Walkthrough | Forest Hackthebox

You recall that with AD credentials, you can use if the user is in the right group. But svc-alfresco is not. You check group membership using net rpc or ldapsearch :

Account Operators can create and modify non-admin users and groups. You create a new user and add them to Domain Admins : forest hackthebox walkthrough

GetNPUsers.py htb.local/ -dc-ip 10.10.10.161 -no-pass -usersfile users.txt Where users.txt is every user you scraped from LDAP. The script runs… and a few seconds later, a hash drops: You recall that with AD credentials, you can

echo "10.10.10.161 forest.htb.local htb.local" >> /etc/hosts First, you try enum4linux . It's polite but fruitless—null sessions are disabled. So you turn to the sharpest knife in the AD drawer: ldapsearch . You recall that with AD credentials