IMO, sniper was way easier than this

  • edited October 2019

    Spoiler Removed

  • Impakter is always asking for passwords for normal user... Is even normal ?

  • Type your comment> @Nikolay167 said:

    Impakter is always asking for passwords for normal user... Is even normal ?

    one of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

  • I tried all kinds of shells, including meterpreter, but cannot get any output from the dog. Any hints please, am I doing it wrong or what?

  • if you aren't getting results from the dog, try barking at it with a regular cmd prompt instead of powershell.....

    For those stuck trying to find the user password ... impacket is very useful! it's a bit overwhelming at first, because there are so many scripts, but you'll find what you are looking for eventually. have patience, young padawan!

  • I am having troubles with the dog. Let's see if anyone can help me with it.
    While on Windows VM, and using r**as with low priv user, I changed DNS and so on, Test-Conn works, ping domain works but the dog can't seem to connect no matter what arguments I use, anyone has any idea why? Thanks in advance folks!

  • Can someone please give me a hint for the initial foothold?

  • edited October 2019

    Type your comment> @Drac0l17ch said:

    Type your comment> @Nikolay167 said:

    Impakter is always asking for passwords for normal user... Is even normal ?

    one of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

    almost spoiler (for anyone who knows how to use "grep"), thanks anyways =)

  • Type your comment> @v01t4ic said:

    Type your comment> @Drac0l17ch said:

    Type your comment> @Nikolay167 said:

    Impakter is always asking for passwords for normal user... Is even normal ?

    one of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

    almost spoiler (for anyone who knows how to use "grep"), thanks anyways =)

    you caught that! Good on ya!

  • Type your comment> @RandomPerson00 said:

    Can someone please give me a hint for the initial foothold?

    Step 1 - Enumeration -get open ports
    -get potential usernames
    -get system information
    -get encrypted passwords and crack
    Congrats Foothold

  • Type your comment> @Drac0l17ch said:

    Type your comment> @RandomPerson00 said:

    Can someone please give me a hint for the initial foothold?

    Step 1 - Enumeration -get open ports
    -get potential usernames
    -get system information
    -get encrypted passwords and crack
    Congrats Foothold

    You mean: Congrats User flag ;)

  • Fun so far.. for user: Use the tool posted here by many people to enumerate and get an encrypted password to crack. To use said credentials make sure you don't JUST scan the top ports so you can see all your available options :)

    Working on root..

  • rooted this bastard ^^ ... getting admin took me about 5 hours in order to get the exact right syntax for the p****view function. Was a great reminder for the dog usage.

    Tips:

    Discovery: impacket
    User: more impacket
    Root: the dog will tell you all + check the exact correct syntax for your commands

    Cheers.

  • Excellent work to @egre55 & @mrb3n.

    Plenty of nudges in this thread. Cheers to @DaChef for banging his head against the keyboard with me because syntax is a thing :).

    For user: Ensure you enumerate the listening services. You can use nmap, impacket, or other tools for this. Once you have some usernames. There are certain ways to use those and get some creds. There's a ruby script that has been discussed in different Windows machines you can use as well.

    For Root: AD enumeration is key. Get the "dog" to work. Go through the output. Google what the relationships mean if you're not sure. Start with what your current "touches" if you're lost. Once you find something nice, you can leverage impacket tools to get ya some fat hashes :).

    DM me if you need nudges.

    "ClickmedotEXE"
    CISSP | OSCP
    arodtube

Sign In to comment.