[TryHackMe][CompTIA_Pentest+][Active_Directory_Basics]

Wednesday. May 25, 2022 - 3 mins

Summary:

Learn the basics of Active Directory and how it is used in the real world today.

Tasks

Setup
Welcome to Attacktive Directory
Enumerating Users via Kerberos
Abusing Kerberos
Back to the Basics
Elevating Privileges within the Domain
Flag Submission Panel

Setup

# apt install bloodhound neo4j -y
# sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
# sudo pip3 install -r /opt/impacket/requirements.txt
# cd /opt/impacket/
# sudo pip3 install .
# sudo python3 setup.py install

Welcome to Attacktive Directory

Question : What tool will allow us to enumerate port 139/445?

Answer : enum4linux

Question : What is the NetBIOS-Domain Name of the machine?

Answer : THM-AD

Question : What invalid TLD do people commonly use for their Active Directory Domain?

Answer : .local

Enumerating Users via Kerberos

Question : What command within Kerbrute will allow us to enumerate valid usernames?

Answer : userenum

Question : What notable account is discovered? (These should jump out at you)

Answer : svc-admin

Question : What is the other notable account is discovered? (These should jump out at you)

Answer : backup

Abusing Kerberos

Question : We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

Answer : svc-admin

Question : Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Answer : Kerberos 5 AS-REP etype 23

Question : What mode is the hash?

Answer : 18200

Question : Now crack the hash with the modified password list provided, what is the user accounts password?

Answer : management2005

Back to the Basics

Question : What utility can we use to map remote SMB shares?

Answer : smbclient

Question : Which option will list shares?

Answer : -L

Question : How many remote shares is the server listing?

Answer : 6

Question : There is one particular share that we have access to that contains a text file. Which share is it?

Answer : backup

Question : What is the content of the file?

Answer : YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Question : Decoding the contents of the file, what is the full contents?

Answer : backup@spookysec.local:backup2517860

Elevating Privileges within the Domain

Question : What method allowed us to dump NTDS.DIT?

Answer : DRSUAPI

Question : What is the Administrators NTLM hash?

Answer : 0e0363213e37b94221497260b0bcb4fc

Question : What method of attack could allow us to authenticate as the user without the password?

Answer : Pass The Hash

Question : Using a tool called Evil-WinRM what option will allow us to use a hash?

Answer : -H

Flag Submission Panel

Question : svc-admin

Answer : TryHackMe{K3rb3r0s_Pr3_4uth}

Question : backup

Answer : TryHackMe{B4ckM3UpSc0tty!}

Question : Administrator

Answer : TryHackMe{4ctiveD1rectoryM4st3r}