Forest

Type your comment> @Nikolay167 said:

Im really stuck at getting the user :frowning: So i have few questions i found the user from which we can get the hash.

I’m trying to use tool from impacket called G****T.py but after specifying -k -no-pass htb.local/{VULN USER}
it throws me an error except the hash.

SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

So the question, is the problem on my end(software ver etc) or im doing something wrong and i will never get that way Hash?

did u figure it out? cause I am stack at the same thing

I swear boxes like these ought to have reading material attached to them so that people who want to learn more don’t end up almost punching a hole in the wall.
Easy… heh… it’s as easy as walking 10 m on your hands, upside down. If you don’t know how to do it, it’s far from easy. If you do… well…

Tips for user: Use basic enumeration to get a list of interesting entities. Save it for later.
Next, one of the example scripts in a certain popular tool suite also mentioned in here, will contain a script which help text sounds too good to be true. Find it, run it and apply “Business as usual” afterwards.

You now have what you’d think is enough to get into the box and it is. Given that you know about this OTHER tool… Your basic enumeration may reveal the next step, but in my case it wasn’t really helpful (the “version enumeration script” didn’t tell me anything interesting), however if you investigate which services usually run on this one particular port, you’ll find your next clue.
For this magic trick there’s a popular tool - I’ve been told - and a helper library for a certain crystal-like scripting language. You may even be so lucky and find example usage of it. If so, getting user is trivial.

None of the above is easy if you don’t know what to look for, by the way…

Rooted!
I loved this box.
Learned a lot about Active Directory.
I used the dogs&cats, but for me PV didn’t work so I went manually.
If someone wants to discuss, pm me

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched to from Sharp to Blood and it worked smoothly.

Rooted :slight_smile:
For root my advice is try changing the defaults of the dogs and it will show you the way.

Rooted. I’m not sure if this an easy box, it took me like 3 days and somebody had to help me. The other easy boxes I rooted where, you know, easy. User is relatively easy, for Root, you can try to add “something” to a group, like other users said, let the “Dog” guide you, then you can use impacket to get a certain hash

Hey Hackers !

i have mixed feelings about this box users was not so hard but root was a long way which was frustrating most the time because nothing seems to work!

Great Thanks to all pushed me in the right direction!

My hints for User :

  • Enumerate with a well known tool 4linux and then use a tool which will impackt !
  • Call your old friend John and you have all what you need !

My hints for Root :
!! Don’t use the evil !!

  • also documented before take a walk with your bloodhound when it doesn’t work locally you can google for a remote solution which will work!
  • then find a path but think also what components in this network (find a attack)
  • if you know what to attack google around and there is a prog which will do the work for you to get the “Right”!
  • now its time to play with your cat…
  • if you got all what you need search for a tool that will impackt

Hope it is helpfull to everybody who got stuck!

Feel free to contact me if you can’t get it!

If i spoilered to much please remove the post!

Thank you, creators, for that amazing box, I really learned a lot.

For me the main problem was with the right commands, you might know the logic of how it should work, but something will go wrong and a solution always be something that you never expected to be.

For user: Please please double-check for commands, if you feel its right and it doesn’t give you output please check for NULL (Even if it doesn’t make sense for you, try to find what can be null in manual)

for root: @MrPennybag above described pretty well!

Also, I really want to say a huge thank you guys @acidbat @Chantal2019 @GibParadox @jpredo @n4v1n for giving me nudges
and others

Hey I found the usernames . What should i do next should i bruteforce

Hey can anyone DM me with some help with SH.ps1 or .exe. I cant get it to run.

Managed to get user but now I’m having issues getting a certain dog to bark. Running either the binary or the PowerShell script returns nothing, I’ve tried directing all output streams to a file to see if there’s an error that’s not getting printed but the dog just isn’t barking no matter what. I’ve tried a lot of different combinations of flags. Am I missing something?

Hello Guys,
a little question. Could someone explain me what am I doing wrong with TGT?
I managed to get credentials for sv*-***o user, I cracked AS-REP response. Then I tried to gT.py and I successfully saved ticket in cache, but actually I cant do anything with that ticket.

  • I cant make smbclient with -k (i got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
  • When i tried rpcclient with -k i got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Basically I can`t make any benefit from ticket I got from KDC. Ive got KRB5CCNAME env with valid path to cache. I also have similar time in comparison to DC.

Can someone explain me this thing? Am I missing something?
I dont ask for guide for user, just a little explanation what am I doing wrong.
Thanks guys.

Edit: is this because I dont get any SPN that sv*-*******o have access to?

Pretty stuck on the last part, can’t seem to figure out what I need to find in the “dog” program, I have all the users except admin. but my windows knowledge is lacking. it’s taken me a better part of a day so far :cry:

Thix box was hard for me cuz I’m Ignorant in AD

all the hints are here. Just a recomendation to get root, use bh with some params, and get some research about relations

bh seems to be not enough. there should be something else, too.

EDIT: bh is enough. fyi: predefined analytics sucks.

this youtube video may help to understand the priv esc if its spoil delete the comment:

If bh does the trick, so does Dameware NT right ? *stuck on root

Type your comment> @Icyb3r said:

this youtube video may help to understand the priv esc if its spoil delete the comment:

https://www.youtube.com/watch?v=lxd2rerVsLo

Great, thanks for sharing. I have watched it for better understanding BH.

Type your comment> @roelvb said:

Type your comment> @Icyb3r said:

this youtube video may help to understand the priv esc if its spoil delete the comment:

https://www.youtube.com/watch?v=lxd2rerVsLo

Great, thanks for sharing. I have watched it for better understanding BH.

You’re welcome, I think here we are practice and learning, its better to have full understanding about what you are doing rather than just follow the instruction to solve the box.

Its about how much knowledge and experience you gain. :slight_smile:

Thanks @izzie