CTF writeup - Attacktive Directory
TryHackMe - Attacktive Directory [Creators - Spooks]
Summary
- Recon with nmap & Enumerate the services. SMB on port 139 and 445, and kerberos on 88.
- Enumeration with enum4linux reveals the domain name, computer name and domain controller.
- User enumeration with kerbrute against kerberos.
- With the user accounts we fetch the hashes with Kerberoasting / ASREPRoasting (users that dont require pre-auth)
- We get the kerberos hash and crack it with hashcat.
- Some more enumeration with our acquired hash and smbclient.
- We find some backup credentials in one of the shares.
- With the backup account credentials we dump the Domain Controllers NTLM hashes.
- With the Administrator NTLM hash we gain a shell with pass the hash and / or evil-WinRM
Recon & Scanning
Basic enumeration starts out with an nmap scan. Nmap is a relatively complex utility that has been refined over the years to detect what ports are open on a device, what services are running, and even detect what operating system is running. It’s important to note that not all services may be deteted correctly and not enumerated to it’s fullest potential. Despite nmap being an overly complex utility, it cannot enumerate everything. Therefore after an initial nmap scan we’ll be using other utilities to help us enumerate the services running on the device.
Our usual Nmap scan:
nmap -Pn -A -T4 -sV -sC -p- 10.10.222.250
We immidietaly discover some ports that quickly tells us this is a Windows machine with some services worth investigating.
- Port 445 - Which is SMB running on top of TCP
- Port 139 - Which is the old SMB that runs on top of NetBIOS.
Enumeration
So, our first step will be to look at the SMB shares using enum4linux and smbclient.
enum4linux -a 10.10.222.250
We got the domain name.
Also, our NMAP scan just finished and revealed alot more information about the machine.
Our scan also reveals the computer name, DNS domain name and even the version of Windows. We see something else interesting; KERBEROS is also running.
Enumerating Users via Kerberos
Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray! It is NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the domain controller.
Why Kerbrute you ask?
It’s a tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
- Faster than any other approach Potentially stealthier since pre-auth failure does not trigger “traditional” Account failed logon even 4625. Can validate usernames or test a login by ONLY sending ONE UDP frame to the KDC (Domain Controller)
We Download the attached userlist and passwordlist. Once we have done that, we can use our Kerbrute attack against the domain by enumerating users.
We could additionally attempt password spraying attempts or brute force usernames and passwords.
./kerbrute userenum --dc spookysec.local -d spookysec.local '/home/kali/wordlists/userlistwindows.txt' -t 100
We can see here that we have pulled several usernames, including some that stand out; svc-admin and backup . They might prove useful… Note these down to complete the questions in the room.
Exploitation
So, we can exploit by abusing Kerberos with an attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege “Does not require Pre-Authentication” set. This means that the account does not need to provide valid identification before requesting a Kerberos Ticket on the specified user account.
Retrieving Kerberos Ticket
For this we use the Impacket suite. Impacket has a tool called “GetNPUsers.py” (located in impacket/examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.
python3 GetNPUsers.py -dc-ip 10.10.210.91 spookysec.local/svc-admin -no-pass
So we got the Kerberos hash for the svc-admin user. Lets crack it using hashcat and the passwordlist we downloaded earlier! According to the Hashcat examples wiki, the hashtype is known as “Kerberos 5 AS-REP etype 23”.
We run Hashcat and crack the hashes:
bash hashcat -m 18200 -a 0 krbhashes.txt /home/kali/wordlists/passwordwindows.txt --force
Where the “mode” of the hash is 18200.
More Enumeration:
With a user’s account credentials we now have significantly more access within the domain. And because we have a valid username and password, We can now attempt to enumerate any shares that the domain controller may be giving out. We already know that SMB is running, so lets hop on to SMBclient!
smbclient -L 10.10.210.91 -U svc-admin
smbclient \\\\10.10.210.91\\backup -U 'svc-admin'
dir
more backup_credentials.txt
Interesting! We found what appears to be credentials for the “backup” user account. It looks like it is encoded with base64. Lets go to Cyberchef and decode it:
Dumping NTLM hashes
Great! We got the Administrator hash. This opens up a couple of different paths for us.
- Passing the hash with PSEXEC
- Evil-WINRM - which gives us a shell administrator privileges in this case
Gaining a shell
PsExec
psexec.py -hashes “inserthasheshere” administrator@spookysec.local
Evil-WinRM
evil-winrm -u administrator -H “inserthashhere” -i 10.10.68.12
With this shell we can retrieve all the information we want to complete the room:
Final thoughts
Attacktive Directory was an interesting room. I have never used Evil-WinRM before to gain a shell. Its always nice to learn something new.