Forest

I got a valid username and password pretty easily but now I do not know where to use them. Could someone please pm me a small hint on what I could be missing? Help is much appreciated!

Thanks @pist4chios

It definitely has nothing to do with responder, how embarrassing :smiley:

Finally rooted Forest, learned A TON for AD. Some hints are:
User: Check ALL ports after users list don’t overthink it 3 heads are better than one :wink:
Root: Hounds and cats

Thanks @egre55 @mrb3n

Anyone willing to give me a nudge in the right direction for finding user’s pass? I haven’t been able to find a way to dump more info and I don’t think I’m supposed to be brute forcing?

got r00t. I found an easier way to pwn the admin account which didn’t even require me to interact with the powershell or do any exploitation.

Hints:
user - enumerate, do Google research on what you can get from the services in the open ports.
r00t - impacket. Play with the tools. It’s so simple. Just learn what they do and you will know which one you need

Great Box.

> @rbt said:
>
> got r00t. I found an easier way to pwn the admin account which didn’t even require me to interact with the powershell or do any exploitation.
>
> Hints:
> user - enumerate, do Google research on what you can get from the services in the open ports.
> r00t - impacket. Play with the tools. It’s so simple. Just learn what they do and you will know which one you need
>
> Great Box.

Oooh. I thought that impacket was needed for user.
Still a bit overwhelmed where to look regarding user, but I will stop mucking about with impacket for the time being then and go recon-a-go-go again-o.

> @ue4dai said:
>
> > @rbt said:
> >
> > got r00t. I found an easier way to pwn the admin account which didn’t even require me to interact with the powershell or do any exploitation.
> >
> > Hints:
> > user - enumerate, do Google research on what you can get from the services in the open ports.
> > r00t - impacket. Play with the tools. It’s so simple. Just learn what they do and you will know which one you need
> >
> > Great Box.
>
> Oooh. I thought that impacket was needed for user.
> Still a bit overwhelmed where to look regarding user, but I will stop mucking about with impacket for the time being then and go recon-a-go-go again-o.

Impacket unlocks both user and r00t. Just different tools for each.

> Impacket unlocks both user and r00t. Just different tools for each.

Don’t think this is fully possible for root though it’s possible to get lucky…

(EDIT: I mean only using impacket for root but please PM me if I’m wrong, would love to learn something new)

Spoiler Removed

> @DaChef said:
>
> Just rooted and it was a quite amazing box!
> Hints:
>
> Initial: Run Basic enumeration scripts
>
> User: Impacket
>
> Root: The “Dog” will do the trick!

Any chance you can DM me what the “Dog” is lol

Anyone who has used the “dog” can you help? can’t seem to get it to run…

Really good box, learned a lot!

Here are some tips
User: Look at all the different services available to you, research all the different techniques to exploit them. Once you have creds, use the higher port to get a shell. There’s a really useful tool someone posted here on the forums you can use to help.

Root: You should know by now what the role of this machine in a network is. If you’ve researched privilege escalation options for this, the “dog” you need to use should be apparent. If you’re having trouble getting the tool to work on the box, try switching to a meterpreter shell. From here, you should be able to see a path.

Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

> @Klamby said:
>
> Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

you must crack a hash

Hi, if someone could DM me, I have creds, but no access to anything, I will better explain in DM. Thanks :slight_smile:

edit: NVM got it. On root now

PM for nuggets

I got the lowpriv user creds but can’t access the machine… What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can’t change the default ports.
I keep getting rpc_s_access_denied.
Any nudge is appreciated!

EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before :slight_smile:

> @Dreadless said:
>
> > @DaChef said:
> >
> > Just rooted and it was a quite amazing box!
> > Hints:
> >
> > Initial: Run Basic enumeration scripts
> >
> > User: Impacket
> >
> > Root: The “Dog” will do the trick!
>
> Any chance you can DM me what the “Dog” is lol

Google for a dog in Greek mythology :wink:

> @wo1f said:
>
> I got the lowpriv user creds but can’t access the machine… What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can’t change the default ports.
> I keep getting rpc_s_access_denied.
> Any nudge is appreciated!

for smb (as said above) you need writable admin$ or c$ to execute commands, you need to find another service

There must be something I’m missing? Like many others, getting the user IDs was easy, but how to get the pw? … All those imp- scripts require a valid cred, right?