TryHackMe: Attacktive Directory (Active Directory Pentesting Practice)
As we know, 99% of the machines in a corporate network are running Active Directory, so in this article we will be doing a room from TryHackMe to practice how to exploit a vulnerable Domain Controller.
Enumeration: Welcome to Attacktive Directory
To start our penetration test on Active Directory, the first phase is gathering intel on the machine. We can start by running the Nmap port scanner.
Nmap Command format:
nmap -sC -sV -oN <output_file_name> <machine IP>
From the Nmap result, we know that this machine is running Active Directory with the Kerberos authentication service. The Active Directory domain name is “spookysec.local”.
Now that we have the Active Directory domain name, we need to edit our /etc/hosts file to map the machine IP to the domain name.
Now let’s answer the questions in TryHackMe:
What tool will allow us to enumerate port 139/445?
Ports 139/445 are the SMB ports; we can use enum4linux to enumerate them.
The output will look something like this; it is quite long, so I read it in my text editor.
answer: enum4linux
What is the NetBIOS-Domain Name of the machine?
The NetBIOS-Domain Name is ‘THM-AD’; we can find it in the Nmap scan result under the 3389 RDP port.
answer: THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
TLD stands for “Top Level Domain”. So what is a TLD?
Take the domain name “www.study.com” as an example: the “.com” part is the Top Level Domain.
So in Active Directory, based on my experience, most of the AD machines I’ve done on HackTheBox have the invalid TLD “.local”. Let’s gather some information with our Google-Fu.
From the article below, we can see that the commonly used invalid AD TLDs are “.local” & “.internal”. In our machine the invalid TLD is “.local”, so the answer should be “.local”.
answer: .local
Enumeration: Enumerating Users via Kerberos
After enumerating open ports & SMB, we carry on the enumeration process by finding valid users through the Kerberos authentication service.
Normally, to gather usernames we need to craft our own username wordlist by scraping names from the organization’s website contact page or anywhere else we can find them.
But in this room, the room creator has saved us the time & provided the username & password wordlists.
So let’s download the user & password lists to our machine.
To find valid usernames & passwords we can use a tool called Kerbrute. You can download the tool from the link => Kerbrute.
Now let’s start enumerating usernames with the provided userlist. We can use the userenum command to enumerate the usernames.
Kerbrute enumerate user command:
kerbrute userenum -d <domain name> --dc <domain controller IP> userlist.txt
As we can see, we have just gotten a list of valid usernames.
So, let’s quickly answer the TryHackMe questions.
What command within Kerbrute will allow us to enumerate valid usernames?
To enumerate users with a user list, we use the userenum command.
answer: userenum
What notable account is discovered?
From the output, we found one quite interesting account: the ‘svc-admin’ username.
svc-admin might be a Service Administrator account used to manage the domain controllers & configure the AD Directory Server.
answer: svc-admin
What is the other notable account discovered?
Another notable account is the backup user.
answer: backup
Exploitation: Abusing Kerberos
While the rest of the usernames are being enumerated through the Kerberos authentication service, let’s check whether any of these valid usernames have “Does not require Pre-Authentication” set. This means the account does not need to provide valid identification (pre-authentication) before requesting a Kerberos ticket for the specified user account. This technique is called ASREPRoasting.
To retrieve the Kerberos tickets with ASREPRoasting, we can use one of the Impacket scripts, ‘GetNPUsers.py’, which lets us query ASREProastable accounts from the Key Distribution Center (KDC).
GetNPUsers.py command format:
impacket-GetNPUsers <Domain Name>/ -usersfile <valid username file> -format <hashcat/john> -outputfile <output file name>
Now let’s run the script to check which usernames we can query a ticket for. From the output, we have successfully queried a ticket for the ‘svc-admin’ user.
Now we need to crack the Kerberos hash to get the credential. We can use hashcat.
The Kerberos hash header ‘$krb5asrep$23$’ tells us two things:
- asrep: it is an AS-REP hash
- $23: the encryption type (etype) is 23
So based on these attributes, we know that we need hashcat mode 18200 to crack it.
Now let’s launch hashcat to crack the Kerberos hash.
Hashcat command format:
hashcat -m 18200 <kerberos hash file> <password wordlist>
The result shows that we’ve successfully cracked the password! The credential for the ‘svc-admin’ user is:
svc-admin:management2005
Now let’s quickly answer the TryHackMe questions.
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
answer: svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC?
answer: Kerberos 5, etype 23, AS-REP
What mode is the hash?
answer: 18200
Now crack the hash with the modified password list provided, what is the user accounts password?
answer: management2005
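Both the Kerbrute username enumeration above and the ASREPRoasting step leave traces on the Domain Controller: each AS-REQ is logged as Security Event ID 4768. The following detector, an added example that is not part of the room or of any tool it uses, runs over a constructed sample of 4768 events and flags a burst of unknown-principal failures from one source (wordlist enumeration) and a TGT issued with Pre-Authentication Type 0 and RC4 (an AS-REP that can be cracked offline); the IPs and usernames in the sample are made up.

```python
"""Spot Kerberos username enumeration and AS-REP roasting in Windows 4768 events.

Added example, not part of the TryHackMe room. The events below are a
constructed sample with the fields a real Event ID 4768 record carries.
"""
from collections import Counter

# Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (user does not exist), 0x0 = success.
# PreAuthType 0 together with TicketEncryptionType 0x17 (RC4-HMAC) is the
# signature of a TGT handed out without pre-authentication, i.e. roastable.
SAMPLE_4768 = [
    {"TargetUserName": "james", "IpAddress": "10.10.14.5", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"TargetUserName": "svc-admin", "IpAddress": "10.10.14.5", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
]
# A burst of non-existent usernames from the same source, as a wordlist scan produces.
SAMPLE_4768 += [
    {"TargetUserName": name, "IpAddress": "10.10.14.5", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xFFFFFFFF"}
    for name in ("alice", "bob", "carol", "dave", "erin", "frank")
]
# A single typo from an ordinary workstation should not trip the threshold.
SAMPLE_4768.append({"TargetUserName": "jame", "IpAddress": "10.10.20.8", "Status": "0x6",
                    "PreAuthType": "-", "TicketEncryptionType": "0xFFFFFFFF"})

# userAccountControl bit behind "Does not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000


def enumeration_sources(events, threshold=5):
    """Return {ip: failures} for sources with at least `threshold` unknown-principal failures."""
    counts = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def asrep_roastable_requests(events):
    """Return (user, ip) pairs where a TGT was issued without pre-auth using RC4."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"]


def preauth_not_required(user_account_control):
    """True when an account's userAccountControl has DONT_REQ_PREAUTH set (audit helper)."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(SAMPLE_4768))
    print("AS-REP roastable requests:", asrep_roastable_requests(SAMPLE_4768))
    print("UAC 0x410200 lacks pre-auth:", preauth_not_required(0x410200))
```

The preauth_not_required helper is the audit side of the same finding: accounts whose userAccountControl carries that bit are the ones this technique works against, so clearing it removes the exposure.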
Enumeration: Back to the Basics
Now that we’ve gathered the svc-admin user’s credential, let’s further enumerate this user’s SMB shares.
First, let’s check which shares are available to the svc-admin user. We can use the smbclient command with the ‘-L’ flag.
So it seems there are quite a number of shares available to this user.
Next, we need to check which shares we have permission to access with the svc-admin credential. We can use the smbmap command to do this.
Note: I used python3.8 because the smbmap Python script had some problems running with my python3.9.2; it kept showing some weird errors when running the script.
As we can see, we have permission to read the backup, IPC$, NETLOGON & SYSVOL shares.
smbmap command format:
smbmap -u <user> -p <password> -H <target>
Then we enumerate the contents of the shares further using smbmap’s ‘-r’ flag. Let’s check the root directory of each share. From here we find that the backup share has one interesting file, ‘backup_credentials.txt’.
Now let’s access the backup share & grab the text file. It looks like the content has been encoded with base64.
So let’s decode it & it looks like we just got the backup user’s credential in plaintext!
Let’s test whether this is a valid credential for the backup user & yes, it’s a valid credential!
Now, let’s answer the TryHackMe questions again:
What utility can we use to map remote SMB shares?
answer: smbclient
Which option will list shares?
answer: -L
How many remote shares is the server listing?
answer: 6
There is one particular share that we have access to that contains a text file. Which share is it?
answer: backup
What is the content of the file?
answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
answer: backup@spookysec.local:backup2517860
Domain Privilege Escalation: Elevating Privileges within the Domain
Now we have the new user ‘backup’ credential. We might be wondering what the backup user does.
This backup user is actually a backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this ‘backup’ user account, including the password hashes.
Now that we know what this user does, it’s time for us to do a pass the hash attack on the Domain Controller. We can utilize one of the Impacket Python scripts, ‘secretsdump.py’.
Now let’s perform the pass the hash attack on the Domain Controller with the backup user’s credential.
Impacket secretsdump.py command format:
impacket-secretsdump -just-dc-ntlm <domain name>/<user>:<password>@<domain controller IP>
Now that we’ve gotten the Administrator user’s hash, let’s use evil-winrm to spawn a shell!
evil-winrm command format:
evil-winrm -u <user> -H <NTLM Hash> -i <target IP>
Now we’ve owned the Domain Controller machine!!
Let’s quickly answer the TryHackMe questions again.
What method allowed us to dump NTDS.DIT?
answer: DRSUAPI
What is the Administrator’s NTLM hash?
answer: 0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
answer: pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
answer: -H
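The DRSUAPI method secretsdump.py uses to pull NTDS.DIT secrets is the same replication interface domain controllers use among themselves, so on the DC it shows up as Security Event ID 4662 carrying the directory replication control-access rights. The detector below is an added example, not code from the room or from Impacket; it runs over a constructed sample of 4662 events and reports replication requests from any account outside an allowlist of DC machine accounts (the DC name “DC01$” and the non-replication GUID in the benign event are constructed placeholders).

```python
"""Flag directory-replication (DRSUAPI) requests by non-DC accounts in 4662 events.

Added example, not part of the TryHackMe room. A DC logs Event ID 4662 when
an account exercises the replication extended rights on the domain object.
"""
import re

# Well-known extended-right GUIDs that the DC checks before replicating.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                      DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET}

GUID_RE = re.compile(r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.I)

# Constructed sample: the 4662 Properties field lists the requested rights as GUIDs.
SAMPLE_4662 = [
    # Normal: the DC's own machine account ("DC01$" is a constructed name) replicating.
    {"SubjectUserName": "DC01$", "SubjectDomainName": "THM-AD", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Suspicious: a user account asking for the same replication rights.
    {"SubjectUserName": "backup", "SubjectDomainName": "THM-AD", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Benign: a user touching an unrelated property (placeholder GUID, not a replication right).
    {"SubjectUserName": "james", "SubjectDomainName": "THM-AD", "AccessMask": "0x10",
     "Properties": "%%7684\n\t{deadbeef-0000-4000-8000-000000000000}"},
]


def replication_rights(properties):
    """Return the set of replication extended rights named in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def suspicious_replication(events, allowed_accounts):
    """Return (DOMAIN\\account, sorted rights) for replication requests from accounts
    not in `allowed_accounts` (normally the domain controllers' machine accounts)."""
    allowed = {a.upper() for a in allowed_accounts}
    hits = []
    for e in events:
        rights = replication_rights(e["Properties"])
        if rights and e["SubjectUserName"].upper() not in allowed:
            hits.append((f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}', sorted(rights)))
    return hits


if __name__ == "__main__":
    for account, rights in suspicious_replication(SAMPLE_4662, {"DC01$"}):
        print(f"replication rights requested by non-DC account {account}: {rights}")
```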
Time to find the flags!!
As the room creator mentioned, the flags can be found in each user’s Desktop directory, so let’s use the Administrator user to get into their Desktop directories and grab the flags.
Finding svc-admin user flag
Finding backup user flag
Finding Administrator root flag