Forest

whew, what an experience on tnhis box. Learned a ton of some windows skills! Thnx to @Chantal2019 , @GibParadox and @jpredo for assistance along the way. Have a great weekend all!

got a username and password . Whats next

:slight_smile:

Finally got root! Thanks for the help @n4v1n @rholas and @bipolarmorgan ! This was a really fun box and I learned a lot!

Really nice machine that learned lots from, thanks @egre55 & @mrb3n .

Took me a few days as I have zero experience of AD environments (I’ve been hiding in the world of Linux for far too long :)). But there are easily enough hints in the first few pages of this forum to struggle through along with the copious reading material online about AD and Kerberos (although good understanding of the latter is not really needed but is a nice to have).

Just as a small aside, its always the “easy” boxes that are hard! But, to be fair I can understand why it was marked as an easy as its just running standard scripts - nonetheless it did highlight fundamental gaps in my knowledge.

Just as a small aside, its always the “easy” boxes that are hard! But, to be fair I can understand why it was marked as an easy as its just running standard scripts - nonetheless it did highlight fundamental gaps in my knowledge.

I 100% agree on that.

I have been stuck on root for way too long. I have the output from dog and i can see some kind of path. But the recommended exploitation paths don’t work on target.
Can anyone please PM with some hints? very new to AD.

I am having trouble on the last step of root. If anyone PM me with help that would be appreciated!

Can someone give me a nudge on how to get S*d.ps1 to run on the box i invoke the module but when I run it does not give any results.

Type your comment> @Nikolay167 said:

Im really stuck at getting the user :frowning: So i have few questions i found the user from which we can get the hash.

I’m trying to use tool from impacket called G****T.py but after specifying -k -no-pass htb.local/{VULN USER}
it throws me an error except the hash.

SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

So the question, is the problem on my end(software ver etc) or im doing something wrong and i will never get that way Hash?

did u figure it out? cause I am stack at the same thing

I swear boxes like these ought to have reading material attached to them so that people who want to learn more don’t end up almost punching a hole in the wall.
Easy… heh… it’s as easy as walking 10 m on your hands, upside down. If you don’t know how to do it, it’s far from easy. If you do… well…

Tips for user: Use basic enumeration to get a list of interesting entities. Save it for later.
Next, one of the example scripts in a certain popular tool suite also mentioned in here, will contain a script which help text sounds too good to be true. Find it, run it and apply “Business as usual” afterwards.

You now have what you’d think is enough to get into the box and it is. Given that you know about this OTHER tool… Your basic enumeration may reveal the next step, but in my case it wasn’t really helpful (the “version enumeration script” didn’t tell me anything interesting), however if you investigate which services usually run on this one particular port, you’ll find your next clue.
For this magic trick there’s a popular tool - I’ve been told - and a helper library for a certain crystal-like scripting language. You may even be so lucky and find example usage of it. If so, getting user is trivial.

None of the above is easy if you don’t know what to look for, by the way…

Rooted!
I loved this box.
Learned a lot about Active Directory.
I used the dogs&cats, but for me PV didn’t work so I went manually.
If someone wants to discuss, pm me

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched to from Sharp to Blood and it worked smoothly.

Rooted :slight_smile:
For root my advice is try changing the defaults of the dogs and it will show you the way.

Rooted. I’m not sure if this an easy box, it took me like 3 days and somebody had to help me. The other easy boxes I rooted where, you know, easy. User is relatively easy, for Root, you can try to add “something” to a group, like other users said, let the “Dog” guide you, then you can use impacket to get a certain hash

Hey Hackers !

i have mixed feelings about this box users was not so hard but root was a long way which was frustrating most the time because nothing seems to work!

Great Thanks to all pushed me in the right direction!

My hints for User :

  • Enumerate with a well known tool 4linux and then use a tool which will impackt !
  • Call your old friend John and you have all what you need !

My hints for Root :
!! Don’t use the evil !!

  • also documented before take a walk with your bloodhound when it doesn’t work locally you can google for a remote solution which will work!
  • then find a path but think also what components in this network (find a attack)
  • if you know what to attack google around and there is a prog which will do the work for you to get the “Right”!
  • now its time to play with your cat…
  • if you got all what you need search for a tool that will impackt

Hope it is helpfull to everybody who got stuck!

Feel free to contact me if you can’t get it!

If i spoilered to much please remove the post!

Thank you, creators, for that amazing box, I really learned a lot.

For me the main problem was with the right commands, you might know the logic of how it should work, but something will go wrong and a solution always be something that you never expected to be.

For user: Please please double-check for commands, if you feel its right and it doesn’t give you output please check for NULL (Even if it doesn’t make sense for you, try to find what can be null in manual)

for root: @MrPennybag above described pretty well!

Also, I really want to say a huge thank you guys @acidbat @Chantal2019 @GibParadox @jpredo @n4v1n for giving me nudges
and others

Hey I found the usernames . What should i do next should i bruteforce

Hey can anyone DM me with some help with SH.ps1 or .exe. I cant get it to run.

Managed to get user but now I’m having issues getting a certain dog to bark. Running either the binary or the PowerShell script returns nothing, I’ve tried directing all output streams to a file to see if there’s an error that’s not getting printed but the dog just isn’t barking no matter what. I’ve tried a lot of different combinations of flags. Am I missing something?