Forest

HOLY mackerel, that root was harder than my parents’ divorce. HUGE shoutout to @acidbat and @GibParadox for the help.
User: enumeration is key. Nothing fancy.
Root: the dog helps you see the path, you just have to research how to exploit it. I couldn’t do it with a supplied user - had to create my own and go from there. The cat will take you the rest of the way.

@Dzsanosz said:

When I’m trying to add a new user with E***** W******* P****** group (with N**-A***** command), my e**-w**** shell is frozen out. Please help me

edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :confused:

Because your new user also needs to be a member of S**** A****** group.

@g3ph4z said:

@Dzsanosz said:

When I’m trying to add a new user with E***** W******* P****** group (with N**-A***** command), my e**-w**** shell is frozen out. Please help me

edit: I managed to create a new user with proper permissions, but cannot log in with e***-w****. Why? :confused:

Because your new user also needs to be a member of S**** A****** group.

When I try to add it to that group as well, the shell throws an error:
Insufficient access rights to perform the operation
At line:1 char:1

+ Add-ADGroupMember “S****** A*******” pimposkefir
    + CategoryInfo          : NotSpecified: (Service Accounts:ADGroup) [Add-ADGroupMember], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.AddADGroupMember
    

Gosh, finally rooted. It’s not easy, but it was a great experience and I learned a lot.

This is the box that got me to hacker rank, and what a great machine to pwn. Felt (at least to me) to be very realistic. Also managed to get there with minimal peeking at the forum. Just two hints got me to root, 1 was to use impacket for user and the other was to use a certain canine-themed tool. You will need to do some research online, thankfully there are some great articles out there. You need to sift out the ones that start with “so assuming you’ve got a domain user’s credentials somehow…”

My hints:

  • User - find an AD enumeration guide that specifically says what you can try when you don’t have any user creds; there are only limited options. https://book.hacktricks.xyz has a great AD methodology section.
  • Root - You need to “sniff” out an avenue of attack. Seriously, this tool is the dog’s bollocks. You can run as many “enumeration” and privesc scripts as you want, follow all the windows privesc guides, and you’ll be left with sweet FA.

Can someone PM for help on root? After reading some of the other posts on here I think I have the route, but fear it’s all coming down to the tools…

Can someone help me with the permission part? Thanks!

So I managed to get User by using evil but am curious if it can be done using im******'s ps****.py script. I have been messing around with it for a couple days and am sure I am just getting the syntax wrong. Can anyone help me with the syntax?

Hello guys, how are you doing?!
Yeah, I kinda have a problem. Yesterday I tried to enum the machine like I used to do and I got users, and I br*** them to the password and I actually got it. I didn’t think that I would get it by doing that at all, because on almost every box we don’t need to do it, but yeah. So the problem is: with that password I tried to do the rest of the enum and it worked, but today I tried to do the exact same thing with the exact same code and it gets an auth error, and I tried to br*** again and the password is not the same and it doesn’t give me a password at all.

I tried to reset the machine and it’s the same, so did someone change the passwords yesterday or what happened??

@Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I’ll tell you if they are meant to be there or not.

got user on this one, now on to root. If anyone needs help with user let me know, although I’m fairly late to the game here

@bipolarmorgan said:

@RawrRadioMouse said:

@bipolarmorgan said:

why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren’t helping by referring to animals… regardless of the context of how it relates for you, that doesn’t mean it will relate for them. Give real hints to people, JEEZ

If anyone gets stuck PM me, I’ll do my best to give quality hints without any spoilers.

you’ll find that sort of esoteric “hint” giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say “root dance” and “ENuMerAtIon iz Key!”

True… and it’s rather annoying. But for realz, enumeration is the key… but finding the lock is harder than basic enumeration. You can enumerate everything and if you don’t know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.

indeed…real hint for references

indeed

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.

How did you solve this problem? I also encountered it.

DELETED

Is there anything I can use besides the “dog” everyone keeps mentioning? The dog is fat and bloated. When I try to make the dog run by giving it commands, it stood up from its doghouse and broke everything. I had to increase the size of the dog house so it wouldn’t break. I also tried to play fetch with the dog but the fat bloated dog just stood there and stared at me BLANK-ly and gave me nothing at all.

@VbScrub said:

@Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I’ll tell you if they are meant to be there or not.

Oh jesus, I totally forget that sometimes we need to create a new user hahhaha, I feel so stupid now :lol:

Finally rooted.

Huge shout out to @VbScrub for the nudge. If you’re unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They’ve helped me a lot!

@threst said:

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.

How did you solve this problem? I also encountered it.

Hey,

I was struggling with the same error for some time and then I found on some page that

DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

basically means that the user account does not have replicating directory changes.

Even though I was 100% sure I was granting the privileges in one of the previous steps and executed the priv.elevation script…

So out of curiosity I re-executed the priv.elevation script and it seemed to me that the permissions were gone!

So I re-added them again, immediately ran the priv.elevation script, followed by the sec…p.py scrip… All 3 commands were executed within a couple of seconds. And then it worked and I got what I needed.
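For defenders, the replication rights discussed in the post above can be audited from the domain head's security descriptor. The following is an added example, not part of the thread: it parses a DACL in SDDL form and reports trustees outside an allow-list that hold both replication extended rights. The allow-list, the sample SDDL and its SIDs are constructed assumptions.

```python
import re

# Schema GUIDs of the two directory-replication extended rights.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: trustees expected to replicate here (SDDL aliases); adjust per domain.
EXPECTED_TRUSTEES = {"BA", "DD", "ED", "RO", "SY", "DA", "EA"}
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000

def _pairs(s):
    return {s[i:i + 2] for i in range(0, len(s), 2)}

def grants_control_access(rights):
    """True if an ACE rights field (two-letter codes or hex mask) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(_pairs(rights) & {"CR", "GA"})

def replication_grants(sddl):
    """Yield (trustee, right) for each allow ACE that grants a replication right."""
    for body in re.findall(r"\(([^()]*)\)", sddl):
        fields = body.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA") or "IO" in _pairs(fields[1]):
            continue  # malformed, deny/audit or inherit-only ACE
        rights, guid, trustee = fields[2], fields[3].lower(), fields[5]
        if not grants_control_access(rights) or (guid and guid not in REPL_RIGHTS):
            continue
        # An empty object GUID means the ACE covers every extended right.
        names = [REPL_RIGHTS[guid]] if guid else list(REPL_RIGHTS.values())
        for name in names:
            yield trustee, name

def unexpected_dcsync_trustees(sddl):
    """Trustees outside EXPECTED_TRUSTEES that hold both replication rights."""
    held = {}
    for trustee, name in replication_grants(sddl):
        held.setdefault(trustee, set()).add(name)
    return sorted(t for t, names in held.items()
                  if t not in EXPECTED_TRUSTEES and len(names) == len(REPL_RIGHTS))

DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
AA, AD = list(REPL_RIGHTS)
SAMPLE_SDDL = ("O:DAG:DAD:AI"  # constructed domain-head descriptor
    f"(OA;;CR;{AA};;ED)(OA;;CR;{AD};;DD)(OA;;CR;{AA};;BA)(OA;;CR;{AD};;BA)"
    f"(OA;;CR;{AA};;{DOM}-9601)(OA;;CR;{AD};;{DOM}-9601)"  # holds both rights
    f"(OA;;CR;{AA};;{DOM}-9602)"                            # holds only one
    "(A;;RPLCLORC;;;AU)")
```

Deny ACEs are ignored in this sketch, so a hit is a lead to confirm against the effective permissions rather than a final verdict.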

Just started with this machine, I’ve got a user with a password… not sure where the lock is where I can put these keys in… anyone care to help and get some respect in return :wink: