Forest

@Enlil said:

Got root; if you need hints, just ask.
Rooted

Hints, please.
(probably wrong, but I only took 1 year of Russian)

ahahahhah its correct!

@BrunoSardine said:

Anyone willing to give me a nudge towards user? I have an account and a cracked hash but I’m not sure where to go next. I’ve been trying like 2 different methods using these credentials but I’m honestly not sure whether or not I even need to be trying what I’m trying.

RM THE EVIL

I obtained a user list with kerberos_enumusers, but I cannot discover a hash to crack and get access to the machine.
Can you help?

Hi! I already got root but I really want to try it with privex…py as well! If anyone got it that way as well please message me

Hey guys, stuck on root. I already found the path via dogs and what I should escalate to get root, but dunno how to do it. Any hints, please? Thanks

Whew, what an experience on this box. Learned a ton of Windows skills! Thanks to @Chantal2019, @GibParadox and @jpredo for assistance along the way. Have a great weekend all!

Got a username and password. What’s next?

:slight_smile:

Finally got root! Thanks for the help @n4v1n @rholas and @bipolarmorgan ! This was a really fun box and I learned a lot!

Really nice machine that I learned lots from, thanks @egre55 & @mrb3n.

Took me a few days as I have zero experience of AD environments (I’ve been hiding in the world of Linux for far too long :)). But there are easily enough hints in the first few pages of this forum to struggle through along with the copious reading material online about AD and Kerberos (although good understanding of the latter is not really needed but is a nice to have).

Just as a small aside, it’s always the “easy” boxes that are hard! But, to be fair, I can understand why it was marked as easy, as it’s just running standard scripts - nonetheless it did highlight fundamental gaps in my knowledge.

I 100% agree on that.

I have been stuck on root for way too long. I have the output from dog and I can see some kind of path. But the recommended exploitation paths don’t work on the target.
Can anyone please PM me with some hints? Very new to AD.

I am having trouble on the last step of root. If anyone PMs me with help, that would be appreciated!

Can someone give me a nudge on how to get S*d.ps1 to run on the box? I invoke the module, but when I run it, it does not give any results.

@Nikolay167 said:

I’m really stuck at getting the user :frowning: So I have a few questions. I found the user from which we can get the hash.

I’m trying to use a tool from impacket called G****T.py, but after specifying -k -no-pass htb.local/{VULN USER}
it throws an error instead of the hash.

SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

So the question: is the problem on my end (software version etc.), or am I doing something wrong and will never get the hash that way?

Did you figure it out? Because I am stuck at the same thing.

I swear boxes like these ought to have reading material attached to them so that people who want to learn more don’t end up almost punching a hole in the wall.
Easy… heh… it’s as easy as walking 10 m on your hands, upside down. If you don’t know how to do it, it’s far from easy. If you do… well…

Tips for user: Use basic enumeration to get a list of interesting entities. Save it for later.
Next, one of the example scripts in a certain popular tool suite also mentioned in here will contain a script whose help text sounds too good to be true. Find it, run it and apply “Business as usual” afterwards.

You now have what you’d think is enough to get into the box and it is. Given that you know about this OTHER tool… Your basic enumeration may reveal the next step, but in my case it wasn’t really helpful (the “version enumeration script” didn’t tell me anything interesting), however if you investigate which services usually run on this one particular port, you’ll find your next clue.
For this magic trick there’s a popular tool - I’ve been told - and a helper library for a certain crystal-like scripting language. You may even be so lucky and find example usage of it. If so, getting user is trivial.

None of the above is easy if you don’t know what to look for, by the way…

Rooted!
I loved this box.
Learned a lot about Active Directory.
I used the dogs&cats, but for me PV didn’t work so I went manually.
If someone wants to discuss, pm me

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched from Sharp to Blood and it worked smoothly.

Rooted :slight_smile:
For root, my advice is to try changing the defaults of the dogs and it will show you the way.