Forest

Hey, I found the usernames. What should I do next? Should I bruteforce?

Hey, can anyone DM me with some help with SH.ps1 or .exe? I can’t get it to run.

Managed to get user but now I’m having issues getting a certain dog to bark. Running either the binary or the PowerShell script returns nothing, I’ve tried directing all output streams to a file to see if there’s an error that’s not getting printed but the dog just isn’t barking no matter what. I’ve tried a lot of different combinations of flags. Am I missing something?

Hello Guys,
a little question. Could someone explain to me what I am doing wrong with TGT?
I managed to get credentials for the sv*-***o user; I cracked the AS-REP response. Then I tried gT.py and successfully saved the ticket in the cache, but I actually can’t do anything with that ticket.

  • I can’t make smbclient work with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
  • When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Basically I can’t get any benefit from the ticket I got from the KDC. I’ve got the KRB5CCNAME env set with a valid path to the cache. I also have a similar time in comparison to the DC.

Can someone explain this to me? Am I missing something?
I’m not asking for a guide for user, just a little explanation of what I am doing wrong.
Thanks guys.

Edit: is this because I don’t get any SPN that sv*-*******o has access to?

Pretty stuck on the last part, can’t seem to figure out what I need to find in the “dog” program. I have all the users except admin, but my Windows knowledge is lacking. It’s taken me the better part of a day so far :cry:

This box was hard for me cuz I’m ignorant in AD

All the hints are here. Just a recommendation to get root: use bh with some params, and do some research about relations

bh seems to be not enough. there should be something else, too.

EDIT: bh is enough. fyi: predefined analytics sucks.

This YouTube video may help to understand the priv esc; if it’s a spoiler, delete the comment:

If bh does the trick, so does Dameware NT, right? *stuck on root

@Icyb3r said:

This YouTube video may help to understand the priv esc; if it’s a spoiler, delete the comment:

https://www.youtube.com/watch?v=lxd2rerVsLo

Great, thanks for sharing. I have watched it to better understand BH.

@roelvb said:

@Icyb3r said:

This YouTube video may help to understand the priv esc; if it’s a spoiler, delete the comment:

https://www.youtube.com/watch?v=lxd2rerVsLo

Great, thanks for sharing. I have watched it to better understand BH.

You’re welcome. I think here we are practicing and learning; it’s better to have a full understanding of what you are doing rather than just following the instructions to solve the box.

It’s about how much knowledge and experience you gain. :slight_smile:

Thanks @izzie

Wow. Just wow. This box has had me ripping my hair out. I knew nothing about AD when I started this, today I got root. What a journey! Thanks a lot to the creators of this box, amazing how much you were able to fit into this. This box let me explore tools I’ve wanted to use for a long time.

As for hints, dunno what else I can say that hasn’t already been said. I was stuck on root for over a week, but I was so close the whole time (thanks to @MrPennybag for confirming my suspicions).
There’s one tool in particular you want to use after having walked the dog. This tool comes in several flavours and lets you explore paths uncovered by the dog. I experienced some bugs at this stage, so make sure you explore every path (with said tool)!
When successful, go back to the cat again, but make sure you don’t limit yourself to the krbtgt user!

PM me if you need any help :slight_smile:

I got a hash for an account, but I realized that neither John nor Hashcat seem to natively support cracking that type. Anyone have suggestions on how to crack it?

Why do I keep getting this error with ***SPNs.py?

[-] Error in searchRequest → referral: 0000202B: RefErr: DSID-031007F9, data 0, 1 access points ref 1: ‘forest.htb’

:s

@n0bf said:

I got a hash for an account, but I realized that neither John nor Hashcat seem to natively support cracking that type. Anyone have suggestions on how to crack it?

It’s Hashcat for sure to crack it. Check the mode or even your hash. Maybe it’s incomplete.

@MrPennybag said:

Hey Hackers!

I have mixed feelings about this box: user was not so hard, but root was a long way, which was frustrating most of the time because nothing seems to work!

Great thanks to all who pushed me in the right direction!

My hints for User:

  • Enumerate with a well known tool 4linux and then use a tool which will impackt!
  • Call your old friend John and you have all that you need!

My hints for Root:
!! Don’t use the evil !!

  • As also documented before, take a walk with your bloodhound; when it doesn’t work locally, you can google for a remote solution which will work!
  • Then find a path, but think also about what components are in this network (find an attack)
  • If you know what to attack, google around and there is a prog which will do the work for you to get the “Right”!
  • Now it’s time to play with your cat…
  • If you got all that you need, search for a tool that will impackt

Hope it is helpful to everybody who got stuck!

Feel free to contact me if you can’t get it!

If I spoilered too much please remove the post!

I used evil, and can’t seem to walk the dog. Any hint on what tools I should use instead?

@devow said:

@MrPennybag said:

Hey Hackers!

I have mixed feelings about this box: user was not so hard, but root was a long way, which was frustrating most of the time because nothing seems to work!

Great thanks to all who pushed me in the right direction!

My hints for User:

  • Enumerate with a well known tool 4linux and then use a tool which will impackt!
  • Call your old friend John and you have all that you need!

My hints for Root:
!! Don’t use the evil !!

  • As also documented before, take a walk with your bloodhound; when it doesn’t work locally, you can google for a remote solution which will work!
  • Then find a path, but think also about what components are in this network (find an attack)
  • If you know what to attack, google around and there is a prog which will do the work for you to get the “Right”!
  • Now it’s time to play with your cat…
  • If you got all that you need, search for a tool that will impackt

Hope it is helpful to everybody who got stuck!

Feel free to contact me if you can’t get it!

If I spoilered too much please remove the post!

Stuck there as well, even resorted to other ruby scripts but still can’t find a way to get anything to feed the dog.

I used evil, and can’t seem to walk the dog. Any hint on what tools I should use instead?

For anyone having trouble getting the dog to do anything at all, look into some different ways of executing PowerShell.

Connectivity question: Did something change?

The evil worked very well for some days. Tried today again with the exact same syntax and I get

Info: *

Info: *

Error: Can’t establish connection. …

Error: Exiting with code 1