Forest

I am having trouble with the dog. Let’s see if anyone can help me with it.
While on Windows VM, and using r**as with low priv user, I changed DNS and so on, Test-Conn works, ping domain works but the dog can’t seem to connect no matter what arguments I use, anyone has any idea why? Thanks in advance folks!

Can someone please give me a hint for the initial foothold?

@Drac0l17ch said:

@Nikolay167 said:

Impakter is always asking for passwords for normal user… Is even normal?

one of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.
almost spoiler (for anyone who knows how to use “grep”), thanks anyways =)

@v01t4ic said:

@Drac0l17ch said:

@Nikolay167 said:

Impakter is always asking for passwords for normal user… Is even normal?

one of the tools in the example folder will give you 4 different ways to get the TGT info. I promise if you read the writeup in it, you will get a hash.
almost spoiler (for anyone who knows how to use “grep”), thanks anyways =)

you caught that! Good on ya!

@RandomPerson00 said:

Can someone please give me a hint for the initial foothold?

Step 1 - Enumeration
-get open ports
-get potential usernames
-get system information
-get encrypted passwords and crack
Congrats Foothold

@Drac0l17ch said:

@RandomPerson00 said:

Can someone please give me a hint for the initial foothold?

Step 1 - Enumeration
-get open ports
-get potential usernames
-get system information
-get encrypted passwords and crack
Congrats Foothold

You mean: Congrats User flag :wink:

Fun so far… for user: Use the tool posted here by many people to enumerate and get an encrypted password to crack. To use said credentials make sure you don’t JUST scan the top ports so you can see all your available options :slight_smile:

Working on root…

rooted this ■■■■■■■ ^^ … getting admin took me about 5 hours in order to get the exact right syntax for the p****view function. Was a great reminder for the dog usage.

Tips:

Discovery: impacket
User: more impacket
Root: the dog will tell you all + check the exact correct syntax for your commands

Cheers.

Excellent work to @egre55 & @mrb3n.

Plenty of nudges in this thread. Cheers to @DaChef for banging his head against the keyboard with me because syntax is a thing :).

For user: Ensure you enumerate the listening services. You can use nmap, impacket, or other tools for this. Once you have some usernames, there are certain ways to use those and get some creds. There’s a ruby script that has been discussed in different Windows machines you can use as well.

For Root: AD enumeration is key. Get the “dog” to work. Go through the output. Google what the relationships mean if you’re not sure. Start with what your current “touches” if you’re lost. Once you find something nice, you can leverage impacket tools to get ya some fat hashes :).

DM me if you need nudges.

Edit: I’m an idiot. Carry on.

Spoiler Removed

I don’t know who decided to rank this machine as Easy! This in no way whatsoever is a 20 points machine!

I think HTB should have a clear policy on how to rank machines, based on measurable criteria like “Number of commands needed to root, average time to root, average time to enumerate… etc”.

In any case, this machine should be changed to be at least Medium.

Other than that, this was a good machine, with some minor issues in its design that made it illogical.

My advice for people stuck on the machine:
For User:
-Use all the latest scripts in all tools you use, as I found older ones not to be working

For root:
Don’t give privileges to the account you are already using, instead, create a new account and apply everything to it.

Hello all.
So close, yet so far from getting the user flag.
I have figured out everything regarding tools, system users, system info and I guess I am missing a hash in order to fool the 3 headed doggy.
Any hints of what (obviously obvious) am I missing?
Thanks in advance!

I suck at windows boxes. I’m trying to read about the different kerberos vulnerabilities and almost always end up in a position where I would need to use hashcat. Hashcat just runs through basic wordlists on the krb5. Any pointers what I am doing wrong?

Edit: My hashcat was just broken. Did it on a different machine in under 1s

Spoiler Removed

Ensure that env variables are set correspondingly in your shell.

I have mixed feelings about the rating of this box: on one hand, it’s easy if you have experience with AD, but if you don’t (like me)… boy, you’re in for a ride :slight_smile:

Overall a great learning experience, but there’s a specific (deliberate?) issue which made me lose a lot of time because openvpn wasn’t quite happy with what I did to my VM to overcome it.

All hints in this thread will set you on the right path so I won’t repeat them, but I have one more for root: keep an eye on the clock, even few minutes can make a big difference!

John is not recognizing the hash from G********s.py

@sudophreak said:

https://www.youtube.com/watch?v=2Xfd962QfPs

For me, that was by far and so far the best hint in this forum thread.

I’ve been doing a couple of retired machines, going through the videos and writeups. Hope to get there slowly, but still struggling.

ldap*****h gave me 89 users, many can’t be found in the 3-headed-dog-database, but I’m going to hack this box, even if I have to travel to the htb’s datacenter to get physical access to forest, I swear. :wink:

@joshibeast said:

@Drac0l17ch said:

(Quote)
You mean: Congrats User flag :wink:

I got as far as this but I’m still not sure how I get that flag. A nudge in the right direction would very much be appreciated