Forest

I have a user and pass but can't seem to figure out where to go next. A nudge would be helpful now.

Can anyone please help with this error?
KRB_AP_ERR_SKEW(Clock skew too great)
I’m currently using the Manjaro distro. I can’t find a way to set the time to match the server, and nmap takes such a long time to run.

YES!!! Finally rooted this box. I think I went about it in a long way but I learned a ton. Basically use the user access you have, run the hound, find the misconfig because people have to send mail, use the right tool to exploit that misconfig and give the user account some extra privs, use those privs to find out secrets about other users, …

Like I said, probably the long way. Please PM me if there is an easier way. Anyway, thanks to the creators of this box for a fun learning and obsessing project.

@HeXN0P said:

Can anyone please help with this error?
KRB_AP_ERR_SKEW(Clock skew too great)
I’m currently using the Manjaro distro. I can’t find a way to set the time to match the server, and nmap takes such a long time to run.

That means the domain server time and your local time are not equal. You have to set your computer to the same time as the domain server to be granted tickets. It doesn’t have to be exactly equal: this “allowed inequality” range between server and client is set by the default sysadmin; it can be seconds or minutes depending on what was set, but it is better to set your time as close as you can to the server time.

@HexN0P You can find out a domain server’s time by running this nmap script:

nmap -p 445 --script smb2-time 10.10.10.161
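
The comparison the reply above describes, as an added example that is not part of the original posts: it parses smb2-time output and reports how far a local clock is from the server's. The sample output is constructed, the 5-minute tolerance is the Windows default rather than a value known for this domain, and both timestamps are assumed to be in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Windows default for the Kerberos policy "Maximum tolerance for computer
# clock synchronization"; a domain may be configured with another value.
DEFAULT_TOLERANCE = timedelta(minutes=5)

# Constructed sample of smb2-time output (not captured from the box).
SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-time:
|   date: 2019-10-20T14:07:31
|_  start_date: 2019-10-20T09:12:04
"""

# Matches the "date:" line only, never "start_date:"; accepts either "T" or
# a space as the separator between date and time.
DATE_RE = re.compile(
    r"^\|_?\s+date:\s*(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})", re.M)


def parse_server_time(nmap_output):
    """Return the server time reported by smb2-time as a naive datetime."""
    m = DATE_RE.search(nmap_output)
    if m is None:
        raise ValueError("no smb2-time 'date:' line in the output")
    return datetime.strptime(m.group(1) + " " + m.group(2), "%Y-%m-%d %H:%M:%S")


def diagnose(nmap_output, local_time, tolerance=DEFAULT_TOLERANCE):
    """Compare local_time with the server time; both must be in the same zone."""
    server_time = parse_server_time(nmap_output)
    skew = local_time - server_time          # negative: local clock is behind
    return {
        "server_time": server_time,
        "skew_seconds": int(skew.total_seconds()),
        "direction": "behind" if skew < timedelta(0) else "ahead" if skew else "equal",
        "within_tolerance": abs(skew) <= tolerance,
    }


if __name__ == "__main__":
    # Assumption: the local clock value is in the same zone as the nmap output.
    print(diagnose(SAMPLE_OUTPUT, datetime(2019, 10, 20, 14, 0, 0)))
```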

Got User: ummm Enum to death! You should find a list of users, an impacket script will be helpful to get the rest if you so doth request it to do so.

Got Root: !!! That was awesome! Basically avoid all the mistakes I did. The evil man can call the dog, just gotta use the right syntax and it will work, from the machine. Once you have what you need and have run the right syntax, you will know where to go.

If you have a problem with the cat, avoid using it entirely. There is an old shell module that helps the evil man properly, uses a small part of the cat to do exactly what you need to do.

Fun box :) pret coo

I already found a lot of users but I can’t find any password!! Can someone help me?

The machine crashes every 1.5 minutes. There’s no way to get sharp in documents. It’s either getting DOSsed or it’s the ■■■■ bruteforcers. I got user, but will probably have to give up on root until the machine will run for 5 minutes. Please stop bruteforcing all ports, that’s not the way.

I finally got user. Tip: get a ticket to the show. hack back in google will guide your path.

I have a list of valid users and I found a way to brute force it using the “dog”, but when I run it, it says error resolving hostname ‘h**.l****l.’ to an ip address address: No such host is known and Unable to get domain controller address, but I already added the hostname to the hosts file. Can you give me some help?

Got a username and a password with low privilege. I tried to do Ker*******ing and to do that I first need to enumerate those juicy Ss, so I ran GNs.py with password but found no entries, then I ran it again with Ks ticket but it gave me the error SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure. Any nudges would be awesome.

Stuck on user: cannot walk the dog using Evil and Inv-Blo, tried different options but nothing.

Edit: got it, and then stuck with bloodhound, a new account and nowhere to put it

Good morning guys, can someone guide me on the route to root, because I’m missing something? PM.

Thank you very much.

Rooted, took me ages and I must say I learnt a load about AD and Windows in the meantime. Was in no way an easy box. Thanks to Luemmel and acidbat for the nudge.

User hints: enumerate lots to get a list of users and look to use a known weakness in how 90% of ADs are configured to get a user hash. The evil tool will help you once you have these.

Root hints: elevate from one account and use another to run the dog. It doesn’t run too well locally so look for some other methods. When the dog shows you a path, use the 3 method to take advantage.

Thanks to the creator, a great box and probably the most real life one I have come across.

@Deslight said:

@Omnisec said:

Anybody else getting

Ldap Connection Failure.
Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?

Edit:
Switched from Sharp to Blood and it worked smoothly.

Any idea why this error occurs?

I am having the same exact issue… How did you solve it?!

@coolZero1473 said:

I finally got user. Tip: get a ticket to the show. hack back in google will guide your path.

Can you give me a nudge? I got a ticket but it gives me an error.

@lessloveless said:
Got User: ummm Enum to death! You should find a list of users, an impacket script will be helpful to get the rest if you so doth request it to do so.

Got Root: !!! That was awesome! Basically avoid all the mistakes I did. The evil man can call the dog, just gotta use the right syntax and it will work, from the machine. Once you have what you need and have run the right syntax, you will know where to go.

If you have a problem with the cat, avoid using it entirely. There is an old shell module that helps the evil man properly, uses a small part of the cat to do exactly what you need to do.

Fun box :) pret cool

I have the ticket and this error pops up: “Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)”, and when I change the target ip to htb.l***l it pops this error: “SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)”.

This box was amazing, thank you.

THAT’S MY ERROR:
[Errno Connection error (LOCAL.HTB:88)] [Errno -2] Name or service not known

I tried to change domain to:
forest.htb.local
local.htb
htb

Someone? :(

Can someone give me a hand to get root? I have the json but I’m missing something. Some advice, please; thank you very much. PM me.