Forest

…rooted.

User:
10 seconds if you did Sauna prior to this box

Root:

  1. roll your own evildoer
  2. As mentioned, the high port likes evil tools
  3. Add evildoer to Ggroups as mentioned in the article, and vids
  4. Remember to add your evildoer to the proper Lgroup in order to log in
  5. For some reason I had to step through <In**A**P.ps1> manually in order to add dsacls properly. Probably just got one of the params wrong.
  6. As said multiple times before, when step 5 is successful, just grab the Imp secrets, no need to crack, pass as is to another imp tool.

copy, paste copy paste.

Are there other ways?

Rooted :slight_smile:
Nice box many thanks to the author
Feel free to DM if you need any nudge

This box took approx 2 weeks, oh my…

c:\Users\Administrator\Desktop>whoami & hostname
nt authority\system
FOREST

And finally level up :slight_smile: !

Okay, a bit of a newbie here. Was able to pull down 2 user accounts and passwords. Don’t have any idea where to use them; tried rpc, smb, etc. I’m actually familiar with SH; unfortunately the python version isn’t working, so I’m spinning up a windows box. Anyway, I could really use help here, first time actually spending time in htb. If someone could PM with a hint for tools for user or if I’m completely off there.

User done. Getting to grips with the Windows/AD thing.

EDIT: Got the dog to map the box. Imported data to local dog analytics thing. Marked my owned user and experimented with those “shortest path to x” features. Very nice tool.

Studying AD and reading articles.

Added initial pwned user to the “Ex…” group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?

@nando740 said:
Added initial pwned user to the “Ex…” group. After relogin, I can confirm, but after a minute or two, that permission vanishes from this user…?

Don’t add that user to anything. Think about it. You’re affecting everyone else attacking this machine at the same time as you. If you grant that account extra permissions, now someone else who gets those creds after that will be starting with extra permissions they shouldn’t have. Create a new user account and do whatever you want with that.

Can anyone confirm whether a certain machine, E***01, should be up and running?

Created a new user, and added “w…e…p” group to him. Can’t use him to login, since it’s not a service account, and that group permission can’t be added. If I understand correctly, I should use this account to grant additional permissions.

@nando740 nothing to do with being a service account. There is a standard group on modern Windows machines that controls who is allowed to log in remotely with po********

@VbScrub said:

@nando740 nothing to do with being a service account. There is a standard group on modern Windows machines that controls who is allowed to log in remotely with po********

Thanks again. Logged in.

Tools like In****-AC**** and prex*** are failing with a lot of untreated errors. From what I understand, I need two aces in the domain object.

Ok, rooted.

To me, a fantastic box. 100% educational. Collected a lot of material to study.

Respects to @egre55 & @mrb3n, the creators, and @VbScrub for the videos and nudges.

I am quite new to hacking on Windows machines. Got the user so and can login via Em.
I created another user and can login to that via E*******m.

Now I try to change the A*l with the P****S****t method A**-D*************l - since the dog told me that’s the fastest way. But every time I try to add rights with A** -D*************l the E********m kinda timeouts and the command does not succeed.

Any nudge on this would be great.

Looking for a nudge here, I don’t see how this is possible with E01 server being down. I’ve read through countless articles about the E***** group issue and I get

socket.error: [Errno 113] No route to host

@LSCSG said:

Looking for a nudge here, I don’t see how this is possible with E01 server being down. I’ve read through countless articles about the E***** group issue and I get

socket.error: [Errno 113] No route to host

You don’t need access to another server for this…

Hi, I got a list of users and password for s**-a****** user but got no idea where to use it. Any hints for me please. Can PM me.

Rooted finally! My first AD box and the journey was wonderful. Ty @Louff for the nudges and @VbScrub for your videos which helped me learn a lot about AD!

Spent a few days on this machine and eventually owned it. Learnt a bunch of new things on Windows Active Directory. Overall, this box is one of the closest boxes to what you will find in the real world. Thanks to @bumika for lots of useful hints and directions.

Feel free to PM me if you get stuck and want some hints !!!
Happy to help :slight_smile:

Anyone hints me on root? Can seems to run the ACLps1 scripts, cat, SH locally… there are some errors. can pm me…

First Windows box rooted!!!
This was a super fun box, thanks to @egre55 & @mrb3n for creating this awesome box, also thanks to @nando740 for helping along the way to get root! :slight_smile:

Feel free to PM me for hints :smiley: