• edited January 2020
    Sry for duplicate posts, browser sent post request multiple times
  • First box I ever pen tested. Enum the username. Ripped the has but not sure I did that right. Anyone able to help over DMs. Not looking for answers.

  • edited January 2020

    manage to get user, in my packet get. rip curl smoked the hash.
    thanks for help
    will appreaciate DM hints on root?
    I have never trained any dogs.

  • edited January 2020

    Hi All.

    Ok. I think this one has beaten me. White flag raised.

    I used the greek dog to get the scv* credential and I can get in using something evil. I've used the Hound to look at possible paths, but all appear to be dead ends.

    Watched a good number of video's and learned a good number of new skills, but after days of work with no movement, I'm burnt out at this stage. I think I must be missing something fundamental. You don't know what you dont know right?

    I'm off to walk the real life dog and get some air. Maybe something will come to mind. In the meantime, any pointers would be good. Please PM me for Respect.

    Thanks in advance!

    Edit - Turns out I wasn't missing any knowledge. Turns out the remote py data collector (hint) does not collect all the data needed to show a path.

    Going Full Caveman during isolation. No shaving any hair for the duration.

  • edited January 2020

    Hey guys,

    I have transfered and import sharp doggy script throught some evil proto session but when I am trying to invoking it no output is generated and also no file. Please help guys.

    edit: I have got it I have used a .py version

  • edited January 2020


  • Finally rooted this box! Good lord, only took me a little over a week. Thanks to the creators for making this; I learned a lot about attacking AD than I thought I would! Also thanks to everyone here in the forums for all of your tips and guidance. Couldn't have done it without you!

  • Struggled with this box for roughly a month and finally rooted today thanks to the help i received. Great box to the creators.

    Hack The Box

  • Needing some help with root, someone pm please. Got my simple python server setup and sharphound ported over.. I run it, it doesnt error out. But creates nothing and when I invoke bloodhound, again it doesnt error out, but does nothing.


  • I have cracked the service account credentials, but no idea how to get the user shell. Please PM me for hints, thanks a lot
  • Finally rooted last night. Thanks to @j9allmarine17 for the help. I was on my way there but timing was key along with missing some key parts when running some of the tools needed to get to where I needed to be.

    For anyone still trying, keep in mind that some tools need essential information to run or simply run properly. Also, when working with 'the dog' timing is key along with working with a 'directory' structure.

    Hack The Box
    CISSP | eJPT

  • Finally rooted this box.
    Thanks to @royc3r , @episteme and @3zculprit for all the help !

    If you know AD stuff, its probably easy. If you know next to nothing about AD, like me, you will get to learn some shit and no longer be "Jon Snow".

    Probably Will also learn couple new tools !
    Keep trying harder !

  • edited January 2020

    Hi All.

    I have a very specific problem, but i don't want to give anything away, so I'll try and stick to what others have already outlined here.

    I am at the stage where you add a user to a certain group and then scan the AD using a certain ingestor.

    However, no matter which local version I use, they all fail. No output and no error message. I used a remote py version which does collect the data and I can throw this data into the Hound but now I see a new problem.

    After adding the user to the group, I still dont see an available attack path, which leads me to believe my ingestor is maybe not reading the domain entirely.

    If I am correct, then adding the user to the group should give it potential access to some new security rights and this should show up in the Hound after a rescan?

    Sorry.. trying to be vague. I hope some of you guys get what I'm trying to say here lol

    Any help would be greatly appreciated at this point.


    Edit - Turns out I wasn't missing any knowledge. Turns out the remote py data collector (hint) does not collect all the data needed to show a path.

    Going Full Caveman during isolation. No shaving any hair for the duration.

  • Still could use some help.. Really not sure how to get my user added to the group everyone is talking about. net localgroup does not work. I also cannot run powerview so I cannot run any powershell commands via my winrm shell. pretty stuck here. 0 experience with powershell here


  • Rooted. My head is blown after this challenge. As everybody else said: I learned a lot.

    I've been trying for days to get root.

    Here goes my hints: don't overthink too much. Don't try to complicate things.
    The dog is important to tell you where you are and that's all. From there you should Google to know what is missing for you. Try to do it RIGHT.
    Once you get it, as I said, don't complicate things.

  • Well I need a hint getting root. I can add user to the 2 Ex groups, but cannot seem to get the DCS right added properly. I am not actually sure which Domain Object I should add it to. Because the right is not added, getting secrets fails.

