TryHackMe: Attacktive Directory Walkthrough

For this post, I would like to share the knowledge and skills that I just acquired by doing this machine. Attacktive Directory is an old machine and there are probably already a lot of walkthroughs for it out there.

To be frankly honest, I didn't have any knowledge of how to do penetration testing or security testing on Active Directory, which normally uses a Domain Controller in its infrastructure. So, this room will be my first encounter with this environment.

As mentioned in the screenshot above, this room was created by Sq00ky and was released around 396 days ago.

Let's get started!

As usual, we need to deploy the machine by clicking Deploy as shown above.

For the first task, we are required to download the tools that will be used in this activity.

To download and install the tools on our machine, we use the command

git clone https://github.com/Sq00ky/attacktive-directory-tools.git

Once the download has completed, give the Kerberos tools located inside the attacktive-directory-tools folder the permissions they need to run, as shown below:

Looking at what we got in this attacktive-directory-tools folder, we are lucky that Impacket has been included as well.

So, let's install Impacket too while we're at it. We start by unzipping impacket-master.zip and moving the unzipped folder to the /opt/ directory.

After the unzip has finished, install the requirements by running the command as follows:

pip3 install -r /opt/impacket-master/requirements.txt

After the Python modules have been successfully installed on the machine, we can run the Impacket setup script as below:

cd /opt/impacket-master/ && python3 ./setup.py install

Once all the installation above has been completed, we can start gathering information on the machine by running nmap -sV -sC <IP Address> -Pn as usual (note that the flag is -Pn, skip host discovery; lowercase -pn is not a valid nmap option).

From the output, we can see that NetBIOS_Domain_Name is THM-AD and DNS_Domain_Name is spookysec.local. Aside from that, we also learn the NetBIOS_Computer_Name, which is ATTACKTIVEDIREC.

We can already answer a few of the questions based on the nmap result above.

What tool will allow us to enumerate port 139/445?

To answer the question above, there are a lot of tools that we can use to enumerate ports 139/445. Those tools are as follows:

  • nmap
  • enum4linux (This will be the answer for this question)
  • nbtscan

For the upcoming questions in this activity, we need to use kerbrute by running ./kerbrute

To enumerate the usernames on the machine, we can use the command

./kerbrute userenum --dc <IP Address> -d spookysec.local userlist.txt -t 100

From what I can digest from the result, there are two notable usernames that we can use here: svc-admin@spookysec.local and backup@spookysec.local.

After the user account information gathering is completed, we can use an attack method based on a Kerberos feature, called AS-REP Roasting, which targets accounts that do not require Kerberos pre-authentication; you can see its output later. Now we know the users and we only need to gain the password for svc-admin.
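From the defender's side, the same technique leaves a trace on the domain controller: a successful TGT request (Security event 4768) with pre-authentication type 0 and an RC4 (0x17) ticket. The following is an added example, not part of the original walkthrough or the room's tools; it runs over constructed, flattened 4768 lines and assumes the key=value layout shown in the sample.

```python
# Added example (not from the original walkthrough): flag Kerberos TGT requests
# that look like AS-REP roasting in Windows Security event 4768 records.
# The log lines below are constructed for this demo; field names follow the
# 4768 event layout (Pre-Authentication Type 0 = no pre-auth, 0x17 = RC4-HMAC).
import re

# Constructed sample of 4768/4769 events, flattened one per line.
SAMPLE_4768 = """\
EventID=4768 TargetUserName=svc-admin TargetDomainName=SPOOKYSEC.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=james TargetDomainName=SPOOKYSEC.LOCAL IpAddress=::ffff:10.10.2.20 TicketEncryptionType=0x12 PreAuthType=2 Status=0x0
EventID=4768 TargetUserName=backup TargetDomainName=SPOOKYSEC.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x0
EventID=4768 TargetUserName=nobody TargetDomainName=SPOOKYSEC.LOCAL IpAddress=::ffff:10.10.14.5 TicketEncryptionType=0x17 PreAuthType=0 Status=0x6
EventID=4769 TargetUserName=james@SPOOKYSEC.LOCAL IpAddress=::ffff:10.10.2.20 TicketEncryptionType=0x12 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one flattened 'key=value' event line into a dict."""
    return dict(FIELD_RE.findall(line))

def is_asrep_roast_candidate(ev):
    """A successful TGT request (4768, Status 0x0) with no pre-authentication
    (PreAuthType 0) and an RC4 ticket (0x17) is the signature of a roastable
    account being handed an AS-REP. Failed requests (e.g. Status 0x6, unknown
    principal) are username-guessing noise and are deliberately not counted."""
    return (ev.get("EventID") == "4768"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and ev.get("Status") == "0x0")

def find_asrep_roasting(log_text):
    """Return {source_ip: [usernames]} for suspicious TGT requests."""
    hits = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if is_asrep_roast_candidate(ev):
            hits.setdefault(ev["IpAddress"], []).append(ev["TargetUserName"])
    return hits

if __name__ == "__main__":
    for ip, users in find_asrep_roasting(SAMPLE_4768).items():
        print(f"{ip}: AS-REP without pre-auth for {', '.join(users)}")
```

Several such hits from one source address in a short window, for accounts that normally never authenticate from there, is the pattern to alert on; the fix on the account side is to re-enable pre-authentication.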

For this activity, we are lucky because Impacket has a tool called GetNPUsers.py, which will help us query AS-REP roastable accounts from the Key Distribution Center.

The command that we can use here is

GetNPUsers.py -no-pass -dc-ip <IP Address> spookysec.local/svc-admin

The output doesn't show anything on screen because I saved it to a .txt file so that we can use it later with hashcat.

The screenshot below shows the result of the command we executed above.

There's a question about the hash mode. Let's do some research on this.

The first website link that we should look into might help answer the question.

Let's open the website together!

Wow! There are a lot of hash modes stored on the website.

What are we looking for?

$krb5asrep$23$user

This is my first time doing research on hash modes. So, let's move on to the next challenge in this room.

We have most of the requirements to run hashcat for this room. The command we will be using with hashcat is

hashcat -m 18200 -a 0 svc-admin.txt passwordlist.txt --force
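As an added example (not code from the original walkthrough), the following script parses the hashcat-format line that GetNPUsers.py writes, the $krb5asrep$23$user@REALM:checksum$edata layout, and derives the -m 18200 mode from the encryption type in the second field; the hash it parses is constructed for the demo.

```python
# Added example (not from the original walkthrough): parse the AS-REP hash line
# that GetNPUsers.py writes in hashcat format and pick the matching hashcat mode.
# The hash below is constructed for this demo (the hex blobs are not a real ticket).
import re

# $krb5asrep$<etype>$<user>@<REALM>:<16-byte checksum hex>$<encrypted part hex>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?P<etype>\d+)\$(?P<user>[^@$:]+)@(?P<realm>[^:]+):"
    r"(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$"
)

# Only etype 23 (RC4-HMAC) uses this layout and hashcat mode 18200; AES etypes
# (17/18) are emitted in a different format and need a different mode.
HASHCAT_MODE = {23: 18200}

CONSTRUCTED_HASH = (
    "$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:"
    "0123456789abcdef0123456789abcdef$"
    + "a1b2c3d4e5f60718293a4b5c6d7e8f90" * 4
)

def parse_asrep_hash(line):
    """Split one hashcat-format AS-REP line into its fields, or raise ValueError."""
    m = ASREP_RE.match(line.strip())
    if not m:
        raise ValueError("not a $krb5asrep$ hash line")
    fields = m.groupdict()
    fields["etype"] = int(fields["etype"])
    # The encrypted part must be whole bytes; the checksum is fixed at 16 bytes.
    if len(fields["edata"]) % 2:
        raise ValueError("encrypted part is not whole bytes")
    return fields

def hashcat_mode_for(line):
    """Return the hashcat -m value for a hash line, or None if unsupported."""
    return HASHCAT_MODE.get(parse_asrep_hash(line)["etype"])

if __name__ == "__main__":
    f = parse_asrep_hash(CONSTRUCTED_HASH)
    print(f"user={f['user']} realm={f['realm']} etype={f['etype']} "
          f"edata={len(f['edata']) // 2} bytes -> hashcat -m {hashcat_mode_for(CONSTRUCTED_HASH)}")
```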

Now we have the password for the user svc-admin.

Next, we need to list the SMB shares on the machine by running the command

smbclient -L <IP Address> -U 'svc-admin'

The system will ask for the credentials of svc-admin, which we already obtained in the previous task.

As we can see in the screenshot above, the SMB shares are listed as follows:

  • ADMIN$
  • backup
  • CS
  • IPC$
  • NETLOGON
  • SYSVOL

There's one SMB share that caught my attention, which is backup. So let's dive into that by running the command

smbclient //<IP Address>/backup -U 'svc-admin'

To view the files that reside in this backup share, use the command ls

Let's download backup_credentials.txt and analyse the file by using the command get backup_credentials.txt

Let's check what is written inside backup_credentials.txt by running

cat backup_credentials.txt

At first glance, we notice that the content is base64-encoded (base64 is an encoding, not a hash, so it can be reversed directly). So, let's run base64 -d backup_credentials.txt

For the next question, we need to use secretsdump.py, which is inside the impacket-master/examples folder

To answer the question about the method used to get NTDS.DIT and the NTLM hashes for the Administrator, we need to run

secretsdump.py -just-dc backup:backup2517860@<IP Address>

Honestly, I don't know the answer to the question below.

Q3 — What method of attack could allow us to authenticate as the user without the password?

Don't be ashamed to just google the answer, which leads to the pass-the-hash method.

In order to use evil-winrm, the option that lets us authenticate with the NTLM hash instead of the password is -H

Finally, we are at the last challenge in this room.

To pass this challenge, we need to use the tool evil-winrm.

The command we will be using here is evil-winrm -i <IP Address> -u Administrator -H 0e0363213e37b94221497260b0bcb4fc

*Hashes might be different for other players

For each user, we need to access that user's Desktop folder (<user account>/Desktop) in order to retrieve the flag

-THE END-

Happy learning, guys!