Forest

Hi All.

I have a very specific problem, but i don’t want to give anything away, so I’ll try and stick to what others have already outlined here.

I am at the stage where you add a user to a certain group and then scan the AD using a certain ingestor.

However, no matter which local version I use, they all fail. No output and no error message. I used a remote py version which does collect the data and I can throw this data into the Hound but now I see a new problem.

After adding the user to the group, I still dont see an available attack path, which leads me to believe my ingestor is maybe not reading the domain entirely.

If I am correct, then adding the user to the group should give it potential access to some new security rights and this should show up in the Hound after a rescan?

Sorry… trying to be vague. I hope some of you guys get what I’m trying to say here lol

Any help would be greatly appreciated at this point.

Cheers!

Edit - Turns out I wasn’t missing any knowledge. Turns out the remote py data collector (hint) does not collect all the data needed to show a path.

Still could use some help… Really not sure how to get my user added to the group everyone is talking about. net localgroup does not work. I also cannot run powerview so I cannot run any powershell commands via my winrm shell. pretty stuck here. 0 experience with powershell here

Rooted. My head is blown after this challenge. As everybody else said: I learned a lot.

I’ve been trying for days to get root.

Here goes my hints: don’t overthink too much. Don’t try to complicate things.
The dog is important to tell you where you are and that’s all. From there you should Google to know what is missing for you. Try to do it RIGHT.
Once you get it, as I said, don’t complicate things.

Well I need a hint getting root. I can add user to the 2 Ex groups, but cannot seem to get the DCS right added properly. I am not actually sure which Domain Object I should add it to. Because the right is not added, getting secrets fails.

Am I on the right track?
Thanks

Blimmin heck that was a learning curve an a half.

Finally nailed root.

Definitely burnt some hours on this one but dang it feels good once I got there.

Thanks to @jenco for the the help.

Would be keen to discuss my methodology to see what else I can learn.

Type your comment> @Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.

i’ve the same error, can someone help me ?

i got the “dogs way graphs” , but not sure what to do next. any hints pls, im stucked for few days here -_- thx

Type your comment

i am stuck on this for few days now. Got the SH py ingestor. Added new user and added the user to groups. Not sure what to do next. the dogs are not showing me the any new path. Please pm

Rooted.

By far the most fun I’ve had with a box, ever. Thanks for creating it.

Rooted forest yesterday evening. What a challenge to own it and so close to real life.

Finally made it over the line.

This was only my third box and I had filtered the options down to easy, so after rooting two linux boxes previously, I was sure that this windows box would be quick and simple given that I’ve been administering windows for over ten years.

How wrong was I? Very… let’s leave it at that… lol

This box has taught me things about windows that I never knew before. I’ve also learned the finer details of a number of protocols and services not to mention the sheer amount of tool experience gained navigating this machine. Plenty of advice has been offered already and the hints required are all here in this thread already, so if I can offer any advice of value it would be around tool usage and results.

Tools get old. Make sure you are using the latest/best tools for the job. Older tool sets may error out on you. For instance, there is a certain version of an ingestor that does not collect all the data you need in order to see a certain path (hint).

If you are not getting the results you expected. Double check your settings. Multiple times after updating something, I found my changes had not set. If multiple users are administering the same domain objects at the same time, configs can be overwritten. This is a major gotcha. Timing is important.

Lastly, journal your journey. I often find that writing down what I have done so far can trigger thoughts around what to do/try next. It also helps a great deal when you stayed up way past your sleep time, hacking away, too tired to think properly. At least you have your notes to turn to, instead of hazy memories from the night before.

About two to three days after gaining the user on this box, I hit a brick wall. Nothing I did was working and so I sought help from the guys here. They were excellent. No one ruined the game by giving direct instructions and many times it was at least comforting to know these guys had seen similar problems to me. Also it was nice to know I was on the right path and not as lost as I had thought I was. I’d like to thank the following users:

@mswdr2
@DJBrains
@MADE
@Inertia
@RodriguePascal
@R0xas
@Rene866

Thanks also to the box creators. Not sure this should have been in the easy section though!

Type your comment> @T13nn3s said:

Rooted forest yesterday evening. What a challenge to own it and so close to real life.

i rooted this box a view weeks ago but yesterday i used the tooling for a pen test :slight_smile:
so, yeah, its really close to real life

any one facing this issue ? when i drag and drop the zip file to blhod it doesnt import it ask where you want to save the file ?

I got so far with root, but now my frustration hit maximum levels :expressionless:

A…-O…CL -Rights … -V
Granting ‘D…’ on …=mynewuseracc
Granting p… on …=mynewuseracc
Granting p… on …=mynewuseracc
Granting p. .on …=mynewuseracc

However logging in as mynewuseracc via W…RM and trying to utilize the cat I get
ERROR kuhl_… ; GetNC… 20f7 (8439)

Adding the needed permissions to my new account seemingly succeeded… why did the cat not? Help greatly appreciated!

so i got the hash but having a hard time cracking via hashcat, does it take that long or fast?

Just got User,

Hints -

The usual windows enumeration scripts should give a useful list of things.
Use this list with some other very common package of python scripts to capture some loot.
With this you should have enough information to use a certain evil tool as mentioned previously.

Hope that helps someone, I struggle to hit the right balance of being helpful but not spoiling.

On to root!

Type your comment> @Yuki305 said:

so i got the hash but having a hard time cracking via hashcat, does it take that long or fast?

PTH

Is this machine running like a hamster on a wheel for everyone or just me?

Got it finally, I probably hold the record for the SLOWEST root. Thanks heaps to @FatPotato and @episteme