Forest

Comments

  • Whew, finally rooted - what a fight this one was! Thanks @VoltK

    LiveOptix

  • Rooted. nice box - Big Thanks to the creators (echoing some of the other comments) this felt to be more than an easy box, I'm guessing you need a very very solid understanding of AD for it to be easy.

    Thanks to nav1n and cassn94 for their help !!

    =======================================================================

    If what I send is helpful please consider clicking the 'give respect' button :-)

  • Having a helluva time with this Machine. I was able to get users, ports and such. But still struggling on a foothold to gain a credential to login. Mostly seem to be having issues on the cmd line part of it right now. Could use a nudge on command help if someone could please DM me

    Available to help when I can and know how to help. However do not expect responses right away on these days. Sunday - Wednesday between 7am-8pm EST (USA, Orlando, Fl) as I work those days from 7a-7p and then the ride home. Just a forewarning is all :) Other than that I'll answer ASAP, or when I get home from work.

    CompTIA A+ | Network+ | Security+ | CySA+ (pending beta Results) | PenTest+ (In Progress) | C|EH (in Progress)
  • Need a nudge for root. Could someone DM me with a little help.
    New to the dog and AD, think I know what I need to do just don't really know how to go about it. Anything helps! Thanks.

  • edited December 2019

    ** edit ** whoops lol

  • @Icyb3r said:

    @xcabal said:

    I am at the last step but I cannot crack the hash :'(

    If you are on the last step of cracking the hash for the user account, for sure you need hashc**, but for the last step for root some impacket scripts accept a hash for login.

    Thank you for posting this. I almost gave up when I couldn't crack the hash. This was a good learning experience but man was it rough going through the forest.

  • finally the root

  • edited December 2019

    Totally new to windows AD here.
    I got the permissions suggested by the dog but the kat doesn't work at all :( Any hints? Am I on the right track? (I'm just using the same user but with more permissions)

    Rooted! thank you @VoltK

    Note: keep in mind that a lot of people are messing around with your user.

  • edited December 2019

    Hey hackers. I uploaded dog through evil ps, but when I try to run .\S**pH***d.exe nothing happens.. any ideas? ps1 either :/ thx for any nudge

  • edited December 2019

    How long did you guys run your favorite cracking tool? Mine is taking forever (****cat)

    edit

    I parsed a param so it didn't use my wordlist. NVM :D

  • edited December 2019

    Has anyone come across this issue? I've tried omitting the domaincontroller option and tried all LDAP related ports. Also tried the IgnoreLdapCert.

    Ldap Connection Failure.
    Try again with the IgnoreLdapCert option if using SecureLDAP or check your DomainController/LdapPort option

    EDIT, tried harder and figured it out

  • Hi everyone,

    That's my first Windows box that I'm really trying to solve, but I have no experience with Windows pentest techs at all.

    Got user creds, logged in to some services but no luck getting shell, user flag, finding path to proceed.

    Please PM me some articles, retired writeups, any materials that can help to understand howto and what can be done here, just have no idea where to start.

    Regards,

    ekka
    Making my way from newbie to pro

  • edited December 2019

    I feel so stupid now. I completely overlooked an e***-****m little tool that I could use. Finally got user!!! Now on to root!!!

  • Can someone message me? I have been stuck on root for days and could use a hint in the right direction. I know about the two **oup* that I need to be in. I just can't figure out what the final step is to get access. Thanks

  • @mikensen said:

    Hey hackers. I uploaded dog through evil ps, but when I try to run .\S**pH***d.exe nothing happens.. any ideas? ps1 either :/ thx for any nudge

    you can use blo**h***-python in order to collect data remotely

  • Hey guys, stuck on getting user. I managed to get the hash but not sure what to do with it next. I am sure bruteforcing is not the best way. Should I look into this evil little tool everyone is talking about?

  • Alright, I am currently playing with the dog but somehow the system is not letting me... nothing comes back ..any hints?

    SiV4rPent3st

  • Trying to get ROOT LOOPZ on this SOB.

    Why do I error when I try find secrets?!?

    DM assistance please !

    someone confirm there are alternate routes please?

  • Rooted, thanks @VoltK for the help.

    tip for root: after finding the path with the dog, consider using someone other than s********o to do what you need to. Makes things a bit easier when there are others on the box.

  • Ohh, got the user. This was... so many new tools. Next step - root and, possible, another new tool...

    Kirzaks

  • @0daybot said:

    Rooted, thanks @VoltK for the help.

    tip for root: after finding the path with the dog, consider using someone other than s********o to do what you need to. Makes things a bit easier when there are others on the box.

    I strongly recommend that everybody create a new user and support it instead of "promoting" s*********o. If somebody solves the task using the latter method, he/she should reset the machine since that status doesn't reflect the original conditions and other hackers can solve the task without understanding the original concept.

    bumika

  • I'm trying to run I*****-*****n but keep getting null errors? Anybody have a solution for this issue?

  • Man how the F do you get this box without having to go into windows and use AD**E*** like... ok got the account.. Now what exactly do I do from giving it the Exc**** Privs and then using sec***du***.py lol like this box is driving me freaking mad. I'm at the final gate and just can't get this s#$# to work right.

    Any help for linux pwning?

  • Hi,

    Need help for root flag !!! I'm pretty sure I have done 95% of the job but I cannot figure out why this sh** doesn't work.

    I have a new user created and granted this with "EXCH*** WIND*** PERM" rights. Then, abuse dacl for this user like suggested by Blood in order to have DCSync rights. It seems good but when I want to remotely dcsync with sec-d.py this doesn't work... Any ideas ???

    Thanks for your help

  • edited December 2019

    I am currently stuck on the part where you need to give a user some permissions. I walked the dog, found the w******** vulnerability and I created a new user that I want to give the replicating permissions to but I am having trouble with this.

    Any help is appreciated! Thanks!

    Edit: Thanks to @gverre and @sta1ker for the help! Much appreciated! If anyone needs help, feel free to PM me. Lots of little things I was missing.

    Root: One hint I can give is be sure you're authenticating with the right service and you are passing the right arguments.

  • What a fun ride. I felt like red teaming all along. No amount of hints will help until you do a thorough research on your own. It's a beautiful teaching experience, so make the most of it.

    Hints:

    User:
    Run basic windows enum tech. One impacket script can help us do a kind of roast which will help us get user.

    Root:

    Bloodhound + impacket + a lot of research. By no means will it be easy if you have not worked with AD priv esc.

    Enjoy. Pm for nudges. I can guide you to the right reference material

    3zCulprit

  • Welp, I wasted an entire day because I didn't check the download from git, downloaded an HTML file saved as sharphound.ps1 LOL, the journey continues

  • C:\Users\Administrator\Desktop>whoami
    htb\administrator

    Mad mad mad thank you to LSD4me ... days this dude's been patiently guiding me with nudges.

    This box was a freaking beast lol. Wanted to give up but the itch wouldn't let me and my man never gave up!

    Don't give up, this box has a F ton of things to learn. It's also sent me on an itch for more knowledge about AD.

    Thanks!

  • Hi, I found users. And now I'm trying to understand Impacket. But right now I don't know what I should do with this information. Any help would be perfect.

  • Ge*********.py asking for pass and giving error ??? Any clue how to get through?
