If anyone can give me any nudges. I’ve figure out the rights and groups that I need to give my user in order to spill the secrets. However, the View that I’m looking at seems to work and gives me sync rights but for some reason Secrets still won’t let me in. Keep getting rpc_access denied.


I’m totally stuck since 2 days. I have s**-****o login and password but i cant e*****m or cant use this login/password.

Can someone help me please ? :slight_smile:

Ty a lot !

Could do with a hint on how to log in with new user. Can create new user and add to relevant groups but then when eviling in it doesn’t recognise that user. also if I use s-A and give rep extensions i get rpc access denied on dumping

There is a well known group that controls access to logging in with po****** (and therefore affects evil too). Make sure you’re in that group.

Working on root, am able to add a user to the specific group using evm but cannot assign the user DC rights, any assistance would be greatly appreciated.

@Xtronum I’m stuck at the same point, I’ve added a new user and the appropriate groups but I can’t allocate DCs rights. I’m not sure if it’s a bug, because I’m pretty sure my syntax is correct. I’m trying to add rights with PowV*.

FINALLY rooted this one! FOREST was my first box ever and I learned so much! Thanks a lot to the creators for building this box and having me bang my head on the keyboard way more often than I’m willing to admit :slight_smile:

Thanks a lot @Mlckha for giving me the crucial hint, would still be stuck without you, man!

User: All has been said, but enumeration is key. Three heads are better than one and if cats are not working for you, maybe a certain ripper can give you a hand and rock your world?

Root: It’s so straightforward that it’s easy to lose track of the path. Let the dog guide you (but you won’t need one with more than one head) and find the suitable rights. You can get them manually, might even be easier than using a certain view (which did not work for me at all). After that, impact is all you need. One last time being evil after that and done.

Feel free to message me for hints

Forest clearly was one of the hardest Windows Box I had to do… but understanding it taught me so much!

Any one who need a nudge / help, send a message :wink:

hi guys,
this is my first box attempt,
i have the list of users, but trouble obtaining the hash
having issues with the G*NP*****.py script. - no output
Can anyone give me a hand

Type your comment> @jaydavz00 said:

hi guys,
this is my first box attempt,
i have the list of users, but trouble obtaining the hash
having issues with the G*NP*****.py script. - no output
Can anyone give me a hand

Not all users are good for getting what you need. Be sure to include the one with less restrictions.
PM if you are stuck

Spoiler Removed

Hey guys,
Have got user but having some difficulty with root, I have sniffed with dog and have done some further steps but to no avail. PM if you are able to help :slight_smile:

I got user and am working on root. I’ve fed the dog and see a path, but am having trouble getting there. Have been trying to get PrE**** working with no success. If anyone could PM with some guidance, I’d really appreciate it. :slight_smile:

Look at me, I’m the Administrator now :sunglasses:

This was one of my favourite boxes so far!

All the hints are here already, but I will say that it pays sometimes just to do things manually. Spent way too much time on root debugging errors from scripts (I’m looking at you P*V) when I should have manually granted what I had to.

n*******x does work but not in the way I imagine most are trying.

thanks for the box, humbly experience, 3 days almost 4, what a journey, for root, if your powerstuff wont work, do it like me manually ;), works like charm, and get ur pocket friend to dump the all the goods at the end ! 10 out 10

Hi there, trying get the Sha*******.ps1 one to work but it’s not running. Can anyone dm me with some pointers? Thanks.

Spoiler Removed

I am bad at Windows box , so can you give me some hint to start the box?

Finally got root. Couldn’t have done it without @v0yager - thanks!

Fun machine, not sure how others ended it, pth or ptt? I used the former, after about a day trying the latter via linux. If anyone did the ptt method using kali, DM me pls. I would like to know how you did it. Machine is actually fairly easy if you have experience working in an AD environment, but like was mentioned, its better to do some things on a Windows box if your attacking another Windows machine.

FYI, its marked as easy because you don’t need any special tricks to get root, you just need a fair amount of AD knowledge, so maybe NOT a beginner box, but not medium or hard where you have to RE binaries.

Some tips:
All you need is impacket, powershell-empire and B*****nd + its ingestor S*******nd
For user read through the impacket scripts used for recon in their github repository for “examples”. One of them will get you started. Getting a shell from here should be self explanatory, just look at the higher ports.
After you “Release the Hounds”, here is some reading material that will help, in case you have to do the next few steps manually

After you get the “permission slips” you need then you do an attack that exploits how the domain controller talks with other dcs.
Then use the tried and tested methods of abusing window’s hashbrowns. Or get something golden. golden method didn’t work for me, but hashbrown method did
Eazy Peezy, GL!