Finally, I got the user, it seemed complex, but after taking the box again, and checking everything calmly, I saw the way.
@wes0001 said:
Can someone give a nudge for root? I have the new user created and in the proper groups. I am trying to add D***** R***** to the user using P*V but cannot seem to get the syntax right.
How did you manage to add the new user to groups? I always get an access denied error
Any hints?
this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.
@glassesboy said:
@theonemcp did you create the user first?
yes. I added the new user with the newest version of P*V. But when I try to add it to a group, I always get an access denied error
@TestUserx said:
this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.
Use hosts file
for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message "Unable to contact domain …" almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i'm doing wrong
Could someone give me some pointers on how to run Sh******nd? I can't seem to get it to run.
@marchitect said:
@TestUserx said:
this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.
Use hosts file
or set the remote machine as your DNS server (assuming it is a DNS server of course, but this one is). That works better for AD related stuff like this as it might need to lookup more than just the host name (full domain name, etc). I had to set the DNS server in the OpenVPN config to make it work properly.
@TestUserx said:
for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message "Unable to contact domain …" almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i'm doing wrong
htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won't ever want to use that).
Forest is the name of the machine.
So the machine's FQDN is Forest.htb.local
If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)
@VbScrub said:
@marchitect said:
@TestUserx said:
this might seem like a dumb question, but how does someone use the hostname when connecting to the machine instead of the IP on HTB? so far i have only been able to connect via IP to Win machines from both Linux and Windows.
Use hosts file
or set the remote machine as your DNS server (assuming it is a DNS server of course, but this one is). That works better for AD related stuff like this as it might need to lookup more than just the host name (full domain name, etc). I had to set the DNS server in the OpenVPN config to make it work properly.
@TestUserx said:
for the root part - i think i might be messing up the domain name, every variation of forest.htb, htb.local, htb fail with the same error message "Unable to contact domain …" almost instantly, except for when i use only htb as the domain (that takes a while longer). not sure what i'm doing wrong
htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won't ever want to use that).
Forest is the name of the machine.
So the machine's FQDN is Forest.htb.local
If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)
I did the hosts file part, i added the IP as the DNS server after reading your comment. Looks like that and running the hound with fewer parameters fixed my problem.
Thank you!
@unmesh836 said:
@DeDeReporter said:
Hello Guys,
a little question. Could someone explain to me what I am doing wrong with TGT?
I managed to get credentials for sv*-***o user, I cracked AS-REP response. Then I tried to gT.py and I successfully saved ticket in cache, but actually I can't do anything with that ticket.
- I can't make smbclient with -k (i got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
- When i tried rpcclient with -k i got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Basically I can't make any benefit from ticket I got from KDC. I've got KRB5CCNAME env with valid path to cache. I also have similar time in comparison to DC.
Can someone explain this thing to me? Am I missing something?
I don't ask for guide for user, just a little explanation what I am doing wrong.
Thanks guys.
Edit: is this because I don't get any SPN that sv*-*******o have access to?
I am also stuck on the exact same point
I just got the user flag. You don't need that to get it. It is way simpler. Once you got the credentials, you need to use another service to connect (check high ports). Then with one command line, it's done.
i think maybe for the root flag we need to go back to TGT, TGS, etc…
@VbScrub said:
htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won't ever want to use that).
Forest is the name of the machine.
So the machine's FQDN is Forest.htb.local
If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)
@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local
server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found
what I'm doing wrong here? I just need the IP and the domain in the hosts file, right?
created another user added it to all the groups i had permission to, used that user with the dog and i'm stuck at this point. any nudge in the right direction would be appreciated.
i am struggling to enumerate the user list. I have been trying the tools I would expect but coming up empty. Any nudges would be appreciated.
*edit - Nevermind… i needed to read harder…
@theonemcp said:
@VbScrub said:
htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won't ever want to use that).
Forest is the name of the machine.
So the machine's FQDN is Forest.htb.local
If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)
@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local
server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found
what I'm doing wrong here? I just need the IP and the domain in the hosts file, right?
well, you put forest in your host file.
nslookup talks to your DNS server.
just try ping forest.htb.local.
if that works you're good to go.
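
The difference described in the reply above (a hosts entry satisfies ping but not nslookup), as an added example that is not part of the original thread. `hosts_lookup` and `diagnose` are hypothetical helpers, the hosts content is constructed from the IP and names quoted in the posts, and the default "hosts file first, then DNS" resolver order is assumed; the SRV-style name stands for the extra AD lookups mentioned earlier that a hosts file cannot answer.

```bash
#!/usr/bin/env bash
# Added illustration. HOSTS_SAMPLE is constructed; the IP and names are the
# ones quoted in the thread. hosts_lookup and diagnose are hypothetical helpers.
HOSTS_SAMPLE='127.0.0.1      localhost
# lab entry
10.10.10.161   forest.htb.local forest htb.local'

# hosts_lookup NAME [FILE]: print the address a hosts file maps NAME to.
# Case-insensitive match on any name column, comments stripped, first match
# wins. Returns 1 when the name is absent.
hosts_lookup() {
    awk -v n="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == n) { print $1; found = 1; exit }
        }
        END { exit !found }
    ' "${2:-/etc/hosts}"
}

# diagnose NAME [FILE]: report which lookups the hosts file alone can satisfy.
diagnose() {
    if ip=$(hosts_lookup "$1" "${2:-/etc/hosts}"); then
        echo "$1 -> $ip via hosts file: ping and getent resolve it;" \
             "nslookup ignores this file and queries the configured DNS server"
    else
        echo "$1 not in hosts file: every tool depends on DNS for it"
    fi
}

# Offline demo against the constructed sample.
demo_file=$(mktemp)
printf '%s\n' "$HOSTS_SAMPLE" > "$demo_file"
diagnose Forest.htb.local "$demo_file"
diagnose _ldap._tcp.htb.local "$demo_file"   # SRV-style name: DNS only
rm -f "$demo_file"

# On a live system, compare the two paths directly (assumes default NSS order):
#   getent hosts forest.htb.local    # hosts file first, then DNS
#   nslookup forest.htb.local        # DNS server from resolv.conf only
```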
@TestUserx said:
created another user added it to all the groups i had permission to, used that user with the dog and i'm stuck at this point. any nudge in the right direction would be appreciated.
Check out @ippsec walkthrough on HTB Active
~~So I'm evil but I can't let the dogs out. Nothing happens. I have my path set and my script seems to load but if I try to run it the script just returns to the next prompt with no output. Any nudges? I see a few people ran into this as well.~~
I was finally able to enumerate and I think I know where I need to go with groups but I'm unsure of how to do so. Any nudges that explain adding the user/groups?
Hi Guys,
I have questions:
1: if you create new user as new domain user is there a default password?
2: in priv esc, is "B*******D" really needed to root?
3: some of the impacket scripts needed the NTLM hash ? is there any hint to get it?
this is my first Windows. I'm looking for every tutorial regarding the "B*******D" but can't really find a good tuts with linux. thanks guys
so close to the end I think but stuck with what i think is like the final command go the k***** h***/t****t (and diff versions) but stuck somehow, stuck for a couple of days actually.
ok nailed it, made it harder than it was, got lost, learnt heaps. Many thanks.