Forest

Really good box, learned a lot!

Here are some tips
User: Look at all the different services available to you, research all the different techniques to exploit them. Once you have creds, use the higher port to get a shell. There’s a really useful tool someone posted here on the forums you can use to help.

Root: You should know by now what the role of this machine in a network is. If you’ve researched privilege escalation options for this, the “dog” you need to use should be apparent. If you’re having trouble getting the tool to work on the box, try switching to a meterpreter shell. From here, you should be able to see a path.

Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

@Klamby said:

Can anyone confirm whether brute-forcing is necessary for user, or are there other ways?

you must crack a hash

Hi, if someone could DM me, I have creds, but no access to anything, I will better explain in DM. Thanks :slight_smile:

edit: NVM got it. On root now

PM for nuggets

I got the lowpriv user creds but can’t access the machine… What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can’t change the default ports.
I keep getting rpc_s_access_denied.
Any nudge is appreciated!

EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before :slight_smile:

@Dreadless said:

@DaChef said:

Just rooted and it was a quite amazing box!
Hints:

Initial: Run Basic enumeration scripts

User: Impacket

Root: The “Dog” will do the trick!

Any chance you can DM me what the “Dog” is lol

Google for a dog in the greek mythology :wink:

@wo1f said:

I got the lowpriv user creds but can’t access the machine… What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can’t change the default ports.
I keep getting rpc_s_access_denied.
Any nudge is appreciated!

for smb (as said above) you need writable admin$ or c$ to execute commands, you need to find another service

There must be something I miss? Like many others, getting the user IDs was easy, but how to get the pw? … All those imp- scripts require a valid cred, right?

@dodosstuff said:

There must be something I miss? Like many others, getting the user IDs was easy, but how to get the pw? … All those imp- scripts require a valid cred, right?

One of the scripts will give you the pw ha**.

Hi all

I’ve been on the road for root for 2 days.
I used the dog’s tool, have the schema, and also changed the pass of a user se**** and verified this with smb. But I’m stuck here: I can’t use these new creds to authenticate as him. Tried runas, pow…shell or wi**m from output, but nothing.

Can someone give a nudge, please?

For those with little knowledge on the attack vector this is a great resource, in fact the whole repo is a gem:

Here’s a GREAT hint: HackTheBox - Active - YouTube

Did MS disable SMB share from Linux boxes? I read somewhere that they did. Do I need a Windows box to do this machine?

@wo1f said:

I got the lowpriv user creds but can’t access the machine… What is this mystical higher port that will give me shell access? I only see S*B services pretty much and the mainstream impacket tools which give shell require write access to the share and you can’t change the default ports.
I keep getting rpc_s_access_denied.
Any nudge is appreciated!

EDIT: Found out the port and service. Initially thought it was not something I could connect to but thanks to nudge from @PercyJackson35 I learned a new tool that I did not know before :slight_smile:

I’m in the same boat! any nudge for user shell?

Update: got user, on to root :wink:

I have mixed feelings about this box. On the one hand it involves some classic Windows vulnerabilities. On the other I would consider the pre-requisite knowledge too high for a meager 20 points.

That box was all new to me and I have discovered some fantastic tools that I will be using more of.

why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren’t helping by referring to animals… regardless of the context of how it relates for you, that doesn’t mean it will relate for them. Give real hints to people, JEEZ

If anyone gets stuck PM me, I’ll do my best to give quality hints without any spoilers.

@bipolarmorgan said:

why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren’t helping by referring to animals… regardless of the context of how it relates for you, that doesn’t mean it will relate for them. Give real hints to people, JEEZ

If anyone gets stuck PM me, I’ll do my best to give quality hints without any spoilers.

you’ll find that sort of esoteric “hint” giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say “root dance” and “ENuMerAtIon iz Key!”

@RawrRadioMouse said:

@bipolarmorgan said:

why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren’t helping by referring to animals… regardless of the context of how it relates for you, that doesn’t mean it will relate for them. Give real hints to people, JEEZ

If anyone gets stuck PM me, I’ll do my best to give quality hints without any spoilers.

you’ll find that sort of esoteric “hint” giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say “root dance” and “ENuMerAtIon iz Key!”

True… and it’s rather annoying. But for realz, enumeration is the key… but finding the lock is harder than basic enumeration. You can enumerate everything and if you don’t know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.

I’m with root and I think I found something by enumerating the AD… but it seems like it is not alive!