#tryhackme #activedirectory #hard
# Information Gathering - Nmap
I started off by scanning all TCP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:20 EDT
Nmap scan report for 10.10.46.52
Host is up (0.19s latency).
Not shown: 65153 closed tcp ports (reset), 358 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3389/tcp  open  ms-wbt-server
5357/tcp  open  wsdapi
5985/tcp  open  wsman
7990/tcp  open  unknown
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49667/tcp open  unknown
49671/tcp open  unknown
49672/tcp open  unknown
49673/tcp open  unknown
49679/tcp open  unknown
Nmap done: 1 IP address (1 host up) scanned in 25.40 seconds
```
Then I ran one more TCP scan against the open ports found, with the `-sCV` options, for more detailed information.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 53,80,88,135,139,389,445,464,593,636,3389,5357,5985,7990,9389,47001,49664,49665,49666,49667,49671,49672,49673,49679
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:23 EDT
Nmap scan report for 10.10.46.52
Host is up (0.20s latency).
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-22 02:23:17Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-22T02:24:25+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| Not valid before: 2025-07-21T02:19:54
|_Not valid after:  2026-01-20T02:19:54
| rdp-ntlm-info: 
|   Target_Name: LAB-ENTERPRISE
|   NetBIOS_Domain_Name: LAB-ENTERPRISE
|   NetBIOS_Computer_Name: LAB-DC
|   DNS_Domain_Name: LAB.ENTERPRISE.THM
|   DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
|   DNS_Tree_Name: ENTERPRISE.THM
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-22T02:24:16+00:00
5357/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7990/tcp  open  http          Microsoft IIS httpd 10.0
|_http-title: Log in to continue - Log in with Atlassian account
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49672/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49679/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: LAB-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-07-22T02:24:18
|_  start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 78.42 seconds
```
And finally, a UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 22:25 EDT
Nmap scan report for 10.10.46.52
Host is up (0.20s latency).
PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  closed        msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
```
# Enumeration
Before diving into enumeration, let's summarize what we gathered from the Nmap results. What I want to emphasize is the information from port 3389, RDP. The `ssl-cert` script reveals that the FQDN of the system is `LAB-DC.LAB.ENTERPRISE.THM`, which indicates the domain name is `LAB.ENTERPRISE.THM`, and the `rdp-ntlm-info` script confirms the domain root (the `DNS_Tree_Name`) is `ENTERPRISE.THM`. Kerberos (88), LDAP (389/636) and ADWS (9389) being open tells us this host is a domain controller.
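To make that summary repeatable across hosts, here is a small parser for the `-sCV` output above. It is an added example written for this write-up, not a tool used in the original run: it pulls the open ports and the `rdp-ntlm-info` fields out of the text, derives host/domain/forest the same way the paragraph above reasons, and flags the host as a likely domain controller. The sample input is a trimmed copy of the scan output shown on this page.

```python
import re

# Constructed sample: a trimmed copy of the nmap -sCV output from the scan above.
SAMPLE_NMAP = """\
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-22 02:23:17Z)
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: ENTERPRISE.THM0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=LAB-DC.LAB.ENTERPRISE.THM
| rdp-ntlm-info:
|   Target_Name: LAB-ENTERPRISE
|   NetBIOS_Domain_Name: LAB-ENTERPRISE
|   NetBIOS_Computer_Name: LAB-DC
|   DNS_Domain_Name: LAB.ENTERPRISE.THM
|   DNS_Computer_Name: LAB-DC.LAB.ENTERPRISE.THM
|   DNS_Tree_Name: ENTERPRISE.THM
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-22T02:24:16+00:00
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
"""

# "<port>/<proto> <state> <service> [<version>]" lines; the header and "|" script lines do not match.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|   Field_Name: value" lines inside an NSE script block.
NTLM_FIELD_RE = re.compile(r"^\|_?\s+([A-Za-z_]+):\s+(.*)$")


def parse_nmap(text):
    """Return {"ports": [...], "ntlm": {...}} from nmap's normal (text) output."""
    ports, ntlm, in_ntlm = [], {}, False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            in_ntlm = False  # a new port line ends any script block
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip()})
            continue
        if line.startswith("| rdp-ntlm-info:"):
            in_ntlm = True
            continue
        if in_ntlm:
            f = NTLM_FIELD_RE.match(line)
            if f:
                ntlm[f.group(1)] = f.group(2).strip()
            if line.startswith("|_"):  # "|_" marks the last line of a script block
                in_ntlm = False
    return {"ports": ports, "ntlm": ntlm}


def ad_identity(ntlm):
    """Derive host, domain and forest root from rdp-ntlm-info, with consistency checks."""
    host, domain, forest = ntlm["DNS_Computer_Name"], ntlm["DNS_Domain_Name"], ntlm["DNS_Tree_Name"]
    if not host.lower().endswith("." + domain.lower()):
        raise ValueError(f"{host} is not inside domain {domain}")
    if not domain.lower().endswith(forest.lower()):
        raise ValueError(f"{domain} is not inside forest {forest}")
    return {"host": host, "domain": domain, "forest_root": forest,
            "is_child_domain": domain.lower() != forest.lower()}


def looks_like_domain_controller(ports):
    """Kerberos (88) and LDAP (389) open together is the usual DC signature."""
    open_ports = {p["port"] for p in ports if p["state"] == "open" and p["proto"] == "tcp"}
    return {88, 389} <= open_ports


if __name__ == "__main__":
    result = parse_nmap(SAMPLE_NMAP)
    print(ad_identity(result["ntlm"]))
    print("domain controller:", looks_like_domain_controller(result["ports"]))
```

The parser only understands nmap's normal text output; for anything beyond a one-off, use `-oX` and an XML parser instead, since the text layout is not a stable interface.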
##### Port 80 - HTTP
Nothing important on the web page. I could run a tool like `gobuster` to enumerate directories, but I'll look into the other ports first and come back later.
![[Pasted image 20250721214134.png]]
##### Port 445 - SMB
Port 445 allows SMB null authentication, and there's a custom share called `Docs`.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP
	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Docs            Disk      
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
	Users           Disk      Users Share. Do Not Touch!
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.46.52 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
Two files exist inside the share. Let me download both.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //$IP/Docs
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sun Mar 14 22:47:35 2021
  ..                                  D        0  Sun Mar 14 22:47:35 2021
  RSA-Secured-Credentials.xlsx        A    15360  Sun Mar 14 22:46:54 2021
  RSA-Secured-Document-PII.docx       A    18432  Sun Mar 14 22:45:24 2021

		15587583 blocks of size 4096. 9930328 blocks available
smb: \>
```
I tried to open the downloaded files, but a prompt asked me to enter a password.
![[Pasted image 20250721215050.png]]
##### Port 7990 - HTTP
I navigated to port 7990 in the browser and it displayed an `Atlassian` service. The message in the center caught my eye: it says they are moving to `GitHub`.
![[Pasted image 20250721215229.png]]
I searched for `Enterprise-THM` using Google dorking and found the following GitHub repo.
![[Pasted image 20250721215420.png]]
There was a user named `Nik-enterprise-dev` who appears to be a member of the Enterprise organization. He has a single repo; let's check it out.
![[Pasted image 20250721220529.png]]
One of the commits he pushed revealed a set of credentials!
![[Pasted image 20250721220713.png]]
`nik:ToastyBoi!`
`netexec` confirmed that the user does exist in the domain.
![[Pasted image 20250721221004.png]]
##### Bloodhound
Since we found a set of valid credentials, we can now use `BloodHound` to map out the AD environment and discover what privileges our user has.
##### Back to NetExec...
I was going to use `BloodHound`, but I kept running into issues. So instead I tried enumerating more users in the domain using `netexec`.
![[Pasted image 20250721230154.png]]
After some filtering, I managed to get a clean list of usernames. Now let's see if any of the users are Kerberoastable.
![[Pasted image 20250721230953.png]]
Before trying Kerberoasting, I verified that my list of users is valid using `Kerbrute`.
![[Pasted image 20250721231513.png]]
`impacket-GetUserSPNs` revealed an account named `bitbucket` with an SPN set, which means it's Kerberoastable. We obtained its service ticket hash.
![[Pasted image 20250721231924.png]]
I successfully cracked the hash and obtained the password.
![[Pasted image 20250721232509.png]]
`bitbucket:littleredbucket`
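From the blue-team side, what `GetUserSPNs` just did is visible on the domain controller as a burst of Security event 4769 (Kerberos service ticket requested) records, one per SPN, typically with ticket encryption type `0x17` (RC4-HMAC) because the tool asks for the weakest type the account allows. The detection below is an added example for this write-up, not something from the original room or the tools used in it; the event records are constructed and flattened to one line each (real 4769 data would come from the event log or a SIEM), and the service names other than `bitbucket` and the client IPs are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RC4_HMAC = 0x17  # TicketEncryptionType requested by classic Kerberoasting tooling

# Constructed sample of 4769 records, one per line. Field names mirror the 4769 schema
# (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); values are made up
# except "bitbucket", the SPN account found in this write-up.
SAMPLE_4769 = """\
2025-07-22T02:31:01Z account=nik@LAB.ENTERPRISE.THM service=LAB-DC$ etype=0x12 client=10.10.46.52
2025-07-22T02:31:40Z account=nik@LAB.ENTERPRISE.THM service=bitbucket etype=0x17 client=10.9.1.77
2025-07-22T02:31:41Z account=nik@LAB.ENTERPRISE.THM service=svc_backup etype=0x17 client=10.9.1.77
2025-07-22T02:31:41Z account=nik@LAB.ENTERPRISE.THM service=svc_web etype=0x17 client=10.9.1.77
2025-07-22T02:45:10Z account=jdoe@LAB.ENTERPRISE.THM service=krbtgt etype=0x12 client=10.10.1.5
2025-07-22T03:10:00Z account=jdoe@LAB.ENTERPRISE.THM service=bitbucket etype=0x12 client=10.10.1.5
"""

LINE_RE = re.compile(r"^(\S+) account=(\S+) service=(\S+) etype=(0x[0-9a-fA-F]+) client=(\S+)$")


def parse_events(text):
    """Parse the flattened records into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, account, service, etype, client = m.groups()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "account": account, "service": service,
            "etype": int(etype, 16), "client": client,
        })
    return events


def is_roastable_request(ev):
    """RC4 ticket for a user-style service account: machine accounts ($) have random
    passwords and krbtgt requests are TGTs, so neither is interesting here."""
    svc = ev["service"]
    return ev["etype"] == RC4_HMAC and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoast_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert when one client+account pair pulls RC4 tickets for >= threshold distinct
    service accounts inside `window`; that is the shape of a bulk SPN request."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_key[(ev["client"], ev["account"])].append(ev)
    alerts = []
    for (client, account), evs in by_key.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            services = sorted({e["service"] for e in in_window})
            if len(services) >= threshold:
                alerts.append({"client": client, "account": account,
                               "start": first["time"], "services": services})
                break  # one alert per client/account pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast_bursts(parse_events(SAMPLE_4769)):
        print(alert)
```

Tune `threshold` to the environment: a single RC4 request for one SPN can be a legacy client, but many distinct SPNs from one client in seconds is not normal user behaviour. On the prevention side, the hash cracked above was only crackable because the `bitbucket` account had a short human-chosen password; a long random password or a group managed service account (gMSA), plus restricting the account to AES (`msDS-SupportedEncryptionTypes`), makes a captured ticket worthless.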
# Exploit - Initial Access via RDP
I logged into RDP with the credentials I just found, and the `user.txt` flag was on the Desktop.
![[Pasted image 20250721232733.png]]
# Privilege Escalation
Exploring the system, I found a service named `zerotieroneservice`. It stood out to me because it is not a default Windows service, and secondly its binary path appears to be vulnerable to an `Unquoted Service Path` attack. Let's look up the service using `sc.exe`.
![[Pasted image 20250721233311.png]]
![[Pasted image 20250721233728.png]]
`Get-Acl` reveals that `BUILTIN\Users` has `Write` permissions on the `C:\Program Files (x86)\Zero Tier` directory.
![[Pasted image 20250721235202.png]]
Nice, we also have permission to restart the service! Now let's make a payload.
![[Pasted image 20250722000009.png]]
On my local Kali machine, I generated a Windows reverse-shell payload and set up a listener.
![[Pasted image 20250722000206.png]]
I successfully transferred the payload to the Windows system. Let's move the file to `C:\Program Files (x86)\Zero Tier\Zero.exe`.
![[Pasted image 20250722000337.png]]
![[Pasted image 20250722000458.png]]
Now let's restart the service and see if we catch the reverse shell.
`Restart-Service -Name zerotieroneservice`
Got the reverse shell as `nt authority\system` :)
![[Pasted image 20250722000612.png]]
Found `root.txt` in `C:\Users\Administrator\Desktop`.
![[Pasted image 20250722000815.png]]
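The reason `Zero.exe` in `C:\Program Files (x86)\Zero Tier\` was picked up is how Windows resolves an unquoted `ImagePath` containing spaces: `CreateProcess` tries each space-delimited prefix with `.exe` appended before it reaches the real binary, so a service is only exploitable when one of those intermediate locations is writable by a low-privileged user. The audit below is an added example for this write-up, not code from the room or from ZeroTier: it enumerates the candidate paths for a given `ImagePath`, cross-checks them against directories where `BUILTIN\Users` has write access (here a constructed set containing the directory the `Get-Acl` output above identified), and produces the quoted path that fixes the problem. The `ImagePath` values themselves are constructed, since the write-up shows the real one only in a screenshot.

```python
import ntpath  # Windows path semantics, available on every platform

# Constructed service table in the shape of "sc.exe qc" BINARY_PATH_NAME output.
# The zerotieroneservice path is an assumed example consistent with the hijack
# location used above (C:\Program Files (x86)\Zero Tier\Zero.exe); the others are made up.
SAMPLE_SERVICES = {
    "zerotieroneservice": r"C:\Program Files (x86)\Zero Tier\Zero Tier One\ZeroTierOne.exe",
    "SafeSvc": r'"C:\Program Files\Safe Vendor\safe.exe" -k netsvcs',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k LocalService",
}

# Constructed: directories where Get-Acl showed BUILTIN\Users with Write access.
USERS_WRITABLE_DIRS = {r"C:\Program Files (x86)\Zero Tier"}


def split_image_path(image_path):
    """Separate the executable from trailing service arguments."""
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        if end != -1:
            return image_path[: end + 1], image_path[end + 1:].strip()
    idx = image_path.lower().find(".exe")
    if idx == -1:
        return image_path, ""
    return image_path[: idx + 4], image_path[idx + 4:].strip()


def hijack_candidates(image_path):
    """Paths CreateProcess tries, in order, before the real binary of an unquoted path."""
    exe_path, _args = split_image_path(image_path)
    if exe_path.startswith('"') or " " not in exe_path:
        return []  # quoted or space-free paths are unambiguous
    tokens = exe_path.split(" ")
    return [" ".join(tokens[:i]) + ".exe" for i in range(1, len(tokens))]


def audit_service(name, image_path, writable_dirs):
    """Flag the service only when a candidate lands in a user-writable directory."""
    writable = {d.lower() for d in writable_dirs}
    candidates = hijack_candidates(image_path)
    exposed = [c for c in candidates if ntpath.dirname(c).lower() in writable]
    return {"service": name, "unquoted": bool(candidates), "candidates": candidates,
            "exposed": exposed, "vulnerable": bool(exposed)}


def audit_all(services, writable_dirs):
    return [audit_service(n, p, writable_dirs) for n, p in services.items()]


def quote_image_path(image_path):
    """Remediation: wrap the executable in quotes and keep any arguments."""
    exe_path, args = split_image_path(image_path)
    if exe_path.startswith('"'):
        return image_path
    return f'"{exe_path}"' + (f" {args}" if args else "")


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_SERVICES, USERS_WRITABLE_DIRS):
        if finding["vulnerable"]:
            print(finding["service"], "exposed at", finding["exposed"])
            print("  fix:", quote_image_path(SAMPLE_SERVICES[finding["service"]]))
```

Two things the audit makes explicit that a one-line "path has spaces" check misses: an unquoted path is only dangerous when the candidate directory is writable (`C:\` and `C:\Program Files (x86)\` are not, by default, so `C:\Program.exe` and `C:\Program Files (x86)\Zero.exe` are harmless here), and the fix is two-fold, quoting the path (`sc.exe config <name> binPath= "\"...\""`) and removing `Write` for `Users` on the vendor directory.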
---
##### Back to BloodHound again...
Before loading up BloodHound CE, let's first gather data using the `bloodhound-python` collector.
![[Pasted image 20250722203536.png]]
I installed BloodHound CE (the Community Edition) via `bloodhound-cli`, which runs it in Docker. Let's log in to BloodHound and upload our .zip file.
![[Pasted image 20250722203838.png]]