Hack the Box – Forest Writeup

Forest is a Windows based easy box.

You will learn the following by exploiting the machine:

  • Enumeration of Windows domain services and gathering of users
  • How to list the users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH) and obtain TGTs for them
  • How to get a shell through the Windows Remote Management (WinRM) service

As usual, I added the IP of the Forest machine to /etc/hosts as forest.htb and started off with an nmap port scan.

I found several open ports, which looked interesting. From the scan report and the open ports, the machine is most likely a domain controller for the domain “htb.local“. Domain services such as Kerberos, LDAP, SMB and WinRM are open and accessible from the internet, which in reality is a huge vulnerability.

So, having been a Windows system administrator for more than 10 years, I knew where to start. I can use a tool called enum4linux to see if I can enumerate users and other domain information.

As expected, the enum4linux command returned a lot of information. Within it, I found a few users: sebastien, lucinda, andy, mark, santi, and a service account called svc-alfresco. I also found that the domain policy was loosely configured: no password complexity is enforced, which hints that passwords can be easily cracked. I also found that the server has a Microsoft Exchange instance installed.

From my past experience, I decided to run impacket/GetNPUsers.py (https://github.com/SecureAuthCorp/impacket/blob/master/examples/GetNPUsers.py) to see if I could find the users that have the property Do not require Kerberos pre-authentication set (UF_DONT_REQUIRE_PREAUTH).

I tried the user names I gathered in the previous step, but none worked. Luckily, the service account svc-alfresco revealed its TGT (ticket-granting ticket).
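The property that GetNPUsers.py looks for is a bit in the account's userAccountControl attribute, and a domain controller records every TGT issued without pre-authentication in Security event 4768 with a Pre-Authentication Type of 0. The following is an added example from the defender's side, not code from the writeup or from impacket: it audits constructed directory records for the flag, shows how the flag is cleared, and runs a simple detection over constructed event lines. All account names besides those mentioned in the writeup, the userAccountControl values and the event lines are made up for the example.

```python
"""Audit and detect Kerberos accounts that do not require pre-authentication.

Added example; not the writeup's code and not impacket's. All records and
log lines below are constructed for illustration.
"""
from collections import deque  # unused here; kept out of the audit on purpose

# Bits of the AD userAccountControl attribute used in this example.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000  # 4194304: the flag GetNPUsers.py keys on

# Constructed records (sAMAccountName -> userAccountControl), shaped like an
# LDAP export. The values are invented; only the names are from the writeup.
SAMPLE_ACCOUNTS = {
    "sebastien": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "lucinda": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "svc-alfresco": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH,
    "old-svc": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,  # hypothetical
}


def accounts_without_preauth(records, include_disabled=False):
    """Names of accounts whose userAccountControl has DONT_REQUIRE_PREAUTH set.

    Disabled accounts are skipped by default because the KDC will not issue
    them a ticket; pass include_disabled=True for a full hygiene report.
    """
    found = []
    for name, uac in records.items():
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return sorted(found)


def clear_preauth_flag(uac):
    """The remediation: the same userAccountControl value with the bit cleared."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


# Detection side. Event 4768 ("A Kerberos authentication ticket (TGT) was
# requested") carries a Pre-Authentication Type field; 0 means the TGT was
# issued with no pre-authentication at all. The lines below are constructed,
# flattened "key=value; key=value" renderings of such events.
SAMPLE_EVENTS = [
    "EventID=4768; Account Name=andy; Client Address=10.10.14.5; Pre-Authentication Type=2",
    "EventID=4768; Account Name=svc-alfresco; Client Address=10.10.14.5; Pre-Authentication Type=0",
    "EventID=4769; Account Name=mark; Service Name=cifs; Pre-Authentication Type=2",
    "EventID=4768; Account Name=mark; Client Address=10.10.14.5; Pre-Authentication Type=0",
]


def parse_event(line):
    """Split one flattened event line into a dict of its fields."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def preauth_disabled_tgt_requests(lines):
    """(account, client address) for every 4768 with Pre-Authentication Type 0."""
    hits = []
    for line in lines:
        fields = parse_event(line)
        if fields.get("EventID") == "4768" and fields.get("Pre-Authentication Type") == "0":
            hits.append((fields.get("Account Name", "?"), fields.get("Client Address", "?")))
    return hits


if __name__ == "__main__":
    print("accounts with pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
    print("including disabled accounts:   ", accounts_without_preauth(SAMPLE_ACCOUNTS, True))
    print("TGTs issued without pre-auth:  ", preauth_disabled_tgt_requests(SAMPLE_EVENTS))
```

Against a live domain the records would come from an LDAP query for userAccountControl and the events from the domain controllers' Security logs; a single client address requesting no-pre-auth TGTs for several accounts in a short window, as in the last two sample events, is the pattern worth alerting on.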

I knew I could crack that hash using hashcat.

Using the rockyou.txt wordlist with hashcat, I cracked the password of the service account: svc-alfresco:s3rvice

The next step was to get a shell. There is a WinRM shell tool called Evil-WinRM on GitHub that gives me a shell if I have the right credentials. Since I had svc-alfresco’s credentials, I fired up Evil-WinRM after a slight modification of the command.

Getting User.txt

I immediately got a shell as svc-alfresco and grabbed user.txt.

Privilege Escalation

Now that I had a user shell, my next goal was to get an admin shell. Someone on the HTB forum said that SharpHound.ps1 can be used to identify a possible route to domain admin, but this script needs to be uploaded to the Forest machine.


Since the user svc-alfresco has the right to create a folder in C:\, I made a temporary directory called temp. Now that I had this directory, I uploaded the SharpHound.ps1 file into it.

With the SharpHound.ps1 file uploaded, I imported it into the PowerShell session so that I could run it.

Import-module ./SharpHound.ps1

Invoke-BloodHound -CollectionMethod All

As soon as I ran this command, a zip file appeared in the same directory.

I downloaded the zip file and, once the transfer completed, loaded it into BloodHound by simply dragging and dropping it.

BloodHound revealed that any user who is a member of the ‘Exchange Windows Permissions’ group can write the ACL of the entire HTB.Local domain.
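What BloodHound surfaces here is the combination of an ACE on the domain object and the nested group memberships that let an ordinary account inherit it. The following is an added example, not the writeup's code and not BloodHound's: a small audit that resolves transitive group membership and reports which users end up holding ACL-writing rights on the domain object, which is the check a defender would run to find and remove such a chain. The ‘Exchange Windows Permissions’ group and the user names come from the writeup; the membership chain, the other groups and the ACE list are constructed for illustration and are not the real Forest data.

```python
"""Audit who effectively holds ACL-writing rights on the domain object.

Added example; not the writeup's code and not BloodHound's. The membership
graph and ACE list are constructed for illustration.
"""
from collections import deque

# Rights on the domain object that let the holder take full control of it:
# write its DACL, take ownership, or everything at once.
DANGEROUS_RIGHTS = {"WriteDacl", "WriteOwner", "GenericAll"}

# Direct membership: principal -> groups it is directly a member of.
# Constructed; "Service Accounts" and "Exchange Trusted Subsystem" are
# hypothetical names for this example.
MEMBER_OF = {
    "svc-alfresco": {"Service Accounts"},
    "Service Accounts": {"Exchange Windows Permissions"},
    "Exchange Trusted Subsystem": {"Exchange Windows Permissions"},
    "andy": {"Domain Users"},
    "mark": {"Domain Users"},
}

# ACEs on the domain object as (trustee, right) pairs. Constructed.
DOMAIN_ACES = [
    ("Domain Admins", "GenericAll"),
    ("Exchange Windows Permissions", "WriteDacl"),
    ("Domain Users", "ReadProperty"),
]


def effective_groups(principal, member_of):
    """All groups the principal belongs to, directly or through nesting.

    Breadth-first walk over the membership graph; the seen-set makes it safe
    against circular group memberships.
    """
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in member_of.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def dangerous_rights_on_domain(principal, member_of, aces):
    """Map each dangerous right the principal holds to the trustee granting it."""
    holders = {principal} | effective_groups(principal, member_of)
    return {
        right: trustee
        for trustee, right in aces
        if trustee in holders and right in DANGEROUS_RIGHTS
    }


def audit(users, member_of, aces):
    """Report only the users that hold at least one dangerous right."""
    report = {}
    for user in users:
        rights = dangerous_rights_on_domain(user, member_of, aces)
        if rights:
            report[user] = rights
    return report


if __name__ == "__main__":
    for user, rights in audit(["svc-alfresco", "andy", "mark"], MEMBER_OF, DOMAIN_ACES).items():
        for right, via in rights.items():
            print(f"{user} holds {right} on the domain object via {via}")
```

The output names both the user and the group through which the right is inherited, so the fix is visible in the same line: either prune the membership chain that leads into the privileged group, or remove the over-broad ACE from the domain object.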

I immediately gave the user svc-alfresco the required permission.

Now that I had a possible route, I decided to use the impacket tool ntlmrelayx.py.

Now I needed to authorize the connection: I browsed to http://localhost/privexchange and logged in as user svc-alfresco to authenticate the action. As soon as I authenticated, I could see that the user svc-alfresco had been granted the permission.

I went on to get the Administrator's hash using the impacket-secretsdump tool.

And we have the password hash for htb.local/Administrator. I used impacket/wmiexec.py to pass the hash and get root.txt.


Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523

5 months ago

PRO TIP: you could also use the “-request” option in GetNPUsers to get hashes of users without enumerating users 😉

Reply to 0verflowme
5 months ago

Need to browse the http://localhost/privexchange. And how to do it? Thx :-). I got root, not in the way.

4 months ago

Why did you confidently say that svc-alfresco is a service account based on the enum4linux output?

3 months ago

Hello, when I browse to http://localhost/privexchange I get stuck on [*] Domain info dumped into lootdir! Yesterday it somehow worked, but I'm probably making the problem here. Do I have to install privexchange on localhost?
