Attacktive Directory

Room Link: https://tryhackme.com/room/attacktivedirectory

Walkthrough

Setup

Installing Impacket

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

Installing Bloodhound and Neo4j

apt install bloodhound neo4j

Installing kerbrute

git clone https://github.com/ropnop/kerbrute.git
cd kerbrute/
make all

Custom username and password lists for this machine

Welcome to Attacktive Directory

Initial Scan

Scan all ports

netbios-ssn port 139 & microsoft-ds port 445

The NetBIOS-Domain Name of the machine

Enumerating Users via Kerberos port 88

Abusing Kerberos

validusers.txt

svc-admin allows us to get a ticket without a password. The hash type is Kerberos 5 etype 23 AS-REP.

Cracking the hash reveals the password: management2005
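The same step seen from the domain controller, as an added example that is not part of the original walkthrough: a ticket request answered without pre-authentication is logged as Event ID 4768 with PreAuthType 0, and etype 23 shows up as TicketEncryptionType 0x17. The event records, the IP addresses, and the example-user and nosuchuser accounts are constructed sample data.

```python
# Added example (not from the walkthrough): flag Event ID 4768 TGT requests
# that were answered without Kerberos pre-authentication.

RC4_HMAC = 0x17    # etype 23, the AS-REP hash type named in the walkthrough
NO_PREAUTH = 0     # PreAuthType 0: ticket issued with no pre-authentication

SAMPLE_EVENTS = [  # constructed records using Event 4768 EventData field names
    {"EventID": 4768, "TargetUserName": "svc-admin", "Status": "0x0",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "::ffff:192.0.2.50"},
    {"EventID": 4768, "TargetUserName": "backup", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:192.0.2.21"},
    {"EventID": 4768, "TargetUserName": "example-user", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "0", "IpAddress": "::ffff:192.0.2.50"},
    {"EventID": 4768, "TargetUserName": "nosuchuser", "Status": "0x6",
     "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "IpAddress": "::ffff:192.0.2.50"},
]


def to_int(value):
    """Parse '0x17' or '2'; return None for '-' or a missing field."""
    try:
        return int(str(value), 0)
    except ValueError:
        return None


def find_asrep_without_preauth(events):
    """Return one finding per successful TGT request made without pre-auth."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("Status") != "0x0":
            continue  # failed requests (e.g. 0x6, unknown user) return no AS-REP
        if to_int(ev.get("PreAuthType")) != NO_PREAUTH:
            continue  # pre-authenticated logon, normal behaviour
        etype = to_int(ev.get("TicketEncryptionType"))
        findings.append({
            "account": ev.get("TargetUserName"),
            "source": ev.get("IpAddress", "").replace("::ffff:", ""),
            "etype": etype,
            # RC4 (etype 23) replies are the cheapest to attack offline
            "severity": "high" if etype == RC4_HMAC else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_asrep_without_preauth(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['account']} from {f['source']} etype={f['etype']}")
```

Any account this reports should have "Do not require Kerberos preauthentication" cleared and its password rotated.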

Back to the Basics

netbios-ssn port 139 & microsoft-ds port 445

It's a base64-encoded username and password: backup@spookysec.local:backup2517860

Elevating Privileges within the Domain - WinRM port 5985

Flag Submission Panel

Login as Administrator
