Forest

I was able to own the user but am having trouble figuring out where to begin to get root. Any nudge would be greatly appreciated.

root tips

For the final root part, is it necessary to crack the hash? Or can you use it in some script instead of a password or something like that?

Looking for some help with user… All I seem to get is errors. What am I doing wrong?

[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839
[-] SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure

Long got user, walked the dog and got path but still in the dark about my first move to root. Anyone with a nudge, please PM me.

Finally rooted!!! This box was my first exposure to Active Directory; consequently, I found it to be quite difficult. Thanks to @Chr0x6eOs for the nudge. PMs are always welcome.

@RareNonM0tile said:

Can someone PM me, I need some help with root. Trying to run P----V–W.ps1 but I am getting a cmdlet error when attempting to run Add-DOA*. Anyone else have trouble getting that .ps1 to work?

The cmdlet name may change from one version of the tool to another…

Man, timing is everything with this box to FINALLY get root. «insert cursing here»

Now to go through it again to make sure I have a better understanding of how/why.

Okay… I have a user and a pass but I can't figure out what to do with it. I'm losing my mind here.

Can someone give me a nudge?
I got the data imported into Bloodhound, what should I do next?

Does anyone else have this problem??
I'm unable to use Bloodhound.
dns.exception.Timeout: The DNS operation timed out after 3.0019030571 seconds

Even if you walk in knowing how to approach gaining access and priv esc on this box, there are still a bunch of moving parts, gotchas, and places for things to go wrong. This one is more complicated than the scoring gives it credit for, so don’t be discouraged!

USER: Some accounts are juicier than others and you can be handed an associated hash if you know how to ask nicely. Sifting past the most obvious protocols will help you find where to use the cred.

ROOT: AD can be a beast, even if you are fairly comfortable with it. Best thing to do here is to dig in and identify what kind of access your account has to objects in the domain and how that access can be exploited. There are tools (mentioned all over this thread) which will help you sniff out the scent of relevant objects and permissions, but really focus on understanding how it all comes together. This one will bite you if you try to just spray commands without understanding what they are doing. Lots to learn here if you play it that way. PM me for a better nudge.

OK, all I got is user via an unprivileged PS shell through w*m with s-*******o, but now I'm stuck on the privilege escalation. Can anyone give me a hint?

How to deal with this on the last stage?
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

@Looking4 said:

How to deal with this on the last stage?
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

I changed the time (and timezone) on my laptop to match the remote system.

I definitely need some help with this box, I have been just stuck at the very beginning, only have gotten one script to return a list of users.

PMs would be appreciated!

Do you really need the hound? I can't get that to run, even the py version remotely. Is there an alternative route for root?

I’ve been stuck on root since the first day this box was released. Anyone care to PM me for a nudge. I have the foothold, user, the chart, I think I know the path. Just need some bump in the right direction.

I keep getting “You cannot call a method on a null-valued expression” errors. Can someone point me in the right direction if you know what I’m messing up?

Finally rooted it.
It's 15 years since my last pwn but honestly I never thought I had become so "rusted".
Anyway, this box is not such a piece of cake even if you chewed AD before. I can't imagine how overwhelming it may be for those who never faced it.
Thanks @blay for nudges on going ahead.