Forest

So… managed to get a shell. Got the hound running through the forest.
But nothing seems to stick out.
Anyone like to push me in right direction?

Bruteforcing isn't needed at any part of the box. Remember Kerberos is very vulnerable, so google what you can get from it.
For root: PowerSploit is very powerful if you combine it with BloodHound. At the last step, go back to where you began … impacket.

PM for help 🙂

Just finished it.

I don’t think I would have put it in the easy category.
Obviously, once you get it done, the process looks fairly straightforward, but finding the way and the tools…
I did learn from it, tho, so thanking the creators is in order. And also @Ketil and @polarbearer of course.

Hints:
User: You have most likely already done something very similar in other boxes (I can think of two at least).
Root: As mentioned before, the hound will find the way for you 😉

Happy to assist if anyone needs a push.

@idomino said:

Rooted. Seemed way more complicated to me than some of the “medium” boxes I did.

On the topic of esoteric hints: I might be the minority here, but I like them. It’s not a solution in your face, but when you find a possible path, which “clicks” with the esoteric hint, you know it’s not a rabbit hole and worth pursuing.

I wouldn’t really say being esoterically reaffirmed you aren’t in a rabbit hole is that much of a hint, and it certainly does nothing to help those who need genuine direction.

And yes, this box was not 20 points IMO, Sniper was way easier than this.

Impacket is always asking for passwords for a normal user… Is that even normal?

@Nikolay167 said:

Impacket is always asking for passwords for a normal user… Is that even normal?

One of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

I tried all kinds of shells, including meterpreter, but cannot get any output from the dog. Any hints please, am I doing it wrong or what?

If you aren’t getting results from the dog, try barking at it with a regular cmd prompt instead of PowerShell…

For those stuck trying to find the user password … impacket is very useful! It’s a bit overwhelming at first, because there are so many scripts, but you’ll find what you are looking for eventually. Have patience, young padawan!

I am having trouble with the dog. Let’s see if anyone can help me with it.
While on a Windows VM, and using r**as with a low priv user, I changed DNS and so on. Test-Conn works, ping domain works, but the dog can’t seem to connect no matter what arguments I use. Does anyone have any idea why? Thanks in advance folks!

Can someone please give me a hint for the initial foothold?

@Drac0l17ch said:

@Nikolay167 said:

Impacket is always asking for passwords for a normal user… Is that even normal?

One of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

Almost a spoiler (for anyone who knows how to use “grep”), thanks anyways =)

@v01t4ic said:

@Drac0l17ch said:

@Nikolay167 said:

Impacket is always asking for passwords for a normal user… Is that even normal?

One of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.

Almost a spoiler (for anyone who knows how to use “grep”), thanks anyways =)

You caught that! Good on ya!

@RandomPerson00 said:

Can someone please give me a hint for the initial foothold?

Step 1 - Enumeration
- get open ports
- get potential usernames
- get system information
- get encrypted passwords and crack

Congrats Foothold

@Drac0l17ch said:

@RandomPerson00 said:

Can someone please give me a hint for the initial foothold?

Step 1 - Enumeration
- get open ports
- get potential usernames
- get system information
- get encrypted passwords and crack

Congrats Foothold

You mean: Congrats User flag 😉

Fun so far… for user: Use the tool posted here by many people to enumerate and get an encrypted password to crack. To use said credentials make sure you don’t JUST scan the top ports so you can see all your available options 🙂

Working on root…

Rooted this ■■■■■■■ ^^ … getting admin took me about 5 hours in order to get the exact right syntax for the p****view function. Was a great reminder for the dog usage.

Tips:

Discovery: impacket
User: more impacket
Root: the dog will tell you all + check the exact correct syntax for your commands

Cheers.

Excellent work to @egre55 & @mrb3n.

Plenty of nudges in this thread. Cheers to @DaChef for banging his head against the keyboard with me because syntax is a thing :).

For user: Ensure you enumerate the listening services. You can use nmap, impacket, or other tools for this. Once you have some usernames, there are certain ways to use those and get some creds. There’s a Ruby script that has been discussed in different Windows machines you can use as well.

For Root: AD enumeration is key. Get the “dog” to work. Go through the output. Google what the relationships mean if you’re not sure. Start with what your current “touches” if you’re lost. Once you find something nice, you can leverage impacket tools to get ya some fat hashes :).

DM me if you need nudges.

Edit: I’m an idiot. Carry on.
