Attacktive Directory – Try Hack Me

Short Intro

Hello guys! This room was designed by Sq00ky. Thanks for the little challenge you’ve put on the platform. The room is available on TryHackMe.

I think this would be a great starter for newcomers to get into Active Directory exploitation. Keep in mind that a lot of organizations use AD.

A few things you might learn:

  • Kerberos enumeration
  • Cracking Kerberos hashes
  • Using Impacket Secretsdump to dump DC hashes
  • Pass the hash using Evil-WinRM

Quick note before starting: it is a good idea to add the IP of the machine to the hosts file (/etc/hosts on Linux, C:\Windows\System32\drivers\etc\hosts on Windows).

Enumeration

Let’s get it going. I start with an Nmap scan.

[Screenshot: initial Nmap scan]

We can use enum4linux to enumerate SMB on ports 139 and 445. The syntax is: enum4linux -A <IP>.

I proceed to use kerbrute to enumerate valid usernames against Kerberos.

[Screenshot: Kerberos username enumeration with kerbrute]

I use GetNPUsers from Impacket to retrieve a Kerberos AS-REP hash for an account that does not require pre-authentication (AS-REP roasting).

[Screenshot: retrieving the Kerberos AS-REP hash with GetNPUsers]

I use hashcat to crack it. Just a note: in case you cannot crack the hash with the password list provided by Sq00ky, you can use rockyou.
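As an added example (not code from the original write-up), here is a small Python audit for the weakness GetNPUsers relies on: it flags enabled accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, which is what a defender would clear to close AS-REP roasting. The account records and names below are constructed to look like an LDAP export.

```python
"""Audit userAccountControl for AS-REP roastable accounts.

Added example, not code from the original write-up. GetNPUsers only
obtains an AS-REP hash for accounts whose userAccountControl has the
DONT_REQ_PREAUTH bit (0x400000) set; disabled accounts cannot be roasted.
"""

# Documented userAccountControl bit flags (subset).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000

# LDAP filter (bitwise AND matching rule) that returns the same set live:
# enabled accounts with DONT_REQ_PREAUTH (4194304 == 0x400000) set.
LDAP_FILTER = ("(&(userAccountControl:1.2.840.113556.1.4.803:=4194304)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")

# Constructed sample records; the names are made up, not the room's users.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-legacy", "userAccountControl": 0x400200},      # enabled, no pre-auth
    {"sAMAccountName": "old-contractor", "userAccountControl": 0x400202},  # disabled, no pre-auth
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200},             # enabled, pre-auth required
    {"sAMAccountName": "backup-svc", "userAccountControl": 0x410200},      # enabled, no pre-auth, pw never expires
]


def decode_uac(value: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_asrep_roastable(uac: int) -> bool:
    """True when the account is enabled and does not require pre-authentication."""
    return bool(uac & UAC_DONT_REQ_PREAUTH) and not (uac & UAC_ACCOUNTDISABLE)


def asrep_roastable_accounts(accounts: list[dict]) -> list[str]:
    """Sorted sAMAccountNames an AS-REP roast would return hashes for."""
    return sorted(a["sAMAccountName"] for a in accounts
                  if is_asrep_roastable(a["userAccountControl"]))


def audit(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each roastable account to remediation notes."""
    findings = {}
    for acct in accounts:
        uac = acct["userAccountControl"]
        if not is_asrep_roastable(uac):
            continue
        notes = ["clear DONT_REQ_PREAUTH unless a documented client needs it"]
        if uac & UAC_DONT_EXPIRE_PASSWORD:
            notes.append("password never expires: rotate it and enforce expiry")
        findings[acct["sAMAccountName"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_ACCOUNTS).items():
        print(name, decode_uac(next(a["userAccountControl"] for a in SAMPLE_ACCOUNTS
                                    if a["sAMAccountName"] == name)), notes)
```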

I list the shares and notice there is a share named backup. I took a look into it and retrieved a backup text file.

[Screenshot: listing SMB shares]

I had some issues with smbclient and smbmap, so I used the Metasploit auxiliary module named download_file with the following options to grab the file.

[Screenshot: Metasploit download_file module options]

Inside the file there was a base64-encoded string. I decoded it and found a new username and password. Therefore, I used the Impacket SecretsDump script to dump the DC hashes. You can grab Impacket from its GitHub repo.

[Screenshot: hashes dumped with SecretsDump]

Getting access

Now that I have the hashes, it is time to pass them. I used evil-winrm to pass the administrator hash and successfully log in. In case you do not have evil-winrm installed, it is a Ruby gem and can be installed with: gem install evil-winrm.

[Screenshot: pass the hash with Evil-WinRM]

Once successfully logged in, we can get our flags. Each flag is located in a user’s Desktop directory.

Hope you enjoyed and learned a few things out of this.