Forest

@Crafty said:

@3XsAGbKHsb7FPY said:
I’m stuck on creds. Got a valid login-pass but couldn’t find where to use it. I tried modules like pc, w**c and others from the tool, but get permission denied. Could someone give a nudge?

I’m on the exact same spot!
I don’t know if we need to find another user/pass… It looks like our user is at a very low privilege.

Same.
Thanks to Dreadless, I got the pass.
I like the box in terms of how many new tools I come across :smiley:
But stuck again. Tried so many things, but none worked. Maybe I just need to pause a day or so.

Does anyone have good articles on Windows pen testing? I only come across the same old exploit again and again…

@minimal0 said:

@Crafty said:

(Quote)
Same.
Thanks to Dreadless, I got the pass.
I like the box in terms of how many new tools I come across :smiley:
But stuck again. Tried so many things, but none worked. Maybe I just need to pause a day or so.

Does anyone have good articles on Windows pen testing? I only come across the same old exploit again and again…

Guys, to use pc or wc you need a writable C$ or ADMIN$ share!
Check the ports again, one of them can give you a shell if you have a set of valid creds!

Am I right in thinking resp**der is the way to go with this?

rooted
I learnt a lot

I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

@maimsing said:

I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

Same here. “Impacket” has a lot in it, a lot of example scripts and appears to cover the panoply of Windows-related services, protocols, and such. I don’t want a spoiler either but a bit of context would be helpful. It sounds like one should be able to retrieve one user’s credentials? (That sounds fantastical, but my Windows-fu is weaksauce still.)

Just owned root on this box. This is my favorite Windows box so far! I really learned a lot about Active Directory and different ways to obtain Domain Admin - and that’s your hint too. It’s all about AD.

I used multiple tools > @ue4dai said:

@maimsing said:

I have the users but struggling to find the password everyone is talking about, any nudge is much appreciated

Same here. “Impacket” has a lot in it, a lot of example scripts and appears to cover the panoply of Windows-related services, protocols, and such. I don’t want a spoiler either but a bit of context would be helpful. It sounds like one should be able to retrieve one user’s credentials? (That sounds fantastical, but my Windows-fu is weaksauce still.)

Agreed. Can anyone provide a hint besides “rooted, great box, try harder”?

wwahhaaaa fun and really enjoyable machine, previous knowledge certainly helps a lot here but I still ended up getting some new dirt under my fingers.

User: I get reminded of certain types of food with this attack.
Root: Create a map of the road through the forest, there are many roads but few which lead where you need to go.

Thanks @egre55 @mrb3n

@Ammit said:

Am I right in thinking resp**der is the way to go with this?

Responder is basically a LLMNR poisoner, so you need to be in the same network as the target. So no.

@syn4ps

I don’t agree with your premise that it’s “basically” LLMNR poisoning, I’ve used it plenty of times here. Yes, one of the features of the suite does not work due to the way the infrastructure is built, but that does not nullify all the other stuff the application offers.

Got the password for s**o. Can’t figure out what to do with it…
pc is no go because we don’t have write access to A$…
I must have missed some service which I can log in to with those creds.
Nudge pls?

@DaChef said:

@minimal0 said:

@Crafty said:

(Quote)
Same.
Thanks to Dreadless, I got the pass.
I like the box in terms of how many new tools I come across :smiley:
But stuck again. Tried so many things, but none worked. Maybe I just need to pause a day or so.

Does anyone have good articles on Windows pen testing? I only come across the same old exploit again and again…

Guys, to use pc or wc you need a writable C$ or ADMIN$ share!
Check the ports again, one of them can give you a shell if you have a set of valid creds!

Thanks a lot! Got it
I feel really dumb right now… :smiley:

Hi, any hints on root? Tried uploading the cat but through evil***** I think it doesn’t work?

I got a valid username and password pretty easily but now I do not know where to use them. Could someone please pm me a small hint on what I could be missing? Help is much appreciated!

Thanks @pist4chios

It definitely has nothing to do with responder, how embarrassing :smiley:

Finally rooted Forest, learned A TON for AD. Some hints are:
User: Check ALL ports after users list, don’t overthink it, 3 heads are better than one :wink:
Root: Hounds and cats

Thanks @egre55 @mrb3n

Anyone willing to give me a nudge in the right direction for finding user’s pass? I haven’t been able to find a way to dump more info and I don’t think I’m supposed to be brute forcing?

Got r00t. I found an easier way to pwn the admin account which didn’t even require me to interact with the powershell or do any exploitation.

Hints:
user - enumerate, do Google research on what you can get from the services in the open ports.
r00t - impacket. Play with the tools. It’s so simple. Just learn what they do and you will know which one you need

Great Box.

@rbt said:

Got r00t. I found an easier way to pwn the admin account which didn’t even require me to interact with the powershell or do any exploitation.

Hints:
user - enumerate, do Google research on what you can get from the services in the open ports.
r00t - impacket. Play with the tools. It’s so simple. Just learn what they do and you will know which one you need

Great Box.

Oooh. I thought that impacket was needed for user.
Still a bit overwhelmed where to look regarding user, but I will stop mucking about with impacket for the time being then and go recon-a-go-go again-o.