Attacktive Directory

ACTIVE DIRECTORY ROOM FROM TRY HACK ME

Hashar Mujahid
InfoSec Write-ups


INTRODUCTION:

This room is designed to give you a little insight into what an Active Directory environment is, and how you can enumerate, exploit and escalate your privileges within a domain environment.

WHAT IS ACTIVE DIRECTORY?

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done.

The database (or directory) contains critical information about your environment, including what users and computers there are and who’s allowed to do what. For example, the database might list 100 user accounts with details like each person’s job title, phone number and password. It will also record their permissions.

ENUMERATION:

Let's start off with enumeration. Nmap can help us in this regard, but you can use any port scanner you like; Rustscan or Masscan would work as well.

# Nmap 7.92 scan initiated Mon Aug  1 09:40:35 2022 as: nmap -sC -sV -p- --min-rate 1500 -oN nmap.out 10.10.210.216
Nmap scan report for 10.10.210.216
Host is up (0.18s latency).
Not shown: 65508 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-01 13:41:39Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-08-01T13:42:43+00:00
|_ssl-date: 2022-08-01T13:43:13+00:00; +1s from scanner time.
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-07-31T13:20:35
|_Not valid after: 2023-01-30T13:20:35
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open unknown
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open unknown
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49696/tcp open msrpc Microsoft Windows RPC
49824/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2022-08-01T13:42:43
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 1 09:43:18 2022 -- 1 IP address (1 host up) scanned in 163.82 seconds

The rdp-ntlm-info script output already gives us the domain name, the NetBIOS name and the full hostname of our target:

| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763

SMB ENUMERATION:

We see SMB is active, so let's try to enumerate it. We can use multiple tools to enumerate SMB:

1: Smbclient

2: Smbmap

3: Enum4linux

=================================( Share Enumeration on 10.10.210.216 )=================================
do_connect: Connection to 10.10.210.216 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename       Type      Comment
---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.210.216

I tried enumerating with all the tools, but no shares are listed without credentials.

Enumerating Users via Kerberos:

Kerberos is running on port 88, so maybe we can enumerate valid users with Kerbrute. If you want to learn more about what Kerberos is and how it works, you can watch this video; it explains how Kerberos performs authentication.

Install Kerbrute:

Use the userenum flag and try to enumerate users with the username list provided by the room author.

Version: v1.0.3 (9dad6e1) - 08/03/22 - Ronnie Flathers @ropnop

2022/08/03 09:20:12 > Using KDC(s):
2022/08/03 09:20:12 > spookysec.local:88
james@spookysec.local
svc-admin@spookysec.local
James@spookysec.local
robin@spookysec.local
darkstar@spookysec.local
administrator@spookysec.local
backup@spookysec.local
paradox@spookysec.local
JAMES@spookysec.local
Robin@spookysec.local
Administrator@spookysec.local
Darkstar@spookysec.local
Paradox@spookysec.local
DARKSTAR@spookysec.local
ori@spookysec.local
ROBIN@spookysec.local

Valid users reported by Kerbrute.

ASREPRoasting:

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting is possible when a user account has the option “Does not require Pre-Authentication” set. This means that no valid identification has to be provided before requesting a Kerberos ticket for the specified user account, so the KDC hands back an AS-REP whose encrypted part is derived from that user's password and can be cracked offline.

There is a great video explaining ASREPRoasting by Brandon.

Let's try to perform the attack.

(screenshot: GetNPUsers.py output)

Once we have a hash, copy it, save it to a file and run hashcat in an attempt to crack it.

Syntax:

hashcat -m 18200 hash password.list

(screenshot: hashcat output)

Once we have valid credentials we can try to list the SMB shares that require authentication.

SMB SHARES:

(screenshot: share listing)

We see a backup share, which is particularly interesting; let's connect to it with smbclient.

(screenshot: smbclient session)

We can see a backup_credentials.txt; let's get it.

Its content looks base64-encoded, so let's decode it.

(screenshot: decoded credentials)

We got the credentials of another user.

Elevating Privileges within the Domain:

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking: what is this the backup account for? Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced to this user account, and that includes password hashes.
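Both the ASREPRoasting step above and the replication permission just described leave traces in the Domain Controller's Security log, which is what a defender should watch for. The following is an added example, not code from the original write-up: it runs detection logic over constructed event 4768 (TGT request) and 4662 (directory object access) records. The JSON field names mirror the Windows event data fields; the sample events, the allow-list of replicating principals and the log format are assumptions.

```python
import json

# Well-known control-access-right GUIDs that replication (DCSync-style) requires:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
# Principals expected to replicate (domain controllers); assumed list, tune per domain.
ALLOWED_REPLICATORS = {"ATTACKTIVEDIREC$"}

def classify(event):
    """Return a finding string for one parsed Security event, or None."""
    eid = event.get("EventID")
    if eid == 4768:
        # PreAuthType 0 means the KDC issued an AS-REP without pre-authentication;
        # TicketEncryptionType 0x17 is RC4-HMAC, the etype 23 hashcat mode 18200 cracks.
        if event.get("PreAuthType") == "0" and event.get("TicketEncryptionType") == "0x17":
            return "ASREPROAST %s from %s" % (event.get("TargetUserName"), event.get("IpAddress"))
    elif eid == 4662:
        # Properties lists the rights GUIDs exercised on the directory object.
        props = event.get("Properties", "").lower()
        actor = event.get("SubjectUserName", "")
        if any(g in props for g in REPLICATION_GUIDS) and actor not in ALLOWED_REPLICATORS:
            return "DCSYNC %s on %s" % (actor, event.get("ObjectName"))
    return None

def scan(lines):
    """Parse one JSON event per line and collect findings; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE_LOG = [
    '{"EventID": 4768, "TargetUserName": "svc-admin", "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"}',
    '{"EventID": 4768, "TargetUserName": "james", "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.10.14.7"}',
    '{"EventID": 4662, "SubjectUserName": "ATTACKTIVEDIREC$", "ObjectName": "DC=spookysec,DC=local", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    '{"EventID": 4662, "SubjectUserName": "backup", "ObjectName": "DC=spookysec,DC=local", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}',
    'not json at all',
]
```

Running scan(SAMPLE_LOG) reports only the pre-auth-less RC4 TGT request and the replication by the non-DC "backup" account; the DC's own replication and the normal AES TGT request are ignored.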

We can use impacket's secretsdump.py to retrieve all the hashes.

(screenshot: secretsdump.py output)

With the users' hashes we can perform a very effective attack, “Pass the Hash”; see the linked resource if you want to learn more about the pass-the-hash attack.

We can use evil-winrm for the attack.

(screenshot: evil-winrm session)

Now just get all the flags and submit them.

See you all later.

Happy Hacking !


IBM CSA | Google IT Support | Jr Penetration Tester | Ethical Hacker | THM TOP 1% | Hacker rank On HTB