Forest

got user on this one, now on to root. If anyone needs help with user let me know, although I’m fairly late to the game here

@bipolarmorgan said:

@RawrRadioMouse said:

@bipolarmorgan said:

why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren’t helping by referring to animals… regardless of the context of how it relates for you, that doesn’t mean it will relate for them. Give real hints to people, JEEZ

If anyone gets stuck PM me, I’ll do my best to give quality hints without any spoilers.

you’ll find that sort of esoteric “hint” giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say “root dance” and “ENuMerAtIon iz Key!”

True… and it’s rather annoying. But for realz, enumeration is the key… but finding the lock is harder than basic enumeration. You can enumerate everything and if you don’t know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.

indeed…real hint for references

indeed

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.

How did you solve this problem? I also encountered it.

Is there anything I can use besides the “dog” everyone keeps mentioning? The dog is fat and bloated. When I try to make the dog run by giving it commands, it stood up from its doghouse and broke everything. I had to increase the size of the dog house so it wouldn’t break. I also tried to play fetch with the dog but the fat bloated dog just stood there and stared at me BLANK-ly and gave me nothing at all.

@VbScrub said:

@Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I’ll tell you if they are meant to be there or not.

oh jesus, i totally forget that sometimes we need to create a new user hahhaha, i feel so stupid now :lol:

Finally rooted.

Huge shout out to @VbScrub for the nudge. If you’re unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They’ve helped me a lot!

@threst said:

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.

How did you solve this problem? I also encountered it.

Hey,

I was struggling with the same error for some time and then I found on some page that

DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

basically means that the user account does not have replicating directory changes.

Even though I was 100% sure I was granting the privileges in one of the previous steps and executed the priv.elevation script…

So out of curiosity I re-executed the priv.elevation script and it seemed to me that the permissions are gone!

So I re-added them again, immediately ran the priv.elevation script, followed by the sec…p.py scrip… All 3 commands were executed within a couple of seconds. And then it worked and I got what I needed.
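Added example, not part of any post in this thread: the "replicating directory changes" permission discussed above is also what defenders watch for, since a replication request from an account that is not a domain controller is the usual detection signal. The sketch below scans directory-access audit records (event 4662) for the two replication right GUIDs; the event fields are simplified and the sample records, account names and host name are constructed for illustration.

```python
import re

# Control-access-right GUIDs that gate directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}")

# Constructed sample records (simplified Security-log fields); the account
# and host names are hypothetical and do not come from the thread.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc-test", "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc-test", "AccessMask": "0x100",
     "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x10",
     "Properties": "%%7684 {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4624, "SubjectUserName": "svc-test"},
]

def find_replication_by_non_dc(events, dc_accounts):
    """Return {account: sorted right names} for replication requests made
    by any account that is not a known domain controller machine account."""
    allowed = {name.upper() for name in dc_accounts}
    hits = {}
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        # 0x100 is the "control access" bit used for extended rights.
        if not int(ev.get("AccessMask", "0"), 16) & 0x100:
            continue
        account = ev.get("SubjectUserName", "")
        if account.upper() in allowed:
            continue
        for guid in GUID_RE.findall(ev.get("Properties", "")):
            right = REPLICATION_RIGHTS.get(guid.lower())
            if right:
                hits.setdefault(account, set()).add(right)
    return {acct: sorted(rights) for acct, rights in hits.items()}

if __name__ == "__main__":
    for acct, rights in find_replication_by_non_dc(SAMPLE_EVENTS, ["DC01$"]).items():
        print(f"ALERT {acct}: {', '.join(rights)}")
```

These records are only written when directory service access auditing is enabled and the domain object carries an auditing entry, so an empty result on a real log does not by itself mean no replication request happened.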

Just started with this machine, i’ve got a user with a password… not sure where the lock is where i can put these keys in… anyone cares to help and get some respect in return :wink:

@metuldann said:

Finally rooted.

Huge shout out to @VbScrub for the nudge. If you’re unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They’ve helped me a lot!

No problem, glad the videos helped :slight_smile:

Rooted. Really fast machine, straight forward to the point. It was the fastest user flag I’ve ever got, just minutes.

I’ve found only one rabbit hole during privesc. I was one command away from getting root but “Access Denied” no matter what I tried. After some time I gave up, then I discovered the correct way and got root quickly.

Root “enumeration” way isn’t easy and it’s not intuitive to many, but it’s really simple to actually do the privesc. Just grab a tool that enumerates for you.

Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

yeah, i need some help with that root part, let me know if you want to help me.

@3xxu5 said:

Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

@crash0 said:
Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

Only if you forget to specify the -just-dc-ntlm option. The thing with that script is that it tries to do a lot of different things, and for this attack we only actually want one of those things. So specify that flag and it will only do that method of attack :slight_smile:

got user :slight_smile:
pm for any hint :slight_smile:

Rooted!
Have much fun with enumerating and using gained info

…rooted.

User:
10 seconds if you did Sauna prior to this box

Root:

  1. roll your own evildoer
  2. As mentioned, the high port likes evil tools
  3. Add evildoer to Ggroups as mentioned in the article, and vids
  4. Remember to add your evildoer to the proper Lgroup in order to log in
  5. For some reason I had to step through <In**A**P.ps1> manually in order to add dsacls properly. Probably just got one of the params wrong.
  6. as said multiple times before, when step 5 is successful, just grab the Imp secrets, no need to crack, pass as is to another imp tool.

copy, paste copy paste.

Are there other ways?

Rooted :slight_smile:
Nice box many thanks to the author
Feel free to DM if you need any nudge