Forest


Comments

  • So I managed to get User by using evil but am curious if it can be done using im******'s ps****.py script. I have been messing around with it for a couple days and am sure I am just getting the syntax wrong. Can anyone help me with the syntax?

  • Hello guys, how are you doing?!
    Yeah, I kinda have a problem. Yesterday I tried to enum the machine like I used to do, and I got users and I br*** them to the password and I actually got it. I didn't think that I would get it by doing that at all, because on almost every box we don't need to do it, but yeah. So the problem is: with that password I tried to do the rest of the enum and it worked, but today I tried to do the exact same thing with the exact same code and I get an auth error, and I tried to br*** again and the password is not the same and it doesn't give me a password at all.

    I tried to reset the machine and it's the same, so did someone change the passwords yesterday or what happened??

  • @Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I'll tell you if they are meant to be there or not.

  • got user on this one, now on to root. If anyone needs help with user let me know, although I'm fairly late to the game here

    Always in need of guidance

  • edited March 2020

    @bipolarmorgan said:

    @RawrRadioMouse said:

    @bipolarmorgan said:

    why does everyone think their hints are so clever, the people generally asking for help are stuck and you aren't helping by referring to animals... regardless of the context of how it relates for you, that doesn't mean it will relate for them. Give real hints to people, JEEZ

    If anyone gets stuck PM me, I'll do my best to give quality hints without any spoilers.

    you'll find that sort of esoteric "hint" giving is a throwback to the OSCP forums, where everyone thinks they are Mr Robot when they say "root dance" and "ENuMerAtIon iz Key!"

    True... and it's rather annoying. But for realz, enumeration is the key... but finding the lock is harder than basic enumeration. You can enumerate everything and if you don't know which door has the lock to which you might find a key under the mat, you can get lost for days going down rabbit holes.

    indeed...real hint for references

  • @Uglymike said:

    On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
    DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

    Edit: Nevermind. It was me.

    How did you solve this problem? I also encountered it.

  • edited March 2020

    DELETED

    If my comment somehow helped you, you can show your appreciation with a Respect :)
    https://www.hackthebox.eu/home/users/profile/117977

  • Is there anything I can use besides the "dog" everyone keeps mentioning? The dog is fat and bloated. When I try to make the dog run by giving it commands, it stood up from its doghouse and broke everything. I had to increase the size of the dog house so it wouldn't break. I also tried to play fetch with the dog but the fat bloated dog just stood there and stared at me BLANK-ly and gave me nothing at all.

  • edited March 2020

    @VbScrub said:

    @Lummos my guess would be that you brute forced a password to an account that another HTB attacker created with a weak password (on this box we are able to create new user accounts). So then when the machine got reset, that user account would disappear. Send me a PM with the creds you got and I'll tell you if they are meant to be there or not.

    Oh jesus, I totally forgot that sometimes we need to create a new user hahhaha, I feel so stupid now :lol:

  • Finally rooted.

    Huge shout out to @VbScrub for the nudge. If you're unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They've helped me a lot!

  • @threst said:

    @Uglymike said:

    On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
    DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

    Edit: Nevermind. It was me.

    How did you solve this problem? I also encountered it.

    Hey,

    I was struggling with the same error for some time and then I found on some page that

    DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.

    basically means that the user account does not have replicating directory changes.

    Even though I was 100% sure I was granting the privileges in one of the previous steps and executed the priv.elevation script...

    So out of curiosity I re-executed the priv.elevation script and it seemed to me that the permissions were gone!

    So I re-added them again, immediately ran the priv.elevation script, followed by the sec....p.py script... All 3 commands were executed within a couple of seconds. And then it worked and I got what I needed.

    If my comment somehow helped you, you can show your appreciation with a Respect :)
    https://www.hackthebox.eu/home/users/profile/117977
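
Added example (not part of any post in this thread): seen from the defender's side, the replication rights discussed above are control-access operations that a domain controller records as Security event 4662 when directory service access auditing is enabled. The sketch below flags the two replication-right GUIDs when they are requested by a non-machine account; the one-JSON-object-per-line layout, the sample events and the function name `replication_requests` are constructed for illustration.

```python
import json

# Control-access-right GUIDs for AD replication (schema-defined values).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
CONTROL_ACCESS = 0x100  # access-mask bit for extended (control access) rights

# Constructed sample: event records flattened to one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "labuser1", "AccessMask": "0x100", "Properties": "{1131F6AA-9C07-11D1-F79F-00C04FC2DCD2}"}
{"EventID": 4662, "SubjectUserName": "labuser1", "AccessMask": "0x100", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "labuser2", "AccessMask": "0x10", "Properties": "{00000000-0000-0000-0000-000000000000}"}
{"EventID": 4624, "SubjectUserName": "labuser1"}
"""


def replication_requests(lines, allowed=()):
    """Return (user, right) pairs for replication rights exercised by accounts
    that are neither machine accounts nor on the allowlist."""
    allowed = {a.lower() for a in allowed}
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS:
            continue
        user = ev.get("SubjectUserName", "")
        # Assumption: domain controllers replicate as machine accounts ("$").
        # In a real deployment, replace this with an explicit list of DCs.
        if user.endswith("$") or user.lower() in allowed:
            continue
        props = ev.get("Properties", "").lower()
        for guid, right in REPL_RIGHTS.items():
            if guid in props:
                findings.append((user, right))
    return findings


if __name__ == "__main__":
    for user, right in replication_requests(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT: {user} requested {right}")
```

The `allowed` parameter is for accounts that legitimately replicate, such as a directory synchronization service account.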

  • Just started with this machine, I've got a user with a password... not sure where the lock is where I can put these keys in... anyone care to help and get some respect in return ;-)

  • @metuldann said:

    Finally rooted.

    Huge shout out to @VbScrub for the nudge. If you're unfamiliar with AD/PS/Wind0ze then I highly recommend checking out his videos. They've helped me a lot!

    No problem, glad the videos helped :)

  • edited March 2020

    Rooted. Really fast machine, straight forward to the point. It was the fastest user flag I've ever got, just minutes.

    I've found only one rabbit hole during privesc. I was one command away from getting root but "Access Denied" no matter what I tried. After some time I gave up, then I discovered the correct way and got root quickly.

    Root "enumeration" way isn't easy and it's not intuitive to many, but it's really simple to actually do the privesc. Just grab a tool that enumerates for you.

  • Just a heads up for anyone manually doing the d**l privesc and stuck on root, the se****sd***.py from i******t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

  • Yeah, I need some help with that root part, let me know if you want to help me.

  • @3xxu5 said:

    Just a heads up for anyone manually doing the d**l privesc and stuck on root, the se****sd***.py from i******t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

    Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn't work it means something's wrong.

  • @crash0 said:
    Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn't work it means something's wrong.

    Only if you forget to specify the -just-dc-ntlm option. The thing with that script is that it tries to do a lot of different things, and for this attack we only actually want one of those things. So specify that flag and it will only do that method of attack :)

  • got user :)
    pm for any hint :)


    You can pm me on discord sh4d0wless#6154

  • Rooted!
    Have much fun with enumerating and using gained info

  • edited March 2020

    ....rooted.

    User:
    10 seconds if you did Sauna prior to this box

    Root:
    1. roll your own evildoer
    2. As mentioned, the high port likes evil tools
    3. Add evildoer to Ggroups as mentioned in the article, and vids
    4. Remember to add your evildoer to the proper Lgroup in order to log in
    5. For some reason I had to step through <In**A**P.ps1> manually in order to add dsacls properly. Probably just got one of the params wrong.
    6. As said multiple times before, when step 5 is successful, just grab the Imp secrets, no need to crack, pass as is to another imp tool.

    copy, paste copy paste.

    Are there other ways?

    Please give respect if I have helped:
    https://www.hackthebox.eu/home/users/profile/121891

  • Rooted :)
    Nice box many thanks to the author
    Feel free to DM if you need any nudge

  • This box took approx 2 weeks, oh my....

    c:\Users\Administrator\Desktop>whoami & hostname
    nt authority\system
    FOREST
    

    And finally level up :) !

    Kirzaks

  • Okay, a bit of a newbie here. Was able to pull down 2 user accounts and passwords. Don't have any idea where to use them, tried rpc, smb, etc. I'm actually familiar with S****H****, unfortunately the python version isn't working, so I'm spinning up a windows box. Anyway, I could really use help here, first time actually spending time in htb. If someone could PM with a hint for tools for user or if I'm completely off there.

  • edited March 2020

    User done. Getting to grips with the Windows/AD thing.

    EDIT: Got the dog to map the box. Imported data to local dog analytics thing. Marked my owned user and experimented with those "shortest path to x" features. Very nice tool.

    Studying AD and reading articles.

  • Added initial pwned user to the "Ex..." group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user...?

  • @nando740 said:
    Added initial pwned user to the "Ex..." group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user...?

    Don't add that user to anything. Think about it. You're affecting everyone else attacking this machine at the same time as you. If you grant that account extra permissions, now someone else who gets those creds after that will be starting with extra permissions they shouldn't have. Create a new user account and do whatever you want with that.

  • Can anyone confirm whether a certain machine E***01 should be up and running?

  • Created a new user, and added "w..e...p" group to him. Can't use him to login, since it's not a service account, and that group permission can't be added. If I understand correctly, I should use this account to grant additional permissions.
