Forest

Comments

  • edited October 2019

    Edit: I'm an idiot. Carry on.

  • I don't know who decided to rank this machine as Easy! This in no way whatsoever is a 20 points machine!

    I think HTB should have a clear policy on how to rank machines, based on measurable criteria like "Number of commands needed to root, average time to root, average time to enumerate..etc".

    In any case, this machine should be changed to be at least Medium.

    Other than that, this was a good machine, with some minor issues in its design that made it illogical.

    My advice for people stuck on the machine:
    For User:
    -Use all the latest scripts in all tools you use, as I found older ones not to be working

    For root:
    Don't give privileges to the account you are already using, instead, create a new account and apply everything to it.

  • Hello all.
    So close, yet so far from getting the user flag.
    I have figured out everything regarding tools, system users, system info and I guess I am missing a hash in order to fool the 3 headed doggy.
    Any hints of what (obviously obvious) am I missing?
    Thanks in advance!

  • edited October 2019

    I suck at windows boxes. I'm trying to read about the different kerberos vulnerabilities and almost always end up in a position where I would need to use hashcat. Hashcat just runs through basic wordlists on the krb5. Any pointers what I am doing wrong?

    Edit: My hashcat was just broken. Did it on a different machine in under 1s

    Blaudoom
    Discord: Blaudoom#1254

  • Ensure that env variables are set correspondingly in your shell.

  • I have mixed feelings about the rating of this box: on one hand, it's easy if you have experience with AD, but if you don't (like me)... boy, you're in for a ride :)

    Overall a great learning experience, but there's a specific (deliberate?) issue which made me lose a lot of time because openvpn wasn't quite happy with what I did to my VM to overcome it.

    All hints in this thread will set you on the right path so I won't repeat them, but I have one more for root: keep an eye on the clock, even a few minutes can make a big difference!

  • John is not recognizing the hash from G********s.py

  • @sudophreak said:

    For me, that was by far and so far the best hint in this forum thread.

    I've been doing a couple of retired machines, going through the videos and writeups. Hope to get there slowly, but still struggling.

    ldap*****h gave me 89 users, many can't be found in the 3-headed-dog-database, but I'm going to hack this box, even if I have to travel to the htb's datacenter to get physical access to forest, I swear. ;-)

  • @joshibeast said:
    > @Drac0l17ch said:
    >
    > (Quote)
    > You mean: Congrats User flag ;)

    I got as far as this but I'm still not sure how I get that flag. A nudge in the right direction would very much be appreciated

  • @Nikolay167 said:

    I'm really stuck at getting the user :( So I have a few questions. I found the user from which we can get the hash.

    I'm trying to use tool from impacket called G****T.py but after specifying -k -no-pass htb.local/{VULN USER}
    it throws me an error except the hash.

    SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

    So the question: is the problem on my end (software ver etc) or am I doing something wrong and I will never get the hash that way?

    Use -request and you can choose the output of the hash to make it compatible.

  • edited October 2019

    Or you can use hashcat :-) I had to upgrade my version though

    Hack The Box
    Did I help you? Please return the favour and +1 respect me
    https://www.hackthebox.eu/home/users/profile/62941

  • Struggling with what I believe is the last step of user.... have some users, have a password for one account. However not sure how to use it, standard windows attacks read only access blocks, can't find anything of interest in the shares available, have been back over the services enumeration-wise with the account I have but nothing more useful jumps out. Full port scan twice, have netcated to all the higher port services but nothing jumps out as offering a route to a shell.
    If anyone can offer a hint in the right direction please do, undoubtedly overlooking something stupid

  • @suls said:

    Struggling with what I believe is the last step of user.... have some users, have a password for one account. However not sure how to use it, standard windows attacks read only access blocks, can't find anything of interest in the shares available, have been back over the services enumeration-wise with the account I have but nothing more useful jumps out. Full port scan twice, have netcated to all the higher port services but nothing jumps out as offering a route to a shell.
    If anyone can offer a hint in the right direction please do, undoubtedly overlooking something stupid

    There has been something EVIL used in previous HTB boxes; look for that and use the credentials you have.

  • @bipolarmorgan said:

    if you aren't getting results from the dog, try barking at it with a regular cmd prompt instead of powershell.....

    For those stuck trying to find the user password ... impacket is very useful! it's a bit overwhelming at first, because there are so many scripts, but you'll find what you are looking for eventually. have patience, young padawan!

    I tried both PS and regular cmd but the dog doesn't give me anything. No zip or json file is created. I got the pre-compiled dog from the hub.

    What am I missing?

    For asking help, please describe what you have tried so far, so i don't spoil too much.
    If you believe i was able to help, please provide feedback by giving respect:
    https://www.hackthebox.eu/home/users/profile/122308

  • edited October 2019

    I'm really struggling with getting a hash from the list of users. Looking for a bit of advice on it.

    edit: I'm dumb, wasn't formatting.

  • Doggo does not do anything at all. No prints. No files....
    I am kinda lost.
    Kindly asking for help.

    nullorzero

    Would love to help you!
    Answering faster on discord: nullorzero#6975

  • I figured this out after a great hint from rolas, without spoiling it for me. You just need to remember the context of what you're requesting and why, and once that request is successful, usually during a good hunt people set loose their bloodhounds to retrieve the prize.

  • what a pain... after all, here is my advice: if you feed the dog and send it to the right path, don't play around and try to dump the secret immediately. there is only a short window for that. if you miss this, you have to step back.

    SekIsBack

  • First I hated this box, because I was making no progress for 1 1/2 days... and then:
    USER=>https://www.tarlogic.com/en/blog/how-to-attack-kerberos/
    And I had user. After a couple of hours of reading and testing...
    ROOT=>the special AD tool with attack vectors, followed it step by step.
    Did not use the cat, instead the other python framework. Got the admin hash, then it was easy.

    This was great experience for ppl like me who have 0 ad and krb knowledge. Now i feel more comfortable in this kind of env, thanks to the creators of the box. Very nice box for learning :)

    my advice - try to do it by yourself, best learning experience, flags are not important :)

  • Finally rooted !!

    It was very confusing and tiring for me.. cz I am literally new to this AD stuffs..
    Thanks to @21y4d and @Sekisback for the help..

  • Not getting any output from the dog as well! Any ideas?

  • @Cli3nt said:

    Not getting any output from the dog as well! Any ideas?

    Exactly the same place, found a different user to use, can't find a way to use that user as a shell either from the box or via r***s from a windows box, tried py version of the dog remotely on both kali and linux but get

    The DNS operation timed out after 3.00061106682 seconds

    on both kali and windows, DNS and resolv setup correctly to point at the box so far as i can see, nslookup works ....

  • The problem is, that in the guides, they just transfer the sharp doggy to the target machine and then execute it, which creates a file. Neither my ps1-file nor my exe-file do anything (executed it from PS or via normal cmd).

  • I don't think the initial user has execution rights

  • edited October 2019

    Rooted finally! Thanks to @Sekisback and his small hints towards root.

    nullorzero

    Would love to help you!
    Answering faster on discord: nullorzero#6975

  • Anyone able to help with a hint regarding user shell? I have credentials.