Forest

Yeah, I need some help with that root part, let me know if you want to help me.

@3xxu5 said:

Just a heads up for anyone manually doing the dl privesc and stuck on root, the sesd.py from i***t.py was outputting a 0x5 - rpc_s_access_denied error and failing. Ran the script in metasploit with the same arg vars and it worked!

Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

@crash0 said:
Even when the script works, it still outputs rpc_s_access_denied. Look at what comes after. If it doesn’t work it means something’s wrong.

Only if you forget to specify the -just-dc-ntlm option. The thing with that script is that it tries to do a lot of different things, and for this attack we only actually want one of those things. So specify that flag and it will only do that method of attack :slight_smile:

got user :slight_smile:
pm for any hint :slight_smile:

Rooted!
Have much fun with enumerating and using gained info

…rooted.

User:
10 seconds if you did Sauna prior to this box

Root:

  1. roll your own evildoer
  2. As mentioned, the high port likes evil tools
  3. Add evildoer to Ggroups as mentioned in the article, and vids
  4. Remember to add your evildoer to the proper Lgroup in order to log in
  5. For some reason I had to step through <In**A**P.ps1> manually in order to add dsacls properly. Probably just got one of the params wrong.
  6. As said multiple times before, when step 5 is successful, just grab the Imp secrets, no need to crack, pass as is to another imp tool.

copy, paste copy paste.

Are there other ways?

Rooted :slight_smile:
Nice box many thanks to the author
Feel free to DM if you need any nudge

This box took approx 2 weeks, oh my…

c:\Users\Administrator\Desktop>whoami & hostname
nt authority\system
FOREST

And finally level up :slight_smile: !

Okay, a bit of a newbie here. Was able to pull down 2 user accounts and passwords. Don’t have any idea where to use them; tried rpc, smb, etc. I’m actually familiar with SH; unfortunately the Python version isn’t working, so I’m spinning up a Windows box. Anyway, I could really use help here, first time actually spending time in HTB. If someone could PM with a hint for tools for user or if I’m completely off there.

User done. Getting to grips with the Windows/AD thing.

EDIT: Got the dog to map the box. Imported data to local dog analytics thing. Marked my owned user and experimented with those “shortest path to x” features. Very nice tool.

Studying AD and reading articles.

Added initial pwned user to the “Ex…” group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?

@nando740 said:
Added initial pwned user to the “Ex…” group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?

Don’t add that user to anything. Think about it. You’re affecting everyone else attacking this machine at the same time as you. If you grant that account extra permissions, now someone else who gets those creds after that will be starting with extra permissions they shouldn’t have. Create a new user account and do whatever you want with that.

Can anyone confirm with a certain machine E***01 should be up and running?

Created a new user, and added “w…e…p” group to him. Can’t use him to login, since it’s not a service account, and that group permission can’t be added. If I understand correctly, I should use this account to grant additional permissions.

@nando740 nothing to do with being a service account. There is a standard group on modern Windows machines that controls who is allowed to log in remotely with po********

@VbScrub said:

@nando740 nothing to do with being a service account. There is a standard group on modern Windows machines that controls who is allowed to log in remotely with po********

Thanks again. Logged in.

Tools like In****-AC**** and prex*** are failing with a lot of untreated errors. From what I understand, I need two aces in the domain object.

Ok, rooted.

To me, a fantastic box. 100% educational. Collected a lot of material to study.

Respects to @egre55 & @mrb3n, the creators, and @VbScrub for the videos and nudges.

I am quite new to hacking on Windows machines. Got the user so and can login via Em.
I created another user and can login to that via E*******m.

Now I try to change the A*l with the P****S****t method A**-D*************l - since the dog told me that’s the fastest way. But every time I try to add rights with A** -D*************l the E********m kinda timeouts and the command does not succeed.

Any nudge on this would be great.

Looking for a nudge here, I don’t see how this is possible with E01 server being down. I’ve read through countless articles about the E***** group issue and I get

socket.error: [Errno 113] No route to host

@LSCSG said:

Looking for a nudge here, I don’t see how this is possible with E01 server being down. I’ve read through countless articles about the E***** group issue and I get

socket.error: [Errno 113] No route to host

You don’t need access to another server for this…