I swear boxes like these ought to have reading material attached to them so that people who want to learn more don’t end up almost punching a hole in the wall.
Easy… heh… it’s as easy as walking 10 m on your hands, upside down. If you don’t know how to do it, it’s far from easy. If you do… well…
Tips for user: Use basic enumeration to get a list of interesting entities. Save it for later.
Next, one of the example scripts in a certain popular tool suite also mentioned in here, will contain a script whose help text sounds too good to be true. Find it, run it and apply “Business as usual” afterwards.
You now have what you’d think is enough to get into the box and it is. Given that you know about this OTHER tool… Your basic enumeration may reveal the next step, but in my case it wasn’t really helpful (the “version enumeration script” didn’t tell me anything interesting), however if you investigate which services usually run on this one particular port, you’ll find your next clue.
For this magic trick there’s a popular tool - I’ve been told - and a helper library for a certain crystal-like scripting language. You may even be so lucky and find example usage of it. If so, getting user is trivial.
None of the above is easy if you don’t know what to look for, by the way…
Rooted!
I loved this box.
Learned a lot about Active Directory.
I used the dogs&cats, but for me PV didn’t work so I went manually.
If someone wants to discuss, pm me
Rooted. I’m not sure if this is an easy box, it took me like 3 days and somebody had to help me. The other easy boxes I rooted were, you know, easy. User is relatively easy, for Root, you can try to add “something” to a group, like other users said, let the “Dog” guide you, then you can use impacket to get a certain hash
Thank you, creators, for that amazing box, I really learned a lot.
For me the main problem was with the right commands, you might know the logic of how it should work, but something will go wrong and a solution will always be something that you never expected it to be.
For user: Please please double-check for commands, if you feel it’s right and it doesn’t give you output please check for NULL (Even if it doesn’t make sense for you, try to find what can be null in manual)
For root: @MrPennybag above described pretty well!
Managed to get user but now I’m having issues getting a certain dog to bark. Running either the binary or the PowerShell script returns nothing, I’ve tried directing all output streams to a file to see if there’s an error that’s not getting printed but the dog just isn’t barking no matter what. I’ve tried a lot of different combinations of flags. Am I missing something?
Hello Guys,
a little question. Could someone explain to me what I am doing wrong with TGT?
I managed to get credentials for sv*-***o user, I cracked AS-REP response. Then I tried to gT.py and I successfully saved ticket in cache, but actually I can’t do anything with that ticket.
I can’t make smbclient with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Basically I can’t make any benefit from ticket I got from KDC. I’ve got KRB5CCNAME env with valid path to cache. I also have similar time in comparison to DC.
Can someone explain this thing to me? Am I missing something?
I don’t ask for guide for user, just a little explanation of what I am doing wrong.
Thanks guys.
Edit: is this because I don’t get any SPN that sv*-*******o has access to?
Pretty stuck on the last part, can’t seem to figure out what I need to find in the “dog” program, I have all the users except admin, but my Windows knowledge is lacking. It’s taken me the better part of a day so far
Great, thanks for sharing. I have watched it for better understanding BH.
You’re welcome, I think here we are practicing and learning, it’s better to have full understanding about what you are doing rather than just follow the instructions to solve the box.
It’s about how much knowledge and experience you gain.