Sauna

Finally rooted my first machine. Thx for all your help, especially @th3jiv3r and @VbScrub

Rooted it thanks to some help from @VbScrub. Very fun box, first Windows box I’ve been able to root in a while.

@sparrow1 congrats!!

I made a tool to assist for the foothold, read comments so you aren’t feeling lost :smiley:

I’ve got user and I’m on my way to root. I’m trying to get the hound working but running into some issues as I’m not too familiar with the tool despite a lot of google research. Is anyone available to assist with this?
Also noticed something odd, I used something el to login to the box using F*** and found an interesting txt there. I used cat and found s***-*****r creds in cleartext? I don’t think this was supposed to happen?

@CSN said:

Also noticed something odd, I used something el to login to the box using F*** and found an interesting txt there. I used cat and found s***-*****r creds in cleartext? I don’t think this was supposed to happen?

Yes and no. They are somewhere in clear, but not inside a text file :wink:
You are on the right track, though. Keep digging and you should be good to go.

I've spent a day looking for a way to get a foothold. SMB is turning up no shares, rooting through the website… any nudge for the foothold would be greatly appreciated, and any suggestion for tools etc.

What happened with the evil open port? It was open the previous day, but now it keeps showing as filtered, unable to connect… :frowning:

Finally rooted this one.
Curious, since I was at a loss with this last step even if I already had all the required information :slight_smile:
But doing another Win box helped me understand how to do the last steps.
Thanks for this training on doing correct enumeration, review what I got and using this as input for the needed tasks!

Tip: just copy & paste is not the right way … verify what you got :wink:

Tip: just copy & paste is not the right way … verify what you got :wink:

Yup. Remember your shell treats some characters differently. Sometimes it needs little… backstab :wink:

wasted 3 hrs in guessing username…

Initial: guessing the username is too painful, overthinking by adding the name of the role (don't do it!), dogs will help you
user1: simple, just enum
root: hunting dog is helpful

just got root.

user1 : find something word-related and use combinatorial logic from the page, then shoot them all at the box
user2 : just enumerate using Pow****** and you get what you want
Root : Using that cred and the pocket to shoot down the root!

thanks a lot to @cyberafro , @FDS , and @gverre

@Rainsec said:


I made a tool to assist for the foothold, read comments so you aren’t feeling lost :smiley:

you're my hero

Finally rooted ?
Man this was tough. Took me like 5 days now, and “thanks to Corona” I really have a lot of time for pen testing stuff these days…
But ok this was basically my first AD machine and I had (and still have) to learn a lot.

The videos by @VbScrub (https://www.youtube.com/channel/UCpoyhjwNIWZmsiKNKpsMAQQ) definitely helped me a lot to get a basic understanding of what AD is, how it works, and even explained some attack scenarios and how they actually work. Awesome job, man! Thanks a lot!

My route:

  • User1: Was kind of guessing for me, but I think there are definitely tools out there that could help or make this somewhat easier. Anyway everything you need is there, “just” find it and “feed the snake”
  • User2: Rabbit hole? 0_o
  • User3: Using evil powers and probably basic windows enum (at least this will have a fix place in my windows enum toolbox in the future!)
  • Admin: “Return of the snake”, just a bit different food :wink:

Actually I hated these “snake” hints a bit, but now everything came together and makes sense to me. Thanks guys for all those tips here in the forums!

@d4Rk1337 cheers, glad to hear the videos helped :slight_smile:

I have a username and pass but every connection attempt for a shell times out. Looking for someone to help confirm that I’m on the right path and the timeouts are not self-inflicted. Any messages are appreciated.

Edit: Was just an issue with the box apparently. Rooted.

@Hazard said:

I have a username and pass but every connection attempt for a shell times out. Looking for someone to help confirm that I’m on the right path and the timeouts are not self-inflicted. Any messages are appreciated.

Hi mate, I think I am in the same place as you… just trying to use those creds s**_er:Mon*************! somewhere and no luck…

any hint here?

EDIT
OK I got it… so many hours in this hole… for those trying to use those creds from enumeration with Wm, just check the username: it's exactly that one, with other outputs (like rp*ct). Then just use the same tool for login as USER1.

Great machine. Just rooted. Lot like Forest.

Time to go check my clients domains against this sort of stuff.

PM for root or user hints.

That taught me a ton and very glad to finally have got system. Thanks @VBScrub for the material made available online, and @thammarit, @d4Rk1337 for the pointers.

User1: Enumeration is key. You will want to search for usernames and make an educated guess on what usernames may be based on AD convention. For example, a user named John Doe may have an account called john.doe, johndoe, jdoe, j_doe, etc. If you know how to script, it should be fairly easy to generate a text file with all of the possible usernames and use that file to find a valid login.

User2: You will now have access to the machine and can now enumerate there. There are some tools out there that can help speed this process up.

Root: Once you have User2’s credentials, you can utilize these to access the Administrator account’s secrets.

Some tools I would recommend learning about are evil-winrm, the impacket suite, and Windows privilege escalation tools.

To address a couple rabbit holes:

  1. You do not need Bloodhound for this box.
  2. There are only two relevant users and the administrator account. You do not need a third user to obtain root.

I would rate this as an easy-medium box. If you have completed a box such as Forest before or have experience with Active Directory, it will be much easier to root compared to someone with very limited experience with Windows boxes or AD. However, there are still plenty of differences between this box and other Windows AD boxes to keep you guessing.
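The username-generation step the post above describes, as an added example that is not from the thread or any tool mentioned in it: given full names collected during enumeration, build the candidate login list following the john.doe / johndoe / jdoe / j_doe convention. The format list and the sample names are constructed for illustration.

```python
import re

# Candidate account-name formats commonly seen in AD environments, following
# the pattern the post gives (john.doe, johndoe, jdoe, j_doe, ...). Assumed list.
FORMATS = (
    "{first}.{last}",
    "{first}{last}",
    "{f}{last}",
    "{f}.{last}",
    "{f}_{last}",
    "{first}_{last}",
    "{last}.{first}",
    "{last}{first}",
    "{last}{f}",
    "{first}",
    "{last}",
)

def normalize(token: str) -> str:
    """Lower-case and drop characters that do not appear in simple logins (e.g. O'Brien -> obrien)."""
    return re.sub(r"[^a-z0-9]", "", token.lower())

def candidates(full_name: str) -> list[str]:
    """Return the de-duplicated list of plausible account names for one person, in FORMATS order."""
    parts = [p for p in (normalize(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:          # single-word name: nothing to combine
        return [parts[0]]
    first, last = parts[0], parts[-1]   # middle names are ignored
    seen: list[str] = []
    for fmt in FORMATS:
        name = fmt.format(first=first, last=last, f=first[0])
        if name not in seen:
            seen.append(name)
    return seen

def build_wordlist(names: list[str]) -> list[str]:
    """Combine candidates for every name, keeping order and dropping repeats across people."""
    out: list[str] = []
    for n in names:
        for c in candidates(n):
            if c not in out:
                out.append(c)
    return out

if __name__ == "__main__":
    # Constructed sample input standing in for names found on the target's website.
    for user in build_wordlist(["John Doe", "Jane O'Brien"]):
        print(user)
```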