    Am I on the right track?

  • Blimmin heck that was a learning curve an a half.

    Finally nailed root.

    Definitely burnt some hours on this one but dang it feels good once I got there.

    Thanks to @jenco for the the help.

    Would be keen to discuss my methodology to see what else I can learn.

  • Type your comment> @Uglymike said:

    On the final stages, but am having trouble firing up sec***** I keep getting:
    DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

    Edit: Nevermind. It was me.

    i've the same error, can someone help me ?

  • i got the "dogs way graphs" , but not sure what to do next. any hints pls, im stucked for few days here -_- thx

  • Type your comment

  • i am stuck on this for few days now. Got the S****H**** py ingestor. Added new user and added the user to groups. Not sure what to do next. the dogs are not showing me the any new path. Please pm

  • Rooted.

    By far the most fun I've had with a box, ever. Thanks for creating it.

  • Rooted forest yesterday evening. What a challenge to own it and so close to real life.

    You can find write-ups and walkthroughs on my personal blog:

  • Finally made it over the line.

    This was only my third box and I had filtered the options down to easy, so after rooting two linux boxes previously, I was sure that this windows box would be quick and simple given that I've been administering windows for over ten years.

    How wrong was I? Very... let's leave it at that... lol

    This box has taught me things about windows that I never knew before. I've also learned the finer details of a number of protocols and services not to mention the sheer amount of tool experience gained navigating this machine. Plenty of advice has been offered already and the hints required are all here in this thread already, so if I can offer any advice of value it would be around tool usage and results.

    Tools get old. Make sure you are using the latest/best tools for the job. Older tool sets may error out on you. For instance, there is a certain version of an ingestor that does not collect all the data you need in order to see a certain path (hint).

    If you are not getting the results you expected. Double check your settings. Multiple times after updating something, I found my changes had not set. If multiple users are administering the same domain objects at the same time, configs can be overwritten. This is a major gotcha. Timing is important.

    Lastly, journal your journey. I often find that writing down what I have done so far can trigger thoughts around what to do/try next. It also helps a great deal when you stayed up way past your sleep time, hacking away, too tired to think properly. At least you have your notes to turn to, instead of hazy memories from the night before.

    About two to three days after gaining the user on this box, I hit a brick wall. Nothing I did was working and so I sought help from the guys here. They were excellent. No one ruined the game by giving direct instructions and many times it was at least comforting to know these guys had seen similar problems to me. Also it was nice to know I was on the right path and not as lost as I had thought I was. I'd like to thank the following users:


    Thanks also to the box creators. Not sure this should have been in the easy section though!

    Going Full Caveman during isolation. No shaving any hair for the duration.

  • Type your comment> @T13nn3s said:

    Rooted forest yesterday evening. What a challenge to own it and so close to real life.

    i rooted this box a view weeks ago but yesterday i used the tooling for a pen test :)
    so, yeah, its really close to real life

    windows 7 10 is my rig :) if it can't be done on windows, i fail.

  • any one facing this issue ? when i drag and drop the zip file to blhod it doesnt import it ask where you want to save the file ?

    OSCP | I'm not a rapper

  • I got so far with root, but now my frustration hit maximum levels :|

    A..-O..CL -Rights ... -V
    Granting 'D..' on ..=mynewuseracc
    Granting p... on ..=mynewuseracc
    Granting p.. on ..=mynewuseracc
    Granting p. .on ..=mynewuseracc

    However logging in as mynewuseracc via W..RM and trying to utilize the cat I get
    ERROR kuhl_.. ; GetNC.. 20f7 (8439)

    Adding the needed permissions to my new account seemingly succeeded.. why did the cat not? Help greatly appreciated!

  • so i got the hash but having a hard time cracking via hashcat, does it take that long or fast?

  • Just got User,

    Hints -

    The usual windows enumeration scripts should give a useful list of things.
    Use this list with some other very common package of python scripts to capture some loot.
    With this you should have enough information to use a certain evil tool as mentioned previously.

    Hope that helps someone, I struggle to hit the right balance of being helpful but not spoiling.

    On to root!


  • Type your comment> @Yuki305 said:

    so i got the hash but having a hard time cracking via hashcat, does it take that long or fast?


    Always happy to help others. 100% human

Sign In to comment.