
TryHackMe – Attacktive Directory Walkthrough

Introduction

This was an intermediate Windows machine that involved enumerating an Active Directory domain, using AS-REP roasting to obtain initial access, and performing a DCSync attack to escalate privileges to Administrator-level access.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run the default scripts
  • -sV to enumerate application versions

The scan identified ports 53 (DNS), 80 (HTTP), 135 (MSRPC), 139 (NetBIOS), 445 (SMB), 3389 (RDP) and a number of other Windows-related ports:

Adding the host to the /etc/hosts file using the name specified in the room:

Using enum4linux to enumerate information about the domain, such as SIDs, users and groups:

The room provides a user list and a password list to cut down the time spent on user enumeration and hash cracking. Downloading the user list and running Kerbrute with the following options to enumerate valid users:

  • userenum to specify the type of attack, in this case user enumeration
  • --dc to specify the domain controller, in this case spookysec.local
  • -d to specify the domain, in this case spookysec.local
  • the user list to use for the enumeration

Kerbrute identified a number of valid users on the domain. It does this by sending an AS-REQ for each candidate name without pre-authentication: the KDC answers differently for a principal that exists (it demands pre-authentication) and for one that does not (it reports the principal as unknown), so validity can be checked without ever trying a password. The next step is to target those users and hopefully obtain some access.

Abusing Kerberos

Using the GetNPUsers.py script from Impacket to perform an AS-REP roasting attack against the domain. This abuses accounts that have the "Do not require Kerberos preauthentication" flag set: pre-authentication is the first step of Kerberos authentication and exists precisely to stop an attacker requesting tickets on behalf of arbitrary users. When it is disabled, the KDC answers an AS-REQ for that user directly with an AS-REP whose encrypted part is protected with a key derived from the user's password (with RC4-HMAC, encryption type 23, that key is the user's NT hash), so that material can be brute-forced offline without talking to the domain controller again.

The attack worked and returned the AS-REP hash for the svc-admin user (the $krb5asrep$23$ line; this is the encrypted part of the AS-REP, not the NTLM hash itself, and the 23 is the encryption type, RC4-HMAC). Checking the hash type number to use with Hashcat for Kerberos 5 AS-REP etype 23 hashes, which is 18200:

Adding the hash to a text file so that it can be cracked using Hashcat:

Downloading the password list provided in the room and starting a dictionary attack against the hash with the following flags:

  • -m to specify the hash type, in this case 18200 for Kerberos 5 AS-REP etype 23
  • -a to specify the attack mode, in this case 0 for a straight dictionary attack
  • the file containing the hash
  • the password list to use as the wordlist
  • --force to ignore warnings (only needed on VMs without a supported GPU driver; on real hardware it can hide genuine driver problems, so it is better left out)

The hash was successfully cracked, giving the plaintext password for svc-admin.

Authenticated Enumeration

Armed with credentials, listing the shares available on the host with smbclient reveals an unusual "backup" share:

Connecting to the share and listing its files, it contains a backup_credentials.txt file; downloading it:

The file contains a base64-encoded string. Decoding it reveals the password for the backup user:

Privilege Escalation

The backup user has been granted the directory replication rights that domain controllers use to synchronise Active Directory data between each other, which means this account can ask the DC for every object's attributes, including password hashes. Abusing those rights is a DCSync attack. The secretsdump.py tool from Impacket implements it and can retrieve the password hashes of every account this user has access to, which is all of them. The hashes can then be used in various ways to escalate privileges.

Locating the script and running it to view its available options and the relevant information about it:

Its help text confirms that it can extract NTDS.DIT data using the DRSUAPI approach, which is the replication protocol a DCSync attack rides on:

Using the script to dump the NTLM hashes of all domain users with the -just-dc-ntlm flag, which restricts the dump to NTLM hashes from NTDS.DIT and skips the SAM, LSA secrets and Kerberos keys:

The NTLM hash for the Administrator user was dumped.

Using Evil-WinRM to connect to the machine via pass-the-hash, supplying the Administrator user's NT hash with -H in place of a password:

Conclusion

This box was part of TryHackMe's Offensive Pentesting path and it is great when approaching Active Directory attacks. Even though I completed this a while back, I can still remember it as being of incredible help in understanding some of the techniques required for AD penetration testing.