TryHackMe — Attacktive Directory Walkthrough

Aniket Badami
11 min readJan 21, 2021

--

This is a practical walkthrough of “Attacktive Directory” on TryHackMe. This room is created Sq00ky and it’s free room to try your skills, already 7800+ users are joined and tried it. Highest point so far achieved is 740 by s3ns3. This room has three flags to retrieve from target.

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

First Things First
Deploy the target machine (this machine might take upto 3–5 minutes to load and accessible)
There are two ways to access the deployed target machine.
1) Use attacker box — Provided by TryHackMe, it consist of all the required tools available for attacking.
2) Use OpenVpn configuration file to connect your machine (kali linux) to their network.
For the sake of demonstration I am using OpenVPN connection on my Kali Linux machine.

We won’t be using Metasploit for this challenge

All of my further commands will be executed as normal user not as root. So, if you’re also not executing all the commands as root then make sure to use sudo, as it can give you permission to run elevated programs.

Epitome

AD DS (Active Directory Domain Services) is widely used in corporate network environment to manage their users and services and allow system administrators to organize the data into logical hierarchies. PenTesters must understand the ways to compromise AD DS, as it can be found is 99% client IT environment.

There are eight tasks to complete, first two are about setting up the environment for attack and remaining six are actual Enumeration to Exploitation to Escalation to Flag retrieval. We will directly jump to Task three.
Note: If you are using Kali Linux 2020.4, then you can skip task two.

Task is Enumerate the DC

This task consist of gathering Information about domain controller of target machine. We can start our quest with initial nmap scan to find out what ports/services are open/running on target machine.

Nmap Scan

I ran nmap with flags no ping, service version and TCP scan on target IP address. As you can see the result, there are couple of ports which interests us, like 88 (Kerberos), 139 (NetBios), 445 (SMB) and 3389 (RDP). Although it’s not a bad idea to look into other ports, if necessary. There’s a local domain running on target machine, probably named spookysec.local and in task three section, they have also mentioned about it. Let’s enumerate 88, 135, 139, 3389 and 445 further to get more information by running scripts (NSE).

Nmap Script Scan

The above nmap command with perform default script scan (-sC) on specified ports.

Nmap Script Scan Result

As you can see we got some interesting information, first it’s domain name (as we suspected earlier), second NetBIOS Domain Name. (I have redacted it as it is answer to one of the question)

We can also try enumerating from Windows and Samba systems using another application. Although this application didn’t give any fruitful information other than NetBios Domain Name, however it’s really an amazing tool to have in your arsenal.

Enumeration

Note: I have redacted it because it is an answer to one of the question.

At this moment we got all the answers for this third task. However, it’s wise to try other enumeration methods on remaining open ports.

Note: I have tried couple other things while trying this room and it all lead to nowhere.

Task is Enumerate the DC Part 2

From previous task we gathered hostname, domain name, ports and it’s services. As this room is about Active Directory challenges, so we concentrate on related ports/services. Like Kerberos.

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. More Information: MIT

Kerberos port is open on target machine (Port 88), we can try further enumeration with another well known application called, Kerbrute.

Kerbrute — A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication. This tool can find usernames, passwords and even perform password spray attack on users.

Kali Linux doesn't come with this application, so we need to download this. THM has already given the link in this room, still I will leave it here too. https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

Download Kerbrute

The above command will download the Kerbrute_linux_amd64 application and renames to Kerbrute in your present working directory.

Note: If you can create a folder for this room and download everything in that directory for easy accessibility.

Now, we need to give this new application execution rights.

Execution Rights
Kerbrute Help

You can check the help section of Kerbrute to find out flags/switches for enumeration.

Now we need to use one of the flag to enumerate valid domain usernames.

Couple of things before we move to Kerbrute, First, is to add spookysec.local to our hosts file. Use your favorite text editor to modify hosts file.

Modify Hosts
spookysec IP and domain

Second, download user list and password list specified by THM for this room.
Link: username and password

download password list
download username list
Kerbrute user enumeration

To enumerate users, you can run above command with different flags. (I have redacted one sub-command, because it is an answer to one of the question).

Enumeration result

As you can see, there are 5+ valid usernames are available on target domain. Out of all, 3 domain usernames which interests us and surely we will use these domain usernames in further tasks.

Now we need to copy these domain usernames to a new text file for further usage. I call it collected_users.txt.

Note: It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.

At this moment we have all the answers for this fourth task. Let’s move to next task.

Task is Exploiting Kerberos

With all the Information we have collected so far, using that we can exploit Kerberos feature called ‘ASREPRoasting’.

