Hello!
Got s**-a******* password, now looking for shell. Scanned whole host, trying to do something with R** by r**client - no result. Should I use some exploit to get in?
Edit: Got user
https://ar-infosec.com/the-powers-of-windows/
Take a look at "permissions".
Very important to understand windows prior to going down rabbit holes.
On the final stages, but am having trouble firing up sec*****ump.py. I keep getting:
DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
Edit: Nevermind. It was me.
Got root. NOT an easy box.
Thanks to @memo @kiaora and @qkx for helping at various stages of this monster.
Happy to pay it forward. PM me for help if you are stuck.
Got root. I work with AD nearly on a daily basis but this was still a massive learning curve for me.
Thanks to @kiaora and @SnarkyWolf for their nudges! Very much appreciated.
I am also receiving a DNS timeout exception using b********d-p****n even with the -d flag set as the FQDN.
@Uglymike @somberlain @D8ll0 @secucyber @glassesboy @amartinr @3zculprit Thank you for the hints and nudges you all rock! Took me 3 days but I would not trade it for the world! I probably traded my marriage for this box but hey root! now to keep on researching!
Finally got root. My tips (for root):
If you are using a tool to enumerate, but you don't get output, try looking at Get-Help
and adding options one by one to make the command more explicit. It works and I wasted a ton of time thinking it didn't because I let my own (lack of) windows skills and assumptions hold me back. Don't do that.
Do yourself a favor and create a new domain user for privesc instead of using an existing account.
This was a challenging box for me and I learned a lot and enjoyed it (even though it took me a long time). PM me if you need a nudge. I believe there are different ways than what I did, but I think I took the intended route for this box and will offer help if I can.
Stuck at the last (I think) steps before root. Found the ACL to modify DCSc with PrV*w but even though the command outputs nothing, it doesn't appear to be working.
Can someone please DM me? Thx I can help for Resolute, Traverxec
@NicoHD I'm in the same boat... I can add myself to the proper group but can't DCS via katz. Pretty sure I need to spawn a new process (once in the group) but the abuse info in the dog is outdated and I can't pass a credential object.
I feel like this box is more challenging than "easy" since PowerView has been updated... (see edit below)
I should also mention that I keep getting this error:
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
EDIT
Alright, so I finally figured it out with some help from @pryon (thank you!)
turns out I was on the "master" branch of PowerSploit. The "dev" branch exposes the proper function that the dog's abuse info references. Also, creating a new user and doing everything through him allowed me to get it in the end.
Thanks Ctlfish for the help.
Got user for this box. Now heading for root.
First box ever, got the user and password, but now I'm stuck. Using the evil tool to set up a remote shell but can't get the hound to work on Forest. Not getting any output. Anyone who can help me in the right direction?
I have successfully invoked BlHd and mapped out the path from s**-*******o to Administrator, but the documentation is outdated and I cannot grant my new user DCSync rights using the Add-******Acl. Any tips?
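The two posts above hit the same wall: the ACL change either errors out or "outputs nothing", and the abuse text in the tooling no longer matches the current function names. Independently of which PowerView branch or which command you used, the check that settles it is to read the DACL of the domain object and see who actually holds the replication extended rights. The following is an added example, not code from this thread, from PowerView, or from BloodHound. It assumes a Windows PowerShell session on a domain-joined host (a remote shell on the target works) where ADSI can bind to the domain; the domain DN is read from RootDSE, and no user, host or DN from the box is named.

```powershell
# Added example: list DACL entries on the domain naming context that carry the
# replication extended rights a DCSync needs. Not from the thread or from PowerView.
# Assumption: Windows PowerShell on a domain-joined host, running as a domain user.

# Extended-right GUIDs as defined in the AD schema (controlAccessRight rightsGuid).
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationAce {
    param(
        # Defaults to the domain this host is joined to; pass an explicit DN to override.
        [string]$DomainDn = [string]([ADSI]'LDAP://RootDSE').psbase.Properties['defaultNamingContext'].Value
    )

    $domain = [ADSI]"LDAP://$DomainDn"
    # ObjectSecurity is the object's ActiveDirectorySecurity; resolve trustees to NTAccount names.
    $rules = $domain.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $extendedBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (([int]$rule.ActiveDirectoryRights -band $extendedBit) -eq 0) { continue }

        $guid = $rule.ObjectType.ToString()
        if ($rule.ObjectType -eq [Guid]::Empty) {
            # An ExtendedRight ACE with an empty ObjectType (e.g. part of GenericAll)
            # grants every extended right, replication included.
            $name = 'All extended rights'
        } elseif ($ReplicationRights.ContainsKey($guid)) {
            $name = $ReplicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Principal   = $rule.IdentityReference.Value
            Right       = $name
            IsInherited = $rule.IsInherited
        }
    }
}

# A trustee can DCSync only with both Get-Changes and Get-Changes-All (or a blanket
# ExtendedRight ACE), so read the output per principal, not per row.
Get-ReplicationAce | Sort-Object Principal, Right | Format-Table -AutoSize
```

Two caveats that match what the posts describe. First, this reads the DACL from the directory, so it tells you whether the ACE was written regardless of which account you are running as; if your new user is listed with both Get-Changes rights and the dump still fails, the problem is on the client side (wrong domain or DN, stale logon token). Second, a group membership added in the current session is not reflected in the access token you already hold, so the DCSync attempt itself has to come from a fresh logon with the new user's credentials rather than from the shell that made the change.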
Finally got user, that evil is powerful.
Finally rooted! Many thanks to @NicoHD for help with the very last step!
Since these boxes should be for learning and there is somewhat of a catch-22 on solving them, I will try to provide spoiler-free advice to give anyone who needs it a running start. You should research how Active Directory works and read up on BloodHound and Impacket. They will prove very beneficial in assisting with solving this machine.
For user, the first step as always is to enumerate. Read up on LDAP, SMB, and WinRM and after you have learned the basics of what they do, you should be ready to pursue user. One of the many Impacket scripts will help here. You can always use the --help argument to get more information on how each script works.
For root, you should research the other tool and how it works. It will recommend other tools to help you escalate privileges. Be advised that some of the steps it will elucidate are outdated and you may need to peruse the Github documentation. I spent quite a few hours reading through code to ensure I was using the correct arguments for each script.
My Advice
If you need a push in the right direction, feel free to reach out in a PM and I will reply when I can.
After 5 days obsessing I finally got User. This is my first box with no prior pentesting knowledge. I spent a lot of time reading about the tools and working out commands. Thanks for all the tips.
I could use a little help. Got bloodhound data,
and also , I am trying to use Invoke-ACLpwn but it does not run the sharphound.exe for some reason. When I originally ran sharphound, i added the ldap user and pass to get it to run. so for ACLpwn i am using creds but it still doesnāt work. been at this for a while. Am i in the right direction?
Really struggling with trying to figure out which impacket script to use. I am pretty certain it is ./gtTT.py, but keep getting non hexadecimal digit found when running. PM please
can someone pm me a hint on how to get user creds? I got a list of users but can't find the password... and Impacket is useless... I've tried every script...