#tryhackme #activedirectory #hard

# Information Gathering - Nmap

Started off with scanning all TCP ports

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:20 EDT
Nmap scan report for 10.10.46.52
Host is up (0.19s latency).
Not shown: 65153 closed tcp ports (reset), 358 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
7990/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49672/tcp open  unknown
49673/tcp open  unknown
49679/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 25.40 seconds
```

Then I ran one more TCP scan against the open ports found, with the `-sCV` options for more detailed information

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 53,80,88,135,139,389,445,464,593,636,3389,5357,5985,7990,9389,47001,49664,49665,49666,49667,49671,49672,49673,49679
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:23 EDT
Nmap scan report for 10.10.46.52
Host is up (0.20s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-22 02:23:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-22T02:24:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Not valid before: 2025-07-21T02:19:54
|_Not valid after:  2026-01-20T02:19:54
| rdp-ntlm-info:
|   Target_Name: LAB-ENTERPRISE
|   NetBIOS_Domain_Name: LAB-ENTERPRISE
|   NetBIOS_Computer_Name: LAB-DC
|   DNS_Domain_Name: LAB.ENTERPRISE.THM
|   DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
|   DNS_Tree_Name: ENTERPRISE.THM
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-22T02:24:16+00:00
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7990/tcp  open  http          Microsoft IIS httpd 10.0
|_http-title: Log in to continue - Log in with Atlassian account
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-07-22T02:24:18
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.42 seconds
```

And finally a UDP scan against the top 10 ports

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:25 EDT
Nmap scan report for 10.10.46.52
Host is up (0.20s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  closed        msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
```

# Enumeration

Before diving into enumeration, let's summarize what we gathered from the Nmap result. What I want to emphasize is the information from port 3389 (RDP). The `ssl-cert` reveals that the FQDN of the system is `LAB-DC.LAB.ENTERPRISE.THM`, which indicates the domain name would be `LAB.ENTERPRISE.THM`, and finally the domain root is `ENTERPRISE.THM`.

##### port 80 - HTTP

Nothing important on the web page. I could run a tool like `gobuster` to enumerate directories, but I'll look into the other ports first and come back later.

![[Pasted image 20250721214134.png]]

##### port 445 - SMB

Port 445 allows SMB null authentication, and there's a custom share called `Docs`.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        Docs            Disk
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        Users           Disk      Users Share. Do Not Touch!
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.46.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Two files exist inside the share. Let me download both

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //$IP/Docs
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Mar 14 22:47:35 2021
  ..                                  D        0  Sun Mar 14 22:47:35 2021
  RSA-Secured-Credentials.xlsx        A    15360  Sun Mar 14 22:46:54 2021
  RSA-Secured-Document-PII.docx       A    18432  Sun Mar 14 22:45:24 2021

                15587583 blocks of size 4096. 9930328 blocks available
smb: \>
```

I tried to open the downloaded files, but a prompt required me to enter a password.

![[Pasted image 20250721215050.png]]

##### Port 7990 - HTTP

I navigated to port 7990 in the browser and it displayed an `Atlassian` service. The message in the center caught my eye: it says they are moving to `Github`.

![[Pasted image 20250721215229.png]]

I searched for `Enterprise-THM` using Google dorking and found the following GitHub repo.

![[Pasted image 20250721215420.png]]

There was this user named `Nik-enterprise-dev` who appears to be a member of the Enterprise organization. He has a single repo, let's check it out.

![[Pasted image 20250721220529.png]]

One of the commits he pushed revealed a set of credentials!

![[Pasted image 20250721220713.png]]

`nik:ToastyBoi!`

`netexec` confirmed the user indeed exists in the system.

![[Pasted image 20250721221004.png]]

##### Bloodhound

Since we found a set of valid credentials, we can now use `Bloodhound` to map out the AD network and discover what privileges our user has.

##### Back to NetExec...

I was going to use `Bloodhound` but I kept running into issues. Therefore, I tried enumerating more users in the domain using `netexec`.

![[Pasted image 20250721230154.png]]

After some filtering, I managed to get a clean list of usernames. Now let's see if any of the users are kerberoastable.
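Before the Kerberoasting steps that follow, here is what that activity looks like from the domain controller's side. This is an added example, not part of the original writeup: a small Python detector run over constructed Security event 4769 records. The `nik`, `bitbucket` and `LAB-DC` names come from the box; the requester IP, the `svc_sql` SPN and the timestamps are made up.

```python
from collections import defaultdict

# EventID 4769 TicketEncryptionType values considered weak: RC4-HMAC and DES.
WEAK_ETYPES = {"0x17", "0x1", "0x3"}

# Constructed sample 4769 records (not real log data). The DC and the nik /
# bitbucket accounts come from the box; the requester IP, svc_sql and the
# timestamps (seconds) are made up.
SAMPLE_4769 = [
    {"time": 100, "account": "nik@LAB.ENTERPRISE.THM", "service": "bitbucket",
     "etype": "0x17", "src_ip": "10.10.10.5", "status": "0x0"},
    {"time": 101, "account": "nik@LAB.ENTERPRISE.THM", "service": "LAB-DC$",
     "etype": "0x12", "src_ip": "10.10.10.5", "status": "0x0"},
    {"time": 102, "account": "LAB-DC$@LAB.ENTERPRISE.THM", "service": "krbtgt",
     "etype": "0x12", "src_ip": "10.10.46.52", "status": "0x0"},
    {"time": 103, "account": "nik@LAB.ENTERPRISE.THM", "service": "svc_sql",
     "etype": "0x17", "src_ip": "10.10.10.5", "status": "0x0"},
]

def is_roastable_target(service: str) -> bool:
    """Machine accounts and krbtgt have long random keys; only user SPNs matter."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def flag_weak_tgs(events):
    """Successful TGS requests with a weak etype for a user-account SPN."""
    return [e for e in events
            if e["status"] == "0x0" and e["etype"] in WEAK_ETYPES
            and is_roastable_target(e["service"])]

def burst_requesters(events, window=300, threshold=2):
    """Requesters that pulled >= threshold distinct weak-etype SPNs inside one
    window (GetUserSPNs asks for every SPN at once, so this fires on bulk runs)."""
    seen = defaultdict(set)
    for e in flag_weak_tgs(events):
        seen[(e["account"], e["src_ip"], e["time"] // window)].add(e["service"])
    return {k[:2]: sorted(v) for k, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    for e in flag_weak_tgs(SAMPLE_4769):
        print(f"[weak etype] {e['account']} -> {e['service']} from {e['src_ip']}")
    for (acct, ip), spns in burst_requesters(SAMPLE_4769).items():
        print(f"[burst] {acct} from {ip}: {spns}")
```

The single `bitbucket` request already trips the weak-etype rule; the burst rule is the one that separates a full `GetUserSPNs` run from an application that legitimately still uses RC4.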
![[Pasted image 20250721230953.png]]

Before trying Kerberoasting, I verified that my list of users is valid using `Kerbrute`

![[Pasted image 20250721231513.png]]

`impacket-GetUserSPNs` revealed there's an account named `bitbucket` and its SPN is set, which indicates it's kerberoastable! We obtained its ticket.

![[Pasted image 20250721231924.png]]

Successfully cracked the hash and obtained the password

![[Pasted image 20250721232509.png]]

`bitbucket:littleredbucket`

# Exploit - Initial Access via RDP

I logged into RDP with the credentials I just found, and there was the `user.txt` flag on the Desktop.

![[Pasted image 20250721232733.png]]

# Privilege Escalation

Exploring the system, I found this service named `zerotieroneservice`, and it stood out to me because, first, it is not a default service and, second, its path appears to be vulnerable to an `Unquoted Service Paths` attack. Let's look up the service using `sc.exe`

![[Pasted image 20250721233311.png]]

![[Pasted image 20250721233728.png]]

`Get-Acl` reveals that `BUILTIN\Users` have `Write` privileges in the `C:\Program Files (x86)\Zero Tier` directory.

![[Pasted image 20250721235202.png]]

Nice, we have permission to restart the service! Now let's make a payload

![[Pasted image 20250722000009.png]]

In my local Kali, I generated a Windows reverse shell payload and also set up a listener.

![[Pasted image 20250722000206.png]]

Successfully transferred the payload into the remote Windows system. Let's move the file to `C:\Program Files (x86)\Zero Tier\Zero.exe`

![[Pasted image 20250722000337.png]]

![[Pasted image 20250722000458.png]]

Now let's restart the service and see if we can capture the reverse shell.

`Restart-Service -Name zerotieroneservice`

Got the reverse shell as the `nt authority\system` user :)

![[Pasted image 20250722000612.png]]

Found `root.txt` in `C:\Users\Administrator\Desktop`

![[Pasted image 20250722000815.png]]

---

##### Back to BloodHound again...

Before loading up BloodHound CE, let's first gather data using the `bloodhound-python` collector.

![[Pasted image 20250722203536.png]]

I installed `bloodhound-cli`, the Community Edition version, via Docker. Let's log in to BloodHound and feed it our .zip file

![[Pasted image 20250722203838.png]]
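Returning to the privilege escalation section above: the unquoted-path weakness in `zerotieroneservice` is something an administrator can audit for before anyone abuses it. This added Python example (not from the original writeup) checks constructed ImagePath values the way the Windows loader would parse them and proposes the quoted fix; the Zero Tier ImagePath and the writable-directory set are assumptions that mirror the `Get-Acl` finding, not values taken from the box.

```python
import re
# Constructed service table mimicking `sc qc` / registry ImagePath output. The
# zerotieroneservice path is hypothetical (the box's real value is not in the
# writeup); WRITABLE_DIRS mirrors the Get-Acl finding (Users can write here).
SERVICES = {
    "zerotieroneservice": r"C:\Program Files (x86)\Zero Tier\Zero Tier One\zerotier.exe",
    "Spooler": r"C:\Windows\System32\spoolsv.exe",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -run',
}
WRITABLE_DIRS = {r"C:\Program Files (x86)\Zero Tier"}

def split_image_path(image_path: str):
    """Return (exe_path, args). A quoted path is unambiguous; an unquoted one is
    taken up to the first token ending in .exe, as the loader would parse it."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)", s, re.IGNORECASE)
    return (m.group(1), m.group(2).strip()) if m else (s, "")

def search_candidates(exe_path: str):
    """Files CreateProcess tries before the real binary when an unquoted path
    contains spaces: each space-delimited prefix with .exe appended."""
    parts = exe_path.split(" ")
    cands, prefix = [], parts[0]
    for p in parts[1:]:
        cands.append(prefix + ".exe")
        prefix += " " + p
    return cands

def audit(services, writable_dirs):
    """Flag unquoted ImagePaths with spaces, mark candidates whose directory is
    writable by non-admins, and propose the quoted fix."""
    findings = []
    for name, image_path in services.items():
        exe, args = split_image_path(image_path)
        if image_path.strip().startswith('"') or " " not in exe:
            continue
        cands = search_candidates(exe)
        exposed = [c for c in cands if c.rsplit("\\", 1)[0] in writable_dirs]
        fix = f'"{exe}"' + (f" {args}" if args else "")
        findings.append({"service": name, "candidates": cands,
                         "exposed": exposed, "fixed_image_path": fix})
    return findings

if __name__ == "__main__":
    for f in audit(SERVICES, WRITABLE_DIRS):
        print(f"{f['service']}: {len(f['exposed'])} candidate(s) in a writable dir")
        print(f"  fix ImagePath -> {f['fixed_image_path']}")
```

Quoting the ImagePath removes the ambiguity entirely; tightening the directory ACL so `BUILTIN\Users` cannot write there closes the second half of the finding.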