Forest

Thank you for another great box. Getting pretty good at pwning Windows. OSCP here I come. :smile:

@mm4rk3t said:
Rooted. Thanks a lot @VbScrub for this awesome box and even more awesome videos, your content is gold. Cheers!

I didn’t make this box lol did you mean to post this in the Nest thread?

User is easy.

Root is not.

Besides the nice graph from Bl****d, ONLY USE built-in Windows cmdline tools (net …, and dls); it’s not worth fighting your tools and trying every GitHub version when robust Windows tools exist for this purpose.

P*rVw did not work for me (tried almost every version).

PM for hints

@VbScrub said:

@mm4rk3t said:
Rooted. Thanks a lot @VbScrub for this awesome box and even more awesome videos, your content is gold. Cheers!

I didn’t make this box lol did you mean to post this in the Nest thread?

f*ck :sweat_smile: No, I actually thought you did it xD I didn’t even nmap Nest (was about to, tho)

I am new and late to this game. After 3 days, finally got a user password. What next? How do I get the flag? Appreciate any hint.

Please, I need help on user. I have the credentials but I am stuck. Anyone?

Spoiler Removed

I tried psexec. It looks like the user I used works, but I’m getting an error. Does anyone know what the error below means?
Unable to connect for cleanup: The server responded with error: STATUS_ACCESS_DENIED (Command=117 WordCount=0). Maybe you’ll need to manually remove \WINDOWS\Temp\mcJxNOpUDjvTpJJC.bat from the target.

@endoftime it says “ACCESS DENIED” and says maybe you’ll need to manually remove the file it mentions. Not sure how much clearer anyone could explain it really

Yeah.
PS C:\Users\Administrator\Documents> hostname
FOREST
PS C:\Users\Administrator\Documents> whoami
htb\administrator

This machine is very similar to the machine “Sauna”.

Hi,
Thanks for this great box.
4 brain ■■■■ days for a newbie

Currently stuck on root and would love some help over PM.

Got ownership on domain, but can’t get the right tool to work :-s

Never mind, rooted. Good box for learning Windows.

Nice box, fun user and interesting escalation.

Random Tips:

User:
Enum.
An interesting video can help you (one from VbScrub, in the last days here on the forum)
When you got what you need, try to use cat eyes and think evil.

Root:
It’s a long way to the top if you wanna rock and roll.
Maybe you can abuse something.
Again cats can help you.
666 copy-paste of the d-evil

Hey, I am trying the root but I don’t know how to start. Some help?

Hi Guys, I could do with a nudge.

Firstly, the new user I created keeps on getting deleted, probably a VM reset, which is frustrating.

The user I have created, I have added it to
***te **nt Group
**nge **dow ** sions

I can see svc-**co account is a member of **vice **nts and I need to make my user member of that but I can’t see how.

Also, are people using just Kali or utilizing Windows boxes as well to run PowerShell scripts?

I have the svc-a******* account hash (type Kerberos 5 AS-REP etype 23). Am I supposed to brute it? If so, can someone give me a hint on the hashcat mask (char types and length) to use? I have a slow laptop and it’s saying 1 day 20 hours to do an 8 char lc alpha brute. Any help much appreciated!

@Supremacy said:

I have the svc-a******* account hash (type Kerberos 5 AS-REP etype 23). Am I supposed to brute it? If so, can someone give me a hint on the hashcat mask (char types and length) to use? I have a slow laptop and it’s saying 1 day 20 hours to do an 8 char lc alpha brute. Any help much appreciated!

No need to brute force. You can decrypt it.

@Supremacy said:
I have the svc-a******* account hash (type Kerberos 5 AS-REP etype 23). Am I supposed to brute it? If so, can someone give me a hint on the hashcat mask (char types and length) to use? I have a slow laptop and it’s saying 1 day 20 hours to do an 8 char lc alpha brute. Any help much appreciated!

Use a common wordlist. It will be a lot faster :wink:

@idevilkz said:
No need to brute force. You can decrypt it.

Not really. The user’s password is used to encrypt the ticket. So, you basically decrypt it with each potential password and check the result for some known data :wink:
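
Added example, not part of the thread and not any poster's code: the offline guessing described above is only possible when the KDC answers an AS-REQ without pre-authentication, which a domain controller records as Security event 4768 with PreAuthType 0. The sketch below filters constructed sample records for that condition; the account names, addresses and function names are assumptions, and the etype flag is a secondary triage hint rather than a filter.

```python
from collections import defaultdict

# Kerberos etype numbers: 1 and 3 are DES, 23 (0x17) is RC4-HMAC, the type in the thread.
WEAK_ETYPES = {0x1, 0x3, 0x17}

# Constructed sample records. Field names follow Security event 4768;
# every account name and address below is invented for illustration.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-example", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "legacy-app", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x12", "PreAuthType": "0", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.50",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x12"},
    {"EventID": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.21",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
]

def num(value):
    """Event fields arrive as strings, hex ("0x17") or decimal ("2")."""
    return int(str(value), 0)

def find_no_preauth_tgts(events):
    """Return successful TGT requests that were served without pre-authentication."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or num(ev.get("Status", "0x0")) != 0:
            continue  # not an AS exchange, or the KDC refused the request
        if num(ev.get("PreAuthType", "-1")) != 0:
            continue  # the client proved knowledge of the password first
        etype = num(ev.get("TicketEncryptionType", "0"))
        findings.append({"account": ev["TargetUserName"], "source": ev["IpAddress"],
                         "etype": etype, "weak_etype": etype in WEAK_ETYPES})
    return findings

def accounts_by_source(findings):
    """Group flagged accounts per client address; several accounts from one host needs triage."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["source"]].add(f["account"])
    return {src: sorted(names) for src, names in grouped.items()}

if __name__ == "__main__":
    hits = find_no_preauth_tgts(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print(accounts_by_source(hits))
```

Any account this flags has "Do not require Kerberos preauthentication" set; clearing that setting removes the exposure, and a long random password limits what a wordlist can recover where it cannot be cleared.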

I was trying to help someone with Forest. It looked like he was going down the same path I did, but he kept getting errors. I went through my notes and couldn’t get it to work this time.

Anyone else root Forest without using ap?

I didn’t change the svc acct.

I’m trying to determine if I rooted it as a side effect of someone else also being on the box.