I am new to HTB. I have no idea what tools I should be using in order to get the usernames. I ran an nmap scan and found which ports are open. I tried looking for exploits for the Windows version running on the server but it did not lead me anywhere. Where should I start looking? I understood by reading in the forum that I need to make a list of possible usernames and somehow check which ones actually exist.
I understood also that the “Im****et” tool should come in handy but again I have no clue how to use it.
A very straightforward box with a lot of concepts already tried and tested in different machines. I liked the initial foothold. There are multiple ways to go around it. You can guess or you can make a logical analysis with a simple script and then continue to build the attack.
Once you get to the first user, there is a very tempting attack that will eat a lot of your time if you try to execute it. However, if you pay close attention and utilize the dogs properly the root is a matter of minutes. Sometimes when you see the usernames as prefixed with those letters, there is always a window of opportunity to execute the said attack.
Enjoy the box!
When I try to use the dog, I get 0 results back using both the first and second user accounts. Is there something that I’m doing wrong?
I am not sure, but when I ran the dog, it didn’t show me any clear ways to get privesc. I was able to do it with a different tool to get root.
If someone wants to show me another way to do something, I would be more than grateful!
Anybody know how to fix this? I get the error and tried fixing the time on the local machine based on the output of the server. Does the time zone have an impact?
Hey, did you get an answer on this? I’m having a similar issue.
Rooted the box, but I am not sure what was the reason for this to work. Is there anybody who could explain it to me? After research about AD groups and permissions I feel a little bit lost.
@VoltK said:
Rooted the box, but I am not sure what was the reason for this to work. Is there anybody who could explain it to me? After research about AD groups and permissions I feel a little bit lost.
Send me a PM with exactly which bit you’re confused about and I’ll be happy to explain.
User gained. So far it’s almost identical to Forest’s box, so if you’ve made that box, I don’t think you’ll have any problems.
The only different part is getting the user’s name.
My advice: check the users of the site and follow the naming convention of the user names for AD.
Hey there. I got the smgr account and his pass.
Now I’m a bit lost. I try to find something in my imt toolkit to dump some secrets but nothing seems to work. s********p.py was my hope. But no results. Am I on the right path? Something missing?
Yea, I’m stuck guys… I got both low priv users’ creds but can’t find a way to execute commands on the machine… I’ve done a ■■■■ ton of enumeration. My dog.py is sick or something and errors when trying to enumerate the box with my two users. Can someone hit me up and give me a nudge so I can get going on this box, please? Thank you all!
Having gone through a fresh piece of ■■■■ with another box that has similar ports & services to target, Sanua came with a bit less of those frustrations, or ‘growing pains’, than the aforementioned active box that I won’t name as I think it’s already named in the thread somewhere… but the cryptic hint is “if you take a step back, you can see THIS from the trees…”
Boxes like these make me realize I have a lot to learn about Active Directory methodology and what to look for and do, etc.
Advice is: stick with it, and as much as you want to race to the flags, don’t rush it. There is a lot of knowledge to be gained from this box and others like it. The value you will gain is worth more than the points assigned to the box, IMO.
I finally got to root this and it took everything I’ve learned… here’s some hints… For users I was able to take “many guesses” of the users that can auth to the system. Some say they were able to enumerate this using other means but I know of a tool that can do many guesses against a very specific AD service. This tool will also let you know if you have VALID users or if users “do not exist”.
Getting the foothold: I didn’t use web or smb for this. There’s other ways to log on to the system than these and a particularly “evil” way will probably work best.
something something something…skipping stuff you gotta do…