Forest

What a fun ride. I felt like red teaming all along. No amount of hints will help until you do thorough research on your own. It’s a beautiful teaching experience, so make the most of it.

Hints:

User:
Run basic Windows enum tech. One Impacket script can help us do a kind of roast which will help us get user.

Root:

Bloodhound + Impacket + a lot of research. By no means will it be easy if you have not worked with AD priv esc.

Enjoy. PM for nudges. I can guide you to the right reference material.

Welp, I wasted an entire day because I didn’t check the download from git, downloaded an HTML file saved as sharphound.ps1 LOL, the journey continues

C:\Users\Administrator\Desktop>whoami
htb\administrator

Mad mad mad thank you to LSD4me … days this dude’s been patiently guiding me with nudges.

This box was a freaking beast lol. Wanted to give up but the itch wouldn’t let me and my man never gave up!

Don’t give up, this box has a F ton of things to learn. It’s also sent me on an itch for more knowledge about AD.

Thanks!

Hi, I found users. And now I’m trying to understand Impacket. But right now I don’t know what I should do with this information. Any help would be perfect.

Ge*********.py asking for pass and giving error ??? Any clue how to get through?

I got the user credentials but I’m stuck on root. Tried SH and I couldn’t find any path that would help me.
I’m sure that I’m missing something, but for the first machine I think that I did well getting the user credentials by myself. It’s been 4 days, and I really want the answer.
If someone can PM me with a hint it will be appreciated.

Hi,
I have been stuck on root for a week.
Found the path, added the right D****c using Add-*******L to a new user, remote dumping secret doesn’t work!

Can someone PM me,
H.

Can someone help me with finding the initial ntlm hash? I am not sure what I am doing wrong here

@fightnerd said:

Can someone help me with finding the initial ntlm hash? I am not sure what I am doing wrong here

Nevermind

Can someone assist me in one of the last steps regarding granting my user rights? I cannot seem to do it to save my life. I assume it’s a syntax issue.

EDIT: Nevermind. I was using the wrong account to run the command in the context of. I think I would have figured it out had I known the version of the powerful tool mattered when running on a remote Linux box. I’m assuming running with runas on Windows wouldn’t need it?

Lots of new tools learned on this one. Ty @FalseProfit for giving me the tiniest tip to push me to the end! /root

so long kerberos

I thought this is easy T_T Can anyone guide me at least with the tools huhu… PM Me :cry:

Anyone available to discuss the final stages of root with me? I keep getting this error and I cannot get past it when using the cat.

ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)

Any nudge after cracking the user password?
=>“Error: An error of type WinRM::WinRMHTTPTransportError happened, message is Unable to parse authorization header.”<=
Google doesn’t help me too much…

Edit: No need anymore… I was forcing evil connection on a wrong port…

I can’t get SHd.ps1 working in the el-W*M shell, PM me if you can help me

I don’t know how to get into root … PM Me if you can help me~

I found user s**-a*******, but I do not know how to root.
I tried to run the dog, it didn’t find a path to attack, and the a******.ps1 didn’t get useful information.
Who can help me …

edit: got it.

Also stuck at root, tried multiple combinations for pex***.py but getting connection refused every time.
Is the user s**-a******* to be used for that?
Thanks!