Forest HTB - Writeup
today i worked on forest, another AD machine! i didn't write a lot on this one because i didn't take many screenshots, but wanted to document it
after enumerating, i find anonymous access to LDAP enabled, and find some account usernames:
after running GetNPUsers on all the prominent usernames to find users that do not require Kerberos preauthentication, we find that svc-alfresco has that setting enabled and grab its hash!
hashcat -m 18200 alfresco.hash /usr/share/wordlists/rockyou.txt --force
using the newly cracked credentials, we grab the user.txt
then, we use SharpHound to collect data to import to BloodHound and find the shortest path to high priority targets
we notice that svc-alfresco is part of the Account Operators group, which we can then use to add a user and give it "Exchange Windows Permissions" (don't forget to import PowerView!)
impacket-secretsdump mega:password123!@forest.htb
after that, just use the NTLM hash with evil-winrm and grab the root.txt. done!
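from the defender's side, the two findings that made this path work (an enabled account that does not require Kerberos preauthentication, sitting in a group like Account Operators) can be audited from a directory export. this is an added example, not part of the original writeup: the LDIF sample, the example.local domain, the old-svc and alice accounts and the function names are constructed, and the parser only handles plain `key: value` lines (no folded or base64 values).

```python
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: Kerberos pre-auth not required
ACCOUNTDISABLE = 0x2         # userAccountControl bit: account disabled
# Groups named in this writeup; extend for your own domain (assumption).
SENSITIVE_GROUPS = {"account operators", "exchange windows permissions"}
# Constructed sample export, not data from the real machine.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=example,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352
memberOf: CN=Account Operators,CN=Builtin,DC=example,DC=local

dn: CN=alice,OU=Employees,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=old-svc,OU=Service Accounts,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Split a simple LDIF export into dicts of attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if ": " in line and not line.startswith("#"):
                key, value = line.split(": ", 1)
                entry.setdefault(key.lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_preauth(text):
    """Report enabled accounts whose userAccountControl skips pre-authentication."""
    findings = []
    for e in parse_ldif(text):
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if not (uac & DONT_REQ_PREAUTH) or (uac & ACCOUNTDISABLE):
            continue  # pre-auth still required, or the account is disabled
        # Reduce each memberOf DN to the CN of the group.
        groups = {g.split(",", 1)[0].split("=", 1)[-1].lower() for g in e.get("memberof", [])}
        hits = sorted(groups & SENSITIVE_GROUPS)
        findings.append({"account": e["samaccountname"][0], "sensitive_groups": hits,
                         "severity": "high" if hits else "medium"})
    return findings

if __name__ == "__main__":
    print(audit_preauth(SAMPLE_LDIF))
```

memberOf only lists direct membership, so nested group membership needs a recursive lookup before the severity can be trusted.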