Forest

Comments

  • Hit me with a PM if help is needed

  • Thanks to @egre55 and @mrb3n for creating this machine.

    I got the system but it was impossible for me without the hints from @madhack . I am using the bloodhound for the first time and it doesn't show me anything useful or I couldn't understand. Anyway, root part was very hard for me. It is not an "Easy" level machine.

  • I'm getting the following with the remote py tool, despite using various parameters and making changes to my hosts file. Obviously I'm missing something, is someone able to discuss by PM?

    dns.exception.Timeout: The DNS operation timed out after 3.00170922279 seconds

  • Hello everyone, I already have the user but I have lost hours with the root if someone could help me.

    have a nice day

  • I have a user and pass but can't seem to figure out where to go next; a nudge would be helpful now.

  • Can anyone please help about this error ?
    KRB_AP_ERR_SKEW(Clock skew too great)
    I'm currently using Manjaro distro. I can't find a way to set the time to match the server and the nmap takes such a long time to run.

  • YES!!! Finally rooted this box. I think I went about it in a long way but I learned a ton. Basically use the user access you have, run the hound, find the misconfig because people have to send mail, use the right tool to exploit that misconfig and give the user account some extra privs, use those privs to find out secrets about other users, ...

    Like I said, probably the long way. Please PM me if there is an easier way. In anyway, thanks to the creators of this box for a fun learning and obsessing project.

  • @HeXN0P said:

    Can anyone please help about this error ?
    KRB_AP_ERR_SKEW(Clock skew too great)
    I'm currently using Manjaro distro. I can't find a way to set the time to match the server and the nmap takes such a long time to run.

    That means the domain server time and your local time are not equal. You have to set in your computer the same time that the domain server has to get granted tickets. It's not necessary to be extremely equal; this "allowed inequality" range between server and client is set by the default sysadmin, it can be seconds or minutes depending on what was set, but better to set your time to the closest you can to the server time.

  • @HexN0P You can know a domain server time running this nmap script:

    nmap -p 445 --script smb2-time 10.10.10.161
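
Added example, not part of any post in this thread: a small Python helper that reads the `date:` line from smb2-time output and reports how far the local clock is from the server's, against the 5-minute Active Directory default tolerance. The sample output is constructed, and treating the reported time as UTC is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Default value of the AD Kerberos policy "Maximum tolerance for computer
# clock synchronization"; a domain admin can change it.
DEFAULT_MAX_SKEW = timedelta(minutes=5)

# Constructed sample of smb2-time script output (not captured from this box).
SAMPLE_NMAP_OUTPUT = """\
Host script results:
| smb2-time:
|   date: 2019-12-01T10:22:41
|_  start_date: 2019-12-01T09:58:03
"""

# Matches the "date:" line only; accepts "T" or a space between date and time.
_DATE_RE = re.compile(
    r"^\|\s+date:\s*(\d{4}-\d{2}-\d{2})[T ](\d{2}:\d{2}:\d{2})", re.M
)

def parse_server_time(nmap_output):
    """Return the server time from smb2-time output as an aware datetime."""
    m = _DATE_RE.search(nmap_output)
    if m is None:
        raise ValueError("no smb2-time 'date:' line found")
    naive = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
    # Assumption: the reported time is treated as UTC.
    return naive.replace(tzinfo=timezone.utc)

def clock_skew(server_time, local_time=None):
    """Server time minus local time; positive means the local clock is behind."""
    if local_time is None:
        local_time = datetime.now(timezone.utc)
    return server_time - local_time

def within_tolerance(skew, max_skew=DEFAULT_MAX_SKEW):
    """True if the absolute skew is inside the Kerberos tolerance window."""
    return abs(skew) <= max_skew

if __name__ == "__main__":
    skew = clock_skew(parse_server_time(SAMPLE_NMAP_OUTPUT))
    print(f"server - local = {skew}; within tolerance: {within_tolerance(skew)}")
```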

  • Got User: ummm Enum to death! you should find a list of users, an impacket script will be helpful to get the rest if you so doth request it to do so.

    Got Root: !!!!!!!!!!!!!!!!!!!!!!!!! That was awesome! Basically avoid all the mistakes I did. the evil man can call the dog, just gotta use the right syntax and it will work, from the machine. Once you have what you need and have run the right syntax, you will know where to go.

    If you have a problem with the cat, avoid using it entirely. There is an old shell module that helps the evil man properly, uses a small part of the cat to do exactly what you need to do.

    Fun box :) pret coo

  • I already found a lot of users but I can't find any password!! Can someone help me?

  • The machine crashes every 1.5 minutes. There's no way to get sharp in documents. It's either getting DOSsed or it's the damn bruteforcers. I got user, but will probably have to give up on root until the machine will run for 5 minutes. Please stop bruteforcing all ports, that's not the way.

  • I finally got user. Tip: get a ticket to the show. hack back in google will guide your path.

  • I have a list of valid users and I found a way to brute force it using the "dog" but when I run it, it says error resolving hostname 'h**.l****l.' to an ip address address: No such host is known and Unable to get domain controller address but I already added the hostname to the hosts file. Can you give me a help?

  • got a username and a password with low privilege. I try to do Ker*******ing and to do that I first need to enumerate those juicy S**s so I ran G********Ns.py with password but found no entries, then I run it again with K******s ticket but gave me the error SessionKeyDecryptionError: failed to decrypt session key: ciphertext integrity failure. Any nudges would be awesome.

  • edited December 2019

    stuck on user cannot walk the dog using Evil and Inv-Blo, tried different options but nothing

    Edit: got it, and then stuck with bloodhound, a new account and nowhere to put it

  • Good morning guys, can someone guide or route to the root because I'm missing something pm

    thank you very much

  • rooted, took me ages and I must say learnt a load about AD and windows in the meantime. Was no way an easy box. thanks to Luemmel and acidbat for the nudge.

    User hints : enumerate lots to get a list of users and look to use a known weakness in how 90% of ADs are configured to get a user hash. The evil tool will help you once you have these.

    Root hints : elevate from one account and use another to run the dog. It doesn't run too well locally so look for some other methods. When the dog shows you a path, use the 3 method to take advantage.

    Thanks to the creator, a great box and probably the most real life one i have come across.
  • @Deslight said:

    @Omnisec said:

    Anybody else getting

    Ldap Connection Failure.
    Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option ?
    

    Edit:
    Switched from Sharp to Blood and it worked smoothly.

    Any idea why this error occurs?

    I am having the same exact issue.. How did you solve it ?!

  • @coolZero1473 said:

    I finally got user. Tip: get a ticket to the show. hack back in google will guide your path.

    Can you give me a nudge? I got a ticket but it gives me an error.

  • @lessloveless said:
    Got User: ummm Enum to death! you should find a list of users, an impacket script will be helpful to get the rest if you so doth request it to do so.

    Got Root: !!!!!!!!!!!!!!!!!!!!!!!!! That was awesome! Basically avoid all the mistakes I did. the evil man can call the dog, just gotta use the right syntax and it will work, from the machine. Once you have what you need and have run the right syntax, you will know where to go.

    If you have a problem with the cat, avoid using it entirely. There is an old shell module that helps the evil man properly, uses a small part of the cat to do exactly what you need to do.

    Fun box :) pret cool

    I have the ticket and this error pops up "Kerberos SessionError: KDC_ERR_S_PRINCIPAL_UNKNOWN(Server not found in Kerberos database)" and when I change the target ip to htb.l***l it pops this error "SMB SessionError: STATUS_MORE_PROCESSING_REQUIRED({Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.)".

  • edited December 2019

    This box was amazing, thank you.

  • THATS MY ERROR:
    [Errno Connection error (LOCAL.HTB:88)] [Errno -2] Name or service not known

    i tried to change domain to:
    forest.htb.local
    local.htb
    htb

    someone? :(

  • Can someone give me a hand to get the root? I have the json but I'm missing something. Some advice, thank you very much, pm me

  • @OtzLyGotzLy I have the same error, can anyone help with this?

  • @Ma1ware said:

    @OtzLyGotzLy I have the same error, can anyone help with this?

    PM i fix that

  • edited December 2019

    This machine being labeled as easy is the biggest lie on HTB.

  • edited December 2019

    was using e***-w**** to get initial foothold but now it's not working. Could someone DM me on how to use imp****t.

    nvm got it

  • Wasted too much time on root now... Feels like I’m always a command away but that command doesn’t work ☹️
    PM me please
  • Anyone free to help me with root. I understand about how to use the dog, but I feel I have missed a step in progressing.

    Hack The Box
    Discord: AzAxIaL#8633
