Forest

Got stuck after getting the uname and pwd. Could somebody please PM me in the right direction? Thank you in advance 🙂

Finally rooted this after taking a break to learn more about AD.

https://blog.harmj0y.net/ and https://adsecurity.org/ were great resources.

My notes for root:

  • If your “dog” tool isn’t working remotely, maybe it’s easier to do it locally? (There’s an Ippsec video for this.)

  • After enumerating, it’s obvious what the “vulnerability” is, but I had trouble finding out how to exploit it. My Google search terms were too abstract. When I searched the origin of that “vulnerability”, the exploit was everywhere.

  • In the final step of escalation, you don’t need to crack anything or play Willy Wonka.

Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns the proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

Another great machine! Learned a lot about AD (in)security.

> @bumika said:
>
> Did anybody meet the error message ERROR_DS_DRA_BAD_DN? I believe I have prepared well and I think I have a user who owns the proper rights, but two different solutions get the same error code (0x20f7) when I try to get valuable data.

Caused by only a wrong switch value… It was a great challenge. Thank you to the author.

> @bumika said:
>
> Caused by only a wrong switch value… It was a great challenge. Thank you to the author.

Quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

> @btwiusearch said:
>
> > @bumika said:
> >
> > Caused by only a wrong switch value… It was a great challenge. Thank you to the author.
>
> Quite literally at the same point as that, both remotely and with the cats on the box as well, same error code. Gonna go take a look at my confs again but I feel like I am so close but so far rn.

I simply used a wrong switch value in a dsacls command.

I would like to ask somebody who managed to run the current version of S…H… successfully to send me a PM. I used both a remote Python version and an old PS but I failed to get output using the current PS. Thx.

Rooted.
Tears were shed and joy was had but at the end of the day, my AD knowledge and Windows exploitation is vastly improved. Three days for the root lol, just about as I was going to go to bed as well.

Had this weird thing happen to me, idk if this was the case with anyone else but just in case you are struggling with that error mentioned on the cat: you have a literal 10 second window before your privesc breaks. Might have just been me. You can use scripts to help automate this so you are in time to get something out of the cat.

F I N A L L Y !!!
Thanks go to @MrPennybag & @bipolarmorgan for helping me out when stuck!

hackthebox: Please give us more of these AD / Hound machines! I hate them really, but at least I’m learning a ton!

It was messy, but I managed to root it. Feel free to message me for hints.

BOOM! goes the dynamite. This was a fun and frustrating journey but learned a lot in the Windows privesc world. Thanks to @Phaas03 and @btwiusearch for jogging my brain into a different way of thinking to get me over the root hill.

Rooted. If someone is doing this with WSL under Windows 10, msg me for some details about root. PM me for hints if you want.

Can anyone offer DM for hint/nudge on user? I got creds for s**-a***** and not too sure what I am missing on attempt to use these creds.

@Dabson Yeah I am right there too. Did some research but I guess I might be overlooking something. I would appreciate a DM from any of the dungeon masters.

Can anyone give me a nudge for user? I have all the open ports, see all the services. Everything I look at needs a user/pass. Is the only way in via user/pass lists or bruteforce?

Amazing box, learned some good stuff!

> @TheRamen said:
>
> Can anyone give me a nudge for user? I have all the open ports, see all the services. Everything I look at needs a user/pass. Is the only way in via user/pass lists or bruteforce?

Bruteforce = Nope (bad mojo, especially for easy\medium machines)
Try and enumerate users, see what you can find.

Ok, I give up, I need some help. I’ve got e***-**** running. I have S****-H****. I can’t however get any output whatsoever from said app. Is there a way I can get a better shell now that I’m in with e***-****? I just don’t get any output from the tool and am probably missing something really obvious.

Edit: I guess I can run said tool locally, and need to figure that out!

Finally Rooted!! What a ride! Learnt a lot. Many thanks to the box creator, very good work!