AS-REP Roasting is an attack against Kerberos for user accounts that do not require pre-authentication. Harmj0Y has explained more clearly how this attack works.

tl;dr — if you can enumerate any accounts in a Windows domain that don’t require Kerberos pre-authentication, you can now easily request a piece of encrypted information for said accounts and efficiently crack the material offline, revealing the user’s password.

For this attack we have to use one of the tool from Impacket Library

Impacket — It is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1–3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Note: If you want to know more details about all the tools of Impacket then you can visit the following link. https://www.secureauth.com/labs/impacket/

We are going to use Impacket’s ‘GetNPUsers.py” tool to allow us to query ASReproastable accounts from the Key Distribution Center.

GetNPUsers.py — This will attempt to list and get TGTs (ticket granting ticket) for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH).

GetNPUsers.py Location

Above is the location of Impacket and its all tools. We need python3 to run the tools. Make sure to look into help menu of GetNPUsers.

Getnpusers Command

We have to provide domain name, username file and output format (hashcat or john). Make sure to use username file which we created recently after enumerating domain usernames.

getNPuser result

As you can see the result, we got hash from one domain account which do not require Kerberos pre-authentication. We need to save this hash in a text file for cracking purpose.

Let’s crack this hash using HashCat application.

Hashcat is the world’s fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

HashCat is shipped with Kali Linux, you can run below command to get help menu.

hashcat help

Before we start cracking blindly the collected hash, we need to find which cracking we have to use. For this you can use below command.

hashcat modes

Once you figure out which mode to use for cracking, then run below command.

hashcat command to crack

We have to provide hash mode, actual hash and password list to crack the hash. (I have redacted the mode, because it is an answer to one of the question).

Hashcat result

Once it’s finished cracking, you would see the result as mine.

At this moment we have all the answers for this task. Let’s move to next task.

Task is Enumerate the DC Part 3

In previous task we cracked the password for a specific domain user, now we use this user credentials to enumerate further.

Enumeration with domain user credentials

As you can see, I have redacted application name, it’s flag and username, because it is an answer some of the questions. But, I can explain what we are exactly trying to do here. We are querying the target IP address with recently collected username to find SMB shares. If any share are accessible then look into them for any information, probably flags or passwords or something like that.

SMB Share information

Now we need to manually try to access any of the shared folders/drive using same application.

Access Shared Folders

As you can see, we have access to one of the shared folder/drive, now we list the content of this folder/drive.

Content of shared folder/drive

Now read the txt file using ‘more’ command.

Encoded Creds

So, there’s a file and it has encoded credentials for one of the account. Now we need to decode it. It looks like it is encoded with base64. Let’s decode this by running below command.

Decoding

We have now another accounts credentials. We will use it for further exploitation.

At this moment, we have all the answers for this task. Let’s move to next task.

Task is Elevating Privileges

This task is about elevating privileges by taking advantage of previously collected Information, specifically credentials which we have collected of two different domain accounts.

For this task, we are going to use another tool from Impackets Library, called ‘SecretsDump.py’.

SecretsDump.py — It performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.

Secretdump help

From above location you can get the secretdump tool and make sure to check the help menu to flags.

This application works locally if we have required files, check below section. As well as works remotely if we have required user credentials.

SecretDump
SecretDump Command

As you can see the above command, we have to run this using sudo and flag, as well as the domain account name which we previously collected from smbshare. Upon execution, first it will ask your kali linux password (sudo) and next it will ask you to enter target domain account passeword.

SecretDump result

As you can see we dumped hashes for all the available account from target machine. This was possible because the account which we used to dump has unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes.

So, now we have hash of the admin account of the domain controller, now can crack the hash to get the password or we can us pass the hash technique to access the machine using Evil-WinRM application.

Evil-WinRM — WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol. A standard SOAP based protocol that allows hardware and operating systems from different vendors to interoperate. Microsoft included it in their Operating Systems in order to make life easier to system administrators.This shell is the ultimate WinRM shell for hacking/pentesting.

At this moment we have all the answers for the questions of this task. Let’s move to final task of this room.

Task is Flags

This is the final task, we need to collect flags from target machine using previously collected information.

At this stage we can use Evil-WinRM or PsExec tool to get the shell/cmd of target machine by passing the hash.

I am going to use Evil-WinRM for this task, I use PsExec all the time and I want to try this application. First we need to install this Evil-WinRM using below command.

Install Evil-WinRM

You must use sudo to install this ruby gem. Once installed now you can use below command to get the shell.

Evil-WinRM Command

I have redacted the user name as well as hash of the user. All the flags are lying around in Desktop of all user required user account. Submit all the flags and verify.

Root flag
User flag
PrivEsc Flag

Thank you for reading this blog. While attempting this challenge I learned so many things.

References

https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
https://www.harmj0y.net/blog/activedirectory/targeted-kerberoasting/

--

--