Forest

Can someone help me? I managed to get a list of users, for now I am stuck. I tried some enumeration. Currently I am brut***cing SM but I think I’m heading the wrong way. Please PM :frowning:

-EDIT-
Managed to get the userflag with imp****t.

Finally rooted but was forced to use S-A. Couldn’t create a user that worked with evil despite adding to remote group. Couldn’t create a PS Session with Kali pwsh either. In the end the route that I was using worked (follow path, up the reps and dump) but only after a reinstall of impacket which got rid of the rpc error message. Would appreciate a message on how to create a new user for this and allow evil to work as new to AD. Can prove root.

@Dreadless said:

> Can anyone nudge me on user? I have 6 users, one password for one of the users, but not sure where to go with it. Have been playing with smb but getting no joy. Please send me a message if you can nudge :slight_smile:

Hi, did you get the password using brute force, or is there another smart way?
To work with this box, do you use only Linux, or is it better to switch to Windows? I also found users but for the moment Forest is a good name for this machine. I am exploring each tree but for the moment with no results.

Thank you

Rooted at last.

Most of the nudges you need can be found in this thread. No brute force needed.

I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

@paddanada said:

> Rooted at last.
>
> Most of the nudges you need can be found in this thread. No brute force needed.
>
> I say “most”, because @whammy helped me realise I needed to use the Imp… version of a particular tool to dump out the secretsauce, not the one installed in /usr/bin. Thanks again, Whammy.

np :wink: It tripped me up too!

Cannot import the P--w--rUp module in the PS over the evil door.
Can anyone import it successfully for executing the Add-D--m--in--bjectA--l to change something on the Forest?

Rooted, thanks to @DarioTwitta for the important hint, and @steps0x29a and @vxa7d for giving me help.
User really simple.
Truly speaking, I was in a black hole for root; without help, especially to understand why what others used was not working for me, I think that I could have spent a lot of days solving it.
Interesting box about the vulnerability and how to abuse it.

Could someone give me a nudge on root? Running Kali & have user shell, let the hounds run, can create domain accounts & assign them to various groups. Stuck on the d**l part I think.

So I created a new user, and added it to the E****** W***** P****** and S****** A***** groups, but when I try to use the s*******p.*y I get this error:

DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

I spent almost 15 hours trying to solve this, but nothing worked. Could someone give me a hint?

@g3ph4z From the error message I’d say you’re specifying the wrong domain name with s******.py but send me a PM with the exact command you’re running and I’ll see if I can spot anything else

Finally managed to root thanks to @VbScrub and @m4ud.
PM for nudges :slight_smile:

Guys, I’m having a hard time cracking the password. I got the kerb**s hash for sv*-a**** and I’m trying to crack it, and johnny boy takes more than a day and doesn’t find the password. What am I doing wrong? Was this a loophole? Any hints please, anyone.

When I’m trying to add a new user with E***** W******* P****** group (with N**-A***** command), my e**-w**** shell is frozen out. Please help me

edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :confused:

HOLY mackerel, that root was harder than my parents’ divorce. HUGE shoutout to @acidbat and @GibParadox for the help.
User: enumeration is key. Nothing fancy.
Root: the dog helps you see the path, you just have to research how to exploit it. I couldn’t do it with a supplied user - had to create my own and go from there. The cat will take you the rest of the way.

@Dzsanosz said:

> When I’m trying to add a new user with E***** W******* P****** group (with N**-A***** command), my e**-w**** shell is frozen out. Please help me
>
> edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :confused:

Because your new user also needs to be a member of the S**** A****** group.

@g3ph4z said:

> @Dzsanosz said:
>
> > When I’m trying to add a new user with E***** W******* P****** group (with N**-A***** command), my e**-w**** shell is frozen out. Please help me
> >
> > edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :confused:
>
> Because your new user also needs to be a member of the S**** A****** group.

When I try to add it to that group as well, the shell throws an error:

    Insufficient access rights to perform the operation
    At line:1 char:1
    + Add-ADGroupMember “S****** A*******” pimposkefir
        + CategoryInfo          : NotSpecified: (Service Accounts:ADGroup) [Add-ADGroupMember], ADException
        + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember

Gosh, finally rooted. It’s not easy, but it was a great experience and I learned a lot.

This is the box that got me to hacker rank, and what a great machine to pwn. Felt (at least to me) to be very realistic. Also managed to get there with minimal peeking at the forum. Just two hints got me to root, 1 was to use impacket for user and the other was to use a certain canine-themed tool. You will need to do some research online, thankfully there are some great articles out there. You need to sift out the ones that start with “so assuming you’ve got a domain user’s credentials somehow…”

My hints:

  • User - find an AD enumeration guide that specifically says what you can try when you don’t have any user creds; there are only limited options. https://book.hacktricks.xyz has a great AD methodology section.
  • Root - You need to “sniff” out an avenue of attack. Seriously, this tool is the dog’s bollocks. You can run as many “enumeration” and privesc scripts as you want, follow all the windows privesc guides, and you’ll be left with sweet FA.

Can someone PM for help on root? After reading some of the other posts on here I think I have the route, but fear it’s all coming down to the tools…

Can someone help me with the permission part? Thanks!