Beri Contraster

Attacktive Directory: TryHackMe Walkthrough



Welcome, reader. Today we'll hack Attacktive Directory from TryHackMe. Over 73,859 companies have started using Microsoft Active Directory as an identity-and-access-management tool. Let's start with an Nmap scan.


Enumeration

Nmap Scan


Nmap returned the NetBIOS name and the DNS name. Let's start by adding the domain "spookysec.local" to /etc/hosts.



Let's enumerate the SMB ports using smbmap to check if we can access any shares.



I scanned the SMB shares with smbmap, but anonymous login is not allowed. Let's take a look at the website.



The default IIS web page is running. Let's try directory fuzzing to discover hidden directories using gobuster.



Kerberoasting

Gobuster found nothing either. Let's use Kerbrute to enumerate users. Kerbrute is a popular tool for performing Kerberos-based attacks such as Kerberoasting, which typically operates over the Kerberos protocol. I'm using this list for user enumeration.



Kerbrute also retrieved the password hash of the user svc-admin, but this hash is not crackable. We can retrieve a crackable hash using Impacket (GetNPUsers).


ASREPRoasting


I copied the hash to a file and we'll crack it using Hashcat mode 18200 (Kerberos 5, etype 23, AS-REP).
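On the defender's side, the user enumeration and the AS-REP request above both surface as Security Event ID 4768 on the domain controller. The following is an added example, not part of the original walkthrough: it assumes Kerberos Authentication Service auditing (success and failure) is enabled, and the sample records, IP addresses, usernames other than svc-admin, and the threshold are constructed.

```python
from collections import Counter

def ev(user, status, preauth, etype, ip):
    """Build a record holding a subset of the Event ID 4768 fields."""
    return {"TargetUserName": user, "Status": status, "PreAuthType": preauth,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample data (not from the original page).
SAMPLE_EVENTS = [
    ev("james",     "0x6", "-", "0xffffffff", "10.10.10.5"),
    ev("robin",     "0x6", "-", "0xffffffff", "10.10.10.5"),
    ev("darkstar",  "0x6", "-", "0xffffffff", "10.10.10.5"),
    ev("ori",       "0x6", "-", "0xffffffff", "10.10.10.5"),
    ev("svc-admin", "0x0", "0", "0x17",       "10.10.10.5"),   # no pre-auth, RC4
    ev("alice",     "0x0", "2", "0x12",       "10.10.10.20"),  # normal logon
    ev("bob",       "0x6", "-", "0xffffffff", "10.10.10.20"),  # single typo
]

ENUM_THRESHOLD = 3  # assumed tuning value: unknown-principal failures per source

def analyze(events, enum_threshold=ENUM_THRESHOLD):
    """Return (enumeration_sources, asrep_findings) from 4768 records."""
    unknown = Counter()
    asrep = []
    for e in events:
        ip = e["IpAddress"]
        if e["Status"] == "0x6":  # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such user
            unknown[ip] += 1
        elif e["Status"] == "0x0" and e["PreAuthType"] == "0":
            # TGT issued without pre-authentication: the account has
            # "Do not require Kerberos preauthentication" set.
            rc4 = e["TicketEncryptionType"].lower() == "0x17"  # etype 23
            asrep.append({"user": e["TargetUserName"], "source": ip, "rc4": rc4})
    enum_sources = {ip: n for ip, n in unknown.items() if n >= enum_threshold}
    return enum_sources, asrep

def correlate(events):
    """Sources that both enumerated users and received a no-preauth AS-REP."""
    enum_sources, asrep = analyze(events)
    return sorted({f["source"] for f in asrep if f["source"] in enum_sources})

if __name__ == "__main__":
    sources, findings = analyze(SAMPLE_EVENTS)
    print("enumeration sources:", sources)
    print("AS-REP without pre-auth:", findings)
    print("correlated sources:", correlate(SAMPLE_EVENTS))
```

Any account that appears in the second list should have pre-authentication re-enabled and its password rotated, since an RC4 (etype 23) reply is the Hashcat mode 18200 input.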



Let's see if we can access any SMB shares with these credentials.



We now have read access to some shares. The backup share stands out from the others, so let's see what is in there.



There is a credentials backup file, which I downloaded to my attacking machine. Let's take a look at the file contents.



Dumping Hashes & Escalating Privileges

The file contained the Base64-encoded credentials of the user backup. This account has a unique permission that allows all Active Directory changes to be synced with this user account. This includes password hashes. Let's see what password hashes we can dump with this account using Secretsdump.



I successfully retrieved the Administrator's hash. We can perform a Pass the Hash attack to log in as Administrator using Psexec. We can also use evil-winrm.



FLAGS

SVC-ADMIN


Backup


Administrator


Thanks for reading. If you have any questions please don't hesitate to ask me.
