Forest write-up by limbernie

Great tool (GetNPUsers.py) from Impacket to check out the TGTs for users. Lastly, it was the WriteDacl permission, used to grant a user the DCSync right to dump secrets (using DRSUAPI), that got me the root flag.

https://hackso.me/forest-htb-walkthrough/

Nice concise write-up, but one slight issue I have is that you changed the group membership and domain permissions for the svc-alfresco account that everyone else is also using. So if anyone else attacks the machine at the same time as you, they get those creds and are instantly a member of groups they shouldn't be a member of.

I assume the reason the box author allowed svc-alfresco to create new user accounts was for this exact reason. So that we could create a new account and grant permissions to that, so it doesn’t affect the experience of others.

I guess if you're on VIP and hardly anyone else is attacking that box at the same time, it's not such a big deal. But on the free servers this would definitely mess with a lot of other people.

Yes, I noted that too; that's why I reset the box immediately after getting root.txt. Another advantage I had is that I'm based in Asia, so most of the time it's off-peak hours for many in Europe, the UK or North America. Cheers.

Ah, fair enough, not too bad then. Tbh I thought there was actually something stopping the svc-alfresco account from doing the DCSync attack, as a lot of people said they couldn't do it and HAD to create a new user. Maybe it's just a scheduled task or something that resets the group membership and you did it quickly enough for that not to have any effect.

Thx for the write-up! I couldn't get root in time :frowning: All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph. Do you know why it's necessary? :slight_smile:

I could not own this machine because when I tried to attack with GetNPUsers I got "HTB:88 does not exist".

@101001101029A said:
Thx for the write-up! I couldn't get root in time :frowning: All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph. Do you know why it's necessary? :slight_smile:

It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: Forest Video Walkthrough - Video Tutorials - Hack The Box :: Forums

@systemcheater said:
I could not own this machine because when I tried to attack with GetNPUsers I got "HTB:88 does not exist".

Sounds like you put the wrong domain name in. The domain name you need to specify is “htb.local”

@VbScrub said:

@101001101029A said:
Thx for the write-up! I couldn't get root in time :frowning: All the time I missed adding the user to the "Exchange Trusted Subsystem" group. But why is it necessary? I would think adding him to "Exchange Windows Permissions" should be fine, looking at the BloodHound graph. Do you know why it's necessary? :slight_smile:

It's not necessary. I did it with only the Exchange Windows Permissions group. See my video here: Forest Video Walkthrough - Video Tutorials - Hack The Box :: Forums

@systemcheater said:
I could not own this machine because when I tried to attack with GetNPUsers I got "HTB:88 does not exist".

Sounds like you put the wrong domain name in. The domain name you need to specify is “htb.local”

I put that in and I got this error. I think it's something in my VPN, because I can't use nslookup on any of the HTB machines.

I always got [Errno Connection error (HTB:88)] [Errno -2] Name or service not known

@systemcheater said:
I always got [Errno Connection error (HTB:88)] [Errno -2] Name or service not known

It'll go out to the internet and try to look it up. I'm assuming you're already adding the domain to the hosts file, though?
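The resolution problem in the last few posts ("HTB:88" and "Name or service not known") comes down to two things: the realm passed to GetNPUsers.py has to be the DNS domain htb.local rather than the NetBIOS name HTB, and that name has to resolve on the attacking machine, normally through /etc/hosts. The shell functions below are an added example written for this page; they are not code from the thread, from the linked write-up, or from Impacket. They look a name up in a hosts-style file the way the resolver would (ignoring comments, whole-token match), add an entry only when it is missing, refuse a realm without a dot, and print the GetNPUsers.py command line. The hosts file contents, the address 10.0.0.5 and the file name users.txt are constructed placeholders, not the box's real values.

```shell
#!/bin/sh
# Added example, not code from the thread or from Impacket. Helpers for the
# attacker-side setup GetNPUsers.py depends on: the realm must be the DNS
# domain (htb.local) and it must resolve locally, normally via /etc/hosts.

# hosts_lookup FILE NAME
# Print the address mapped to NAME in a hosts-style FILE and return 0, or
# print nothing and return 1. Comments are dropped and names are matched as
# whole tokens, case-insensitively, so "HTB" does not match "htb.local".
hosts_lookup() {
    hl_file=$1
    hl_name=$2
    awk -v want="$hl_name" '
        { sub(/#.*/, "") }                      # drop comments
        NF < 2 { next }                         # need an address and a name
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(want)) { print $1; exit } }
    ' "$hl_file" | grep .
}

# hosts_ensure FILE ADDR NAME
# Append "ADDR NAME" to FILE unless NAME already resolves there, so running
# it twice never produces duplicate lines.
hosts_ensure() {
    he_file=$1
    he_addr=$2
    he_name=$3
    if hosts_lookup "$he_file" "$he_name" >/dev/null; then
        return 0
    fi
    printf '%s\t%s\n' "$he_addr" "$he_name" >> "$he_file"
}

# realm_is_fqdn NAME
# Return 0 when NAME looks like a DNS domain (contains a dot). A bare
# NetBIOS name such as HTB is what ends up as "HTB:88" in the error above.
realm_is_fqdn() {
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# build_getnpusers_cmd DOMAIN DC_ADDR USERSFILE
# Print the GetNPUsers.py invocation for AS-REP roasting a list of candidate
# usernames. The target is written DOMAIN/ with an empty user part because
# the names come from -usersfile; -no-pass requests AS-REPs without
# pre-authentication; -dc-ip pins the KDC address so the realm name is not
# resolved through DNS; -format hashcat emits crackable hashes.
build_getnpusers_cmd() {
    bg_domain=$1
    bg_dc=$2
    bg_users=$3
    realm_is_fqdn "$bg_domain" || {
        printf 'refusing realm "%s": use the DNS domain, e.g. htb.local\n' "$bg_domain" >&2
        return 1
    }
    printf 'GetNPUsers.py %s/ -usersfile %s -no-pass -dc-ip %s -format hashcat\n' \
        "$bg_domain" "$bg_users" "$bg_dc"
}

# demo: constructed hosts file; 10.0.0.5 is a placeholder DC address, not
# the real box, and users.txt is assumed to hold candidate usernames.
demo() {
    d_hosts=$(mktemp)
    printf '127.0.0.1 localhost\n# 10.0.0.5 HTB   (commented out on purpose)\n' > "$d_hosts"
    hosts_ensure "$d_hosts" 10.0.0.5 htb.local
    hosts_ensure "$d_hosts" 10.0.0.5 htb.local      # second call is a no-op
    if hosts_lookup "$d_hosts" HTB >/dev/null; then
        echo "HTB resolves (unexpected)"
    else
        echo "HTB does not resolve; htb.local -> $(hosts_lookup "$d_hosts" htb.local)"
    fi
    build_getnpusers_cmd htb.local 10.0.0.5 users.txt
    rm -f "$d_hosts"
}
demo
```

Running the script against a real /etc/hosts needs root for hosts_ensure; everything else is read-only. Passing -dc-ip removes the dependency on the realm resolving for the KDC connection, but the realm string itself still has to be the DNS domain or the Kerberos request goes to the wrong realm.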