
# Tryhackme Attackive Directory Writeup

Hey, reader!! In this blog (writeup) I am going to discuss the TryHackMe room Attacktive Directory.
Before moving ahead I would strongly recommend that you first try this room on your own and then, if you get stuck anywhere, feel free to read this writeup :D
So, without further ado, let's get started.
The first thing you need to do is click the Start Machine button; it will spin up the machine for you.

Note: While writing this writeup I had to start the machine three times because of some issues, so different IP addresses will be shown in the screenshots.

Before moving ahead you need to download a few things, as shown in Tasks 1 and 2. Let's do it quickly with the simple script shown below.

```bash
# Refresh package lists, then fetch Impacket into /opt and install it with its dependencies
sudo apt-get update -y
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && sudo python3 ./setup.py install
# BloodHound and its Neo4j backend are used in a later task
sudo apt install -y bloodhound neo4j
```

After completing Tasks 1 and 2 you need to start enumeration with Nmap.

```
┌──(mrgrep㉿kali)-[/opt]
└─$ sudo nmap -sSVC -A -T4 10.10.192.10                                          1 ⨯
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-15 03:08 EDT
Nmap scan report for 10.10.192.10
Host is up (0.16s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-09-15 07:08:57Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-09-17T11:02:27+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-09-16T10:39:56
|_Not valid after:  2022-03-18T10:39:56
|_ssl-date: 2021-09-17T11:02:36+00:00; -1s from scanner time.
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```

As we can clearly see, ports 53, 80, 88, 135, 139, 445, 464, 593, 636, 3268, 3269 and 3389 are open, but we do not need to enumerate every single port. Let's enumerate users using the enum4linux tool.

(Screenshot: enum4linux output)

We can clearly see that the known users are administrator, guest, krbtgt, domain admins, root, bin and none. Now let's move on to the questions of this task.

What tool will allow us to enumerate port 139/445? enum4linux
What is the NetBIOS-Domain Name of the machine? THM-AD
What invalid TLD do people commonly use for their Active Directory Domain? .local

Before moving ahead, open your hosts file with `nano /etc/hosts` and add the line `<ip of tryhackme machine> spookysec.local`.

## Task 4

Here we need to use the Kerbrute tool, as mentioned in the description, to brute-force and discover users and passwords, and even to password spray! So make sure to clone it onto your local machine. Let's git clone it, but before that make sure you have Go installed.

```bash
# Install the Go toolchain, build Kerbrute from source and put the binary on the PATH
sudo apt install -y golang-go
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute && go build
sudo cp kerbrute /usr/local/bin
```

Note: Several users have faced an issue where the latest version of Kerbrute does not contain the UserEnum flag. If that is the case with the version you have selected, try an older version!

For this box, a modified user list and password list will be used to cut down on the time spent enumerating users and cracking password hashes. It is NOT recommended to brute-force credentials, due to account lockout policies that we cannot enumerate on the domain controller.

Now let's move on to the questions of this task.

What command within Kerbrute will allow us to enumerate valid usernames? userenum
What notable account is discovered? (These should jump out at you) svc-admin
What is the other notable account discovered? (These should jump out at you) backup

As the description suggests, after the enumeration of user accounts is finished we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos ticket for the specified user account. For retrieving Kerberos tickets we can use a tool called "GetNPUsers.py" (located in impacket/examples/GetNPUsers.py) that will allow us to query ASREPRoastable accounts from the Key Distribution Center. The only thing necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.

(Screenshot: getting the TGT)

Now save this in a file called hash.txt and run hashcat on it.

```bash
hashcat -m 18200 -a 0 hash.txt passwordlist.txt --force
```
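From the blue-team side, the same two facts the room relies on (the "Does not require Pre-Authentication" flag and the RC4 AS-REP that hashcat mode 18200 cracks) are what you audit and alert on. This is an added example, not part of the original writeup or the room: it checks userAccountControl values for the no-preauth bit and scans constructed Security event 4768 records for TGTs issued without pre-authentication. The account names, the `reports` user and the 10.10.x.x source addresses are made up.

```python
import re

# userAccountControl flag "Does not require Kerberos preauthentication"
# (UF_DONT_REQUIRE_PREAUTH, 0x400000).
DONT_REQ_PREAUTH = 0x400000


def asrep_roastable(accounts):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    `accounts` maps sAMAccountName -> userAccountControl as an int, for example
    the result of an LDAP search over the domain's user objects."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


# Constructed sample of Security event 4768 (Kerberos TGT requested), one event per
# line, using the event's XML data names. Users and addresses are made up.
SAMPLE_4768 = """\
TargetUserName=svc-admin PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.10.14.5
TargetUserName=backup PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.0.20
TargetUserName=reports PreAuthType=0 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.10.14.5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4768(text):
    """Turn the one-line-per-event text above into a list of field dicts."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_asrep_roast(events):
    """Flag successful TGT requests made with no pre-authentication (PreAuthType 0).

    An RC4 ticket (etype 0x17 = 23) is exactly what GetNPUsers asks for and what
    hashcat mode 18200 cracks, so it is rated high; an AES AS-REP (0x11/0x12) is
    still roastable but far slower to crack, so it is rated medium."""
    hits = []
    for ev in events:
        if ev.get("PreAuthType") != "0" or ev.get("Status") != "0x0":
            continue
        etype = int(ev.get("TicketEncryptionType", "0x0"), 16)
        hits.append({"user": ev["TargetUserName"], "src": ev["IpAddress"],
                     "severity": "high" if etype == 0x17 else "medium"})
    return hits


if __name__ == "__main__":
    print(asrep_roastable({"svc-admin": 0x400200, "backup": 0x10200}))
    for hit in detect_asrep_roast(parse_4768(SAMPLE_4768)):
        print(hit)
```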

(Screenshot: the cracked password is highlighted in red)

Now with these credentials let's log in to the SMB share.

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name) Kerberos 5 AS-REP etype 23
What mode is the hash? 18200
Now crack the hash with the modified password list provided, what is the user account's password? find yourself :)

With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.

Here we can see the interesting share named backup.

Now let's see what's in the backup share.

Here we have the backup_credentials.txt file.

Here we can see backup_credentials.txt, so let's download it locally and decode it.

(Screenshot: the decoded password is highlighted in red)

We have got the creds for the backup account. So first let's answer the questions of this task.

You need to get the last two answers yourself, as I don't want to ruin your experience.

As mentioned in the description itself, we have to use a tool within Impacket called "secretsdump.py". This will allow us to retrieve all of the password hashes that this user account (which is synced with the domain controller) has to offer, and after exploiting this we will effectively have full control over the AD domain. We can use the previously found password for the backup account, so let's use that :D

For the flags that are used you can check `secretsdump.py -h`.

As we can see, we have got the NTLM hashes of all the users. Now we can use a pass-the-hash attack to log in as a user without using a password.
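What secretsdump.py does here is ask the domain controller to replicate its directory, which is only possible because the backup account holds the replication rights; a defender sees exactly that request as Security event 4662 on the DC. This is an added example, not part of the original writeup or the room: it scans constructed 4662 records for replication control-access rights exercised by a principal that is not a known replicator. The allowlist containing `ATTACKTIVEDIREC$` (the DC's machine account, taken from the Nmap output) is an assumption, and the all-zero GUID stands in for some unrelated attribute.

```python
import re

# Extended rights on the domain naming context that a directory replication
# request exercises. These are the Active Directory schema GUIDs for the rights.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals that legitimately replicate: domain controller machine accounts and
# any sync service you know about. Constructed allowlist for this example.
EXPECTED_REPLICATORS = {"ATTACKTIVEDIREC$"}

# Constructed sample of Security event 4662 (operation performed on an object),
# one event per line, using the event's XML data names. The all-zero GUID on the
# third line is a placeholder for an unrelated attribute.
SAMPLE_4662 = """\
SubjectUserName=backup ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2},{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
SubjectUserName=ATTACKTIVEDIREC$ ObjectType=%{19195a5b-6da0-11d0-afd3-00c04fd930c9} Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
SubjectUserName=svc-admin ObjectType=%{bf967aba-0de6-11d0-a285-00aa003049e2} Properties={00000000-0000-0000-0000-000000000000} AccessMask=0x10
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_4662(text):
    """Turn the one-line-per-event text above into a list of field dicts."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_dcsync(events, expected=EXPECTED_REPLICATORS):
    """Flag 4662 events where a principal outside the allowlist exercised a
    replication right. AccessMask 0x100 is Control Access, the mask these
    extended rights are checked with."""
    hits = []
    for ev in events:
        if ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = [REPL_RIGHTS[g.lower()] for g in GUID_RE.findall(ev.get("Properties", ""))
                  if g.lower() in REPL_RIGHTS]
        if rights and ev["SubjectUserName"] not in expected:
            hits.append({"user": ev["SubjectUserName"], "rights": rights})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(parse_4662(SAMPLE_4662)):
        print(hit)
```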

Now, let's quickly install evil-winrm using the command `sudo gem install evil-winrm`.

(Screenshot: evil-winrm help output showing the flag used to pass a hash)

Now, before moving to the next task, let's see the answers for Task 7.
