[TryHackMe][CompTIA_Pentest+][Attacktive_Directory]


Summary:

99% of corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

Tasks
Setup

# Install BloodHound and its neo4j backend
# sudo apt install bloodhound neo4j -y
# Install Impacket from source
# sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
# sudo pip3 install -r /opt/impacket/requirements.txt
# cd /opt/impacket/
# sudo pip3 install .

Welcome to Attacktive Directory

Question : What tool will allow us to enumerate port 139/445?

Answer : enum4linux

Question : What is the NetBIOS-Domain Name of the machine?

Answer : THM-AD

Question : What invalid TLD do people commonly use for their Active Directory Domain?

Answer : .local

Enumerating Users via Kerberos

Question : What command within Kerbrute will allow us to enumerate valid usernames?

Answer : userenum

Question : What notable account is discovered? (These should jump out at you)

Answer : svc-admin

Question : What is the other notable account discovered? (These should jump out at you)

Answer : backup

Abusing Kerberos

Question : We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

Answer : svc-admin

Question : Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Answer : Kerberos 5 AS-REP etype 23

Question : What mode is the hash?

Answer : 18200

Question : Now crack the hash with the modified password list provided. What is the user account's password?

Answer : management2005

Back to the Basics

Question : What utility can we use to map remote SMB shares?

Answer : smbclient

Question : Which option will list shares?

Answer : -L

Question : How many remote shares is the server listing?

Answer : 6

Question : There is one particular share that we have access to that contains a text file. Which share is it?

Answer : backup

Question : What is the content of the file?

Answer : YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Question : Decoding the contents of the file, what is the full contents?

Answer : backup@spookysec.local:backup2517860

Elevating Privileges within the Domain

Question : What method allowed us to dump NTDS.DIT?

Answer : DRSUAPI

Question : What is the Administrator's NTLM hash?

Answer : 0e0363213e37b94221497260b0bcb4fc

Question : What method of attack could allow us to authenticate as the user without the password?

Answer : Pass The Hash

Question : Using a tool called Evil-WinRM, what option will allow us to use a hash?

Answer : -H

Flag Submission Panel

Question : svc-admin

Answer : TryHackMe{K3rb3r0s_Pr3_4uth}

Question : backup

Answer : TryHackMe{B4ckM3UpSc0tty!}

Question : Administrator

Answer : TryHackMe{4ctiveD1rectoryM4st3r}