Forest

@xcabal said:

I am at the last step but I cannot crack the hash :cry:

You don’t need to crack the hash

Smart guys, could you tell me why EVIL rb program works, but metasploit win**_sc****_ex** does not?
What's the difference between these two?
Thanks

@bertalting said:

@xcabal said:

I am at the last step but I cannot crack the hash :cry:

You don’t need to crack the hash

ok i think i got it, I got confused with the conversation above :slight_smile:

Is this box not loading for anybody else?

@xcabal said:

I am at the last step but I cannot crack the hash :cry:

If you are on the last step of cracking the hash for the user account, for sure you need hashc**, but for the last step for root, some impacket scripts accept a hash for login.

Edited

Rooted the box, was a bit frustrating at points but now that I’m looking back on all the steps with the knowledge I now have, it makes sense.

Although, I’m hoping someone might be able to point out why the dog wouldn’t run the same way for all people. Is it a product of a Windows configuration, or just due to the nature of multiple people connecting to it?

Rooted after a week of trial and error. Great box but not at all easy. Learned a lot, big ups to @izzie for all the help.

If anyone needs help dm me

I finally got root. Thank you @MrPennybag and @GibParadox, your guidance helped me a lot. I’ve always been a Linux guy, but getting to know the Windows side. I still have a lot to learn.

Finally got root… I have learned so many new tools and techniques from this machine.

Thank you @DaChef @RHoodCrack @Nikolay167 @lannerXIII and @j3wker for your valuable guidance and hints.

@Omnisec said:

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched from Sharp to Blood and it worked smoothly.

Any idea why this error occurs?

@Deslight said:

@Omnisec said:

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched from Sharp to Blood and it worked smoothly.

Any idea why this error occurs?

yeah specify a user and a pw

C:\Windows\system32>whoami
nt authority\system

Got stuck after getting the uname and pwd. Could somebody please pm me in the right direction? Thank you in advance :slight_smile:

Finally rooted this after taking a break to learn more about AD.

https://blog.harmj0y.net/ and https://adsecurity.org/ were great resources.

My notes for root:

  • If your “dog” tool isn’t working remotely, maybe it’s easier to do it locally? (There’s an Ippsec video for this.)

  • After enumerating, it’s obvious what the “vulnerability” is, but I had trouble finding out how to exploit it. My google search terms were too abstract. When I searched the origin of that “vulnerability”, the exploit was everywhere.

  • In the final step of escalation, you don’t need to crack anything or play willy wonka.

Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

Another great machine ! Learned a lot about AD (in)security.

@bumika said:

Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

Caused by only a wrong switch value… It was a great challenge. Thank you to the author.

@bumika said:

Caused by only a wrong switch value… It was a great challenge. Thank you to the author.

quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

@btwiusearch said:

@bumika said:

Caused by only a wrong switch value… It was a great challenge. Thank you to the author.

quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

I simply used a wrong switch value in a dsacls command.