Forest

Rooted! Very hard for me, but learning a lot.

Thanks @wwingcomm for all the hints and @chm0dx for the introduction.

@Andres7ll said:

Rooted! Very hard for me, but learning a lot.

Thanks @wwingcomm for all the hints and @chm0dx for the introduction.

I am still trying to root it after 3 days…
Now it seems the box is down.

While I did get root, I’m going back and still struggling to figure out why S----H----.* cannot or does not work via e–l-w—m. Is b---------.py, with opts to get more than the default, the only means to get that data to map out the way? It ended up not being particularly helpful, so a bit confused why often urged in this thread. Something is not clicking for me.

After enumerating for 2 hours, I realised I already had the user flag and hadn’t noticed. I’m currently stuck in a rabbit hole I think, trying an exploit which seems to be the one but I can’t get into the port I need.

Edit: Rooted, fun box.

User: Find the right tool, get your hashes
Root: Take the dog for a walk, but you might find something that will do the whole job for you. Once you find the treasure, pass it on.

After a lot of trouble, I’ve finally pwned this machine!! Pretty hard, but I’ve learned a lot :smiley:

PM if you want some help :wink:

If you are looking for easy points don’t go for this box

Hey, can someone help me with the syntax for the dog. I have it on the box but I’m getting errors, I’m 99% sure I’m right and just need to tweak the command a bit

@dog9w23 said:

Hey, can someone help me with the syntax for the dog. I have it on the box but I’m getting errors, I’m 99% sure I’m right and just need to tweak the command a bit

It is important that you use all relevant authentication data. I have experience with the powershell version.

@bumika said:

@dog9w23 said:

Hey, can someone help me with the syntax for the dog. I have it on the box but I’m getting errors, I’m 99% sure I’m right and just need to tweak the command a bit

It is important that you use all relevant authentication data. I have experience with the powershell version.

When I tried using the user and password settings, I just got the help page thrown at me or an error saying no such object. It seems to not want to take anything I try to put in (and I’m not using evil).

@dog9w23 said:

@bumika said:

@dog9w23 said:

Hey, can someone help me with the syntax for the dog. I have it on the box but I’m getting errors, I’m 99% sure I’m right and just need to tweak the command a bit

It is important that you use all relevant authentication data. I have experience with the powershell version.

When I tried using the user and password settings, I just got the help page thrown at me or an error saying no such object. It seems to not want to take anything I try to put in (and I’m not using evil).

Send me a PM, and I will try to help.

Finally got the dog to walk. But not sure what else to do now. See my path, but don’t understand. Dog has tips to use P****-V***, but that does not work. Got an article that has a similar attack?

Just got user. If you don’t know windows, this is going to be a pain (it was for me).

If you’re using impacket scripts, grab the latest from GitHub.

@ciyiw88006 said:

I got a shell using Ev*******M and uploaded Sd.ps1 to the document folder of the user and I can’t run Ine-B***d after importing it as a module. Any idea why?

I’m having the same problem. I’ve used the bypass methods and it’s still not firing. Been reading for days. Could use some help.

I was able to get a list of user accounts. Stuck on the next steps

Just completed User on this one… finally got to use E…-W…M tool, cool! Off to Admin

Guys, can anyone confirm the status of the machine? I have been trying for two days and it is showing as offline. I tried to stop/start, restart, etc… nothing!

[EDIT] Never mind, transferring the machine did the job!

@djbrains said:

Finally, cost me over a month, 1 laptop, a desk, my relation, but totally worth it.

USER INFORMATION

User Name SID
================= ============================================
htb\administrator S-1-5-21-3072663084-364016917-1341370565-500
E**-***M PS C:\Users\Administrator\desktop>

This is also a hint: the last step can be done without impact.
Just look at what you used for the user shell.

xd

Stuck on getting root. Have the pup running and am able to add to Gr— P— C-- O— group. The dog says I should be able to do a dc sync attack but doesn’t look like that’s working. Also says that I have access to change GPO. Any nudges would be amazing.

Hit me with a PM if help is needed

Thanks to @egre55 and @mrb3n for creating this machine.

I got the system but it was impossible for me without the hints from @madhack. I am using the bloodhound for the first time and it doesn’t show me anything useful, or I couldn’t understand it. Anyway, the root part was very hard for me. It is not an “Easy” level machine.