Forest

Even if you walk in knowing how to approach gaining access and priv esc on this box, there are still a bunch of moving parts, gotchas, and places for things to go wrong. This one is more complicated than the scoring gives it credit for, so don’t be discouraged!

USER: Some accounts are juicier than others and you can be handed an associated hash if you know how to ask nicely. Sifting passed the most obvious protocols will help you find where to use the cred.

ROOT: AD can be a beast, even if you are fairly comfortable with it. Best thing to do here is to dig in and identify what kind of access your account has to objects in the domain and how that access can be exploited. There are tools (mentioned all over this thread) which will help you sniff out the scent of relevant objects and permissions, but really focus on understanding how it all comes together. This one will bite you if you try to just spray commands without understanding what they are doing. Lots to learn here if you play it that way. PM me for a better nudge.

ok, all i got is user via an unprivileged ps shell through w*m with s-*******o. but now i’m stuck in the privilege escalation. anyone can give me a hint?

How to deal with this on the last stage?
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

Type your comment> @Looking4 said:

How to deal with this on the last stage?
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

I changed the time (and timezone) on my laptop to match the remote system.

I definitely need some help with this box, I have been just stuck at the very beginning, only have gotten one script to return a list of users.

PMs would be appreciated!

Do u really need the hound? I can’t get that to run even the py version remotely. Is there an alternative route for root?

I’ve been stuck on root since the first day this box was released. Anyone care to PM me for a nudge. I have the foothold, user, the chart, I think I know the path. Just need some bump in the right direction.

I keep getting “You cannot call a method on a null-valued expression” errors. Can someone point me in the right direction if you know what I’m messing up?

Finally rooted it.
It’s 15 years since my last pwn but honestly I never thought I became so “rusted”.
Anyway this box is not such a piece of cake even if you chewed AD before. I cant imagin how overwhelming may be for those who never faced it.
thanks @blay for nudges on going ahead

Is W*******L the path to root?

Hi, I Got the map and found a path(maybe) but I have no idea for next step for root. Some nudge

Finally rooted! 1 week studying stuff for be able to pwn this machine but in the end worth it

Thanks for the nudges @wwingcomm @Chobin73 @MrPennybag without their help probably 2/4 weeks to root this machine xD

Any help that you need ping me

I hgot a shell using Ev*******M and uploaded Sd.ps1 to the document folder of the user and I cant run Ine-B***d after Importing it as module. Any idea why?

Hi, I got the data into the dog but I just don’t know what am I supposed to look at, I know the basics of AD so this is a bit overwhelming. A nudge would be very appreciated.

Little nudge for everyone: google has really all the answers you need, and the dog can really help you pose the right question. As stated before, the AD is somehow a true beast to deal with, but nothing has been really overturned on it’s core functioning since Win2k.

I keep running into an error using sd.py. I have moved s-a****** into the E***** W***** P****** group as well.

Please PM me with suggestion!

hi guys, when i tried to use ACL***.py. I always get a “No Path Found”. My dog is running though.

Can you just please stop resetting the machine ? It keep resetting like every 30 minutes… STOP IT really…

If you don’t succeed for what you do then something is wrong but it’s not the machine itself.

I tried like 20 times yesterday, it’s really annoying…

Finally got root. FINALLY. pm is you want a nudge.

Rooted! very hard for me, but learning a lot.

Thanks @wwingcomm for for all the hits and @chm0dx for the introduction.