Active any hints

I get what I need to look at for getting root thanks to the hints here, but I’m struggling to find decent reading material to learn how to perform the steps. Could someone PM me some articles or something to help me better understand?

I spent hours and my brain is washed. I was just trying my first box. Is it related to SMB? Thanks.

Got root… would say that very good hints are already provided here for both user and priv esc.

@Moliata said:
I spent hours and my brain is washed. I was just trying my first box. Is it related to SMB? Thanks.

This is not a good first box unless you already know AD, and have experience in mixed AD-Linux environments.

Got root) if someone needs a hint pm me

Got root, very interesting machine. As people have said, it is very real, and the fact that it is on Windows makes it better. Thanks to @n01n02H for all the help. PM if you need any hint!

I confirm @Blastware’s comment; I got Domain Admin this way during a pentest at my office.

I don’t understand why my enum is not working. I talked to another person and their s**client was working fine but I keep getting connection reset all the time…

Try using GitHub - m8sec/nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. instead of enum4linux :)

In reply to @mercwri:
Which box do you recommend to start with?

Anyone able to give me any hints on getting the root flag?

Also I don’t know why people remove my comments as spoilers! It’s about helping people

can’t manage how to use john to do the job

@Moliata said:
In reply to @mercwri:
Which box do you recommend to start with?

Perhaps for a start you should have a glance at Jerry. It’s also recommended to work with the retired machines, as good write-ups and videos are available directly on the machines’ profile pages, or you may ask aunt Google. You can learn a lot from these.

Cracking at 407.1 kH/s - Does anyone wanna give me a hand in regards to what wordlist :)

Great box, really enjoyed it. Lots to learn. I disagree with people saying all you need is Kali! There are tools out there that you will need to download to enable you to complete this. The tools I used were:
Nullinux - GitHub - m8sec/nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
CME (CrackMapExec) - GitHub - Porchetta-Industries/CrackMapExec: A swiss army knife for pentesting networks
ImPacket - GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.

Enjoy

@seiyathesinx said:
can’t manage how to use john to do the job

You might need a bigger version of John.

So getting root on Active was surprisingly difficult for so few points. The hints here are useful and the tips people gave me were invaluable.

It turns out a lot of the problems were linked to the versions of software I had running. The best suggestion I can give about that is if you try something which should work but gets error messages, google the messages. You might find out it is a known problem and using version 0.9.18-dev or the Magnum version solves it.

@nullsession0x said:
Great box, really enjoyed it. Lots to learn. I disagree with people saying all you need is Kali! There are tools out there that you will need to download to enable you to complete this. The tools I used were:
Nullinux - GitHub - m8sec/nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
CME (CrackMapExec) - GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networks
ImPacket - GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.

Enjoy

impacket was installed but I needed to upgrade it because the installed one was not compatible with some Python library which caused a weird error … (known issue, discussed on the impacket github page)
Then I used hashcat for cracking (on another box for performance reasons) rather than installing the ‘bigger version of john’.
But other than that, I only used kali tools.

I also enjoyed this box - this example is a bit extreme of course, but in general it’s a really realistic misconfiguration. Sometimes it’s tricky to make special k******* configurations work, like delegation and including boxes on different OSs and several ‘hops’ … and you are super happy if it finally works at all. Then you probably don’t remove all your ‘test’ configurations and replace the ‘test’ password of these special accounts by something more secure…

@kekra said:

@nullsession0x said:
Great box, really enjoyed it. Lots to learn. I disagree with people saying all you need is Kali! There are tools out there that you will need to download to enable you to complete this. The tools I used were:
Nullinux - GitHub - m8sec/nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
CME (CrackMapExec) - GitHub - byt3bl33d3r/CrackMapExec: A swiss army knife for pentesting networks
ImPacket - GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.

Enjoy

impacket was installed but I needed to upgrade it because the installed one was not compatible with some Python ASN library which caused a weird error … (known issue, discussed on the impacket github page)
Then I used hashcat for cracking (on another box for performance reasons) rather than installing the ‘bigger version of john’.
But other than that, I only used kali tools.

I also enjoyed this box - this example is a bit extreme of course, but in general it’s a really realistic misconfiguration. Sometimes it’s tricky to make special k******* configurations work, like delegation and including boxes on different OSs and several ‘hops’ … and you are super happy if it finally works at all. Then you probably don’t remove all your ‘test’ configurations and replace the ‘test’ password of these special accounts by something more secure…

What tool did you use to enumerate SMB share?