Forest


Comments

  • edited October 2019

    Finally got root! Thanks for the help @n4v1n @rholas and @bipolarmorgan ! This was a really fun box and I learned a lot!

    thr33per

  • Really nice machine that I learned lots from, thanks @egre55 & @mrb3n .

    Took me a few days as I have zero experience of AD environments (I've been hiding in the world of Linux for far too long :)). But there are easily enough hints in the first few pages of this forum to struggle through along with the copious reading material online about AD and Kerberos (although good understanding of the latter is not really needed but is a nice to have).

    Just as a small aside, it's always the "easy" boxes that are hard! But, to be fair, I can understand why it was marked as easy, as it's just running standard scripts - nonetheless it did highlight fundamental gaps in my knowledge.

    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • Just as a small aside, it's always the "easy" boxes that are hard! But, to be fair, I can understand why it was marked as easy, as it's just running standard scripts - nonetheless it did highlight fundamental gaps in my knowledge.

    I 100% agree on that.

    Always happy to help others and remember to +respect me if I helped you ; )

  • I have been stuck on root for way too long. I have the output from dog and I can see some kind of path. But the recommended exploitation paths don't work on target.
    Can anyone please PM with some hints? Very new to AD.

    For asking help, please describe what you have tried so far, so I don't spoil too much.
    If you believe I was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • I am having trouble on the last step of root. If anyone PMs me with help, that would be appreciated!

  • Can someone give me a nudge on how to get S*d.ps1 to run on the box? I invoke the module, but when I run it, it does not give any results.

  • @Nikolay167 said:

    I'm really stuck at getting the user :( So I have a few questions. I found the user from which we can get the hash.

    I'm trying to use tool from impacket called G****T.py but after specifying -k -no-pass htb.local/{VULN USER}
    it throws me an error except the hash.

    SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

    So the question: is the problem on my end (software ver etc.) or am I doing something wrong and I will never get the hash that way?

    Did you figure it out? Cause I am stuck on the same thing.

  • I swear boxes like these ought to have reading material attached to them so that people who want to learn more don't end up almost punching a hole in the wall.
    Easy... heh... it's as easy as walking 10 m on your hands, upside down. If you don't know how to do it, it's far from easy. If you do... well...

    Tips for user: Use basic enumeration to get a list of interesting entities. Save it for later.
    Next, one of the example scripts in a certain popular tool suite, also mentioned in here, will contain a script whose help text sounds too good to be true. Find it, run it and apply "Business as usual" afterwards.

    You now have what you'd think is enough to get into the box and it is. Given that you know about this OTHER tool... Your basic enumeration may reveal the next step, but in my case it wasn't really helpful (the "version enumeration script" didn't tell me anything interesting), however if you investigate which services usually run on this one particular port, you'll find your next clue.
    For this magic trick there's a popular tool - I've been told - and a helper library for a certain crystal-like scripting language. You may even be so lucky and find example usage of it. If so, getting user is trivial.

    None of the above is easy if you don't know what to look for, by the way...


  • Rooted!
    I loved this box.
    Learned a lot about Active Directory.
    I used the dogs&cats, but for me P*****V***** didn't work so I went manually.
    If someone wants to discuss, PM me.

    Click here for HTB Profile: You are welcome to contact me for a nudge, but if I help you, please consider giving respect.

  • edited October 2019

    Anybody else getting

    Ldap Connection Failure.
    Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?
    

    Edit:
    Switched from Sharp to Blood and it worked smoothly.

    Omnisec

  • Rooted :)
    For root, my advice is to try changing the defaults of the dogs and it will show you the way.

  • edited October 2019

    Rooted. I'm not sure if this is an easy box; it took me like 3 days and somebody had to help me. The other easy boxes I rooted were, you know, easy. User is relatively easy. For root, you can try to add "something" to a group; like other users said, let the "Dog" guide you, then you can use impacket to get a certain hash.

  • Hey Hackers!

    I have mixed feelings about this box. User was not so hard, but root was a long way, which was frustrating most of the time because nothing seemed to work!

    Great thanks to all who pushed me in the right direction!

    My hints for User:

    • Enumerate with a well-known tool 4linux and then use a tool which will impackt!
    • Call your old friend John and you have all that you need!

    My hints for Root:
    !! Don't use the evil !!

    • As also documented before, take a walk with your bloodhound; when it doesn't work locally, you can google for a remote solution which will work!
    • Then find a path, but think also what components in this network (find an attack)
    • If you know what to attack, google around and there is a prog which will do the work for you to get the "Right"!
    • Now it's time to play with your cat...
    • If you got all that you need, search for a tool that will impackt

    Hope it is helpful to everybody who got stuck!

