Walkthrough Best Fix — Forest Hackthebox
The presence of LDAP and Kerberos confirms this is an Active Directory Domain Controller.

Enumerating Users via LDAP

This is a critical learning point for "Forest". Even without credentials, the machine allows two powerful forms of anonymous enumeration: RPC (via rpcclient or enum4linux) and LDAP. This misconfiguration provides the initial list of domain users needed for the AS-REP Roasting attack.

Using rpcclient or enum4linux can provide user lists, but since we have LDAP, we can use ldapsearch or windapsearch to enumerate valid domain users without credentials:

    windapsearch.py --dc-ip 10.10.10.161 -u "" -p "" --users

This command extracts a list of valid domain usernames, including sebastien, lucas, andy, mark and santi. Save these usernames into a text file named users.txt.

Phase 2: Initial Foothold (AS-REP Roasting)

Now that we have a list of potential usernames, we can test them for a specific Kerberos misconfiguration. This phase introduces the AS-REP Roasting attack:

    GetNPUsers.py htb.local/ -userfile users.txt -format hashcat -outputfile hashes.asrep -dc-ip 10.10.10.161

We now have a username, svc-alfresco, and a password, s3rvice. Observing our initial Nmap results, we saw that the WinRM port is open, which indicates WinRM (Windows Remote Management) is available. If you have valid credentials and the user is in the "Remote Management Users" group, you can get a shell using evil-winrm:

Active Directory Mapping with BloodHound

To compromise the entire domain, you must elevate your privileges from a standard service account to Domain Administrator. To escalate privileges in an Active Directory environment, map out the domain relations and permissions using BloodHound.

Collecting Data

Then, within the WinRM session on the target, download and run SharpHound:

Inside your WinRM session, leverage your Account Operators status to create a new backdoor account:

    net user hacker Password123! /add /domain

2. Abuse Group Membership
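The misconfiguration that Phase 2 (AS-REP Roasting) relies on is a user account flagged "Do not require Kerberos preauthentication", i.e. the DONT_REQ_PREAUTH bit (0x400000) in userAccountControl. As an added defensive check that is not part of the original walkthrough, the Python below audits an LDAP export for such accounts; the LDIF sample, its numeric values and the OU paths are constructed for this example.

```python
"""Audit an LDAP export of user objects for AS-REP-roastable accounts.

Defensive check for the misconfiguration the walkthrough abuses: a user whose
userAccountControl carries DONT_REQ_PREAUTH (0x400000) returns an AS-REP that
can be cracked offline. The export format and the entries below are constructed
for this example; in practice feed it an ldapsearch export from your own DC.
"""
import re

DONT_REQ_PREAUTH = 0x400000   # UF_DONT_REQUIRE_PREAUTH
ACCOUNTDISABLE = 0x0002       # UF_ACCOUNTDISABLE: a disabled account cannot be roasted

# Constructed LDIF-style export. 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD;
# 4260352 adds DONT_REQ_PREAUTH; 4260354 is the same plus ACCOUNTDISABLE.
SAMPLE_LDIF = """\
dn: CN=sebastien,CN=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4260354
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        yield entry

def find_asrep_roastable(text):
    """Return sAMAccountNames of enabled users with pre-authentication disabled."""
    hits = []
    for entry in parse_ldif(text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(entry["sAMAccountName"])
    return hits

if __name__ == "__main__":
    for name in find_asrep_roastable(SAMPLE_LDIF):
        print(f"[!] {name}: DONT_REQ_PREAUTH is set; clear it or this account is AS-REP roastable")
```

On the domain controller the same condition can be listed with Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}, and Set-ADAccountControl -Identity <user> -DoesNotRequirePreAuth $false clears the flag.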
