Walkthrough - TryHackMe "Attacktive Directory" Without Metasploit


Walkthrough - TryHackMe "Attacktive Directory" Without Metasploit

Large and small networks alike across the planet use and rely on the Windows Active Directory environment to ensure functional business capabilities in the IT realm.  This is why it is so unfortunate that the Windows Active Directory suite ships with essentially known weaknesses and vulnerabilities when configured improperly, or even properly in many cases.  Attacktive Directory is a full frontal attack on a Domain Controller running Active Directory, and today I will show you how to fully compromise the machine using publicly available command line tools, and no Metasploit. (https://tryhackme.com/room/attacktivedirectory)

Scanning

As always, we need an understanding of the attack surface.  We can get started with a basic Nmap scan, followed by a more informative Nmap -A scan.

nmap -Pn 10.10.68.12

nmap -A 10.10.68.12

As we can see, we have a lot going on here, and everything is pointing at an Active Directory environment.  We see Port 88 is running Kerberos, which is an authentication system used to authenticate users on the network.  We also see SMB is running on 445, as well as LDAP on 3268.  Looking farther down we see that our machine's domain name is THM-AD, and the domain is spookysec.local.

Enumeration

There are many ways to enumerate a domain controller.  Follow along with the challenge, we will explore the use of a tool called Kerbrute, which can be installed using Go.  

Installing Kerbrute using Go
Installation is straight forward if you have Go installed.  If you do not, I recommend doing so as many great tools, such as Gobuster, run on Go.  The room for this challenge provides us a necessary username and password list that will cut down on some of the time required to complete the challenge, so get those copied over to your Kali machine quick.  Once you have done that, we can levy our Kerbrute attack against the domain by enumerating users.  We could additionally attempt password spraying attempts or brute force usernames and passwords.
./kerbrute userenum --dc spookysec.local -d spookysec.local '/root/Desktop/tryhackme stuff/attacktive/kerbruteuser.txt' -t 100

As you can see we are able to pull several usernames, including a few that stand out which are also needed for questions in the room.  Make note of these as we move along. 

Exploitation

Now that we have enumerated some known users, we can begin with exploitation tasks.  We are going to conduct an "ASREPRoasting" attack, which leverages the Kerberos' Pre-Authentication service.  This means that a device has to be authorized to communicate before it is authorized to communicate on the network.  We can use a tool called GetNPUsers.py from the Impacket toolset to find preauthenticated accounts that can be exploited.

GetNUPsers.py -dc-ip 10.10.68.12 spookysec.local/svc-admin -no-ass

As we can see, we are able to collect a Kerberos hash for the svc-admin user.  We can now try to crack this hash using Hashcat and the provided wordlist earlier on.  I decided to use rockyou.txt however.
hashcat -m 18200 -a 0 /root/Desktop/tocrack /root/Desktop/passes/rockyou.txt --force

 Now that we have a username and a password, we can try to log on to the system.  We know that SMB is running, so let's check to see what shares are available, and then attempt to log on to them if possible.  As we can see, we are able to successfully do this.

Top - smbclient -L 10.10.68.12 -U 'svc-admin'; Second - smbclient \\\\10.10.68.12\\backup -U 'svc-admin' then dir to check directory; Third - more backup_credentials.txt; Fourth - Text String

We are able to successfully collect the contents of the backup_credentials.txt file, however it looks like it may be encoded with something like Base64.  We can copy and paste this into another Kali terminal and try to decode it.  As we find, we are able to secure a username and password combination.
base64 --decode <<< inserthashhere

As we now have a username and a password, we can try to enumerate additional user information, to include NTLM hashes if possible.  We do this using the secretsdump.py tool from Impacket, utilizing our newly found credentials.

secretsdump.py -just-dc backup@spookysec.local

 We now have a hash for the Administrator user account, and can take a couple of different paths.  My preferred path is to use psexec.py to log in by "passing the hash," utilizing the hash we've discovered as the password (This goes back to Windows shipping with vulnerabilities). For PSEXEC to work, we will need the entire hash, not just the highlighted hash above.  Enter the information correctly and as you see below we will be granted access to the system as the Administrator.

psexec.py -hashes inserthashes administrator@spookysec.local

Alternatively, and following the room guide, we can use a tool called Evil-WINRM, which is an incredibly powerful tool used to exploit Windows.  You can see how to log in below, making note that we are using the highlighted portion of our found hash above.
evil-winrm -u administrator -H inserthash -i 10.10.68.12

And again, as you can see, we have gained administrator access to the machine.  We can then quickly recover our necessary information for the room and then we're done!


Final Thoughts

Attacktive Directory is a great way to build, refresh, or hone your skills in Active Directory attacks.  Using Kerbrute was new to me, and it was a neat way to enumerate users in a way I haven't before.  Take what you can from this room as Active Directory is the way of the world, and internal engagements revolve around trying to take control of them.  I hope this guide helped, and I'll see you live!

Comments

Popular Posts