This was a fun box to do for me. I don't have a lot of Windows experience so it was very nice to learn more about common AD enumeration and exploitation techniques.
I suppose for the more veteran Windows pentesters this box is a piece of cake. But this box is definitely a way to learn the techniques and become a better Windows pentester.
This was a really good box and one that taught me quite a few new skills so thanks to the creator and also to @VbScrub for the video which got me on my way.
Lots of hints on these threads should get you all the way to root.
When I use the GtU.p* script I already had it and it solves executing with usersfile param, but now I don't know what it could be.
Thanks
Edit 1: Solved.
Edit 2: rooted.
Hi,
How did you solve the problem with I*pa**et and the parameter "digestmod"?
So I've got the second user and know that I should use the Dnc attack, but Mmi** doesn't work and sec***dmp has an error with the parameter "digestmod". What should I do?
I think my brain is bricked. I am stuck at the very beginning for hours and can't find a user/pw. I read the hints here but I have honestly no idea which imp***** tool to use. Would someone be so kind as to send me a PM with a hint?
Hi.
When I use GetNPUsers I get KDC_ERR_WRONG_REALM. What can I do with it?
That means you're specifying the wrong domain name. Make sure you're using the dns domain name (mydomain.local) and not the netbios domain name (MYDOMAIN)
It doesn't work. It's version 0.9.16 and doesn't have GetNPUsers.py.
In mainstream version 0.9.22-dev0, they have GetNPUsers.py but it doesn't work either
@VbScrub said:
That means you're specifying the wrong domain name. Make sure you're using the dns domain name (mydomain.local) and not the netbios domain name (MYDOMAIN)
Finally rooted it, bloomin 'ell that was a headache. Basically bashed my head on the keyboards for two days until I did a "hail mary" and did a reset on the box. Suddenly it worked.
I had serious issues with clock skew and tried pretty much everything in the book to sync my Kali machine to the other box, or set my machine to the same timezone as it used, but still no dice.
Tried to use the "tickets to ride" with anything I could get a hold of, still no dice.
So a reset and found creds with evil tool gave the needed foothold.
User was harder/more annoying than root.
Cheers for a nice box and kudos to @Watskip for the nudges on discord, much appreciated.
I'm really confused by some creds on this box. Two accounts with same family name and with same password? Have I been trolled by someone who reset the passwords?!
I don't understand what is going on with the domain. The one returned from nmap is… well it seems weird to me with that trailing character, and I can't seem to find the "real" one. Can anyone point me in the right direction? @fr0ster maybe?