Forest

Found user, logged in as user, created new user, can’t login as that user. Anyone able to provide a hint through PM?

Found this one very challenging to be honest.

It's definitely helped me in my PowerShell and Windows exploits knowledge.

Tips for root:

Use the dog to see the route to take
There are tools that can take the dog's results and exploit further.
This should give a dump of “loot”
Remember you don’t have to spend a long time cracking things when you could just pass them around instead.
I found myself going back to the suite of Python scripts I used at the start for the very last stage.

Hopefully that will give some direction or confirmation that you're on the correct path.

DM and I'll help if I can.

Hello all, can I PM someone on using the A*Lp** tool? I've attempted to use the PowerShell version and am getting multiple errors.

That was a really good box, having very little AD experience, learned a ton. Thanks for all the tips in this thread, really helped move things along.

I was stuck on getting a foothold for a day, then I asked for help and I discovered something weird.

  • I had a list of users from enum4linux.

  • I had the vulnerable services hash via GetN*******.py (but it was a wrong )

  • I cracked the hash with the cat and got a plaintext (different than the working one)

  • Trying to evil with no success.

  • Using the credential from the HelpGuy getting shell

  • Comparing flows, mine with the HelpGuy's, and the flow was the same.

Any idea why I get the wrong hash?

Rooted this after a week.

Here are my hints for those struggling

User
Standard enumeration should give you usernames
Imp**kt gives you a hash
Crack and use an evil way to get in

Root
Run the dog with params from the docs
Follow the dog but look for updated command syntax elsewhere
Create a new user for your experiment
Here there’s more than one way to do it, some use scripts, some do it manually, don't get confused reading the forum. Follow the dog.
When you do everything right and still don’t get what you need (weird error with the cat), keep trying, timing could be an issue. Try to be fast or try later (worked for me).
Imp**kt with hash gives you shell

If you find it useful, please leave some respect if possible (Login :: Hack The Box :: Penetration Testing Labs)
Remove/let me know if it's a spoiler.

Very good box, I always learn from these challenges.

Enumeration is the key, pay attention to services, names and listening ports of Windows.

User- in the first connection you get everything very easy.

Root- I love this kind of work, here it is important to keep in mind the biggest flag, in a simple way, you just have to follow the instructions and that’s it.

Tip, the biggest flag helps in SyStems.

If this results in a spoiler, remove …

Thanks to creator…

I didn’t have much experience with Active Directory and learnt so much doing this box. Thanks to @egre55 and @mrb3n for creating it! DM me if you're looking for specific hints…all the general hints you need are in the thread already.

First Windows rooted. If you need help, PM.

Any tips on where to look after finding the s**_a****** user? I still a pw for him…

Got user…

OK got Sharp running.

And now looking at info using the dog.

I see I am a member of a group.

I could really use a PM to nudge me in the right direction here…

I am stuck on root part.

  • I successfully uploaded the dogs to the target host.
  • But after executing, it doesn’t return anything.

Please ping me with hints.

I am open to discussion as well for root.
I know I have to grant some membership/permission to run the cat.
I have all those but the cat seems to fail me.

PM me to discuss.

@Saranraja said:

I am stuck on root part.

  • I successfully uploaded the dogs to the target host.
  • But after executing, it doesn’t return anything.

Please ping me with hints.

If you’re using the evil, once you’ve run your exe or ps1, type ‘menu’ and you will see what you can invoke.

Can somebody help me? I’m getting this error:
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
I don’t really know what I’m doing wrong.

Edit: NVM got it

Please can someone PM me - need help getting from s**_a******* to root.

Using the hound I believe I have identified a group I would like to be a member of but unable to add myself to it, the group is ‘A****** O********’.

Would really appreciate a PM here :slight_smile:

@TheRamen said:

Please can someone PM me - need help getting from s**_a******* to root.

Using the hound I believe I have identified a group I would like to be a member of but unable to add myself to it, the group is ‘A****** O********’.

Would really appreciate a PM here :slight_smile:

You need to move to one group and after that escalate with the technology of the box. Here are 2 important things running; pay attention to where you need to use the creds.

Just spent 2 hours trying to get user flag and eventually got it (thanks to some hints in this thread).

I gotta say for the user flag on a box marked as “easy”, it feels pretty harsh to have hidden the user account behind restrictive permissions so you can’t even see any of its attributes through normal L*** query. Even if we could have seen the account and its properties, it would still take a very keen eye to have noticed that the option was set on the account to not require K****** p** a********** and then decide to try and exploit that.

Feel like it would have been a nice hint and even though I doubt I would have picked up on it, it wouldn’t have felt unfair and would teach me to look out for that option on user accounts in future. The other boxes that @egre55 has made have been great at gently guiding us, so maybe I just hold him to a high standard and got used to them being a bit too friendly :wink:

EDIT: Just realised maybe this was done so that the various popular enum scripts don’t find it and just tell someone what to do straight away (■■■■, some of them might even just run the relevant impacket script automatically for you lol). If that’s the case then fair enough

I am getting this error after granting user with permission.

DRSR SessionError, can anyone give me a hint?

Thank you!