Forest

Finally rooteeeeeed!!!
So glad of me xD!

Hints…:

User: every single hint described here is the SOLUTION… so read comments! It’s only about which tools you are using to enumerate… (that was my only problem).

ROOT:
Remember that there is an attack that is more than 20 years old, which is directly connected to SSO.
Don’t waste your time with NyanCat, it’s really fast, just remember these words (not the meaning…) while trying to root:

“A trusted exchange with a secret, is evil”
(whoever rooted this machine my way will, I think, laugh until tomorrow)

Thank you creators.

I’ve been trying to get root for a couple of days now when I had a chance.
I got really stuck, I know the path to the exchange so I can take the dump, but it’s not working. I’m doing the user changes manually so I can use the python tool, but maybe there are too many people changing the user with scripts?

Or maybe I’m not doing the permissions right?

Please help! PM me, maybe?

This should be pretty simple.

EDIT: Rooted!!

*Evil-ToOl* PS C:\Users\Administrator\Desktop> whoami /Groups

GROUP INFORMATION
-----------------

Group Name                                  Type             SID                                           Attributes
==========================================  ================ ============================================= ===============================================================
Everyone                                    Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                      Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                               Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
HTB\Group Policy Creator Owners             Group            S-1-5-21-3072663084-364016917-1341370565-520  Mandatory group, Enabled by default, Enabled group
HTB\Domain Admins                           Group            S-1-5-21-3072663084-364016917-1341370565-512  Mandatory group, Enabled by default, Enabled group
HTB\Enterprise Admins                       Group            S-1-5-21-3072663084-364016917-1341370565-519  Mandatory group, Enabled by default, Enabled group
HTB\Organization Management                 Group            S-1-5-21-3072663084-364016917-1341370565-1104 Mandatory group, Enabled by default, Enabled group
HTB\Schema Admins                           Group            S-1-5-21-3072663084-364016917-1341370565-518  Mandatory group, Enabled by default, Enabled group
~HTB\Denied RODC Password Replication Group Alias            S-1-5-21-3072663084-364016917-1341370565-572  Mandatory group, Enabled by default, Enabled group, Local Group~
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level        Label            S-1-16-12288

Thanks @VbScrub for pointing out my mistake, and @trab3nd0 for confirming my thinking

Hey guys,

I have user, but I am stuck on root.

I would like to share with you what I have tried so far, but perhaps you can give me a tip about the process so that I can go one step further.

I found a couple of interesting files that you can usually get something out of. But now I get an error with almost every tool.

I hope you can help me further.

thanks in advance

I’m a bit late to the games, but I enjoyed that box.
Rooted
anyone needs a steer - PM me

P0w3nd!
doggo did the job for sure
anyone hijacked any dll or anything…let me know
peace out

Rooted…and just as I did I see that Bloodhound upgraded to 3.0 on Kali. LOL. Oh well.

I learned a great deal on this box, a fantastic job and was well worth my frustration.

User: Enum…and look up impacket’s tools for options.

Root: Look at Ippsec’s active video and the tools he uses. Then look at Empire’s tools.

Now, I’m trying to get root. I don’t know the correct path from “Dog”…

Okay so I have nearly been stuck on root for 4 days solid.

I’m trying to be careful with this comment so I don’t spoil it for anyone else. If my comment doesn’t make sense please PM me.

I have the dog and see I have to write four letters.

I had a look at dirkjan pr********ge attack but that doesn’t work for me.

I also had a look at trying the Three Letter Pwn.ps1 method, but it fails on the dog finding the three letter objects.

I have tried PerV*.ps1, to do something such as add a three letter word so I can reset something juicy. But that isn’t a recognized commandlet for some reason, even though I have imported the module.

I have read up as much as possible and tried my best but I still can’t seem to grasp the concept. I wanted to avoid as much as possible coming to the forums however I have finally been defeated…

Can anyone please help and nudge me in the correct direction, I feel I am right there but I still can’t see it… it’s driving me mad.

drop me a pm

I am having an issue with the hound. When I import the JSON files into the program, via the .zip file, I still show nothing in the DB. There’s no error and it appears to be importing but everything shows 0. Any ideas? I did check the JSON files and there’s data in them.

Can I get some assistance with root. I’ve read tons of articles and have learned so much about AD. Got the hound working fine and understand exchange is the way. Loaded up ntl***x and pr****x and I am getting nothing but errors. I’m sure I’m missing a step or am having problems with syntax. Any help would be greatly appreciated.

I think ntl***x and pr****x are essential to get root. However, prx accesses port 80 or 443 on the target host. In this case, the port may be closed. What tools should I use instead of prx?

@alicemacs said:
I think ntl***x and pr****x are essential to get root. However, prx accesses port 80 or 443 on the target host. In this case, the port may be closed. What tools should I use instead of prx?

No, ntl*****x is not essential to get root. In fact it gains you nothing you don’t already have (and I don’t even think it will work on this machine in the way you guys are trying to use it, but I’ve not confirmed that). Just because a blog post says they used that tool to gain certain permissions, does not mean we need to use it on this machine. They’re using it to become a member of a certain group, but maybe we already have the ability to just put ourselves in that group…

@Xtronum see above

Awesome machine, now I know a lot about AD!

Awesome, finally got this box. Took a few hints and learned a good deal about Windows and AD hacking.

Can anyone DM me to give me a hint on why when I add a user to the domain and necessary groups to get Dsy rights, it keeps telling me the user cannot be found in the database? Even though I can pull up my user info using Get-ADUser while connected to the machine.

I can create a new user, but can’t log in using evil with that user or run A**pwn.py to give the user dsy* rights and dump secrets. I can give svc dsy rights, but then I can’t dump secrets after. It’s driving me crazy.

After days of trying for root I finally need to ask for help. I believe I’ve successfully completed everything in Bd but I can’t figure out the final step. The cat gives me errors and sp.py also says it can’t connect. I can get a e**-w*** session going as the new user but I can’t get further. A PM would be much appreciated

@chicxulub said:
Can anyone DM me to give me a hint on why when I add a user to the domain and necessary groups to get Dsy rights, it keeps telling me the user cannot be found in the database? Even though I can pull up my user info using Get-ADUser while connected to the machine.

Send me a PM with the exact commands you’re running to do all of this

@VbScrub said:

@alicemacs said:
I think ntl***x and pr****x are essential to get root. However, prx accesses port 80 or 443 on the target host. In this case, the port may be closed. What tools should I use instead of prx?

No, ntl*****x is not essential to get root. In fact it gains you nothing you don’t already have (and I don’t even think it will work on this machine in the way you guys are trying to use it, but I’ve not confirmed that). Just because a blog post says they used that tool to gain certain permissions, does not mean we need to use it on this machine. They’re using it to become a member of a certain group, but maybe we already have the ability to just put ourselves in that group…

@Xtronum see above

Thanks for your exact advice. I understand the next action and I have just gotten root!!

@MactheDice said:

Working on root. Using nx.py and p***e.py. I know the commands are right but get an error after putting in the password with p**********e.py. Someone msg me please.

Same here, can anyone help me?