MovieBaaz.com

Forest Hackthebox Walkthrough

Because LDAP is open, you can enumerate domain information without authentication using enum4linux-ng or rpcclient.

enum4linux-ng -A

This step reveals the internal domain name: HTB.LOCAL.

Phase 2: Weaponization and User Access

Account Operators can create new users and add them to groups that are not protected by AdminSDHolder.

1. Create a Malicious User

We use the rpcinfo tool to enumerate the RPC services.

Once connected, navigate to the Desktop directory to capture your first prize.

type C:\Users\svc-alfresco\Desktop\user.txt

Phase 4: Privilege Escalation to SYSTEM

We are in! However, svc-account is not a domain admin. We need to find a path to escalation.

Analyzing with BloodHound

The machine's initial foothold relies on AS-REP Roasting, an attack that targets users with the "Do not require Kerberos preauthentication" attribute enabled.

sudo nmap -p53,88,135,139,389,445,593,636,3269,5985,9389 -sC -sV -A <Forest_IP>

Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

The results reveal that we have gained privileges.

Now that we have a list of potential usernames, we can test them for a vulnerability called "AS-REP Roasting". In Active Directory, some user accounts, especially service accounts, are configured with "Kerberos pre-authentication" disabled. This means an attacker can request an encrypted Ticket Granting Ticket (TGT) for that user without ever providing a password. The TGT is encrypted with the user's password hash, which we can then download and crack offline.

Now that we have low-privileged credentials, we can interact with the domain. We check if svc-account has WinRM access.

evil-winrm -i 10.10.10.161 -u 'svc-account' -p 'PASSWORD'

As an Account Operator, create a new malicious domain user account.

net user attacker Password123! /add /domain

Step 2: Add the User to Exchange Groups

Forest
OS: Windows
Difficulty: Easy
Release Date: October 2019
Retired Status: Yes

to request a Ticket-Granting Ticket (TGT) for these users. If successful, you'll receive a hash.

Crack the hash offline (e.g., using ) to retrieve the plaintext password.

Use the credentials to log in via WinRM (e.g., using evil-winrm) to grab the

We can leverage the impacket suite to perform this attack:

Perform a Pass-the-Hash attack using evil-winrm to log in as the Domain Administrator:

Use Impacket’s secretsdump.py with your new user's credentials to dump all domain hashes, including the Administrator NTLM hash.

Forest is a standout machine on the Hack The Box platform, designed to simulate a real-world Active Directory (AD) environment with a Domain Controller (DC) for the domain HTB.LOCAL. Unlike many CTF challenges that focus on a single isolated vulnerability, Forest requires a chain of sophisticated techniques, from anonymous enumeration and Kerberos attacks to privilege escalation and full domain compromise.

Add your new user to the group.

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice