Forest

Finally, I got the user, it seemed complex, but after taking the box again, and checking everything calmly, I saw the way.

@wes0001 said:

Can someone give a nudge for root? I have the new user created and in the proper groups. I am trying to add D***** R***** to the user using P*V but cannot seem to get the syntax right.

How did you manage to add the new user to groups? I always get an access denied error :frowning:
Any hints?

@theonemcp did you create the user first?

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

@glassesboy said:

@theonemcp did you create the user first?

yes. I added the new user with the newest version of P*V. But when I try to add it to a group, I always get an access denied error :frowning:

@TestUserx said:

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

Use hosts file :slight_smile:

for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message “Unable to contact domain …” almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i’m doing wrong

Could someone give me some pointers on how to run Sh******nd? I can’t seem to get it to run.

@marchitect said:

@TestUserx said:

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

Use hosts file :slight_smile:

or set the remote machine as your DNS server (assuming it is a DNS server of course, but this one is). That works better for AD related stuff like this as it might need to lookup more than just the host name (full domain name, etc). I had to set the DNS server in the OpenVPN config to make it work properly.

@TestUserx said:
for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message “Unable to contact domain …” almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i’m doing wrong

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

@VbScrub said:

@marchitect said:

@TestUserx said:

this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.

Use hosts file :slight_smile:

or set the remote machine as your DNS server (assuming it is a DNS server of course, but this one is). That works better for AD related stuff like this as it might need to lookup more than just the host name (full domain name, etc). I had to set the DNS server in the OpenVPN config to make it work properly.

@TestUserx said:
for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message “Unable to contact domain …” almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i’m doing wrong

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

I did the hosts file part, i added the IP as the DNS server after reading your comment. Looks like that and running the hound with fewer parameters fixed my problem.
Thank you!

@unmesh836 said:

@DeDeReporter said:

Hello Guys,
a little question. Could someone explain me what am I doing wrong with TGT?
I managed to get credentials for sv*-***o user, I cracked AS-REP response. Then I tried to gT.py and I successfully saved ticket in cache, but actually I can't do anything with that ticket.

  • I can't make smbclient with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
  • When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Basically I can't make any benefit from ticket I got from KDC. I've got KRB5CCNAME env with valid path to cache. I also have similar time in comparison to DC.

Can someone explain me this thing? Am I missing something?
I don't ask for guide for user, just a little explanation what am I doing wrong.
Thanks guys.

Edit: is this because I don't get any SPN that sv*-*******o have access to?

I am also stuck on the exact same point

I just got the user flag. You don’t need that to get it. It is way simpler. Once you got the credentials, you need to use another service to connect (check high ports). Then with one command line, it’s done.

i think maybe for the root flag we need to go back to TGT, TGS, etc…

@VbScrub said:

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local

server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found

what I’m doing wrong here? I just need the IP and the domain in the hosts file, right?

created another user added it to all the groups i had permission to, used that user with the dog and i’m stuck at this point. any nudge in the right direction would be appreciated.

i am struggling to enumerate the user list. I have been trying the tools I would expect but coming up empty. Any nudges would be appreciated.

*edit - Nevermind… i needed to read harder…

@theonemcp said:

@VbScrub said:

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local

server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found

what I’m doing wrong here? I just need the IP and the domain in the hosts file, right?

well, you put forest in your host file.
nslookup talks to your DNS server.

just try ping forest.htb.local.
if that works you’re good to go.
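
The hosts-file versus DNS point made in the replies above, as an added example that is not part of any forum post: `nslookup` queries the configured DNS server directly and never reads the hosts file, while `ping` uses the system resolver, which does, so a hosts entry only answers the exact names listed in it. The hosts content below is constructed from the IP and names quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample hosts-file content (IP and names as quoted in the thread).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
# lab entries
10.10.10.161  forest.htb.local forest   # machine FQDN + short name
"""


def parse_hosts(text):
    """Return {lowercased name: [ip, ...]} as a resolver would read a hosts file."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line, e.g. the name written before the IP
        for name in fields[1:]:
            # hosts-file lookups are case-insensitive; ignore a trailing dot
            table.setdefault(name.lower().rstrip("."), []).append(ip)
    return table


def check_names(text, names):
    """Map each wanted name to its hosts-file IP, or None if only DNS could answer."""
    table = parse_hosts(text)
    result = {}
    for name in names:
        hits = table.get(name.lower().rstrip("."))
        result[name] = hits[0] if hits else None
    return result


if __name__ == "__main__":
    wanted = ["Forest.htb.local", "htb.local", "FOREST"]
    for name, ip in check_names(SAMPLE_HOSTS, wanted).items():
        print(f"{name:20} -> {ip or 'not in hosts file (needs DNS)'}")
```

Here the bare domain name `htb.local` is not covered by the hosts entry, which is the case where pointing the resolver at the machine's DNS service, as suggested earlier in the thread, answers names the hosts file does not.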

@TestUserx said:

created another user added it to all the groups i had permission to, used that user with the dog and i’m stuck at this point. any nudge in the right direction would be appreciated.

Check out @ippsec Walkthrough on HTB Active

~~So I’m evil but I can’t let the dogs out. Nothing happens. I have my path set and my script seems to load but if I try to run it the script just returns to the next prompt with no output. Any nudges? I see a few people ran into this as well.~~

I was finally able to enumerate and I think I know where I need to go with groups but I’m unsure of how to do so. Any nudges that explain adding the user/groups?

Hi Guys,
I have questions:

1: if you create new user as new domain user is there a default password?
2: in priv esc, is ‘B*******D’ really needed to root?
3: some of the impacket scripts needed the NTLM hash? is there any hint to get it?

this is my first Windows. I'm looking for every tutorials regarding the ‘B*******D’ but can't really find a good tuts with linux :slight_smile: thanks guys

so close to the end I think but stuck with what i think is like the final command go the k***** h***/t****t (and diff versions) but stuck somehow, stuck for a couple of days actually.

ok nailed it, made it harder than it was, got lost, learnt heaps. Many thanks.