Forest

I am bad at Windows boxes, so can you give me some hints to start the box?

Finally got root. Couldn’t have done it without @v0yager - thanks!

Fun machine, not sure how others ended it, pth or ptt? I used the former, after about a day trying the latter via Linux. If anyone did the ptt method using Kali, DM me pls. I would like to know how you did it. Machine is actually fairly easy if you have experience working in an AD environment, but like was mentioned, it's better to do some things on a Windows box if you're attacking another Windows machine.

FYI, it's marked as easy because you don't need any special tricks to get root, you just need a fair amount of AD knowledge, so maybe NOT a beginner box, but not medium or hard where you have to RE binaries.

Some tips:
All you need is impacket, powershell-empire and B*****nd + its ingestor S*******nd.
For user, read through the impacket scripts used for recon in their GitHub repository under "examples". One of them will get you started. Getting a shell from here should be self-explanatory, just look at the higher ports.
After you "Release the Hounds", here is some reading material that will help, in case you have to do the next few steps manually.

After you get the "permission slips" you need, then you do an attack that exploits how the domain controller talks with other DCs.
Then use the tried and tested methods of abusing Windows' hashbrowns. Or get something golden. The golden method didn't work for me, but the hashbrown method did.
Eazy Peezy, GL!

Hi guys, I've been coming back and forth on this box for a few weeks now. I feel like I'm 97% close to getting root, just something is not sitting right :confused: … can I please get some help in confirming some things? Please and thank you.

Great box. Thanks @melodicminor for providing more focused direction. Looking back there are a lot of hints in forum, got stuck on a component but got there in the end.

I've noticed that some "non-standard" user accounts seem to survive a reset; mine doesn't, and it's ■■■■■■ annoying if I happen not to spot the reset alert while I'm halfway through something. How is this being achieved…?

I am at a complete loss; any help would be greatly appreciated.
What I have done:

  1. Got user.
  2. Got on the box with evil.
  3. Created a user and added it to Ex***** groups.
  4. Confirmed with hound that my user was created and was part of the necessary groups.
  5. First tried to use Pview to assign the user dcnc permissions; that did not work.
  6. Then switched to ntl x and pre** to accomplish the same thing, no luck.
  7. Then I tried to use a***wn and no luck.

Any nudges would be greatly appreciated.

What a ridiculous box. Force feeds you to really learn a bit about AD, no cutting corners. Good stuff in the end, and once you get there, the path that led you there seems unreal. To anyone having trouble with any particular 'vision of power': look for the dev branch. It made the difference for me, but now that I type it, I need to double-check it was the case.

Can someone help me? I managed to get a list of users, for now I am stuck. I tried some enumeration. Currently I am brut***cing SM but I think I'm heading the wrong way. Please PM :frowning:

-EDIT-
Managed to get the userflag with imp****t.

Finally rooted, but was forced to use S-A. Couldn't create a user that worked with evil despite adding to the remote group. Couldn't create a PS Session with Kali pwsh either. In the end the route that I was using worked (follow path, up the reps and dump), but only after a reinstall of impacket which got rid of the rpc error message. Would appreciate a message on how to create a new user for this and allow evil to work, as I'm new to AD. Can prove root.

@Dreadless said:

Can anyone nudge me on user? I have 6 users and one password for one of the users, but not sure where to go with it. Have been playing with smb but getting no joy. Please send me a message if you can nudge :slight_smile:

Hi, did you get the password using brute force or is there another smart way?
To work with this box, do you use only Linux or is it better to switch to Windows? I also found users, but for the moment Forest is a good name for this machine. I am exploring each tree, but for the moment with no results.

Thank you.

Rooted at last.

Most of the nudges you need can be found in this thread. No brute force needed.

I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

@paddanada said:

Rooted at last.

Most of the nudges you need can be found in this thread. No brute force needed.

I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

np :wink: It tripped me up too!

Cannot import the P--w--rUp module in the PS over the evil door.
Can anyone import it successfully to execute Add-D--m--in--bjectA--l
to change something on the Forest?

Rooted, thanks to @DarioTwitta for the important hint, and to @steps0x29a and @vxa7d for giving me the help.
User really simple.
Truly speaking, I was in a black hole for root; without help, especially to understand why what others used was not working for me, I think I could have spent a lot of days solving it.
Interesting box about the vulnerability and how to abuse it.

Could someone give me a nudge on root? Running Kali & have user shell, let the hounds run, can create domain accounts & assign them to various groups. Stuck on the d**l part I think.

So I created a new user, and added it to the E****** W***** P****** and S****** A***** groups, but when I try to use the s*******p.*y I get this error:

DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

I spent almost 15 hours trying to solve this, but nothing worked. Could someone give me a hint?

@g3ph4z From the error message I'd say you're specifying the wrong domain name with s******.py, but send me a PM with the exact command you're running and I'll see if I can spot anything else.

Finally managed to root thanks to @VbScrub and @m4ud.
PM for nudges :slight_smile:

Guys, I'm having a hard time cracking the password. I get the kerb**s hash for sv*-a**** and I'm trying to crack it, but johnny boy takes more than a day and doesn't find the password. What am I doing wrong? Was this a loophole? Any hints please, anyone?