Attacktive Directory : TryHackMe Writeup

0liverFlow
8 min read · Jun 12, 2023


Attacktive Directory

99% of corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

In this room, we are going to learn how to exploit a vulnerable Domain Controller and get full control over it.

Specifically, we will learn how to:

  • Enumerate a domain’s users using Kerbrute
  • Exploit Kerberos misconfigurations using Impacket
  • Crack hashes using hashcat
  • Perform further enumeration after gaining initial access to the target system using smbclient
  • Elevate our privileges within the Domain

[Task 1] Deploy the machine

Deploy your attacker machine as well as the attacktive directory machine.

[Task 2] Setup

Impacket is a collection of Python classes for working with network protocols. It is widely used in the field of cybersecurity for various purposes, including network analysis, penetration testing, and security assessments.

BloodHound is a single page JavaScript web application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. All in all, BloodHound allows both red and blue teamers to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

[Task 3] Enumeration — Welcome to Attacktive Directory

Let’s start the enumeration with a simple Nmap host discovery and service scan:

[Figure: Nmap scan]

1°) What tool will allow us to enumerate port 139/445?

Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer protocol that allows Windows computers to talk to each other on the same network.

Port 445: later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

SMB is a network file sharing protocol that is used to share files and peripherals (printers, serial ports) between computers on a network.

Samba is the open source Linux implementation of SMB and allows Windows systems to access Linux shares and devices.

Answer: enum4linux ✅

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

[Figure: enum4linux output]

2°) What is the NetBIOS-Domain Name of the machine?

Answer: THM-AD ✅

3°) What invalid TLD do people commonly use for their Active Directory Domain?

Answer: .local ✅

[Task 4] Enumeration — Enumerating Users via Kerberos

Knowing that port 88 is open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop).

Kerbrute is a popular enumeration tool used to brute-force and enumerate valid Active Directory users by abusing Kerberos pre-authentication.

By brute-forcing Kerberos pre-authentication, you do not trigger the “account failed to log on” event, which can throw up red flags to blue teams.

Indeed, when brute-forcing through Kerberos you only need to send a single UDP frame to the KDC per candidate name, which allows you to enumerate the users on the domain from a wordlist.

Usage

[Figure: kerbrute usage]

We are going to use the userenum command in our case to enumerate valid domain users.

Here’s the syntax:

[Figure: kerbrute userenum usage]

Let’s first add the DNS domain name along with the machine IP to /etc/hosts on our attacker machine:

[Figure: Adding a new entry to the /etc/hosts file]

Syntax: kerbrute userenum -d DOMAIN_NAME --dc DOMAIN_CONTROLLER_IP user_wordlists.txt

[Figure: Enumerating valid usernames using kerbrute]

Answer the questions below

1°) What command within Kerbrute will allow us to enumerate valid usernames?

Answer: userenum ✅

2°) What notable account is discovered? (These should jump out at you)

Answer: svc-admin ✅

3°) What other notable account is discovered? (These should jump out at you)

Answer: backup ✅

[Task 5] Exploitation — Abusing Kerberos

Introduction

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting.

ASREPRoasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos ticket for the specified user account.
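The two Kerberos points above, the user enumeration that avoids failed-logon events and the accounts that skip pre-authentication, are both visible to a defender in the domain controller's Security log and in the directory itself. The following Python is an added example, not code from this writeup, from Kerbrute or from Impacket. It runs over constructed, flattened Security event 4768 ("A Kerberos authentication ticket (TGT) was requested") lines and a constructed list of userAccountControl values: the field names and the 0x400000 flag are real, every value (times, names, addresses) is made up. It makes the caveat to the "no red flags" claim concrete: a wordlist-based userenum still leaves a burst of 4768 events with result code 0x6 (unknown principal) from one source address, and a successful 4768 with pre-authentication type 0 and RC4 (0x17) encryption is exactly the request an AS-REP roast produces.

```python
import re
from collections import defaultdict

# Constructed, flattened rendering of Security event 4768: one event per line
# as key=value pairs. Field names are the real 4768 names; values are made up.
SAMPLE_4768 = """\
Time=1000 TargetUserName=alice TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1000 TargetUserName=bob TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1001 TargetUserName=carol TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1001 TargetUserName=dave TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1002 TargetUserName=erin TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1002 TargetUserName=frank TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1002 TargetUserName=james TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x19 PreAuthType=- TicketEncryptionType=0xffffffff
Time=1003 TargetUserName=svc-admin TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
Time=1100 TargetUserName=administrator TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.10.50 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
Time=5000 TargetUserName=adminstrator TargetDomainName=SPOOKYSEC.LOCAL IpAddress=10.10.10.60 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn the flattened lines into dicts; Time becomes an int (epoch seconds)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = dict(FIELD_RE.findall(line))
            e["Time"] = int(e["Time"])
            events.append(e)
    return events


def detect_user_enumeration(events, threshold=5, window=60):
    """Source IPs that requested TGTs for `threshold` or more distinct *unknown*
    principals (result code 0x6) within `window` seconds. A userenum run over a
    wordlist leaves this pattern; a user mistyping their name once does not."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"].lower() == "0x6":
            by_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"]))
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            names = {name for t, name in hits[i:] if t - start <= window}
            if len(names) >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_asrep_roast(events):
    """(user, source IP) for successful TGT requests made with no pre-auth
    (PreAuthType 0) and RC4 (etype 0x17): the AS-REP returned for such a
    request is the material that gets cracked offline."""
    return [
        (e["TargetUserName"], e["IpAddress"])
        for e in events
        if e["Status"].lower() == "0x0"
        and e["PreAuthType"] == "0"
        and e["TicketEncryptionType"].lower() == "0x17"
    ]


# userAccountControl bit for "Do not require Kerberos preauthentication".
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Constructed (sAMAccountName, userAccountControl) pairs, as an LDAP query
# would return them; not the lab's real values.
SAMPLE_ACCOUNTS = [
    ("administrator", 0x10200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD
    ("svc-admin", 0x400200),     # NORMAL_ACCOUNT | DONT_REQUIRE_PREAUTH
    ("backup", 0x200),           # NORMAL_ACCOUNT
]


def accounts_without_preauth(accounts):
    """Accounts with the pre-auth-not-required bit set: the ones an AS-REP
    roast can target, and the ones to fix (clear the flag or rotate to a long
    random password)."""
    return [name for name, uac in accounts if uac & UF_DONT_REQUIRE_PREAUTH]


if __name__ == "__main__":
    events = parse_events(SAMPLE_4768)
    print("enumeration sources:", detect_user_enumeration(events))
    print("AS-REP roast candidates:", detect_asrep_roast(events))
    print("pre-auth disabled:", accounts_without_preauth(SAMPLE_ACCOUNTS))
```

Failed 4768 events only appear when failure auditing for the "Kerberos Authentication Service" subcategory is enabled on the domain controllers; the 0x19 result (pre-authentication required) that a valid, pre-auth-protected user produces is deliberately not counted, since that is the KDC doing its job.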

Retrieving Kerberos Tickets

Impacket has a tool called “GetNPUsers.py” that will allow us to query ASREPRoastable accounts from the Key Distribution Center (KDC). The only thing that’s necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.

Remember: Impacket may also need you to use a Python version >=3.7. In the AttackBox you can do this by running your command with python3.9 /opt/impacket/examples/GetNPUsers.py.

[Figure: Kerbrute results]

Copy the usernames above and paste them into a users.txt file, then save the file.

Let’s now query ASREPRoastable accounts from the Key Distribution Center (KDC) using Impacket’s GetNPUsers tool:

[Figure: Querying ASREPRoastable accounts using GetNPUsers]

Excellent! We got one account (svc-admin) that is ASREPRoastable.

1°) We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

Answer: svc-admin ✅

Let’s now try to crack the service account’s hash in order to retrieve its password. For that we first need to determine the hash type. A good resource for that is the hashcat example hashes wiki page:

[Figure: Determining the hash type using the hashcat example hashes wiki page]

2°) Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Answer: Kerberos 5, etype 23, AS-REP ✅

3°) What mode is the hash?

Answer: 18200 ✅
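To see what a “Kerberos 5, etype 23, AS-REP” hash actually contains, here is an added Python parser for the hashcat-layout string that GetNPUsers prints; it is not code from this writeup, from Impacket or from hashcat. The sample hash is a constructed placeholder with the same shape as the svc-admin one (the hex is dummy data, not the real AS-REP), and HASHCAT_MODES only covers etype 23, the mode identified above; other encryption types use a different layout and are rejected rather than guessed at.

```python
import re

# Hashcat layout of an RC4 (etype 23) AS-REP hash as printed by GetNPUsers:
#   $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
# The checksum is the HMAC-MD5 carried in the AS-REP's EncryptedData; a cracker
# derives the RC4-HMAC key from each candidate password and checks it against
# the encrypted part, which is why a weak password on such an account falls fast.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata2>[0-9a-fA-F]+)$"
)

# hashcat modes for the layouts this parser understands.
HASHCAT_MODES = {23: 18200}  # "Kerberos 5, etype 23, AS-REP"


def parse_asrep_hash(h):
    """Split the hash into its fields, or raise ValueError if it is not an
    etype-23 AS-REP hash in hashcat layout."""
    m = ASREP_RE.match(h.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash in hashcat layout")
    etype = int(m["etype"])
    if etype not in HASHCAT_MODES:
        raise ValueError(f"etype {etype} uses a different layout; only 23 is handled")
    if len(m["edata2"]) % 2:
        raise ValueError("encrypted part is not a whole number of bytes")
    return {
        "user": m["user"],
        "realm": m["realm"],
        "etype": etype,
        "hashcat_mode": HASHCAT_MODES[etype],
        "checksum": bytes.fromhex(m["checksum"]),
        "edata2": bytes.fromhex(m["edata2"]),
    }


def is_asrep_hash(h):
    """True when parse_asrep_hash accepts the string."""
    try:
        parse_asrep_hash(h)
        return True
    except ValueError:
        return False


# Constructed placeholder (dummy hex), shaped like the svc-admin hash from this room.
SAMPLE_HASH = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
    + "00112233445566778899aabbccddeeff" + "$" + "0123456789abcdef" * 8
)


def summarize(h):
    """One-line triage string: which account and realm are exposed and which
    cracking mode applies to the captured material."""
    p = parse_asrep_hash(h)
    return (f"{p['user']}@{p['realm']} etype={p['etype']} "
            f"mode={p['hashcat_mode']} edata2={len(p['edata2'])} bytes")


if __name__ == "__main__":
    print(summarize(SAMPLE_HASH))
```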

Great! Now that we have an idea about the hash type we can try to crack it using hashcat as follows:

[Figure: Cracking the Kerberos 5, etype 23, AS-REP hash using hashcat]

4°) Now crack the hash with the modified password list provided. What is the user account’s password?

Answer: management2005 ✅

[Task 6] Enumeration — Back to basics

Enumeration:

With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.

1°) What utility can we use to map remote SMB shares?

Answer: smbclient ✅

smbclient is an ftp-like client to access SMB/CIFS resources on servers.

2°) Which option will list shares?

Answer: -L ✅

Syntax: smbclient -L DOMAIN_CONTROLLER_IP -U [Domain\]Username[%Password]

[Figure: Listing shares using smbclient]

In order to find the permissions associated with every share, we can use smbmap:

[Figure: Share permissions from smbmap and recursive download with smbget]

In the figure above, we used smbget (a wget-like utility for downloading files over SMB) to recursively download the backup share’s files into the current working directory (share_content).

3°) There is one particular share that we have access to that contains a text file. Which share is it?

Answer: backup ✅

4°) What is the content of the file?

Answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODY ✅

[Figure: Decoding the backup_credentials.txt file]

5°) Decoding the contents of the file, what is the full contents?

Answer: backup@spookysec.local:backup2517860 ✅

[Task 7] Domain Privilege Escalation — Elevating Privileges within the Domain

Let’s Sync Up!

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account, “backup”, gets us thinking. What does this backup account do?

Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced to this user account. This includes password hashes.

Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (which is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD domain.
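Two things a defender wants to check about the situation just described, as an added Python example that is not code from this writeup, from Impacket or from any Microsoft tooling: which principals hold the directory replication rights that make secretsdump’s DRSUAPI method work, and what it looks like in the Security log when someone who is not a domain controller exercises them. The three extended-right GUIDs are the real ones; the ACE list, the 4662 event lines, the DC01$ computer account and the THM-AD\backup trustee are constructed for the example (the page only tells us that backup has the sync permission, not the actual ACL).

```python
import re
from collections import defaultdict

# Extended-right GUIDs on the domain object. A principal holding the first two
# together can pull every object's secrets through the replication service,
# which is the "DRSUAPI" method secretsdump reports.
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL, GET_CHANGES_FILTERED}

# Principals that replicate by default; anything else holding both rights is a finding.
EXPECTED_REPLICATORS = {
    "BUILTIN\\Administrators",
    "THM-AD\\Domain Controllers",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
}

# Constructed (trustee, extended-right GUID) ACEs as read off the domain head's
# DACL. Not the lab's real ACL; "backup" holding both rights is the situation
# this task describes, "helpdesk" holding only one cannot dump secrets.
SAMPLE_ACES = [
    ("BUILTIN\\Administrators", GET_CHANGES),
    ("BUILTIN\\Administrators", GET_CHANGES_ALL),
    ("THM-AD\\Domain Controllers", GET_CHANGES),
    ("THM-AD\\Domain Controllers", GET_CHANGES_ALL),
    ("THM-AD\\backup", GET_CHANGES),
    ("THM-AD\\backup", GET_CHANGES_ALL),
    ("THM-AD\\helpdesk", GET_CHANGES),
]


def dcsync_capable(aces):
    """Trustees that hold both Get-Changes and Get-Changes-All."""
    rights = defaultdict(set)
    for trustee, guid in aces:
        rights[trustee].add(guid.lower())
    return sorted(t for t, g in rights.items() if {GET_CHANGES, GET_CHANGES_ALL} <= g)


def unexpected_replicators(aces, expected=EXPECTED_REPLICATORS):
    """The audit finding: replication-capable trustees outside the expected set."""
    return [t for t in dcsync_capable(aces) if t not in expected]


# Constructed, flattened Security event 4662 lines ("An operation was performed
# on an object"); real field names, made-up values. Properties lists the GUIDs
# of the rights exercised, AccessMask 0x100 is "control access".
SAMPLE_4662 = """\
EventID=4662 SubjectUserName=DC01$ SubjectDomainName=THM-AD AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=backup SubjectDomainName=THM-AD AccessMask=0x100 Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=alice SubjectDomainName=THM-AD AccessMask=0x10 Properties=bf967aba-0de6-11d0-a285-00aa003049e2
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_4662(line):
    """Parse one flattened event; Properties becomes a set of lowercase GUIDs."""
    e = dict(FIELD_RE.findall(line))
    e["Properties"] = set(e.get("Properties", "").lower().split(";"))
    return e


def detect_dcsync(text, dc_accounts):
    """(user, [replication GUIDs used]) for 4662 events where a principal that is
    not a known domain-controller computer account exercised a replication right."""
    dcs = {a.upper() for a in dc_accounts}
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = parse_4662(line)
        used = e["Properties"] & REPLICATION_GUIDS
        if e.get("EventID") != "4662" or not used:
            continue
        if e["SubjectUserName"].upper() in dcs:
            continue  # DC-to-DC replication is the normal source of these events
        hits.append((e["SubjectUserName"], sorted(used)))
    return hits


if __name__ == "__main__":
    print("unexpected replicators:", unexpected_replicators(SAMPLE_ACES))
    print("DCSync-like events:", detect_dcsync(SAMPLE_4662, {"DC01$"}))
```

Event 4662 is only written when success auditing for the "Directory Service Access" subcategory is enabled and the domain object's SACL audits control-access operations; without that, the ACL review in unexpected_replicators is the only one of the two checks that works, and it is also the one that removes the exposure rather than merely observing it.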

1°) What method allowed us to dump NTDS.DIT?

NTDS stands for New Technologies Directory Services and DIT stands for Directory Information Tree. You can find the NTDS.DIT file under “C:\Windows\NTDS”. This file acts as the database for Active Directory and stores all of its data, including all the credentials.

Answer: DRSUAPI ✅

[Figure: Retrieving accounts’ password hashes using secretsdump]

2°) What is the Administrator’s NTLM hash?

Answer: 0e0363213e37b94221497260b0bcb4fc ✅

3°) What method of attack could allow us to authenticate as the user without the password?

Answer: pass the hash ✅

[Figure: evil-winrm usage]

4°) Using a tool called Evil-WinRM what option will allow us to use a hash?

Answer: -H ✅

[Task 8] Flag Submission Panel

Flag Submission Panel

Submit the flags for each user account. They can be located on each user’s desktop.

[Figure: Administrator account’s flag]

1°) Administrator

Answer: TryHackMe{4ctiveD1rectoryM4st3r} ✅

[Figure: svc-admin account’s flag]

2°) svc-admin

Answer: TryHackMe{K3rb3r0s_Pr3_4uth} ✅

[Figure: backup account’s flag]

3°) backup

Answer: TryHackMe{B4ckM3UpSc0tty!} ✅

Well done guys 👏!

That’s all for this interesting Capture The Flag.
