Attacktive Directory ~ Write-up

Attacktive Directory: Mm0

Write-up: Michael N Mm0






https://tryhackme.com/r/room/attacktivedirectory

Scanning:

Scanning the specific ports that I am interested in.




Enumerate SMB port 445

List shares with smbclient:

Listing shares without supplying a password: the anonymous login worked, but the workgroup isn't available.



Enumerate SMB

I will use enum4linux/smbclient to enumerate SMB on port 445.

Using crackmapexec to brute-force RIDs

The Guest user was disabled, probably because tools like enum4linux like to abuse the guest account for enumeration.




SMB         10.10.76.106    445    ATTACKTIVEDIREC  498: THM-AD\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  500: THM-AD\Administrator (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  501: THM-AD\Guest (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  502: THM-AD\krbtgt (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  512: THM-AD\Domain Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  513: THM-AD\Domain Users (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  514: THM-AD\Domain Guests (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  515: THM-AD\Domain Computers (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  516: THM-AD\Domain Controllers (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  517: THM-AD\Cert Publishers (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  518: THM-AD\Schema Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  519: THM-AD\Enterprise Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  520: THM-AD\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  521: THM-AD\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  522: THM-AD\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  525: THM-AD\Protected Users (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  526: THM-AD\Key Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  527: THM-AD\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  553: THM-AD\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  571: THM-AD\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  572: THM-AD\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1000: THM-AD\ATTACKTIVEDIREC$ (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1101: THM-AD\DnsAdmins (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1102: THM-AD\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1103: THM-AD\skidy (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1104: THM-AD\breakerofthings (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1105: THM-AD\james (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1106: THM-AD\optional (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1107: THM-AD\sherlocksec (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1108: THM-AD\darkstar (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1109: THM-AD\Ori (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1110: THM-AD\robin (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1111: THM-AD\paradox (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1112: THM-AD\Muirland (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1113: THM-AD\horshark (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1114: THM-AD\svc-admin (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1116: THM-AD\CompStaff (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1117: THM-AD\dc (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1118: THM-AD\backup (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1601: THM-AD\a-spooks (SidTypeUser)







These are all the accounts, but two in particular stand out to me:
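As an added example that is not part of this write-up, here is a small Python parser for RID-cycling output in the shape shown above. It buckets the results by SID type and separates the built-in principals (RID below 1000) and the computer account from the user accounts a reviewer would actually want to audit. The sample output is a retyped subset of the lines above; the field names (`host`, `netbios`, `sidtype`) and the `RidEntry` type are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the crackmapexec --rid-brute output above
# (a subset of the write-up's lines, retyped here for the demo).
SAMPLE_OUTPUT = """\
SMB         10.10.76.106    445    ATTACKTIVEDIREC  500: THM-AD\\Administrator (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  501: THM-AD\\Guest (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  502: THM-AD\\krbtgt (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  512: THM-AD\\Domain Admins (SidTypeGroup)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1000: THM-AD\\ATTACKTIVEDIREC$ (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1103: THM-AD\\skidy (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1114: THM-AD\\svc-admin (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1116: THM-AD\\CompStaff (SidTypeAlias)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1118: THM-AD\\backup (SidTypeUser)
SMB         10.10.76.106    445    ATTACKTIVEDIREC  1601: THM-AD\\a-spooks (SidTypeUser)
"""

# One result line: tool tag, target host, port, NetBIOS name, then "RID: DOMAIN\name (SidType...)".
LINE_RE = re.compile(
    r"^SMB\s+(?P<host>\S+)\s+(?P<port>\d+)\s+(?P<netbios>\S+)\s+"
    r"(?P<rid>\d+):\s+(?P<domain>[^\\]+)\\(?P<account>.+?)\s+\((?P<sidtype>SidType\w+)\)\s*$"
)


@dataclass(frozen=True)
class RidEntry:
    rid: int
    domain: str
    account: str
    sidtype: str

    @property
    def is_machine(self) -> bool:
        # Computer accounts carry a trailing "$" (the DC's own account is RID 1000 above).
        return self.account.endswith("$")

    @property
    def is_builtin(self) -> bool:
        # RIDs below 1000 are reserved for well-known principals:
        # Administrator=500, Guest=501, krbtgt=502, Domain Admins=512, ...
        return self.rid < 1000


def parse_rid_brute(text: str) -> list[RidEntry]:
    """Parse RID-cycling output into structured entries; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(RidEntry(int(m["rid"]), m["domain"], m["account"], m["sidtype"]))
    return entries


def summarize(entries: list[RidEntry]) -> dict[str, list[str]]:
    """Bucket entries by SID type and single out the non-builtin, non-machine users: these are
    the accounts to review for weak settings such as 'Do not require Kerberos preauthentication'
    or membership in groups that carry directory replication rights."""
    out: dict[str, list[str]] = {
        "users": [], "machine_accounts": [], "groups": [], "aliases": [], "non_builtin_users": []
    }
    for e in sorted(entries, key=lambda e: e.rid):
        if e.sidtype == "SidTypeUser":
            if e.is_machine:
                out["machine_accounts"].append(e.account)
            else:
                out["users"].append(e.account)
                if not e.is_builtin:
                    out["non_builtin_users"].append(e.account)
        elif e.sidtype == "SidTypeGroup":
            out["groups"].append(e.account)
        elif e.sidtype == "SidTypeAlias":
            out["aliases"].append(e.account)
    return out


if __name__ == "__main__":
    for bucket, names in summarize(parse_rid_brute(SAMPLE_OUTPUT)).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

The list this produces is exactly what an unauthenticated caller learned here, which is the defender's argument for disabling anonymous SID/name translation and restricting anonymous SAM enumeration on domain controllers, and for reviewing every account in `non_builtin_users` for the settings noted in the docstring.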






Let me check whether pre-authentication is required for this account; if it isn't, I might be able to do AS-REP roasting.



After some trial and error:

Cracking the TGT to get the plaintext password of the KRBTGT account

We get the password because, in Kerberos authentication, the TGT is encrypted with the NTLM hash of the KRBTGT account, so by successfully cracking the TGT we can obtain the KRBTGT plaintext password.

Password: management2005





Going back to SMB:

The contents of the file look like base64; let's pipe it to








Let's try to dump the NTDS.DIT

Let's pass the hash to evil-winrm
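As an added detection example, not part of this write-up, the Python below covers two of the steps above from the defender's side: the AS-REP roasting of the account without pre-authentication, and the NTDS.DIT dump. On a domain controller the first shows up as event 4768 with Pre-Authentication Type 0 (a TGT issued with no pre-auth, which only happens for accounts flagged DONT_REQ_PREAUTH), and a replication-based dump such as secretsdump shows up as event 4662 whose Properties carry the DS-Replication-Get-Changes control-access GUIDs. One point worth keeping straight: the blob cracked in AS-REP roasting is the encrypted part of the AS-REP, which is keyed by the requested account's own password hash, so the recovered password belongs to that account. The log format is a constructed, simplified key=value rendering (not real EVTX), the IPs and the last Properties GUID are placeholders, and the DC allow-list assumes the only DC is the `ATTACKTIVEDIREC$` account from the RID listing.

```python
import re

# Control-access rights a DCSync-style NTDS.dit dump exercises; their GUIDs appear in the
# Properties field of event 4662 when "Audit Directory Service Access" is enabled.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"  # Ticket Encryption Type value for RC4-HMAC in event 4768

# Constructed, simplified key=value rendering of Windows Security events (not real EVTX);
# account names reuse the write-up's, the IPs and the all-zero GUID are placeholders.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc-admin ServiceName=krbtgt PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4768 TargetUserName=james ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.76.20
EventID=4768 TargetUserName=backup ServiceName=krbtgt PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.10.14.5
EventID=4662 SubjectUserName=backup ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=ATTACKTIVEDIREC$ ObjectType=domainDNS Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662 SubjectUserName=james ObjectType=user Properties=00000000-0000-0000-0000-000000000000
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> list[dict[str, str]]:
    """One dict per non-empty line, keyed by the event's field names."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if line.strip()]


def detect_asrep_roasting(events: list[dict[str, str]]) -> list[dict]:
    """4768 for krbtgt with Pre-Authentication Type 0: a TGT was handed out without
    pre-auth. RC4 (0x17) on such a reply makes the offline crack cheap."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("ServiceName") == "krbtgt" and ev.get("PreAuthType") == "0":
            alerts.append({
                "rule": "asrep_roasting",
                "account": ev.get("TargetUserName", "?"),
                "source": ev.get("IpAddress", "?"),
                "rc4": ev.get("TicketEncryptionType") == RC4_HMAC,
            })
    return alerts


def detect_dcsync(events: list[dict[str, str]], dc_accounts: frozenset) -> list[dict]:
    """4662 carrying a replication control-access GUID, requested by anything other than a
    domain controller's own computer account: the access pattern of a replication-based dump."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != "4662":
            continue
        rights = set(ev.get("Properties", "").split(";")) & REPLICATION_GUIDS
        subject = ev.get("SubjectUserName", "?")
        if rights and subject not in dc_accounts:
            alerts.append({"rule": "dcsync", "account": subject, "rights": sorted(rights)})
    return alerts


def run_detections(text: str, dc_accounts: frozenset = frozenset({"ATTACKTIVEDIREC$"})) -> dict:
    events = parse_events(text)
    return {
        "asrep_roasting": detect_asrep_roasting(events),
        "dcsync": detect_dcsync(events, dc_accounts),
    }


if __name__ == "__main__":
    for rule, hits in run_detections(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, hit)
```

Against real Security-log data the field names are the same, but a real 4662 lists each GUID in braces with an access-type prefix, so the split in `detect_dcsync` needs a regex for GUIDs instead; both rules also depend on the corresponding audit subcategories being enabled on the DCs. The fix each rule points at is on the directory side: clear DONT_REQ_PREAUTH (UserAccountControl 0x400000) on accounts that do not need it, and keep the replication rights limited to domain controllers.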



Let's check the user's desktop:

