Forest write-up by limbernie

Great tool (GetNPUsers.py) from Impacket to check out the TGT from users. Lastly, it was the WriteDacl permission to grant a user the DCSync right to dump secrets (using DRSUAPI) that got me the root flag.

https://hackso.me/forest-htb-walkthrough/

limbernie
Write-ups of retired machines

Comments

  • Nice concise write up, but one slight issue I have is that you changed the group membership and domain permissions for the svc-alfresco account that everyone else is also using. So if anyone else attacks the machine at the same time as you, they get those creds and instantly are a member of groups they shouldn't be a member of.

    I assume the reason the box author allowed svc-alfresco to create new user accounts was for this exact reason. So that we could create a new account and grant permissions to that, so it doesn't affect the experience of others.

    I guess if you're on VIP and hardly anyone else was attacking that box at the same time, not such a big deal. But on the free servers this would definitely mess with a lot of other people.

  • Yes, I noted that too; that's why I reset the box immediately after getting root.txt. Another advantage I had is that I'm based in Asia so most of the time, it's off-peak hours for many in Europe, UK or North America. Cheers.

    limbernie
    Write-ups of retired machines

  • Ah, fair enough, not too bad then. Tbh I thought there was actually something stopping the svc-alfresco account from doing the DC sync attack, as a lot of people said they couldn't do it and HAD to create a new user. Maybe it's just a scheduled task or something that resets the group membership and you did it quick enough for that not to have any effect.

  • Thx for the writeup! I couldn't get root in time :( All the time I missed to add the User to the "Exchange Trusted Subsystem Group". But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine while looking at the BloodHound Graph? You know why it's necessary? :)

  • I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist

  • edited March 21

    @101001101029A said:
    Thx for the writeup! I couldn't get root in time :( All the time I missed to add the User to the "Exchange Trusted Subsystem Group". But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine while looking at the BloodHound Graph? You know why it's necessary? :)

    It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: https://forum.hackthebox.eu/discussion/2874/forest-video-walkthrough

    @systemcheater said:
    I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist

    Sounds like you put the wrong domain name in. The domain name you need to specify is "htb.local"

  • @VbScrub said:

    @101001101029A said:
    Thx for the writeup! I couldn't get root in time :( All the time I missed to add the User to the "Exchange Trusted Subsystem Group". But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine while looking at the BloodHound Graph? You know why it's necessary? :)

    It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: https://forum.hackthebox.eu/discussion/2874/forest-video-walkthrough

    @systemcheater said:
    I could not own this machine because when I tried to attack with GetNPUsers I got an HTB:88 does not exist

    Sounds like you put the wrong domain name in. The domain name you need to specify is "htb.local"

    I put that and went I got this error, I think it's something in my VPN because I can't use nslookup in any of the HTB machines

  • I always got [Errno Connection error (HTB:88)] [Errno -2] Name or service not known