    Feel free to contact me if you can't get it!

    If I spoilered too much, please remove the post!

  • Thank you, creators, for that amazing box, I really learned a lot.

    For me the main problem was with the right commands. You might know the logic of how it should work, but something will go wrong and a solution will always be something that you never expected it to be.

    For user: Please, please double-check the commands. If you feel it's right and it doesn't give you output, please check for NULL (even if it doesn't make sense to you, try to find what can be null in the manual).

    For root: @MrPennybag above described it pretty well!

    Also, I really want to say a huge thank you guys @acidbat @Chantal2019 @GibParadox @jpredo @n4v1n for giving me nudges
    and others

  • Hey, I found the usernames. What should I do next? Should I bruteforce?

  • Hey, can anyone DM me with some help with S****H****.ps1 or .exe? I can't get it to run.

  • Managed to get user but now I'm having issues getting a certain dog to bark. Running either the binary or the PowerShell script returns nothing, I've tried directing all output streams to a file to see if there's an error that's not getting printed but the dog just isn't barking no matter what. I've tried a lot of different combinations of flags. Am I missing something?

  • edited October 2019

    Hello guys,
    a little question. Could someone explain to me what I am doing wrong with TGT?
    I managed to get credentials for sv*-*******o user, I cracked AS-REP response. Then I tried to g****T.py and I successfully saved the ticket in cache, but actually I can't do anything with that ticket.

    • I can't make smbclient with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
    • When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

    Basically I can't make any benefit from the ticket I got from KDC. I've got KRB5CCNAME env with a valid path to the cache. I also have similar time in comparison to DC.

    Can someone explain this thing to me? Am I missing something?
    I don't ask for a guide for user, just a little explanation of what I am doing wrong.
    Thanks guys.

    Edit: is this because I don't get any SPN that sv*-*******o has access to?

  • Pretty stuck on the last part, can't seem to figure out what I need to find in the "dog" program. I have all the users except admin, but my Windows knowledge is lacking. It's taken me the better part of a day so far :'(

  • This box was hard for me cuz I'm ignorant in AD.

    All the hints are here. Just a recommendation to get root: use bh with some params, and do some research about relations.

  • edited October 2019

    bh seems to be not enough. There should be something else, too.

    EDIT: bh is enough. FYI: predefined analytics suck.

  • This YouTube video may help to understand the priv esc. If it's a spoiler, delete the comment:

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • edited October 2019

    If bh does the trick, so does Dameware NT, right? *stuck on root

  • @Icyb3r said:

    This YouTube video may help to understand the priv esc. If it's a spoiler, delete the comment:

    Great, thanks for sharing. I have watched it for better understanding BH.

  • @roelvb said:

    @Icyb3r said:

    This YouTube video may help to understand the priv esc. If it's a spoiler, delete the comment:

    Great, thanks for sharing. I have watched it for better understanding BH.

    You're welcome. I think here we are practicing and learning; it's better to have a full understanding of what you are doing rather than just follow the instructions to solve the box.

    It's about how much knowledge and experience you gain. :)

    N3v3r Giv3Up, 3v3ry th!ng !s p0ss!ble .

  • edited October 2019

    Wow. Just wow. This box has had me ripping my hair out. I knew nothing about AD when I started this, today I got root. What a journey! Thanks a lot to the creators of this box, amazing how much you were able to fit into this. This box let me explore tools I've wanted to use for a long time.

    As for hints, dunno what else I can say that hasn't already been said. I was stuck on root for over a week, but I was soo close the whole time (thanks to @MrPennybag for confirming my suspicions).
    There's one tool in particular you want to use after having walked the dog. This tool comes in several flavours and lets you explore paths uncovered by the dog. I experienced some bugs at this stage, so make sure you explore every path (with said tool)!
    When successful, go back to the cat again, but make sure you don't limit yourself to krbtgt user!

    PM me if you need any help :-)

    Did I help you? Please return the favour and +1 respect me
    https://www.hackthebox.eu/home/users/profile/62941

  • I got a hash for an account, but I realized that neither John nor Hashcat seem to natively support cracking that type. Anyone have suggestions on how to crack it?

  • Why do I keep getting this error with ***SPNs.py?

    [-] Error in searchRequest -> referral: 0000202B: RefErr: DSID-031007F9, data 0, 1 access points ref 1: 'forest.htb'

    :s

  • @n0bf said:

    I got a hash for an account, but I realized that neither John nor Hashcat seem to natively support cracking that type. Anyone have suggestions on how to crack it?

    It's Hashcat for sure to crack it. Check the mode or even your hash. Maybe it's incomplete.