TryHackMe: Attacktive Directory - Walkthrough

December 23, 2024
Jasper

Welcome! It is time to look at the Attacktive Directory room of THM. I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Attacktive Directory room

Room URL: https://tryhackme.com/room/attacktivedirectory


Task 1 (Deploy the machine)

I assume you have tried this before. Start up the machine on THM, and start up your Kali machine or AttackBox. Let’s move on.


Task 2 (Setup)

The only thing to do here is installing Impacket, BloodHound and Neo4j (BloodHound and Neo4j are not needed for the path this walkthrough takes, but the room asks for them).

In summary you need to take these steps:

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

The SecureAuthCorp repository now redirects to fortra/impacket, so the clone still works. setup.py install is deprecated on current Python; pip3 install /opt/impacket does the same job. Either way the example scripts (GetNPUsers.py, secretsdump.py) end up under /opt/impacket/examples.

Read the instructions on THM if you need more help. If you use an AttackBox you are likely ready to go!

Questions

Install Impacket, Bloodhound and Neo4j

Answer: No answer needed.


Task 3 (Welcome to Attacktive Directory)

Basic enumeration starts out with an nmap scan. Nmap is a relatively complex utility that has been refined over the years to detect what ports are open on a device, what services are running, and even what operating system is running. It is important to note that not all services are detected correctly or enumerated to their fullest potential. However capable nmap is, it cannot enumerate everything, so after the initial nmap scan we will be using other utilities to enumerate the services running on the device.

For more information on nmap, check out the nmap room.

Questions

Let’s start by running an nmap scan before answering the questions. For this I use the following command:

nmap -sV -sC -oN nmap.out <target ip>

This gives the following results:

Results of running nmap

We see a bunch of services: DNS, IIS, Kerberos, RPC, NetBIOS/SMB, LDAP (Active Directory), RDP and more! Now we can start answering questions.

What tool will allow us to enumerate port 139/445?

Ports 139 and 445 are used by SMB. To enumerate SMB a great tool to use is enum4linux.

Answer: enum4linux

What is the NetBIOS-Domain Name of the machine?

Here we can simply run:

enum4linux <target ip>

The NetBIOS domain name is mentioned several times in the output.

Answer: THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

TLD stands for Top Level Domain. If we look back at the nmap results, we can see the AD domain mentioned in the script output for port 3389. The domain is called spookysec.local. The .local TLD is reserved for multicast DNS (RFC 6762), so it cannot be registered and can clash with mDNS resolution, which is why Microsoft now recommends using a subdomain of a domain you own instead.

Answer: local


Task 4 (Enumerating Users via Kerberos)

A whole host of other services are running, including Kerberos on port 88. Kerberos is the primary authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to enumerate valid usernames, brute force passwords and even password spray. Username enumeration works because the KDC answers an AS-REQ for an unknown principal with a different error (KDC_ERR_C_PRINCIPAL_UNKNOWN) than for an existing one (KDC_ERR_PREAUTH_REQUIRED), and since no password is ever tried, this does not count against the account's bad-password counter.

For this box, a modified user list and password list will be used to cut down on the time spent enumerating users and cracking password hashes. It is NOT recommended to brute force credentials, because we cannot enumerate the domain's account lockout policy from the outside, and locking out accounts is both noisy and disruptive.

Questions

What command within Kerbrute will allow us to enumerate valid usernames?

Kerbrute's README (in the GitHub repository the release below comes from) lists its subcommands. The one that enumerates valid usernames is userenum.

Answer: userenum

What notable account is discovered? (These should jump out at you)

First we need to download a Kerbrute release binary. I used:

wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

Then run chmod +x kerbrute_linux_amd64 to make it executable. We can then use ./kerbrute_linux_amd64 to run Kerbrute.

To discover user accounts we can now run:

./kerbrute_linux_amd64 userenum --dc <target ip> -d spookysec.local userlist.txt

The userlist we need to use is found here:

https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt

Running the command gives us the following:

Using Kerbrute to find Kerberos users

There are some interesting accounts here. The ones that stand out are svc-admin and backup.

Answer: svc-admin

What other notable account is discovered? (These should jump out at you)

Answer: backup


Task 5 (Abusing Kerberos)

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called AS-REP Roasting. AS-REP Roasting targets accounts that have the “Do not require Kerberos preauthentication” flag set (DONT_REQ_PREAUTH in userAccountControl). Normally a client must first prove knowledge of the password by sending an encrypted timestamp (pre-authentication) before the KDC will issue anything. Without that requirement, anyone who knows the username can send an AS-REQ and receive an AS-REP whose encrypted part is protected with a key derived from the user's password, and that encrypted blob can be cracked offline.

Retrieving Kerberos Tickets

Impacket has a tool called “GetNPUsers.py” (located in impacket/examples/GetNPUsers.py) that will allow us to query AS-REP roastable accounts from the Key Distribution Center. The only thing that's necessary to query accounts is a list of valid usernames, which we enumerated previously via Kerbrute; no password is needed, because that is precisely what the missing pre-authentication check leaves out.

Questions

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

It’s time to find the GetNPUsers script, which is located at /opt/impacket/examples:

Finding the script

You can quickly get to the folder by running impacket in the terminal, after which you can change directory to the examples folder.

Afterwards, add the two usernames from before (svc-admin and backup) to a simple text file, users.txt.

We can then run:

python3 GetNPUsers.py -no-pass -usersfile ./users.txt -dc-ip <target ip> spookysec.local/

The domain argument must be the full realm, spookysec.local, followed by a slash; the hash is printed in hashcat's format by default.

This returns that the user svc-admin can request a ticket with no password! We get the following AS-REP hash:

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c

Answer: svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

On the hashcat example hashes wiki page, the entry that starts with the same characters ($krb5asrep$23$) is hash mode 18200. The name given for this hash type is Kerberos 5 AS-REP etype 23 (newer hashcat versions list it as Kerberos 5, etype 23, AS-REP).

Answer: Kerberos 5 AS-REP etype 23

What mode is the hash?

Answer: 18200

Now crack the hash with the modified password list provided, what is the user accounts password?

Now that we know the mode, we can use hashcat to crack the Kerberos hash. Make sure you save the complete hash line to a file (hash.txt below). You also need to save the password list located at https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt.

Then run the following command:

hashcat -m 18200 hash.txt passwordlist.txt

This gives us the answer:

Cracking the Kerberos hash

It is on the end of the string.

Answer: management2005


Task 6 (Back to the Basics)

We are halfway through the Attacktive Directory room. Let’s move on!
With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.

Questions

What utility can we use to map remote SMB shares?

Answer: smbclient

Which option will list shares?

You can find this answer by running man smbclient.

The answer is -L.

Answer: -L

How many remote shares is the server listing?

Run the following command and enter svc-admin’s password (management2005) when prompted:

smbclient -L <target ip> -U svc-admin
Listing the SMB shares as svc-admin

The number is 6.

Answer: 6

There is one particular share that we have access to that contains a text file. Which share is it?

We can run the following command to access the backup share as svc-admin:

smbclient \\\\<target ip>\\backup -U svc-admin
Accessing the backup share

Answer: backup

What is the content of the file?

The share contains a single text file. Download it with get and read it locally; its content is one base64 string.

Answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

The content is base64. Decode it locally (base64 -d on Linux) rather than pasting credentials into an online decoder.

This turns out to be a username and password!

Answer: backup@spookysec.local:backup2517860


Task 7 (Elevating Privileges within the Domain)

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account for?

In this room it is the backup account for the Domain Controller, and it has been granted the directory replication rights normally held only by domain controllers and Domain Admins (the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights on the domain). With those, the account can ask the DC to replicate every object to it, password hashes included. This is the DCSync technique.

Knowing this, we can use another tool within Impacket called “secretsdump.py”. Given the backup credentials, it talks to the DC over the DRSUAPI RPC interface, behaves like a replication partner, and pulls the NTLM hashes of every account in NTDS.DIT. With the Administrator’s hash in hand we effectively have full control over the AD domain.
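An added detection-side example (my own code, not the room's, Impacket's or Microsoft's): given the domain object's DACL in SDDL form, list which principals hold the replication extended rights that DCSync needs, and flag any that are not the expected built-in holders. The SDDL string and the S-1-5-21-...-1107 SID standing in for an account like backup are constructed; the three extended-right GUIDs are the real schema values. It only looks at allow ACEs on the one object and ignores group membership, deny entries and conditional ACEs, so treat it as a triage aid over an SDDL you have exported yourself, not as a complete ACL evaluation.

```python
import re

# Extended-right GUIDs (controlAccessRight objects in the AD schema).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DCSYNC_SET = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
# SDDL aliases for principals expected to hold these rights on the domain naming context:
# Domain Admins, Enterprise Admins, Administrators, SYSTEM, Enterprise Domain Controllers.
EXPECTED_HOLDERS = {"DA", "EA", "BA", "SY", "ED"}

ACE_RE = re.compile(r"\(([^()]*)\)")  # plain ACEs only; conditional ACEs nest parentheses

def parse_aces(sddl: str):
    """Yield (ace_type, flags, rights, object_guid, inherit_guid, sid) for each ACE."""
    for body in ACE_RE.findall(sddl):
        parts = body.split(";")
        if len(parts) != 6:
            continue
        ace_type, flags, rights, obj, inh, sid = parts
        yield ace_type, flags, rights, obj.lower(), inh.lower(), sid

def rights_granted(rights: str, obj_guid: str):
    """Map an ACE's access mask and object GUID to the replication rights it confers."""
    if rights.startswith("0x"):
        mask = int(rights, 16)
        control_access, generic_all = bool(mask & 0x100), bool(mask & 0x10000000)
    else:
        # Rights are concatenated two-letter codes; split them so "RCRP" is not read as "CR".
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        control_access, generic_all = "CR" in codes, "GA" in codes
    if generic_all or (control_access and obj_guid == ""):
        return set(REPL_RIGHTS.values())  # unscoped CR or GA covers every extended right
    if control_access and obj_guid in REPL_RIGHTS:
        return {REPL_RIGHTS[obj_guid]}
    return set()

def dcsync_principals(sddl: str):
    """Return {sid: set(replication rights)} for every allow ACE that grants one."""
    found = {}
    for ace_type, _flags, rights, obj, _inh, sid in parse_aces(sddl):
        if ace_type not in ("A", "OA"):  # skip deny (D/OD) and audit (AU/OU) entries
            continue
        granted = rights_granted(rights, obj)
        if granted:
            found.setdefault(sid, set()).update(granted)
    return found

def unexpected_dcsync(sddl: str):
    """Principals holding the Get-Changes + Get-Changes-All pair that are not built-in holders."""
    return {sid: sorted(r) for sid, r in dcsync_principals(sddl).items()
            if DCSYNC_SET <= r and sid not in EXPECTED_HOLDERS}

# Constructed DACL for the domain NC: admins and DCs as usual, plus a rogue grant to a
# user SID standing in for an account like "backup" (the domain SID and RID are made up).
SAMPLE_SDDL = (
    "O:DAG:DAD:"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1107)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1111111111-2222222222-3333333333-1107)"
    "(A;;RPLCLORC;;;AU)"
    "(A;;GA;;;SY)"
)

if __name__ == "__main__":
    for sid, rights in unexpected_dcsync(SAMPLE_SDDL).items():
        print(f"ALERT {sid} can DCSync: {', '.join(rights)}")
```

Any user or group outside DA/EA/BA/SY/ED that shows up with both Get-Changes and Get-Changes-All is a DCSync path; in the room that is exactly what backup has. Resolve the SIDs to names and walk group membership before drawing conclusions, since the rights are often granted to a group rather than to the user directly.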

Questions

What method allowed us to dump NTDS.DIT?

Run secretsdump.py as backup (domain/user:password@<target ip>) against the DC and look at the output: the method used is printed before the NTDS.DIT hashes.

Using secretsdump to retrieve password hashes

Answer: DRSUAPI

What is the Administrator’s NTLM hash?

secretsdump prints each account as user:RID:LM-hash:NT-hash:::, and the hash to use is the NT hash, the fourth field of the Administrator line.

Answer: 0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

https://en.wikipedia.org/wiki/Pass_the_hash

Answer: pass the hash

Using a tool called Evil-WinRM what option will allow us to use a hash?

The README at https://github.com/Hackplayers/evil-winrm documents the option: -H takes the NTLM hash in place of a password (-p).

Answer: -H

Task 8 (Flag Submission Panel)

Submit the flags for each user account. They can be located on each user’s desktop.

Questions

We start by running the following command:

evil-winrm -i <target ip> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

This gives us the following result:

Using WinRM to authenticate without a password

We now have admin access!

Now we can visit each user’s desktop to find the flag.

svc-admin

Reading the svc-admin flag

Answer: TryHackMe{K3rb3r0s_Pr3_4uth}

Now do the same for the other users.

backup

Reading the backup flag

Answer: TryHackMe{B4ckM3UpSc0tty!}

Administrator

Reading the administrator flag

Answer: TryHackMe{4ctiveD1rectoryM4st3r}

We are done with Attacktive Directory! Great job.

This was at times slightly difficult for me, as THM has until now not given me tons of experience hacking Active Directory. It was definitely fun though and has taught me tons!

Thank you for reading!

