Forest

Hey guys,
Have got user but having some difficulty with root, I have sniffed with dog and have done some further steps but to no avail. PM if you are able to help :slight_smile:

I got user and am working on root. I’ve fed the dog and see a path, but am having trouble getting there. Have been trying to get PrE****e.py working with no success. If anyone could PM with some guidance, I’d really appreciate it. :slight_smile:

Look at me, I’m the Administrator now :sunglasses:

This was one of my favourite boxes so far!

All the hints are here already, but I will say that it pays sometimes just to do things manually. Spent way too much time on root debugging errors from scripts (I’m looking at you P*V) when I should have manually granted what I had to.

n*******x does work but not in the way I imagine most are trying.

thanks for the box, humbly experience, 3 days almost 4, what a journey, for root, if your powerstuff wont work, do it like me manually ;), works like charm, and get ur pocket friend to dump the all the goods at the end ! 10 out 10

Hi there, trying get the Sha*******.ps1 one to work but it’s not running. Can anyone dm me with some pointers? Thanks.

Spoiler Removed

I am bad at Windows box , so can you give me some hint to start the box?

Finally got root. Couldn’t have done it without @v0yager - thanks!

Fun machine, not sure how others ended it, pth or ptt? I used the former, after about a day trying the latter via linux. If anyone did the ptt method using kali, DM me pls. I would like to know how you did it. Machine is actually fairly easy if you have experience working in an AD environment, but like was mentioned, its better to do some things on a Windows box if your attacking another Windows machine.

FYI, its marked as easy because you don’t need any special tricks to get root, you just need a fair amount of AD knowledge, so maybe NOT a beginner box, but not medium or hard where you have to RE binaries.

Some tips:
All you need is impacket, powershell-empire and B*****nd + its ingestor S*******nd
For user read through the impacket scripts used for recon in their github repository for “examples”. One of them will get you started. Getting a shell from here should be self explanatory, just look at the higher ports.
After you “Release the Hounds”, here is some reading material that will help, in case you have to do the next few steps manually

After you get the “permission slips” you need then you do an attack that exploits how the domain controller talks with other dcs.
Then use the tried and tested methods of abusing window’s hashbrowns. Or get something golden. golden method didn’t work for me, but hashbrown method did
Eazy Peezy, GL!

Hi guys I’ve beem coming back and forth on this box for a few weeks now. I feel like im 97% close to getting root just something is not sitting right :confused: … can i please get some help in confirming some things please and thank you

Great box. Thanks @melodicminor for providing more focused direction. Looking back there are a lot of hints in forum, got stuck on a component but got there in the end.

I’ve noticed that some “non-standard” user accounts seem to survive a reset; mine doesn’t, and it’s ■■■■■■ annoying if I happen not to spot the reset alert while I’m half way through something. How is this being achieved…?

I am at a complete loss any help would be greatly appreciated.
What I have done:

  1. Got user
  2. Got on the box with evil
    3)created a user and added it to Ex***** groups
  3. confirmed with hound that my user was created and was part of the necessary groups
  4. First tried to use Pview to assign the user dcnc permissions that did not work.
    6)Then switched to ntl
    x and pre** to accomplish the same thing no luck.
  5. Then I tried to use a***wn and no luck.

Any nudges would be greatly appreciated.

what a ridiculous box - force feeds you to really learn a bit about AD - no cutting corners. good stuff in the end and once you get there, the path that led you there seems unreal. to anyone having trouble with any particular ‘vision of power’ - look for the dev branch - it made the difference for me but now that i type it, i need to doublecheck it was the case.

Can some one help me? I managed to get a list of users, for now I am stuck. I tried some enumeration. Currently I am brut***cing SM but I think I’m heading the wrong way. Please PM :frowning:

-EDIT-
Managed to get the userflag with imp****t.

Finally rooted but was forced to use S-A. Couldn’t create a user that worked with evil despite adding to remote group. Couldn’t create a PS Session with Kali pwsh either. In the end the route that i was using worked (follow path, up the reps and dump) but only after a reinstall of impacket which got rid of the rpc error message. Would appreciate a message on how to create a new user for this and allow evil to work as new to AD. Can prove root

Type your comment> @Dreadless said:

can anyone nudge me on user. I have 6 users one password for one of the users but not sure where to go with it. have been playing with smb but getting no joy. Please send me a message if you can nudge :slight_smile:

Hi, did you got password using bruteforce or there is another smart way?
To work with this box do you use only linux or it is better switch to windows? I also found users but for the moment Forest is a good name for this machine. I am exploring each tree but for the moment with no results.

thank you

Rooted at last.

Most of the nudges you need can be found in this thread. No brute force needed.

I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

Type your comment> @paddanada said:

Rooted at last.

Most of the nudges you need can be found in this thread. No brute force needed.

I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

np :wink: It tripped me up too!

Cannot Import the P--w--rUp module in the PS over the evil door.
Anyone can import it successfully for executing the Add-D--m--in--bjectA--l
to change something on the Forest?