Attacktive Directory

99% of corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

Nmap Scan

I performed an nmap scan to find open ports on the machine, the services running on them and their versions.

$ nmap -A -T4 -p- 10.10.79.214 -Pn

Nmap scan results
Nmap scan results continued

Since SMB is open, I will use the smbclient tool to enumerate shares on port 139. (I edited my /etc/hosts file so that spookysec.local maps to 10.10.79.214.)

Unfortunately, there are no shares.

Let's continue with the guided exercises.

In order to use kerbrute, we first need to install Go.

$ sudo apt install golang-go

Now let's go ahead and install kerbrute.

$ git clone https://github.com/ropnop/kerbrute.git

The guide has also provided us with a modified list of usernames and passwords. Let's download them as well.

Let's use kerbrute's userenum command to enumerate valid usernames against the DC.

A few notable accounts jump out at us: svc-admin@spookysec.local and backup@spookysec.local. We also get the hash of the svc-admin account, which we can crack offline using a tool like hashcat.

Exploiting Kerberos

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting is possible when a user account has the "Does not require Pre-Authentication" option set. This means that a client does not need to prove knowledge of the account's password before requesting a Kerberos ticket for that account, so the KDC hands back a reply encrypted with the account's key, and that reply can be cracked offline.
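As an added, defender-side example (not part of this writeup or the THM room): the script below checks for the condition described above from two angles, on constructed sample data. It flags accounts whose userAccountControl has the DONT_REQ_PREAUTH bit set, and it scans a flattened rendering of Windows Security event 4768 (TGT requested) for replies issued without pre-authentication using RC4, plus sources that hit many accounts without pre-auth. The field names (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status) are the 4768 EventData names; the sample values and addresses are constructed.

```python
from collections import defaultdict

# userAccountControl bit for "Do not require Kerberos preauthentication".
DONT_REQ_PREAUTH = 0x400000

# Constructed directory export (sAMAccountName, userAccountControl), not lab data.
SAMPLE_ACCOUNTS = [
    ("svc-admin", 0x410200),  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    ("backup", 0x10200),      # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("james", 0x200),         # NORMAL_ACCOUNT
]

# Constructed flattening of Security event 4768 (TGT requested), TEST-NET addresses.
# PreAuthType 0 = no pre-auth, TicketEncryptionType 0x17 = RC4-HMAC,
# Status 0x19 = KDC_ERR_PREAUTH_REQUIRED (AS-REQ without pre-auth was refused).
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=svc-admin IpAddress=192.0.2.10 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=james IpAddress=192.0.2.10 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x19",
    "EventID=4768 TargetUserName=backup IpAddress=192.0.2.10 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x19",
    "EventID=4768 TargetUserName=backup IpAddress=192.0.2.20 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
]

def roastable_accounts(accounts):
    """Accounts with DONT_REQ_PREAUTH set; the fix is clearing that bit."""
    return [name for name, uac in accounts if uac & DONT_REQ_PREAUTH]

def parse_event(line):
    """Turn one constructed 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def asrep_roast_hits(lines):
    """(user, source) for TGTs issued with no pre-auth and RC4: offline-crackable replies."""
    hits = []
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4768" or ev.get("Status") != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits

def preauth_sweep_sources(lines, threshold=2):
    """Sources touching >= threshold distinct accounts without pre-auth (issued, or
    refused with 0x19): the shape of a username list fed to a tool like GetNPUsers.py."""
    per_source = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "4768":
            continue
        no_preauth = ev.get("Status") == "0x19" or (
            ev.get("Status") == "0x0" and ev.get("PreAuthType") == "0")
        if no_preauth:
            per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(u) for ip, u in per_source.items() if len(u) >= threshold}
```

In a real domain the account list would come from an LDAP query or Get-ADUser and the events from the DC's Security log; the threshold should be tuned to normal client behaviour, since a single no-pre-auth TGT for a legitimately configured account is expected.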

Exploitation

Impacket has a tool called "GetNPUsers.py" (located in Impacket/Examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that's necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.

Let us now use GetNPUsers.py to retrieve the Ticket Granting Ticket (TGT) of the svc-admin account.

TGT Retrieved

It's the same hash we got when we enumerated usernames using kerbrute.

Let's crack the hash we got using the modified password list. I'll use John the Ripper.

Password retrieved

And our password is management2005.

NB: The hash I got using kerbrute is different from the hash I got using GetNPUsers.py. When I use the modified password list, I also get different passwords. But apparently the 'correct' password is management2005 (from the GetNPUsers.py tool) since that's what THM accepts as the answer. I wonder why this is so. I'll ask around. The other password from the cracked hash is pinkpurple.

Enumerating the DC (part 3)

Since we now have valid user credentials for the svc-admin account, we will use them to see if we can gain access to SMB and view the shares.

The backup share looks interesting. Let's see what's in it.

Backup credentials stored here

The credentials appear to be in base64. Let's decode it.

Plain text credentials retrieved

We can use these credentials to dump the domain's credentials. This works because the backup account most likely holds privileged rights on the DC in order to make backups.

Hashes dumped

Since we have the Administrator's hash, we will perform a "pass the hash" attack. If this were a real assessment, we would take all the user account hashes and try to crack them offline. This would help us know whether or not they have a strong password policy.

And we get shell access as authority\system :)

WOOP WOOP!!!

Now let's continue on with the exercises on THM, retrieve the flags, and complete this machine.

Further Research

Read on:

  • Kerberos

  • Kerberoasting

  • ASREPRoasting

Practice more on machines with Windows AD.
