Open in app

Sign in

Write

Sign in

TryHackMe: Attacktive Directory (Active Directory Pentesting Practice)

Bryan Leong (NobodyAtall)
9 min readMay 23, 2021

As we know that 99% of the machines in the corporate network they’re running Active Directory. So this article we will be doing a room from TryHackMe to practice on how can we exploit a vulnerable Domain Controller.

Enumeration: Welcome to Attacktive Directory

To start our penetration testing on Active Directory, the 1st phase we need to do is gather the intel of the machine. We can start from running our Nmap port scanner.

Nmap Command format:

nmap -sC -sV -oN <output_file_name> <machine IP>

From the nmap result, we know that this machine is running Active Directory with Kerberos authentication service running. The Active Directory domain name are “spookysec.local

Now we gotten the Active Directory domain name, we need to edit our /etc/hosts file to point the IP to the domain name.

Now let’s answer the question in TryHackMe:

What tool will allow us to enumerate port 139/445?

To enumerate the 139/445 port which is the SMB port, we can use enum4linux to enumerate it.

The output will be something like this, it is quite long so I try to read it using my text editor.

answer: enum4linux

What is the NetBIOS-Domain Name of the machine?

The NetBIOS-Domain Name is ‘THM-AD’, we can find it from nmap scan result under the 3389 RDP port.

answer: THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

TLD stand for “Top Level Domain”. So what are they?

Let’s take an example of “www.study.com” this domain name, the “.com” is the Top Level Domain.

So in the active directory, based on experience most of the AD machines that I’ve done in HackTheBox they’ve the invalid TLD “.local”. Let’s gather some information from our Google-Fu.

From the article below, we can see that the commonly used AD invalid TLD are “.local” & “.internal”. So in our machine, the invalid TLD are “.local”, the answer should be “.local

answer: .local

Enumeration: Enumerating Users via Kerberos

Now after some enumeration on finding open ports & SMB. We carry on the enumeration process on finding the valid user using the Kerberos authentication service.

Normally to gather username, we need to craft our own username wordlist by scrapping the username from the organization website contact page or anywhere else that we can find it.

But in this machine room, the room creator had save the time for us & provide us the username & password wordlist.

So let’s download the user & password list into our machine.

To find the valid username & password we can use a tool called Kerbrute. You can download the tool from the link => Kerbrute.

Now let’s start to enumerate the username with the userlist provided. We can use the userenum to enumerate the usernames.

Kerbrute enumerate user command:

kerbrute userenum -d <domain name> — dc <domain controller IP> userlist.txt

As we can see that, we have just gotten a list of usernames that’s valid.

So, let’s quickly answer TryHackMe questions.

What command within Kerbrute will allow us to enumerate valid usernames?

To enumerate users with user list, we use the command userenum

answer: userenum

What notable account is discovered?

From the output result, we found 1 quite interesting account which will be the ‘svc-admin’ username.

svc-admin might be the Service Administrator account which used to manage the domain controllers & configure the AD Directory Server.

answer: svc-admin

What is the other notable account is discovered?

Another notable account which will be the backup user.

answer: backup

Exploitation: Abusing Kerberos

While letting the rest of the username enumerating from the kerberos authentication service, let’s try to check and see does these valid usernames have “Does not require Pre-Authentication” set. Which means that the account does not need to provide a valid identification before requesting a Kerberos Ticket on the specified user account. This technique are call ASREPRoasting.

To retrieve the Kerberos Tickets with ASREPRoasting , we can use one of the Impacket script called ‘GetNPUsers.py’ that will allow us to query ASReproastable accounts from the Key Distribution Center(KDC).

GETNPUsers.py command format:

impacket-GetNPUsers <Domain Name>/ -usersfile <valid username> -format <hashcat/john> -outputfile <output file name>

Now let’s run the script to check & see which username we can query a ticket. From the output, we have just successfully query a ticket for the ‘svc-admin’ user.

Now we need to crack the kerberos hash to get the credential. We can use hashcat.

