Forest

Comments

  • Hi there, trying to get the Sha*******.ps1 one to work but it’s not running. Can anyone DM me with some pointers? Thanks.

  • Spoiler Removed

  • I am bad at Windows boxes, so can you give me a hint to start the box?

  • Finally got root. Couldn't have done it without @v0yager - thanks!

  • Fun machine, not sure how others ended it, pth or ptt? I used the former, after about a day trying the latter via Linux. If anyone did the ptt method using Kali, DM me pls. I would like to know how you did it. Machine is actually fairly easy if you have experience working in an AD environment, but like was mentioned, it's better to do some things on a Windows box if you're attacking another Windows machine.

    FYI, it's marked as easy because you don't need any special tricks to get root, you just need a fair amount of AD knowledge, so maybe NOT a beginner box, but not medium or hard where you have to RE binaries.

    Some tips:
    All you need is impacket, powershell-empire and B*****nd + its ingestor S*******nd
    For user, read through the impacket scripts used for recon in their GitHub repository for "examples". One of them will get you started. Getting a shell from here should be self-explanatory, just look at the higher ports.
    After you "Release the Hounds", here is some reading material that will help, in case you have to do the next few steps manually
    https://adsecurity.org/?p=3658
    https://blog.fox-it.com/2018/04/26/escalating-privileges-with-acls-in-active-directory/
    After you get the "permission slips" you need, then you do an attack that exploits how the domain controller talks with other DCs.
    Then use the tried and tested methods of abusing Windows' hashbrowns. Or get something golden. Golden method didn't work for me, but hashbrown method did.
    Eazy Peezy, GL!

    Hack The Box

  • Hi guys, I've been coming back and forth on this box for a few weeks now. I feel like I'm 97% close to getting root, just something is not sitting right :/ ... Can I please get some help in confirming some things, please and thank you.

  • Great box. Thanks @melodicminor for providing more focused direction. Looking back there are a lot of hints in forum, got stuck on a component but got there in the end.

  • I've noticed that some "non-standard" user accounts seem to survive a reset; mine doesn't, and it's bloody annoying if I happen not to spot the reset alert while I'm half way through something. How is this being achieved..?

  • I am at a complete loss; any help would be greatly appreciated.
    What I have done:

    1) Got user
    2) Got on the box with evil
    3) Created a user and added it to Ex***** groups
    4) Confirmed with hound that my user was created and was part of the necessary groups
    5) First tried to use P****view to assign the user dcnc permissions; that did not work.
    6) Then switched to ntl******x and pre to accomplish the same thing, no luck.
    7) Then I tried to use a***wn and no luck.

    Any nudges would be greatly appreciated.

  • What a ridiculous box - force feeds you to really learn a bit about AD - no cutting corners. Good stuff in the end and once you get there, the path that led you there seems unreal. To anyone having trouble with any particular 'vision of power' - look for the dev branch - it made the difference for me, but now that I type it, I need to double-check it was the case.

  • edited February 28

    Can someone help me? I managed to get a list of users, for now I am stuck. I tried some enumeration. Currently I am brut****cing SM* but I think I'm heading the wrong way. Please PM :(

    -EDIT-
    Managed to get the userflag with imp****t.

  • Finally rooted but was forced to use S-A. Couldn't create a user that worked with evil despite adding to remote group. Couldn't create a PS Session with Kali pwsh either. In the end the route that I was using worked (follow path, up the reps and dump) but only after a reinstall of impacket, which got rid of the rpc error message. Would appreciate a message on how to create a new user for this and allow evil to work, as new to AD. Can prove root.

  • @Dreadless said:

    Can anyone nudge me on user? I have 6 users, one password for one of the users, but not sure where to go with it. Have been playing with SMB but getting no joy. Please send me a message if you can nudge :)

    Hi, did you get the password using brute force or is there another smart way?
    To work with this box do you use only Linux or is it better to switch to Windows? I also found users, but for the moment Forest is a good name for this machine. I am exploring each tree but for the moment with no results.

    Thank you

  • Rooted at last.

    Most of the nudges you need can be found in this thread. No brute force needed.

