Forest | HackTheBox Writeup
Start with Nmap scan found many ports are open.
Service msrpc is available.
So I used rpcclient and using rpcclient i got usernames.
Then I used GetNPUsers to dump Kerberos hash. I got a hash of user svc-alfresco.
I used hashcat for cracking password and a password.
Using the credentials I can log in to the user account using evil-winrm and got user flag.
For further privilege escalation, I uploaded the SharpHound to collect all information and saved it to a zip file.
Then I downloaded that file, so I can use it in BloodHound.
I drag and dropped the zip file in BloodHound and all files are uploaded.
The next step I used is to find the shortest path to the admin from the current user.
For that, I made SVC-ALFRESCO as the Owned user.
Then I checked the Shortest path from ADMINISTRATOR to Owned User.
I got a graph which shows detail.
Then I checked how to get the privilege of Admin and got how to abuse the current user privilege.
I searched google for this method and got an article regarding this abuse.
I used this method for further steps.
As mentioned in the Article i entered the current username and password.
now I can dump hashes.
using secretdump i dumped the NTLM hash.
I used that in winrm and got root flag.