Forest

Comments

  • edited November 2019

    @pourquoi said:

    @JuicyyCandy said:
    I have no idea where everyone is getting a password hash from, can't find anything at all, already using the tool everyone is mentioning, can't get any of the scripts to work.

    1. For the user list, you can use e***4****x .
    2. Try to use impacket G********S.py to get the hash.

    Yeah, got the pass earlier, can't find where to use it though.

    EDIT: Nvm, got the user flag, now just trying to get root.

  • I've managed to walk through the forest with the "dog" and I think I know where to go and what to attack, but I'm not sure how to achieve this. Any tips or help?

  • edited November 2019

    I think I've found the way to walk the dog on the machine, but I might be doing something wrong, can someone PM me?

    EDIT: Can someone give me tips on getting root flag? I can't seem to get the "dog" to work at all.

  • I'm blocked for the root flag too. The dog partially worked and I cannot go any further :(

  • ch4ch4
    edited November 2019

    Finally, after a full day's work, I got root! :o
    So much learning! I even have certification on Windows Server 2003.. this was mindblowing :D

    Yet I don't believe this is an easy server..

    0byte

  • @stoffern said:
    > Finally, after a full day's work, I got root! :o
    > So much learning! I even have certification on Windows Server 2003.. this was mindblowing :D
    >
    > Yet I don't believe this is an easy server..

    Same here, it helped to know about AD and Windows management, but this is not an easy box.

    windows 7 is my rig :) if it can't be done on windows, i fail.

  • it's always tough before root and then easy

    peek

  • hi guys, wondering if anyone can help... I've got user and am logged in to victim... am using Evil... just not sure what to do next. do I need to run a specific .ps1???

  • Rooted
    Thanks to @GibParadox and @Sekisback for helping me find the last step. Great learning experience, pretty hard for me though.

  • Can't seem to get to root, can anyone help me?

  • edited November 2019

    Can someone PM me? I need some help with root. Trying to run P----V--W.ps1 but I am getting a cmdlet error when attempting to run Add-D******O*****A**. Anyone else have trouble getting that .ps1 to work?

  • I was able to own the user but am having trouble with where to begin to get root. Any nudge would be greatly appreciated.

  • For the final root part, is it necessary to crack the hash? Or u can use it in some script instead of password or smth like that?

  • Looking for some help with user.. All I seem to get is errors. What am I doing wrong?

    [-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906A1, comment: AcceptSecurityContext error, data 52e, v3839
    
    [-] SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure
    
  • Long got user, walked the dog and got path, but still in the dark about my first move to root. Anyone with a nudge, please PM me.

  • Finally rooted!!! This box was my first exposure to Active Directory; consequently, I found it to be quite difficult. Thanks to @Chr0x6eOs for the nudge. PMs are always welcome.

    k1llswitch
    "The master has failed more times than the beginner has even tried"

  • @RareNonM0tile said:

    Can someone PM me? I need some help with root. Trying to run P----V--W.ps1 but I am getting a cmdlet error when attempting to run Add-D******O*****A**. Anyone else have trouble getting that .ps1 to work?

    The cmdlet name may change from one version of the tool to another...

  • edited November 2019

    Man, timing is everything with this box to FINALLY get root. «insert cursing here»

    Now to go through it again to make sure I have a better understanding of how/why.

  • okay.. I have a user and a pass but I can't figure out what to do with it, I'm losing my mind here

  • Can someone give me a nudge?
    I got the data imported into BloodHound, what should I do next?

  • Anyone else have this problem??
    I'm unable to use BloodHound
    dns.exception.Timeout: The DNS operation timed out after 3.0019030571 seconds

  • edited November 2019

    Even if you walk in knowing how to approach gaining access and priv esc on this box, there are still a bunch of moving parts, gotchas, and places for things to go wrong. This one is more complicated than the scoring gives it credit for, so don't be discouraged!

    USER: Some accounts are juicier than others and you can be handed an associated hash if you know how to ask nicely. Sifting past the most obvious protocols will help you find where to use the cred.

    ROOT: AD can be a beast, even if you are fairly comfortable with it. Best thing to do here is to dig in and identify what kind of access your account has to objects in the domain and how that access can be exploited. There are tools (mentioned all over this thread) which will help you sniff out the scent of relevant objects and permissions, but really focus on understanding how it all comes together. This one will bite you if you try to just spray commands without understanding what they are doing. Lots to learn here if you play it that way. PM me for a better nudge.

  • edited November 2019

    ok, all i got is user via an unprivileged ps shell through w*m with s-*******o. but now i'm stuck in the privilege escalation. anyone can give me a hint?

    echo start dumb.bat > dumb.bat && dumb.bat
    doh!

  • How to deal with this on the last stage?
    Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

  • @Looking4 said:

    How to deal with this on the last stage?
    Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

    I changed the time (and timezone) on my laptop to match the remote system.

  • I definitely need some help with this box, I have been just stuck at the very beginning, only have gotten one script to return a list of users.

    PMs would be appreciated!

  • Do u really need the hound? I can't get that to run even the py version remotely. Is there an alternative route for root?

  • I've been stuck on root since the first day this box was released. Anyone care to PM me for a nudge. I have the foothold, user, the chart, I think I know the path. Just need some bump in the right direction.

  • I keep getting "You cannot call a method on a null-valued expression" errors. Can someone point me in the right direction if you know what I'm messing up?
