Forest

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.
How did you solve this problem? I also encountered it.


Is there anything I can use besides the “dog” everyone keeps mentioning? The dog is fat and bloated. When I try to make the dog run by giving it commands, it stood up from its doghouse and broke everything. I had to increase the size of the dog house so it wouldn’t break. I also tried to play fetch with the dog but the fat bloated dog just stood there and stared at me BLANK-ly and gave me nothing at all.

@VbScrub said:

@Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I’ll tell you if they are meant to be there or not.

oh jesus, i totally forget that sometimes we need to create a new user hahhaha, i feel so stupid now :lol:

Finally rooted.

Huge shout out to @VbScrub for the nudge. If you’re unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They’ve helped me a lot!

@threst said:

@Uglymike said:

On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

Edit: Nevermind. It was me.
How did you solve this problem? I also encountered it.

Hey,

I was struggling with the same error for some time and then I found on some page that

DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

basically means that the user account does not have replicating directory changes.

Even though I was 100% sure I was granting the privileges in one of the previous steps and executed the priv.elevation script…

So out of curiosity I re-executed the priv.elevation script and it seemed to me that the permissions were gone!

So I re-added them again, immediately ran the priv.elevation script, followed by the sec…p.py script… All 3 commands were executed within a couple of seconds. And then it worked and I got what I needed.
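For defenders auditing the replication right this post refers to, an added example (not part of the thread): it parses the SDDL form of a domain object's DACL and lists trustees outside an expected set that hold the replication control-access rights. The sample SDDL, the SID and the allow-list are constructed assumptions, and full-control (GA) ACEs are out of scope.

```python
import re

# Control-access-right GUIDs that together allow directory replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumed allow-list of trustees expected to hold them (SDDL aliases and
# well-known SIDs for Administrators and domain controllers); tune per domain.
EXPECTED = {"BA", "DD", "ED", "S-1-5-9", "S-1-5-32-544"}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def has_control_access(rights):
    """True if the ACE rights field (hex mask or 2-letter codes) includes CR."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in [rights[i:i + 2] for i in range(0, len(rights), 2)]

def replication_grants(sddl):
    """Return (trustee, right) pairs for unexpected replication grants."""
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        f = ace.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) < 6 or f[0] not in ("A", "OA"):
            continue
        rights, guid, sid = f[2], f[3].lower(), f[5]
        if sid in EXPECTED or not has_control_access(rights):
            continue
        if guid in REPL_RIGHTS:
            findings.append((sid, REPL_RIGHTS[guid]))
        elif guid == "":  # CR with no object GUID covers every extended right
            findings.append((sid, "all extended rights"))
    return findings

# Constructed sample: a placeholder user SID next to default-style ACEs.
SAMPLE_USER = "S-1-5-21-1111111111-2222222222-3333333333-9601"
SAMPLE_SDDL = (
    "D:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(A;;RPRC;;;AU)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{SAMPLE_USER})"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{SAMPLE_USER})"
)

if __name__ == "__main__":
    for sid, right in replication_grants(SAMPLE_SDDL):
        print(f"unexpected grant: {sid} holds {right}")
```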

Just started with this machine, i’ve got a user with a password… not sure where the lock is where i can put these keys in… anyone cares to help and get some respect in return :wink:

@metuldann said:

Finally rooted.

Huge shout out to @VbScrub for the nudge. If you’re unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They’ve helped me a lot!

No problem, glad the videos helped :slight_smile:

Rooted. Really fast machine, straightforward, to the point. It was the fastest user flag I’ve ever got, just minutes.

I’ve found only one rabbit hole during privesc. I was one command away from getting root but “Access Denied” no matter what I tried. After some time I gave up, then I discovered the correct way and got root quickly.

Root “enumeration” way isn’t easy and it’s not intuitive to many, but it’s really simple to actually do the privesc. Just grab a tool that enumerates for you.

Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

yeah, i need some help with that root part, let me know if you want to help me.

@3xxu5 said:

Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

@crash0 said:
Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

Only if you forget to specify the -just-dc-ntlm option. The thing with that script is that it tries to do a lot of different things, and for this attack we only actually want one of those things. So specify that flag and it will only do that method of attack :slight_smile:

got user :slight_smile:
pm for any hint :slight_smile:

Rooted!
Have much fun with enumerating and using gained info

…rooted.

User:
10 seconds if you did Sauna prior to this box

Root:

  1. roll your own evildoer
  2. As mentioned, the high port likes evil tools
  3. Add evildoer to Ggroups as mentioned in the article, and vids
  4. Remember to add your evildoer to the proper Lgroup in order to log in
  5. For some reason I had to step through <In**A**P.ps1> manually in order to add dsacls properly. Probably just got one of the params wrong.
  6. as said multiple times before, when step 5 is successful, just grab the Imp secrets, no need to crack, pass as is to another imp tool.

copy, paste copy paste.

Are there other ways?

Rooted :slight_smile:
Nice box many thanks to the author
Feel free to DM if you need any nudge

This box took approx 2 weeks, oh my…

c:\Users\Administrator\Desktop>whoami & hostname
nt authority\system
FOREST

And finally level up :slight_smile: !

Okay, a bit of a newbie here. Was able to pull down 2 user accounts and passwords. Don’t have any idea where to use them; tried rpc, smb, etc. I’m actually familiar with SH, unfortunately the python version isn’t working, so I’m spinning up a windows box. Anyway, I could really use help here, first time actually spending time in htb. If someone could PM with a hint for tools for user or if I’m completely off there.

User done. Getting to grips with the Windows/AD thing.

EDIT: Got the dog to map the box. Imported data to local dog analytics thing. Marked my owned user and experimented with those “shortest path to x” features. Very nice tool.

Studying AD and reading articles.