Capture the flag (CTF)

Hack the Box (HTB) machines walkthrough series — Forest

April 16, 2020 by Security Ninja

Today we will be continuing with our exploration of Hack the Box (HTB) machines as seen in previous articles. This walkthrough is of an HTB machine named Forest.

HTB is an excellent platform that hosts machines running multiple OSes. It also offers other challenges. Individuals have to solve a puzzle (simple enumeration plus pentest) in order to log into the platform and download the VPN pack that connects them to the machines hosted on the HTB platform.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Forest, is retired.


The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Forest machine IP is
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain more information about the machine.
  4. As usual, let’s start with an nmap scan to learn more about the services running on this machine.
    <<nmap -sC -sV -oA Forest>>

  5. There are multiple ports shown in the output. As we can see, the server is currently showing kerberos, ldap, etc. as services, so it’s highly likely that it’s a domain controller.
  6. Let’s start the enumeration using enum4linux. We get the below users:
  7. We save them to a file and format it to get the required user names.
  8. Now let’s run the impacket script GetNPUsers to see if any user has “UF_DONT_REQUIRE_PREAUTH” set, so that we can grab a TGT for that user. Below, you can see that we got a TGT for a user.
    <<GetNPUsers htb.local/ -dc-ip -no-pass>>

  9. Let’s crack the TGT offline using hashcat (mode 18200 is Kerberos 5 AS-REP etype 23).
    <<hashcat -m 18200 --force>>

  10. Now we can use evil-winrm to log in with the above discovered creds and enumerate to grab user.txt.
    <<evil-winrm -u svc-alfresco -p -i>>

  11. Now let’s escalate privileges. For that, let’s first upload PowerView to look at different attributes of our user and its group memberships.
    <<Get-NetUser -Username svc-alfresco>>
    <<Get-NetGroup -username svc-alfresco>>

  12. Below are the groups available in the domain. Some of the groups listed carry default DACLs which can be abused. For example, by default, the group “Exchange Windows Permissions” has WriteDACL on the domain object.
  13. For this article, we will use BloodHound to map the whole environment. For that, we first will upload SharpHound to the victim machine.
    <<Invoke-BloodHound -CollectionMethod All>>

  14. We dot source to use it, and it generates a zip file.
  15. We set up a share to retrieve the zip file from the victim machine and upload it to BloodHound.
  16. As we can see, the group “Exchange Windows Permissions” still has its default permissions and is the weak link. Through GenericAll rights and group inheritance, we add our own user to “Exchange Windows Permissions”.
  17. Once that is done, we need to perform DCSync so that we can dump the hashes from the domain object.
  18. For all this, we can use the Fox-IT tool aclpwn. As can be seen, we have chosen path 0 (both paths were tested and both work).
  19. Once that is done, we can dump the creds of all users using any suitable tool. Here we have used impacket’s secretsdump, as shown below.
    <<./ htb/svc-alfresco:s3rvice@>>

  20. Since we now have the hashes, we can use them directly with evil-winrm to log in and grab the root flag.
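The account that made step 8 possible can be found from the directory side before anyone runs GetNPUsers. The following is an added example, not code from the original walkthrough or from impacket: it decodes the userAccountControl attribute of each account and reports the ones whose DONT_REQ_PREAUTH bit is set, with the other flag bits decoded alongside. The account records and names are constructed for illustration; in a real audit they would come from an LDAP query.

```python
"""Audit userAccountControl for accounts that need no Kerberos pre-authentication.

Added example (not from the original walkthrough or from impacket): the
defender-side counterpart of GetNPUsers. Instead of asking the KDC for
AS-REPs, it decodes the userAccountControl attribute of each account and
reports the ones whose DONT_REQ_PREAUTH bit is set, with the other known
flags decoded so the reviewer sees the whole picture. The account records
below are constructed; a real audit would pull them with an LDAP query such as
(userAccountControl:1.2.840.113556.1.4.803:=4194304).
"""

# Bit values follow the documented userAccountControl attribute layout.
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0000002
DONT_REQ_PREAUTH = 0x0400000

# Constructed sample directory records (account names are placeholders).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-backup",    "userAccountControl": 0x410200},
    {"sAMAccountName": "old-vendor",    "userAccountControl": 0x400202},
    {"sAMAccountName": "jdoe",          "userAccountControl": 0x200},
]


def decode_uac(value):
    """Return the names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def find_asrep_roastable(accounts, include_disabled=False):
    """Accounts the KDC will hand an AS-REP to without pre-authentication.

    Disabled accounts are skipped unless asked for: the KDC answers them with
    KDC_ERR_CLIENT_REVOKED, so they are not exposed right now, but the flag
    should still be cleared before such an account is ever re-enabled.
    """
    hits = []
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append({"sAMAccountName": acct["sAMAccountName"],
                     "flags": decode_uac(uac)})
    return hits


if __name__ == "__main__":
    for hit in find_asrep_roastable(SAMPLE_ACCOUNTS, include_disabled=True):
        print(f"{hit['sAMAccountName']}: {', '.join(hit['flags'])}")
```

For every account reported, the fix is to clear the flag (for example with Set-ADAccountControl -DoesNotRequirePreAuth $false); where a legacy application genuinely needs it, give the account a long random password so that an offline crack of the AS-REP, as in step 9, is not feasible.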

This was an interesting machine entirely focused on AD enumeration and attack.
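Two of the steps in this walkthrough, the AS-REP request in step 8 and the DCSync in step 19, leave distinct traces in the domain controller's Security log. The following is an added example, not part of the original walkthrough: detection logic run over constructed Windows Security events, flagging Event 4768 entries issued without pre-authentication and Event 4662 entries in which a principal other than a domain controller used the directory replication control access rights. The event records are constructed; the DC_ACCOUNTS and REPLICATION_ALLOWLIST sets are assumptions an operator would fill in for their own forest.

```python
"""Flag AS-REP roasting and DCSync in Windows Security events.

Added example, not part of the original walkthrough. Two attack steps on
this machine leave distinct traces on the domain controller:

  * AS-REP roast: a TGT request for an account that needs no
    pre-authentication. Event 4768 with PreAuthType 0; tools that want a
    crackable blob also ask for RC4, so TicketEncryptionType 0x17 is a
    second signal.
  * DCSync: a replication request against the domain object. Event 4662
    whose Properties carry the DS-Replication-Get-Changes control access
    rights, coming from something that is not a domain controller.

The events below are constructed dicts; real ones are parsed from the
Security log XML, whose field names are used here. DC_ACCOUNTS and
REPLICATION_ALLOWLIST are assumptions the operator fills in.
"""

# Control access right GUIDs used by directory replication.
REPLICATION_RIGHTS = {
    "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes",
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}": "DS-Replication-Get-Changes-All",
    "{89e95b76-444d-4c62-991a-0facbeda640c}": "DS-Replication-Get-Changes-In-Filtered-Set",
}
RC4_HMAC = "0x17"

# Assumed environment knowledge (placeholders): DC machine accounts and any
# non-DC principal that replicates legitimately, e.g. a directory sync service.
DC_ACCOUNTS = {"DC01$", "DC02$"}
REPLICATION_ALLOWLIST = {"svc-dirsync"}

# Constructed sample events; PreAuthType 2 is a normal encrypted-timestamp
# pre-authentication, 0x12 is AES256, and the last event touches an unrelated
# object GUID so it must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.23"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def detect_asrep_roast(events):
    """Return 4768 events in which the KDC issued a ticket without pre-authentication."""
    hits = []
    for e in events:
        if e.get("EventID") != 4768 or e.get("PreAuthType") != "0":
            continue
        hits.append({
            "account": e["TargetUserName"],
            "source": e.get("IpAddress", "?"),
            "rc4_requested": e.get("TicketEncryptionType") == RC4_HMAC,
        })
    return hits


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS, allowlist=REPLICATION_ALLOWLIST):
    """Return 4662 events in which a non-DC, non-allow-listed principal used replication rights."""
    expected = dc_accounts | allowlist
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        props = e.get("Properties", "").lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if not rights or e["SubjectUserName"] in expected:
            continue
        hits.append({"subject": e["SubjectUserName"], "rights": rights})
    return hits


if __name__ == "__main__":
    for h in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"AS-REP without pre-auth: {h['account']} from {h['source']} "
              f"(RC4 requested: {h['rc4_requested']})")
    for h in detect_dcsync(SAMPLE_EVENTS):
        print(f"Replication rights used by {h['subject']}: {', '.join(h['rights'])}")
```

Event 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL covers control access rights, so check that before relying on this rule. The earlier steps are visible too: the DACL change on the domain object is logged as Event 5136 when Directory Service Changes auditing is on, and adding a user to “Exchange Windows Permissions” produces a group membership event (4728 or 4756, depending on group scope).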

We’ll be continuing this series with more examples of interesting HTB machines.
