Forest | HackTheBox Writeup


Forest is an easy windows machine by mrb3n and egre55

User Part

Start with Nmap scan found many ports are open.

Service msrpc is available.

So I used rpcclient and using rpcclient i got usernames.

Then I used GetNPUsers to dump Kerberos hash. I got a hash of user svc-alfresco.

I used hashcat for cracking password and a password.

Using the credentials I can log in to the user account using evil-winrm and got user flag.

Root Part

For further privilege escalation, I uploaded the SharpHound to collect all information and saved it to a zip file.

Then I downloaded that file, so I can use it in BloodHound.

I drag and dropped the zip file in BloodHound and all files are uploaded.

The next step I used is to find the shortest path to the admin from the current user.

For that, I made SVC-ALFRESCO as the Owned user.

Then I checked the Shortest path from ADMINISTRATOR to Owned User. 

I got a graph which shows detail.

Then I checked how to get the privilege of Admin and got how to abuse the current user privilege.

I searched google for this method and got an article regarding this abuse.

I used this method for further steps.

As mentioned in the Article i entered the current username and password.

now I can dump hashes.

using secretdump i dumped the NTLM hash.

I used that in winrm and got root flag. 

Share on facebook
Share on twitter
Share on linkedin