Forest — HTB walkthrough

ENUMERATION

Nmap Scan

We get the domain name Forest.htb.local; add this to /etc/hosts.

RPC ENUMERATION

Make a user list from the lists above.

SMB ENUMERATION

Anonymous login is successful, but no shares are visible.
This gave us the hash.
Hash for svc-alfresco.

CRACKING HASH

Using john and rockyou.txt, we crack the hash.

CRACKMAPEXEC verification

Using crackmapexec to check whether the cracked password works with SMB and WinRM.

It doesn’t work for SMB.
But it worked for WinRM.

EXPLOITATION

PRIVILEGE ESCALATION

After enumerating and playing around, I found I couldn’t execute any script. So we will do AD enumeration.

Downloading on the attacker machine.
On the attacker machine, keep smbserver running.
And log in with the new password.
Right-click on WriteDacl and select Help, which shows you what the exploit does and how to do it.
Steps to exploit the WriteDACL privilege.
Got the LM:NTLM hash for Administrator.

Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.