Hello everyone and welcome back to another write-up.
Today we going to own the Forest's box... It was retired 21 March 2020.

As always and first of all, scanning the box for ports. Here's the command I use to do so :

nmap -v -Pn -T4 -p- -sV -oA forest.htb

And here's the output :

Nothing special, but here we know that we have LDAP as an active directory, which means we know that we're going to use some tools in impacket repository.

Also we have a domain "htb.local" let's go ahead and add it to "/etc/hosts".


Now, let's launch our enumeration.
enum4linux -a

Fortunately the tool was able to access to rpcclient anonymously, which got us a list of users. Let's go a head and make our own "list_users.txt" to be able to use "GetNPUsers.py" from "Impacket"... Here's the link to the repo :

I run the command and boom we have a hash to crack, for the service account "svc-alfresco".

So the password is "s3rvice", let's go a head and connect to the machine using "evil-winrm"... And congrats you got the user flag.


I tried running "winPEAS" script but nothing interesting came up.

So I did what any reasonable man would do, running "bloodhound" to get a map of all the domains and users and...

Here's the repo :‌‌
‌‌ https://github.com/BloodHoundAD/BloodHound

As you can see I'm uploading the .exe to the machine so I can run it.

After running the .exe, you can see we have a .zip file. Let's download it into our computer.

download name_of_the_zip_file

Now, time to run BloodHound.

The neo4j is ready now the BloodHound.‌

‌As you can see it's running and working, let me sign in into my database.

Drag the zip file into BloodHound.

You don't have to do this, but if you want to learn more on your own you should.

‌We can see in  the  graph that our account "svc-alfresco" is a member EXCHANGE  WINDOWS  PERMISSIONS, which means he can write ACL(access control  list). In other  words he can edit permissions. So let's give him  the role.

I run aclpwn.py to give the permission.

Done. So now let's go a head and run secretsdump.py in the impacket repo.

We have hashes now... Let's go a head and log in with the hashes using evil-winrm.

And here we go, we have the root flag.

I hope you guys enjoyed this write-up... stay tuned for more. :D