
Hack the Box: Forest (OSCP like boxes and beyond)

Ryan Yager, System Weakness

Today we will be looking at a retired HTB machine, Forest, which is an Active Directory machine. This machine is part of the "Beyond this Module" section of the Hack The Box Academy module Active Directory Enumeration and Attacks.

Starting off as usual with a port scan, we see the following:

We used rustscan above with the command:

We see a couple of different attack vectors that we can check for: a null SMB session, anonymous RPC, and maybe kerbrute if all else fails:

We can also use netexec, which is the newest crackmapexec, and try it against SMB as shown:

And we can also try with LDAP:

Now let's run the rpc command again, save it to a file and then cut everything we do not need:

Looks good so far. Now that we have some usernames, let's use kerbrute to see if they are real or not:

They are real and we have an AS-REP roastable user. Let's use the impacket GetNPUsers script to grab a hash we can crack with hashcat or John the Ripper:

Now save the hash to a file and then crack with hashcat:

Or with john:

Now let's use a tool called CrackEverything to see if this user can log in. This tool goes through different netexec commands (or crackmapexec if you are still using that) and can be found here: https://github.com/overgrowncarrot1/CrackEverything6.

In the above, your -Z will be different; this is whatever you changed your .conf file to. If you have never changed it, then it will just be -Z Pwn3d!.

Looks like we can get in through WinRM. Before this, let's run bloodhound:

Now that we have this, we upload it into BloodHound and see that svc-alfresco is part of Account Operators; this is verified with a whoami /all.

We have a lot of juicy stuff above.
Looking deeper into the group Account Operators, we can see that it has GenericAll privileges over Exchange Windows Permissions, which has the WriteDacl right. Let's exploit that:

Now we need to put PowerView on the machine and exploit the WriteDacl right that we have seen throughout BloodHound:

Notice above that we have given DCSync rights to svc-alfresco, which means that we can now run secretsdump (you may have to run the command more than once):

Now we can pass the hash and get in:

Hopefully you enjoyed the box and learned something new when going through it. Have a good one.

Ryan Yager, System Weakness. Known on Twitch and YouTube as OvergrownCarrot1 or OGC.
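As an added defensive counterpart to the AS-REP roast and DCSync steps above (example code written for this page, not from the original writeup or any of the tools it uses): a small Python triage over constructed Windows Security event records. The svc-alfresco name comes from the writeup; the DC01 host name, the IP addresses and the event values are assumptions.

```python
# Added example, not part of the original writeup. AS-REP roasting is visible in
# Event ID 4768 (TGT request) with Pre-Authentication Type 0 (no pre-auth);
# DCSync is visible in Event ID 4662 when a principal that is not a domain
# controller exercises the replication control-access rights listed below.
# Events here are simplified dicts; real 4662 events carry the GUIDs in one
# Properties string that must be split first.

# Control-access right GUIDs that replication (and secretsdump) requires.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

def is_asrep_roast(event):
    """4768 without pre-authentication; the etype (0x17 = RC4) is reported, not required."""
    return event["EventID"] == 4768 and event["PreAuthType"] == 0

def dcsync_rights(event, domain_controllers):
    """Replication rights a non-DC principal exercised in a 4662 event, by name."""
    if event["EventID"] != 4662:
        return []
    dcs = {d.rstrip("$").upper() for d in domain_controllers}
    if event["SubjectUserName"].rstrip("$").upper() in dcs:
        return []  # DCs replicate with each other legitimately
    return [REPLICATION_GUIDS[g.lower()] for g in event["Properties"]
            if g.lower() in REPLICATION_GUIDS]

def triage(events, domain_controllers):
    """Return (alert, principal, detail) tuples for the suspicious events."""
    alerts = []
    for e in events:
        if is_asrep_roast(e):
            etype = hex(e["TicketEncryptionType"])
            alerts.append(("ASREP_ROAST", e["TargetUserName"], f"{e['IpAddress']} etype={etype}"))
        rights = dcsync_rights(e, domain_controllers)
        if rights:
            alerts.append(("DCSYNC", e["SubjectUserName"], ", ".join(rights)))
    return alerts

# Constructed sample events: roastable request, normal AES request, DC-to-DC replication, DCSync.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": 0,
     "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.99"},
    {"EventID": 4768, "TargetUserName": "user1", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.20"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]
```

Running `triage(SAMPLE_EVENTS, {"DC01"})` flags the svc-alfresco TGT request and the svc-alfresco replication request while leaving the DC's own replication and the AES pre-authenticated logon alone; the same two rules map directly onto a SIEM query over 4768 and 4662.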


