[HTB] Forest — Write-up

Welcome to the HTB Forest write-up! This box was an easy-difficulty Windows box. The attack vectors were realistic Active Directory exploitation techniques.
Initial Access
We will identify a user that doesn’t require Kerberos pre-authentication. With that, we can perform AS-REP Roasting to grab her password hash. After cracking the hash, we can log into the system via the exposed WinRM service.
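As an added defender-side check (not code from the original write-up), the script below flags accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, which is the condition AS-REP Roasting depends on. The account records are constructed sample data; the LDAP filter constant is the one an audit against a real directory would use.

```python
# Added example: audit an AD user export for accounts exposed to AS-REP Roasting.
# userAccountControl bits (documented Microsoft values):
DONT_REQ_PREAUTH = 0x400000   # Kerberos pre-authentication not required
ACCOUNTDISABLE = 0x0002       # account is disabled
NORMAL_ACCOUNT = 0x0200       # ordinary user account

# LDAP filter using the bitwise-AND matching rule; run it against your own DC
# with any LDAP client to list the same accounts directly (4194304 == 0x400000).
AUDIT_FILTER = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"

# Constructed sample records, shaped like the attributes an LDAP search returns.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": "512"},         # normal
    {"sAMAccountName": "svc-backup", "userAccountControl": "4194816"}, # no pre-auth
    {"sAMAccountName": "old-temp", "userAccountControl": "4194818"},   # no pre-auth, disabled
    {"sAMAccountName": "krbtgt", "userAccountControl": "514"},         # disabled
]


def preauth_disabled(uac: int) -> bool:
    """True when the DONT_REQ_PREAUTH bit is set."""
    return bool(uac & DONT_REQ_PREAUTH)


def asrep_exposed(users, include_disabled=False):
    """Return sAMAccountNames that can be AS-REP roasted.

    Disabled accounts are skipped by default: the KDC will not issue an AS-REP
    for them, so they carry no live exposure, but pass include_disabled=True to
    report them for hygiene (clear the flag before the account is ever re-enabled).
    """
    found = []
    for u in users:
        uac = int(u["userAccountControl"])   # LDAP returns the value as a string
        if not preauth_disabled(uac):
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(u["sAMAccountName"])
    return found


if __name__ == "__main__":
    for name in asrep_exposed(SAMPLE_USERS):
        print(f"[!] {name}: DONT_REQ_PREAUTH set; enable pre-auth or, if the "
              f"application truly needs it, use a long random password and monitor")
```

The same audit in PowerShell on a domain-joined host is `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}`.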
Privilege Escalation
The user is a member of the “Account Operators” group, which is responsible for user account management (add/delete/modify). With that access, we can create a new user and add it to the “Exchange Windows Permissions” group, which by default can perform replication on the Domain Controller (i.e. DCSync). Doing that, we can get the NTLM hash for the Administrator user to root the box.
Let’s get started!

Recon
Nmap
Let’s begin with an initial port scan using the following command:
$ nmap -Pn --open -sC -sV -p- -T4 10.10.10.161

Interesting Ports to Note:
- Kerberos (88/TCP) — Windows Kerberos protocol service.
- LDAP (389/TCP) — Active Directory LDAP. LDAP normally provides verbose information about the AD, and if anonymous bind is allowed, we can query a lot of useful AD information, such as user details.
- SMB (445/TCP) — Windows Server Message Block (“SMB”) protocol. For SMB, it is always good to check whether a null session is allowed. If it is, we can enumerate a lot of useful AD information, as with LDAP.
- WinRM (5985/TCP) — Microsoft implementation of WS-Management protocol. This can allow a remote connection via PowerShell.