Forest
Last updated
A domain controller created by HackTheBox with Exchange server installed in a minimal AD domain.
The machine covers the following techniques:
Bloodhound
We use nmap to figure out what services are running on the target.
The results reveal the following information.
port 88 tells us that this should be a domain controller
port 389 allows us to fetch information about the target AD domain via LDAP
port 5985 may allow us to access the target using WinRM later
By querying the RootDSE information, we see that the target domain name is htb.local.
From the information gathered through the anonymous LDAP query, we found a service account named svc-alfresco.
To expand our knowledge of the technology our client uses, the next step is to find which AD-integrated third-party service this account relates to.
From the configuration, we see that the account related to this service has been configured with Kerberos pre-authentication disabled.
We use Impacket's GetNPUsers to get the TGT for the account svc-alfresco:
We can crack the hash using hashcat with mode 18200:
and get the password s3rvice for the account svc-alfresco.
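A defender-side check for the pre-authentication weakness described above, added here as an example (not part of the original writeup): it flags TGT requests logged with Kerberos pre-authentication disabled in constructed event 4768 lines, and audits accounts for the DONT_REQ_PREAUTH flag in userAccountControl. The log line format, usernames, IPs and flag values are constructed for the example, not taken from the machine.

```python
import re

# userAccountControl bit for "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000
RC4_HMAC = 0x17  # ticket encryption type behind the hashcat 18200 format

# Constructed sample lines shaped like Windows Security event 4768 (TGT requested); not real logs.
SAMPLE_EVENTS = """\
4768 TargetUserName=svc-alfresco PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
4768 TargetUserName=alice PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.10.20
4768 TargetUserName=bob PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.10.10.21
4769 TargetUserName=alice TicketEncryptionType=0x12 IpAddress=10.10.10.20
""".splitlines()

EVENT_RE = re.compile(r"^(?P<id>\d+)\s+(?P<fields>.*)$")


def parse_event(line):
    """Turn one constructed log line into a dict; returns None if the line does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = {"EventID": int(m.group("id"))}
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        ev[key] = int(val, 0) if key in ("PreAuthType", "TicketEncryptionType") else val
    return ev


def find_asrep_roast_candidates(lines, rc4_only=True):
    """TargetUserNames of 4768 events issued without pre-authentication (PreAuthType 0).
    With rc4_only, also require RC4-HMAC, the case that yields a mode-18200 hash."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["EventID"] != 4768 or ev.get("PreAuthType") != 0:
            continue
        if rc4_only and ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        hits.append(ev["TargetUserName"])
    return hits


# Constructed (sAMAccountName, userAccountControl) pairs as an LDAP audit would return them.
SAMPLE_ACCOUNTS = [("svc-alfresco", 0x410200), ("alice", 0x10200), ("krbtgt", 0x202)]


def accounts_without_preauth(accounts):
    """Names of accounts whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]


if __name__ == "__main__":
    print("AS-REP roast candidates:", find_asrep_roast_candidates(SAMPLE_EVENTS))
    print("Accounts without pre-auth:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

Fixing the finding means clearing the flag on the account and rotating its password; the audit function shows which accounts still need that.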
It seems that we can fetch information about the target AD domain via .
By Google, we found a product named .
This allows us to get the TGT for the account svc-alfresco, and conduct the to retrieve the account password from the requested TGT.
Refer to for more information.
We can now login to the target host with the credential we got via .
Since we have the krbtgt account's password hash, we can conduct the .