Attacktive Directory


https://tryhackme.com/room/attacktivedirectory

99% of Corporate networks run off of AD. But can you exploit a vulnerable Domain Controller?


Use nmap to find the open ports on the machine.

Task 3 - Enumeration - Welcome to Attacktive Directory

What tool will allow us to enumerate port 139/445?

Enum4linux

Enum4linux is a command-line tool used to gather information from Windows and Samba systems in the same network. It can enumerate user accounts, groups, shares, policies, and password hashes, among other things. It is commonly used by network administrators and security professionals to identify vulnerabilities, but it can also be misused by attackers.

What is the NetBIOS-Domain Name of the machine?
What invalid TLD do people commonly use for their Active Directory Domain?

Task 4 - Enumeration - Enumerating Users via Kerberos

Download Kerbrute from Github.

What command within Kerbrute will allow us to enumerate valid usernames?

userenum

What notable account is discovered? (These should jump out at you)
What other notable account is discovered? (These should jump out at you)

backup

Task 5 - Exploitation - Abusing Kerberos

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
What mode is the hash?

18200

Now crack the hash with the modified password list provided. What is the user account's password?

management2005

Task 6 - Enumeration - Back to the Basics

What utility can we use to map remote SMB shares?

Smbclient

Which option will list shares?

-L

How many remote shares is the server listing?

6

There is one particular share that we have access to that contains a text file. Which share is it?

backup

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding the contents of the file, what is the full contents?

backup@spookysec.local:backup2517860

Task 7 - Domain Privilege Escalation - Elevating Privileges within the Domain

What method allowed us to dump NTDS.DIT?

DRSUAPI
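Two of the steps in this room leave distinctive traces on the domain controller: an AS-REP roast (the hashcat 18200 material from Task 5) shows up as Security event 4768 with pre-authentication type 0 and RC4 (0x17) encryption, and a DRSUAPI replication dump of NTDS.DIT shows up as event 4662 where a non-DC account exercises the DS-Replication-Get-Changes rights. The script below is an added example written for this page, not code from TryHackMe or the room's author. It assumes the events have been flattened to one `key=value` line each using the EventData field names from the Windows Security log, and the log records, user names and addresses in it are constructed.

```python
"""Detection logic for AS-REP roasting (event 4768) and DCSync-style
DRSUAPI replication (event 4662), as an added example for this writeup.
The flattened key=value log format and all records are constructed."""
import re
from typing import Dict, List

# Property GUIDs for the two replication rights a DRSUAPI/DCSync request exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample events, one per line (names and addresses are made up).
SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc-example ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4768 TargetUserName=jdoe ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.9
EventID=4768 TargetUserName=backup ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4662 SubjectUserName=backup ObjectType=domainDNS Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
EventID=4662 SubjectUserName=DC01$ ObjectType=domainDNS Properties=%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} AccessMask=0x100
"""

# A value runs until the next "word=" token, so Properties may contain spaces.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened key=value line into a dict of EventData fields."""
    return dict(FIELD_RE.findall(line))


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def is_asrep_roast(ev: Dict[str, str]) -> bool:
    """4768 issued with no pre-authentication (PreAuthType 0) and RC4 (etype 23,
    0x17): exactly the AS-REP material hashcat mode 18200 cracks."""
    return (
        ev.get("EventID") == "4768"
        and ev.get("PreAuthType") == "0"
        and ev.get("TicketEncryptionType", "").lower() == "0x17"
    )


def is_dcsync(ev: Dict[str, str]) -> bool:
    """4662 where a non-DC principal uses the replication property GUIDs.
    Domain controller computer accounts (name ends in $) replicate legitimately,
    so they are excluded to keep the rule quiet in normal operation."""
    if ev.get("EventID") != "4662":
        return False
    if ev.get("SubjectUserName", "").endswith("$"):
        return False
    props = ev.get("Properties", "").lower()
    return any(guid in props for guid in REPLICATION_GUIDS)


def find_alerts(text: str) -> List[str]:
    """Run both rules over a flattened log and return human-readable alerts."""
    alerts = []
    for ev in parse_log(text):
        if is_asrep_roast(ev):
            alerts.append(
                f"AS-REP roasting candidate: {ev['TargetUserName']} "
                f"from {ev.get('IpAddress', '?')}"
            )
        elif is_dcsync(ev):
            alerts.append(
                f"DCSync (DRSUAPI replication) by non-DC account: {ev['SubjectUserName']}"
            )
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The 4768 rule fires only on the first sample line: the `backup` request uses RC4 but does supply pre-authentication, and `jdoe` uses AES. The 4662 rule fires for `backup` but not for the `DC01$` computer account. The corresponding mitigation for the first finding is removing the "Do not require Kerberos preauthentication" flag from any account that does not need it; for the second, replication rights should exist only on domain controllers and the accounts that genuinely perform directory replication.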

What is the Administrator's NTLM hash?

0e0363213e37b94221497260b0bcb4fc

What method of attack could allow us to authenticate as the user without the password?

Pass The Hash

Using a tool called Evil-WinRM, what option will allow us to use a hash?

Task 8 - Flag Submission - Flag Submission Panel

Use WinRM to log in to the Administrator account.

Check the desktop of the required users to find the flags.
