Forest

@unmesh836 said:

@DeDeReporter said:

Hello Guys,
a little question. Could someone explain to me what I am doing wrong with TGT?
I managed to get credentials for the sv*-***o user; I cracked the AS-REP response. Then I tried to gT.py and I successfully saved the ticket in the cache, but actually I can't do anything with that ticket.

  • I can't make smbclient with -k (I got gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/htb.local failed)
  • When I tried rpcclient with -k I got Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE

Basically I can't make any benefit from the ticket I got from the KDC. I've got the KRB5CCNAME env with a valid path to the cache. I also have similar time in comparison to the DC.

Can someone explain this thing to me? Am I missing something?
I don't ask for a guide for user, just a little explanation of what I am doing wrong.
Thanks guys.

Edit: is this because I don't get any SPN that sv*-*******o has access to?

I am also stuck on the exact same point

I just got the user flag. You don’t need that to get it. It is way simpler. Once you've got the credentials, you need to use another service to connect (check high ports). Then with one command line, it’s done.

I think maybe for the root flag we need to go back to TGT, TGS, etc…

@VbScrub said:

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local

server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found

what I’m doing wrong here? I just need the IP and the domain in the hosts file, right?

created another user added it to all the groups i had permission to, used that user with the dog and I’m stuck at this point. any nudge in the right direction would be appreciated.

i am struggling to enumerate the user list. I have been trying the tools I would expect but coming up empty. Any nudges would be appreciated.

*edit - Nevermind… I needed to read harder…

@theonemcp said:

@VbScrub said:

htb.local is the only valid name for the domain (other than the netbios flat name which will just be HTB, but you won’t ever want to use that).

Forest is the name of the machine.

So the machine’s FQDN is Forest.htb.local

If your machine is unable to resolve those names to IP addresses then you need to fix that before you can use those names. See my answer to the previous quote above for a way to do that (or you can just use hosts file)

@VbScrub I try to set the hosts file to get the Forest.htb.local to resolve
But when I do
nslookup Forest.htb.local

server is not found
but if I do
nslookup Forest.htb.local 10.10.10.161
the server is found

what I’m doing wrong here? I just need the IP and the domain in the hosts file, right?

well, you put forest in your hosts file.
nslookup talks to your DNS server.

just try ping forest.htb.local.
if that works you’re good to go.
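
Added example, not part of any post in this thread: a Python sketch of the difference described in the reply above. Tools such as ping resolve through the system resolver, which reads the hosts file, while nslookup queries a DNS server directly and never sees hosts entries. The hosts content below is constructed; the IP and names are the ones quoted in the thread.

```python
import socket

# Constructed sample hosts-file content (IP and names as quoted in the thread).
SAMPLE_HOSTS = """\
127.0.0.1     localhost
# lab entry
10.10.10.161  forest.htb.local  htb.local   # domain controller
"""

def parse_hosts(text):
    """Map each lower-cased name or alias to its addresses, as the hosts-file lookup does."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue                             # blank line or address without a name
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def hosts_lookup(text, name):
    """Addresses the hosts file gives for name (host names are case-insensitive)."""
    return parse_hosts(text).get(name.lower().rstrip("."), [])

def missing_names(text, names):
    """Names that ping, smbclient and similar tools could NOT resolve from the hosts file alone."""
    return [n for n in names if not hosts_lookup(text, n)]

def system_lookup(name):
    """What ping sees: getaddrinfo normally checks the hosts file, then DNS
    (on Linux the order is set in /etc/nsswitch.conf). nslookup skips this path."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

if __name__ == "__main__":
    wanted = ["Forest.htb.local", "htb.local", "forest"]
    for n in wanted:
        print(n, "->", hosts_lookup(SAMPLE_HOSTS, n) or "not in hosts file")
    print("missing:", missing_names(SAMPLE_HOSTS, wanted))
```
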

@TestUserx said:

created another user added it to all the groups i had permission to, used that user with the dog and I’m stuck at this point. any nudge in the right direction would be appreciated.

Check out @ippsec Walkthrough on HTB Active

~~So I’m evil but I can’t let the dogs out. Nothing happens. I have my path set and my script seems to load but if I try to run it the script just returns to the next prompt with no output. Any nudges? I see a few people ran into this as well.~~

I was finally able to enumerate and I think I know where I need to go with groups but I’m unsure of how to do so. Any nudges that explain adding the user/groups?

Hi Guys,
I have questions:

1: if you create new user as new domain user is there a default password?
2: in priv esc, is ‘B*******D’ really needed to root?
3: some of the impacket scripts needed the NTLM hash? is there any hint to get it?

this is my first Windows. I'm looking for every tutorial regarding the ‘B*******D’ but can't really find a good tuts with linux :slight_smile: thanks, guys

so close to the end I think but stuck with what i think is like the final command go the k***** h***/t****t (and diff versions) but stuck somehow, stuck for a couple of days actually.

ok nailed it, made it harder than it was, got lost, learnt heaps. Many thanks.

Guys, I need help. I’ve installed B********d and now I’m trying to use an ingestor called bl*******d.py. Anyway, when I provide the domain name and DC name I have a DNS error. Did you guys configure your own DNS server to be able to resolve the name?

@kalagan76 said:

Guys, I need help. I’ve installed B********d and now I’m trying to use an ingestor called bl*******d.py. Anyway, when I provide the domain name and DC name I have a DNS error. Did you guys configure your own DNS server to be able to resolve the name?

Try configuring DNS on your local adapter and vpn adapter (10.10.10.161)

Managed to add my account to two groups. Logged in using my account and executed some ps1 scripts. Anybody here can vouch gded’s fix is the way in able to execute the cat? I'm stuck…

@govsec don’t run the ps1. Run the python counterpart

Anybody got a spare minute to troubleshoot with me the issue that i am not able to import data into b********d? - Edit/Add: Used E****e Suite for generating.

I was having a hellava time trying to get the dog to connect thru a windows machine.

I hope this helps anyone trying the same way.

Before when running IPCONFIG on the TAP adapter, DNS was pulling IPv6, so disabling it will allow your adapter to use the machine name as the DNS

Disable IPv6 on the TAP VPN Adapter
Change the DNS to the machine IP
Connect

Some help for root, I’m a little lost, that if bldhd, that if im***et, that if pwsll, … if someone can give me a little help to continue …

Greetings

My first box pwned!! This was a really intensive learning experience for me ■■■!! But got it :))

Hint to get root: Learn about bloodhound and some evil powershell and do good research!

Can’t believe I finally ROOTED that box. Big thank you to @SEBLOG. Couldn’t have done it without him.
For me this box was far from easy. But I learned a lot :slight_smile:

Finally rooted. Don’t over complicate things like I did. All you need is impacket for both flags.