The kerberos hash over here it told us 2 thing ‘$krb5asrep$23':

  • asrep
  • $23

So based on these attributes, we know that we need to use 18200 mode to crack it.

Now let’s launch our hashcat to crack the kerberos hash.

Hashcat command format:

hashcat -m 18200 <kerberos hash file> <password wordlist>

The results shows us that we’ve just successfully cracked the password! the credential for the ‘svc-admin’ user will be:

svc-admin:management2005

Now let’s quickly answer TryHackMe questions.

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

answer: svc-admin

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC?

answer: Kerberos 5, etype 23, AS-REP

What mode is the hash?

answer: 18200

Now crack the hash with the modified password list provided, what is the user accounts password?

answer: management2005

Enumeration: Back to the Basics

Now since we’ve gathered svc-admin user credential, let’s try to further enumerate this user SMB shares.

First, let’s check out what are the shares that have for this svc-admin user. We can use the command smbclient with the ‘-L’ flag.

So it seems like there’s quite amount of shares that’s available for this user.

Next, we need to check and see which shares we have the permission to access to with this svc-admin credential. We can use the smbmap command to do it.

Notes: I used python3.8 because there’s some problem the smbmap python script running with my python3.9.2, it’ll keep on shows some weird errors when running the script.

So as we can see that the backup, IPC$, NETLOGON & SYSVOL shares we have the permission to read it.

smbmap command format:

smbmap -u <user> -p <password> -H <target>

Then, we further enumerate the content in the shares, we can use smbmap ‘-r’ flag. Let’s try to check out the root directory of each shares. From here we found out that the backup share have 1 interesting file which is the ‘backup_credentials.txt’ file.

Now let’s gain access into the backup share & grab the text file. It looks like the content had been encoded with base64.

So now let’s decode it & looks like we just got backup user credential in plaintext!

Let’s test it out & see whether this is a valid credential or not for backup user & yes it’s a valid credential!

Now, let’s answer TryHackMe questions again:

What utility can we use to map remote SMB shares?

answer: smbclient

Which option will list shares?

answer: -L

How many remote shares is the server listing?

answer: 6

There is one particular share that we have access to that contains a text file. Which share is it?

answer: backup

What is the content of the file?

answer: YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

answer: backup@spookysec.local:backup2517860

Domain Privilege Escalation: Elevating Privileges within the Domain

Now, we have the new user ‘backup’ credential. We might be thinking what does that backup user does?

So this backup user actually is a backup account for the Domain Controller. This account has an unique permission that allows all Active Directory changes to be synced with this ‘backup’ user account including the password hashes.

So now we know what does this user does, so it’s time for us to do a pass the hash attack on the Domain Controller. We can utilize one of the Impacket python script called ‘secretsdump.py’.

Now let’s perform pass the hash attack on the Domain Controller with backup user credential.

Impacket secretsdump.py command format:

impacket-secretsdump -just-dc-ntlm <domain name>/<user>:<password>@<domain controller IP>

So, now we’ve gotten the Administrator user hash, let’s use evil-winrm to spawn a shell!

evil-winrm command format:

evil-winrm -u <user>-H <NTLM Hash> -i <target IP>

Now, we’ve just owned the Domain Controller machine!!

Let’s quickly answer TryHackMe questions again.

What method allowed us to dump NTDS.DIT?

answer: DRSUAPI

What is the Administrators NTLM hash?

answer: 0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

answer: pass the hash

Using a tool called Evil-WinRM what option will allow us to use a hash?

answer: -H

Time to find the flags!!

As the room creator mentioned, the flags can be found in each of the user Desktop directory, so let’s use the Administrator user to get into their Desktop directory to own the flag.

Finding svc-admin user flag

Finding backup user flag

Finding Administrator root flag

Cybersecurity
Active Directory
Penetration Testing
Pass The Hash
Tryhackme

--

--

Bryan Leong (NobodyAtall)

Written by Bryan Leong (NobodyAtall)

22 Followers

A Bachelor of Computer Science student that’s passion in CyberSec & Pentesting.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams