I think this would be a great starter for newcomers to get into Active Directory exploitation. Keep in mind that a lot of organizations use AD.
A few things you might learn:
- Kerberos enumeration
- Cracking Kerberos hashes
- Using Impacket Secretsdump to dump DC hashes
- Pass the hash using Evil-WinRM
Quick note before starting: a good idea would be adding the IP of the machine to the hosts file (/etc/hosts on Linux, and C:\Windows\System32\drivers\etc\hosts on Windows).
Let's get it going. I start with an Nmap scan.
We can use enum4linux to enumerate port 139 and 445. The syntax is:
enum4linux -A <IP>
I proceed to use kerbrute to enumerate the users.
I use GetNPUsers from Impacket to retrieve a Kerberos AS-REP ticket (this works for accounts that do not require pre-authentication).
I use hashcat to crack it. Just a note:
In case you cannot crack the hash with the password list provided by Spooky you can use rockyou.
I list the shares and notice there is a share named backup. I took a look into it and retrieved a backup text file.
I had some issues with smbclient and smbmap, so I used the Metasploit auxiliary module named download_file with the following options to grab the file.
Inside the file there was a base64 encoded string. I decoded it and stumbled across a new username and password. With those credentials, I used the Impacket secretsdump script to dump the DC hashes. You can grab Impacket from this GitHub repo:
Now that I have the hashes, it is time to pass them. I used evil-winrm to pass the administrator hash and log in successfully. In case you do not have evil-winrm installed, you can use the following command to install it (evil-winrm is distributed as a Ruby gem):
gem install evil-winrm
Once successfully logged in, we can get our flags. Each flag is located on the Desktop of the corresponding user.
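For the defender's side of the Kerberos steps above (the kerbrute user enumeration and the GetNPUsers AS-REP request), here is an added example of how both show up in Windows Security event 4768 on the DC. This is my own example, not code from the original write-up; the log lines, account names and IPs are constructed placeholders, and a real deployment would parse the event XML rather than this flattened key=value form.

```python
import re
from collections import Counter

# Constructed sample records shaped like Windows Security event 4768
# (Kerberos authentication ticket requested), flattened to one line each.
# Names and addresses are placeholders, not values from the write-up.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-backup IpAddress=10.0.0.50 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=alice IpAddress=10.0.0.21 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=bob IpAddress=10.0.0.50 TicketEncryptionType=0xFFFFFFFF PreAuthType=- Status=0x6
EventID=4768 TargetUserName=carol IpAddress=10.0.0.50 TicketEncryptionType=0xFFFFFFFF PreAuthType=- Status=0x6
EventID=4768 TargetUserName=dave IpAddress=10.0.0.50 TicketEncryptionType=0xFFFFFFFF PreAuthType=- Status=0x6
EventID=4768 TargetUserName=alice IpAddress=10.0.0.21 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn one key=value record per line into a list of dicts."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def asrep_roast_candidates(events):
    """Accounts that got a TGT with no pre-authentication (PreAuthType 0)
    and RC4 encryption (0x17): exactly what GetNPUsers asks for, and the
    ticket material that hashcat can then crack offline."""
    return sorted({
        e["TargetUserName"] for e in events
        if e.get("EventID") == "4768" and e.get("Status") == "0x0"
        and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == "0x17"
    })


def kerberos_enum_sources(events, threshold=3):
    """Source IPs with at least `threshold` 'client principal unknown' (0x6)
    failures, the footprint of username guessing against the KDC."""
    unknown = Counter(e["IpAddress"] for e in events
                      if e.get("EventID") == "4768" and e.get("Status") == "0x6")
    return sorted(ip for ip, n in unknown.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4768)
    print("AS-REP roastable accounts seen:", asrep_roast_candidates(evs))
    print("Probable username enumeration from:", kerberos_enum_sources(evs))
```

The durable fix for the first finding is clearing "Do not require Kerberos preauthentication" on the flagged accounts and moving them to AES-only keys, so the 0x17/PreAuthType=0 combination stops appearing at all.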
Hope you enjoyed and learned a few things out of this.