    I say "most", because @whammy helped me realise I needed to use the Imp.... version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

  • @paddanada said:

    Rooted at last.

    Most of the nudges you need can be found in this thread. No brute force needed.

    I say "most", because @whammy helped me realise I needed to use the Imp.... version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

    np ;) It tripped me up too!

  • edited February 28

    Cannot import the P--w--rUp module in the PS over the evil door.
    Can anyone import it successfully for executing the Add-D--m--in--bjectA--l
    to change something on the Forest?

  • Rooted, thanks to @DarioTwitta for the important hint, and @steps0x29a and @vxa7d for giving me the help.
    User is really simple.
    Truly speaking, I was in a black hole for root; without help, especially to understand why what others used was not working for me, I think that I could have spent a lot of days solving it.
    Interesting box about the vulnerability and how to abuse it.

  • Could someone give me a nudge on root? Running Kali & have user shell, let the hounds run, can create domain accounts & assign them to various groups. Stuck on the d**l part I think.

  • edited February 28

    So I created a new user, and added it to the E****** W***** P****** and S****** A***** group, but when I try to use the s*******p.*y I get this error:

    DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

    I spent almost 15 hours trying to solve this, but nothing worked. Could someone give me a hint?

  • edited February 28

    @g3ph4z From the error message I'd say you're specifying the wrong domain name with s******.py but send me a PM with the exact command you're running and I'll see if I can spot anything else

  • Finally managed to root thanks to @VbScrub and @m4ud.
    PM for nudges :)

  • Guys, I'm having a hard time cracking the password. So I get the kerb**s hash for sv*-a**** and I'm trying to crack it, and johnny boy takes more than a day and doesn't find the password. What am I doing wrong? Was this a loophole? Any hints please, anyone.

  • edited March 1

    When I'm trying to add a new user with E***** W******* P****** group (with N-A***** command), my e-w**** shell is frozen out. Please help me

    edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :/

  • HOLY mackerel, that root was harder than my parents' divorce. HUGE shoutout to @acidbat and @GibParadox for the help.
    User: enumeration is key. Nothing fancy.
    Root: the dog helps you see the path, you just have to research how to exploit it. I couldn't do it with a supplied user - had to create my own and go from there. The cat will take you the rest of the way.

  • @Dzsanosz said:

    When I'm trying to add a new user with E***** W******* P****** group (with N-A***** command), my e-w**** shell is frozen out. Please help me

    edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :/

    Because your new user also needs to be a member of S**** A****** group.

  • @g3ph4z said:

    @Dzsanosz said:

    When I'm trying to add a new user with E***** W******* P****** group (with N-A***** command), my e-w**** shell is frozen out. Please help me

    edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :/

    Because your new user also needs to be a member of S**** A****** group.

    When I try to add it to that group as well, the shell throws an error:
    Insufficient access rights to perform the operation
    At line:1 char:1
    + Add-ADGroupMember "S****** A*******" pimposkefir
    + ~~~~~~~~~~~~
        + CategoryInfo : NotSpecified: (Service Accounts:ADGroup) [Add-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

  • Gosh, finally rooted. It's not easy, but it was a great experience and I learned a lot.

  • This is the box that got me to hacker rank, and what a great machine to pwn. Felt (at least to me) to be very realistic. Also managed to get there with minimal peeking at the forum. Just two hints got me to root, 1 was to use impacket for user and the other was to use a certain canine-themed tool. You will need to do some research online, thankfully there are some great articles out there. You need to sift out the ones that start with "so assuming you've got a domain user's credentials somehow..."

    My hints:

    • User - find an AD enumeration guide that specifically says what you can try when you don't have any user creds; there are only limited options. https://book.hacktricks.xyz has a great AD methodology section.
    • Root - You need to "sniff" out an avenue of attack. Seriously, this tool is the dog's bollocks. You can run as many "enumeration" and privesc scripts as you want, follow all the windows privesc guides, and you'll be left with sweet FA.

    OrangeHat

  • Can someone PM for help on root? After reading some of the other posts on here I think I have the route, but fear it's all coming down to the tools...

  • Can someone help me with the permission part? Thanks!
