Forest

Finally got root!
Thanks to

SovietBeast
dawnowler

for their support !

Hey guys been stuck on this box for some time. I’ve managed to grab a vulnerable user and dumped a pass hash. Got that cracked. I have absolutely no idea on how to move forward. I’ve looked up how to use the dog, and even installed P*******ll onto kali to try and run it remotely but no luck on that front. I’ve gathered the initial foothold creds but am lost in moving forward. Any tips on moving forward? I should also note that I used the creds with smb and found nothing of value or maybe I overlooked something. I feel that I’ve been down quite a few rabbit holes. Thanks in advance for any guidance.

This machine was a struggle for me since I’m pretty sloppy with windows administration, but I’m extremely happy i went through this process, well worth every moment and extremely eye opening.

user - simple active directly enumeration with a well known AD interrogation suite if you’re weak with windows this definitely is well worth the time to hon your knowledge , there are ways to do unauthenticated queries .

root - you might not be able to escalate your privileges directly , use the dog , and think about the what groups that user is part of or if you can replicate that elsewhere.

– thanks to everyone that nudged me along the way, much respect coming your way.

Type your comment> @Nt3c said:

Hey guys! need some help.
When i run the cmd to give me Dc rights using powerview got the following error:
Warning: Error granting principal xxxxxxxxxxxxx xxxx 'D
c’ on DC=htb,DC=local : Exception calling “CommitChanges” with “0” argument(s): "A constraint violation occurred

the comand to add the ACL seams to be ok, using evil-***rm
any idias?
Thanks.

I’ve encountered this exact issue. I suspect that it’s the reason why I cannot run cat on the box. Any help? my first windows box, fourth day and many articles lectures past.

Hi all. I am having an issue with my dog. I upload the data zip to the dog, it processes the files, but then the domain information never shows up. I know that shHou worked and the files came out well, i opened and checked them. No dice when I upload to the dog though. I have the db running and open, bld**nd all set up.

Not sure what the issue is. This experience has motivated me to build a window commando attacking vm though. If anyone has any tips on using a windows hacking machine please let me know. ty

so after searching I finally found some users. got the hash for the s**********o, fed the cat but was not able to get a password. Any reason why this wouldnt work? or am i just going down a rabbit hole?

Type your comment> @Xtronum said:

so after searching I finally found some users. got the hash for the s**********o, fed the cat but was not able to get a password. Any reason why this wouldnt work? or am i just going down a rabbit hole?

Depending on what you feed the cat with, you should get that user’s password.

Still stucked at root after 4 f***ing weeks.

can someone tells me if ntx.py and pr**e.py is the way to go? (or better, PM me…)

Hey, I cracked password for s**-a*****. What should I do next action? I tried example scripts of i*******, But it doesn’t work to get a shell…

Finally rooted. Thanks, great box for AD pwn learning. Takes long time mostly because builtin instruments are not work for me. I took the first creds in 10 mins and waste over a 4 days for Dog troubleshooting. After this, i found than module of p*sploit, what i need exist only in documentation.

For user:
Any tool for enum windows machines, im****et, evil transport

For root:
Dog, basic cmd user command, powershell (for me), im****et, evil transport

Some tips:
Don’t use builtin Dog, use from repo.

■■■■ slash/backslash! When you pass domain-user pair in im****et you need use /, when you pass it in powershell, you need use \, when you pass it in evil transport, don’t use domain and slash at all.

Type your comment> @Slxyre said:

@bugeyemonster @damocles74 use version 2.0.3.1

thank you this was so helpful, now onto the next step :slight_smile:

ok so… been poking at this one for a couple days now, on and off… just FINALLY got user and geez… i think most of my issues were related to having to have things setup just perfectly to get the correct output from certain tools in certain toolsets [which have been mentioned A LOT in this long, headache of a thread for forest ha]
now that i’m on the box, i just want it to be over lol.

have some ideas on where to go from here but, if what i’ve been through already is any indicator of whats ahead, i am in for a long ride to root…

hints are: pay attention to the hints in the thread about updating your hosts file for proper resolution. a bunch of links to sites that will help ease the pain but for me it was just trial and error with testing out all the tools as AD isn’t something i’m as conmfy with but hey, that is how we learn!

Man, that was some serious learning.

Not sure what to add to what has already been said. In short:

For user: roast.
For Root: exchange is your path, and don’t rely on ready to use scripts, go thru the documented PoCs and you’ll get there.

Many thanks to the creators.

Hope everyone is great!

For those having trouble with the dog:

I first installed using the apt-get install. Which installed both dog and neo. After a few days of fighting it , it just wasn’t working for me. It wouldnt’ let me upload/ analyze the data I pulled from using shH.

I just removed it and installed the dog from source as mentioned by @AverageDave and version 3.0 is working perfectly! The data popped in there like a charm!

Anyone having trouble, i suggest following these easy steps and googling any other questions you may have. Home · BloodHoundAD/BloodHound Wiki · GitHub

You should still be able to keep your ne*** db if you have it installed already. Mine works perfect with the new version of dog.

Now if anyone wants to dm with a tip on what to do with the dog to get root that would be awesome lol. I am investigating and learning it now, it seems detailed info on manipulating AD relationships is kinda limited on the interwebs though.

alright i got the map from the dog, but how to use it to get the next step?

Rooted! For those having issues with Dog running. Don’t use the older version, get the latest one.

user own

Someone with root done via the cat or G…S.N…y method for a quick check? I’m too getting GetNCChanges: 0x000020f7 (8439) in cat after assigning the required D…c + no hash in G…y responses unless I create my own using sets…n, which makes no sense. Thanks

Finally rooteeeeeed!!!
So glad of me xD!

Hints…:

User: every single hint described here is the SOLUTION… so read comments! It’s only about which tools you are using to enumerate… (that was my only problem).

ROOT:
Remember that there is an attack that have more than 20 years, which is directly connected to SSO.
Don’t waste your time with NyanCat, it’s really fast, just remember this words (not the meaning…) while trying to root:

“A trusted exchange with a secret, is evil”
(who rooted this machine in my way I think will laugh until tomorrow)

Thank you creators.

I’ve been trying to get root for a couple of days now when I had a chance.
I got really stuck, I now the path to the exchange so I can take the dump, but it’s not working. I’m doing the user changes manually so I can use the python tool, but maybe there are too much people changing the user with scripts?

Or maybe I’m not doing the permissions right?

Please help! PM me, maybe?

This should be pretty simple.

EDIT: Rooted!!

*Evil-ToOl* PS C:\Users\Administrator\Desktop> whoami /Groups

GROUP INFORMATION -----------------

Group Name Type SID Attributes
========================================== ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
HTB\Group Policy Creator Owners Group S-1-5-21-3072663084-364016917-1341370565-520 Mandatory group, Enabled by default, Enabled group
HTB\Domain Admins Group S-1-5-21-3072663084-364016917-1341370565-512 Mandatory group, Enabled by default, Enabled group
HTB\Enterprise Admins Group S-1-5-21-3072663084-364016917-1341370565-519 Mandatory group, Enabled by default, Enabled group
HTB\Organization Management Group S-1-5-21-3072663084-364016917-1341370565-1104 Mandatory group, Enabled by default, Enabled group
HTB\Schema Admins Group S-1-5-21-3072663084-364016917-1341370565-518 Mandatory group, Enabled by default, Enabled group
~HTB\Denied RODC Password Replication Group Alias S-1-5-21-3072663084-364016917-1341370565-572 Mandatory group, Enabled by default, Enabled group, Local Group~
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288

Thanks @VbScrub to pointing out my mistake, @trab3nd0 to confirm my thinking