Running whoami /groups reveals a shocking privilege:
Now that we know we have the power to modify domain permissions (via the nested groups), we must act. We have two paths: the "Exploit" path using PowerShell, or the "Manual" path using Impacket.
: Identify users that do not require Kerberos pre-authentication. Use GetNPUsers.py from the Impacket suite to request an AS-REP for the user svc-alfresco. Extract the hash and crack it locally using John the Ripper to obtain the plaintext password.
: Use the cracked credentials to gain a remote shell via Evil-WinRM.
Privilege Escalation
BloodHound Analysis
SharpHound
✅ User flag at C:\Users\svc-alfresco\Desktop\user.txt
Because LDAP is open, you can enumerate domain information without authentication using enum4linux-ng or rpcclient.

```bash
enum4linux-ng -A
```

This step reveals the internal domain name: HTB.LOCAL.
Phase 2: Weaponization and User Access
```bash
ldapsearch -H ldap://10.10.10.161 -x -s base namingcontexts
```
Search for svc-alfresco in BloodHound and map the path to the group.
: Confirms the machine is a Domain Controller.
: Use tools like rpcclient or enum4linux to identify valid domain users. A notable account found during this phase is svc-alfresco.
2. Initial Access: AS-REP Roasting
```bash
sudo nmap -p- -T4 -Pn -oN forest_nmap_all 10.10.10.161
```
Since your user session has Account Operators permissions, you can abuse this power to add a new user directly into a high-privilege group like .
Execution Steps
Create a new domain user account:

```powershell
net user attacker Password123! /add /domain
```

Add the new user to the Exchange Windows Permissions group:
This attack is known as .