HTB Forest: Walkthrough
This machine starts off with LDAP anonymous bind enabled on the domain controller, which lets us enumerate users and discover one account that does not require Kerberos pre-authentication. We perform an AS-REP Roasting attack against that account, crack the password offline, and use it to get a shell over WinRM. We then use BloodHound to map domain privileges and find that the user sits in a few privileged groups. Abusing those leads to a DCSync attack against the DC, which compromises the domain.
0) Machine Overview
1) Scans
The open ports point to an Active Directory domain controller. After some enumeration, with help from HackTricks, we find that the DC's LDAP service accepts anonymous binds, which lets us query the directory without credentials for all kinds of information. Most importantly, we want a list of users.
2) LDAP Enumeration
We first use ldapsearch. (Here I specified CN=Users as the search base to gather some user information; that particular query didn't return much, but getting any result back at all proves that anonymous bind works. Check HackTricks for more on syntax and tool usage.)
Turns out ldapsearch is useful after all: the reason the interesting accounts didn't show up is that they live under OU=Employees rather than CN=Users.
Now that we have a list of users, let's see if any of them have the "Do not require Kerberos preauthentication" flag set. This is the DONT_REQ_PREAUTH bit (0x400000) in the userAccountControl attribute, so the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304) isolates exactly those accounts. Without pre-authentication, anyone can request an AS-REP for the account, and the encrypted part of that reply is derived from the account's password, which makes it crackable offline.
What we're about to do is called AS-REP Roasting.
3) AS-REP Roasting
Now we can use GetNPUsers.py from Impacket, which does this for us. (If confused, check the link up above.) The two examples below are the tool's own, using its placeholder domain jurassic.park. We can either give a list of usernames along with the domain:
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Or we can supply credentials and let the tool automatically grab us a list of users:
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
In our case, since we know anonymous bind is enabled, we can provide no credentials at all and still have the tool retrieve the users for us: just the domain followed by a slash, with no user:password part (so no colon either). With -request, it asks for an AS-REP for every account it finds with pre-authentication disabled.
That means we can now try to crack svc-alfresco's password offline. The -format hashcat output ($krb5asrep$23$...) is hashcat mode 18200.
Now that we have credentials, we can look back at the open services and see which one we can use to connect.
WinRM is open, so we can try evil-winrm:
How about psexec.py, since SMB is open?
No luck, which is expected: psexec.py needs write access to an administrative share (it uploads a service binary to ADMIN$), and a regular service account doesn't have that. In any case, we have a foothold. Let's begin with some enumeration via BloodHound.
4) Privilege Escalation
For this, I uploaded SharpHound.ps1 via WinRM, but I couldn't get it to work properly. So let's try the Python ingester, BloodHound.py, from our own machine:
Now we import the collected JSON into BloodHound. With some research we can find documentation on the privileges that svc-alfresco holds.
The path is short: svc-alfresco's nested group memberships give it Account Operators rights, so it can create a new user and add that user to "Exchange Windows Permissions". Members of that group have WriteDacl on the domain object, so the new user can grant himself the two replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that make up DCSync, and we then use that user to perform the DCSync attack.
Now he just needs to give himself DCSync rights, which we can do with PowerView. (NOTE: BloodHound actually shows you how to abuse each edge if you right-click a path and select the Help option.)
First, since some kind of AV is blocking scripts run from disk, we load PowerView straight into memory and run it from there instead of writing it to the filesystem:
Now that it is running in memory, we give our user "bob" DCSync privileges:
Now that that's done, we simply run secretsdump.py as bob from our own machine; it performs the DCSync remotely over the directory replication service and dumps the NTDS hashes, including the Administrator NT hash:
Now we can pass the hash (PtH) as Administrator, through either psexec.py or evil-winrm.
Pwned.