Forest
Summary
The machine was vulnerable to AS-REP roasting, and we found that
svc-alfrescohadDo not require Kerberos preauthenticationenabled.Extracted the AS-REP hash using
GetNPUsersand cracked it with John to retrieve the password:s3rvice.Used Evil-WinRM to log in as
svc-alfrescoand got the user flag.Ran BloodHound and discovered:
svc-alfrescohas ownership over userskyleandrdiaz.kylehas DCSync rights over the domain.
Reset the passwords for both
kyleandrdiazusingrpcclient.Performed DCSync attack using
kyleto dump Administrator's NTLM hash.Used that hash with Evil-WinRM to gain an elevated shell and grab the root flag.
Enumeration
Enumerating SMB
Discovered valid users:
Checked for AS-REP roasting:
Found:
Cracked it with:
Recovered password:
Initial Foothold
Used Evil-WinRM to connect:
User shell landed — ✅ Got user flag!
Privilege Escalation
Ran BloodHound using bloodhound-python:
Key Finding:
svc-alfrescoowns:kyle(has DCSync rights)rdiaz(has special access in Forest.HTB.local)
Used rpcclient to change passwords of owned users:
Performed DCSync attack:
Dumped the Administrator’s hash:
Used it to log in with Evil-WinRM:
Got SYSTEM shell — 🎯 Grabbed root.txt!
Last updated
Was this helpful?