HackTheBox Writeup — Forest

Faisal Husaini
4 min readMar 21, 2020

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is

Port Scan

Running masscan on it , we get

masscan -p1-65535,U:1-65535 --rate=1000 -e tun0

Whole loads of ports were discovered open , so moving onto running regular NMAP scan against the target

So we have alot of Ports Open, we move onto enumerating users

Enumerating Users

Using rpcclient as we have have Port 135 and Port 593 running Microsoft Windows RPC

Now we enumerate domain users using enumdomusers command

We got bunch of Users, so now we will now run an Impacket tool named GetNPUsers which will attempt to list and get TGTs for those users that have the property

We got a hash for user svc-alfresco,trying to crack it using john

We got the password cracked and use this creds to login through Evil-WinRM

Since Port 5985 is open , we can use WinRM to connect

We got logged in successfully and now move onto getting User Flag

Now its time for priv esc part

Privilege Escalation

We will use Bloodhound for the privilege escalation part

Here we run our python server and get the SharpHound.ps1 script to the remote machine

By using the above command, we upload the powershell script from our local machine to the remote box

We ran the Invoke-Bloodhound command along with the arguments as seen above and got the Bloodhound zip file which we will bring on my local machine

Since Evil-WinRM is full of functionalities, it provides us with a download option too

We first start our neo4j console

We can access it on localhost:7474

We put our password and then

Now we run Bloodhound

We click on Login and then

Now we will drag the bloodhound zip file we got here

We can see that we have WriteDACL permission enabled on Exchange Windows Permissions so we can modify object’s ACEs and give attacker full control right over the object

Here we add the user svc-alfresco to the group Exchange Windows Permissions

Here we use ntlmrelayx from Impacket which performs the SMB Relay attacks originally discovered by cDc extended to many target protocols (SMB, MSSQL, LDAP, etc). It receives a list of targets and for every connection received it will choose the next target and try to relay the credentials. Also, if specified, it will first to try authenticate against the client connecting to us.

We now go to our localhost /privexchange and see the ntlmrelayx server

We see that we got authentication against the ldap and also it relayed user’s privileges and now we use another Impacket tool named secretsdump to dump the hash



Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover