Forest

Type your comment> @wes0001 said:

Can someone give a nudge for root? I have the new user created and in the proper groups. I am trying to add D***** R***** to the user using P*V but cannot seems to get the syntax right.

Make sure to try the dev branch for p*v when I was using the master it wasn’t working either. Do you get an error?

@ShadowSuave
The error code I am getting is:
ERROR kull_m_rpc_drsr_CrackName ; CrackNames (name status): 0x00000002 (2) - ERROR_NOT_FOUND

hey guys, I wanna make sure im following the box correctly, but I found a user h****** that sounds veeerrry fishy. (as in, I’m not following the box correctly.) could anyone tell me if this is the right track?

Edit: found the correct user: S**-a*******

Type your comment> @theonemcp said:

Finally got USER yesterday. No an reasy road. Fell in so many rabbit holes, bbut in the end I saw the light … no on to root. I guess that will get even more complicated …

awesome, still struggling to get the initial foothold. :frowning:

Just to quick shout out to @VbScrub and @ompamo for there advice.
Learned absolutely loads.
Firist box completed, many more to go!

Initial enumeration got me a list of the domain and one user stood out as it’s something that i’ve seen in the real world and the user had some interesting groups. i bruteforced the password last night, but now that username\password don’t work. WTF? The password i had was a common keyboard walk. The box has been reset recently, so i’m guessing someone had changed the password when i cracked it?

@ShadowSuave said:

You have to get a different shell to run mimkatz, but mimikatz isn’t required to get root

Hey, can you pm me what you did to get root without mimikatz? Also what do you mean by having to get different shell to run mimikatz?
I managed to run mimikatz and get desired output even with it going into a loop, and was able to proceed further. I want to know if there are any other/better ways.

Type your comment> @marchitect said:

Initial enumeration got me a list of the domain and one user stood out as it’s something that i’ve seen in the real world and the user had some interesting groups. i bruteforced the password last night, but now that username\password don’t work. WTF? The password i had was a common keyboard walk. The box has been reset recently, so i’m guessing someone had changed the password when i cracked it?

Resets seem to be pretty frequent on this box.

Type your comment> @Radixx said:

@ShadowSuave said:

You have to get a different shell to run mimkatz, but mimikatz isn’t required to get root
Hey, can you pm me what you did to get root without mimikatz? Also what do you mean by having to get different shell to run mimikatz?
I managed to run mimikatz and get desired output even with it going into a loop, and was able to proceed further. I want to know if there are any other/better ways.

Same as me!. Please explain about different shell

Type your comment> @x573v3 said:

Crack and use an evil way to get in

how do you know you can use El W*m? Nothing in the nmap scan shows it…or i missing something?

Type your comment> @kalagan76 said:

Type your comment> @x573v3 said:

Crack and use an evil way to get in

how do you know you can use El W*m? Nothing in the nmap scan shows it…or i missing something?

It is shown in nmap, do it again and you´ll see a new service in a higher port

Did it.
User: Check Kerberos preauth vuln. (this might be a sploiler)
Root: Don’t check Abusing Exchange from dirkjamn. This one kept me from solving it. A python tool from him might pwn what you need. (don’t think this is a sploiler)

Would VERY much appreciate a little help. I’ve given my new user D****c rights but the Kat is displaying Error_kuhl_m_lsadump. I’m guessing that maybe the command that grants the rights isn’t formed properly?
Would be nice to have some hair left by the end of the weekend.

Finally, I got the user, it seemed complex, but after taking the box again, and checking everything calmly, I saw the way.

Type your comment> @wes0001 said:

Can someone give a nudge for root? I have the new user created and in the proper groups. I am trying to add D***** R***** to the user using P*V but cannot seems to get the syntax right.

How did you manage to add the new user to groups? I always get a access denied error :frowning:
Any hints?

@theonemcp did you create the user first?

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

Type your comment> @glassesboy said:

@theonemcp did you create the user first?

yes. I added the new user with the newest version of P*V. But when I try to add it to a group, I always get a access denied error :frowning:

Type your comment> @TestUserx said:

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

Use hosts file :slight_smile:

for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message “Unable to contact domain …” almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i’m doing wrong