#tryhackme #hard #activedirectory
![[Pasted image 20250726180517.png]]
# Information Gathering - Nmap
I started off by scanning all TCP ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpall
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:25 UTC
Nmap scan report for 10.10.219.16
Host is up (0.20s latency).
Not shown: 65193 closed tcp ports (reset), 312 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
7680/tcp open pando-pub
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49668/tcp open unknown
49669/tcp open unknown
49678/tcp open unknown
49685/tcp open unknown
49686/tcp open unknown
49689/tcp open unknown
49694/tcp open unknown
49712/tcp open unknown
49722/tcp open unknown
49726/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 25.34 seconds
```
Next, I ran another TCP scan against the open ports found, this time with service and script detection (`-sCV`).
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,3389,7680,9389,47001,49664,49665,49666,49668,49669,49678,49685,49686,49689,49694,49712,49722,49726
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:28 UTC
Nmap scan report for 10.10.219.16
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-07-26 18:28:09Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
443/tcp open ssl/http Microsoft IIS httpd 10.0
| tls-alpn:
|_ http/1.1
|_http-title: IIS Windows Server
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after: 2028-05-12T07:35:59
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after: 2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-07-25T18:21:38
|_Not valid after: 2026-01-24T18:21:38
7680/tcp closed pando-pub
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49678/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49689/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
49722/tcp open msrpc Microsoft Windows RPC
49726/tcp open msrpc Microsoft Windows RPC
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-07-26T18:29:08
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.11 seconds
```
Lastly, I performed a UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:31 UTC
Nmap scan report for 10.10.219.16
Host is up (0.24s latency).
PORT STATE SERVICE
53/udp open domain
67/udp closed dhcps
123/udp open ntp
135/udp closed msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp closed snmp
445/udp closed microsoft-ds
631/udp closed ipp
1434/udp closed ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 11.59 seconds
```
---
# Enumeration
##### SMB - TCP 139 445
Looking at the Nmap results, I am almost positive this host is a Domain Controller. Null authentication lets us list the SMB shares, but it doesn't reveal any interesting ones.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.219.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```
##### LDAP 389 636 3268 3269
`ldapsearch` returns a lot of information and indicates that the server allows anonymous binding, which means anyone can connect to LDAP and query information without authentication.
![[Pasted image 20250726141234.png]]
I enumerated only users by running `ldapsearch` with the `sAMAccountName` attribute. Let's clean up the output and enumerate more from there.
![[Pasted image 20250726141759.png]]
We now have a clean list of users in the domain.
![[Pasted image 20250726142220.png]]
Just to double-check our list, I confirmed it with `Kerbrute`, which tells me we have 488 valid usernames.
![[Pasted image 20250726142346.png]]
Now that we have a list of 488 valid usernames, we can test whether any of the users have `UF_DONT_REQUIRE_PREAUTH` set, which would allow an `AS-REP Roasting` attack.
I found 5 AS-REP-roastable users. Let's crack their hashes with `hashcat`.
I performed hash-cracking with `hashcat` multiple times, but no matter how many times I tried, it kept failing. Not sure why :(
![[Pasted image 20250726145632.png]]
So I went back to the `ldapsearch` enumeration result and looked through it. Two users have their description set to `Please Change it: CHANGEME2023!`. It appears that `CHANGEME2023!` is the temporary password for those two users, and it's possible they haven't changed it.
![[Pasted image 20250726150322.png]]
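Both findings from this enumeration, accounts with `UF_DONT_REQUIRE_PREAUTH` set and a temporary password left in the `description` attribute, can be audited by a defender straight from the same LDAP attributes. The following is an added example, not part of the original writeup: it decodes the `userAccountControl` bitmask and scans descriptions over a handful of constructed sample entries (hypothetical values, not the lab's data).

```python
import re

# userAccountControl bits (MS-ADTS / MS-SAMR); only the ones this audit reports on.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",   # the UF_DONT_REQUIRE_PREAUTH flag behind AS-REP roasting
}

# Heuristic for description values that carry a credential, modelled on the
# "Please Change it: CHANGEME2023!" description found on this box.
PASSWORD_HINT = re.compile(r"(change\s*it|password|passwd|pwd)\s*[:=]?\s*(\S+)", re.I)

# Constructed sample entries (hypothetical values, not the lab's real LDAP data).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "IVY_WILLIS", "userAccountControl": 0x10200,
     "description": "Please Change it: CHANGEME2023!"},
    {"sAMAccountName": "SUSANNA_MCKNIGHT", "userAccountControl": 0x10200,
     "description": "Please Change it: CHANGEME2023!"},
    {"sAMAccountName": "BRADLEY_ORTIZ", "userAccountControl": 0x200,
     "description": "Domain admin"},
    {"sAMAccountName": "SVC_LEGACY", "userAccountControl": 0x400200,
     "description": None},
    {"sAMAccountName": "OLD_USER", "userAccountControl": 0x400202,
     "description": "Disabled account"},
]

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def audit_entries(entries):
    """Return (sAMAccountName, finding) tuples for roastable or leaky accounts.

    A disabled account with DONT_REQ_PREAUTH is reported but marked: the KDC
    rejects its AS-REQ before issuing the AS-REP, so it is hygiene, not exposure.
    """
    findings = []
    for entry in entries:
        name = entry["sAMAccountName"]
        flags = decode_uac(entry["userAccountControl"])
        if "DONT_REQ_PREAUTH" in flags:
            state = "disabled" if "ACCOUNTDISABLE" in flags else "enabled"
            findings.append((name, f"AS-REP roastable ({state})"))
        match = PASSWORD_HINT.search(entry.get("description") or "")
        if match:
            findings.append((name, f"credential in description: {match.group(2)}"))
    return findings
```

Feeding it real entries is a matter of replacing `SAMPLE_ENTRIES` with the `sAMAccountName`, `userAccountControl` and `description` attributes pulled from an `ldapsearch` run like the one above.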
Let's perform password spraying, since we have a list of valid users and a potential valid password.
Found 2 users who have the password: `IVY_WILLIS` and `SUSANNA_MCKNIGHT`.
![[Pasted image 20250726150908.png]]
`netexec` shows both credentials are allowed for RDP login, but I failed to establish an RDP session with `IVY_WILLIS`. Let's log in with `SUSANNA_MCKNIGHT`.
![[Pasted image 20250726151309.png]]
# Initial Access - RDP
After I logged into the RDP server as `SUSANNA_MCKNIGHT`, there was a `user.txt` file on the Desktop.
![[Pasted image 20250726160636.png]]
# Privilege Escalation
Our current user `SUSANNA_MCKNIGHT` doesn't have many privileges and, as expected, does not belong to the Domain Admins group.
![[Pasted image 20250726161809.png]]
![[Pasted image 20250726160858.png]]
I decided to enumerate the domain further with `Bloodhound` to map out the AD. To do that, I first collected data using `bloodhound-python`.
![[Pasted image 20250726161711.png]]
`Bloodhound` helped map out the domain visually, but it didn't appear possible for our user to escalate privileges with the given information.
![[Pasted image 20250726163042.png]]
Then I turned to `Active Directory Certificate Services`.
To enumerate certificate templates, I used `certipy-ad` and the following command:
`certipy-ad find -u susanna_mcknight -p CHANGEME2023! -target $IP -stdout -vulnerable`
It revealed that the `ServerAuth` template is vulnerable to `ESC1`, which lets users request a TGT with the certificates they obtain from it.
![[Pasted image 20250726165755.png]]
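To make the `ESC1` verdict concrete, here is an added example (not the writeup's or certipy's code) that checks a template's attributes against the ESC1 conditions and shows the same template with `ENROLLEE_SUPPLIES_SUBJECT` cleared, which is the fix; the template attribute values and SIDs are constructed, not the lab's real `ServerAuth` settings.

```python
# Well-known AD CS template flag bits and EKU OIDs (from the template schema).
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x2           # in msPKI-Enrollment-Flag: manager approval
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Broad groups whose Enroll right makes a template reachable by any user:
# Authenticated Users, Everyone, and any domain's Domain Users / Domain Computers.
BROAD_SIDS = {"S-1-5-11", "S-1-1-0"}
BROAD_RIDS = ("-513", "-515")

def broad_enrollment(enroll_sids):
    """True if a low-privileged, broad group holds the Enroll right."""
    return any(s in BROAD_SIDS or s.endswith(BROAD_RIDS) for s in enroll_sids)

def esc1_conditions(tmpl):
    """Evaluate each ESC1 condition for a template given as a dict of attributes."""
    ekus = set(tmpl.get("pKIExtendedKeyUsage", []))
    return {
        "enrollee_supplies_subject": bool(tmpl["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT),
        "no_manager_approval": not (tmpl["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS),
        "no_authorized_signatures": tmpl.get("msPKI-RA-Signature", 0) == 0,
        "auth_eku": bool(ekus & AUTH_EKUS) or not ekus,   # no EKU at all also allows auth
        "broad_enrollment": broad_enrollment(tmpl.get("enroll_sids", [])),
    }

def is_esc1(tmpl):
    """ESC1 needs every condition at once; fixing any one of them closes the path."""
    return all(esc1_conditions(tmpl).values())

# Constructed sample templates (hypothetical attribute values, not the lab's).
DOMAIN_USERS = "S-1-5-21-1000000000-2000000000-3000000000-513"
SAMPLE_TEMPLATES = {
    "ServerAuth": {            # weak: the shape certipy flags as ESC1
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [DOMAIN_USERS]},
    "ServerAuth-fixed": {      # hardened: requester can no longer supply the subject
        "msPKI-Certificate-Name-Flag": 0x0, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_sids": [DOMAIN_USERS]},
    "WebServer": {             # requester supplies subject, but no authentication EKU
        "msPKI-Certificate-Name-Flag": 0x1, "msPKI-Enrollment-Flag": 0x0,
        "msPKI-RA-Signature": 0, "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.1"],
        "enroll_sids": [DOMAIN_USERS]},
}
```

The check covers the template alone; whether a CA actually publishes it and who holds enrollment rights on the CA itself are separate questions that certipy's output also answers.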
I requested a certificate from the vulnerable `ServerAuth` template while impersonating `Administrator`.
It successfully wrote the certificate and private key to `administrator.pfx`; now we can use this `.pfx` file to request a TGT.
![[Pasted image 20250726170753.png]]
However, I kept facing this error. I thought this might be because I tried to impersonate `Administrator`, so I looked for users in the `Domain Admins` group.
![[Pasted image 20250726174044.png]]
Found 3 other users in the `Domain Admins` group.
![[Pasted image 20250726174026.png]]
This time I requested a TGT impersonating `BRADLEY_ORTIZ`, but it gave me the same error as before. I spent a lot of time tweaking the parameter values, but nothing worked.
![[Pasted image 20250726175441.png]]
Then I found a workaround. After some research, I discovered we can also open an `LDAP-shell` by authenticating to LDAP with the `.pfx` certificate obtained from AD CS.
I successfully logged in as `BRADLEY_ORTIZ` and opened an LDAP shell.
![[Pasted image 20250726180039.png]]
It provides a `change_password` command, which I used to change the `BRADLEY_ORTIZ` password to `wook413`.
![[Pasted image 20250726180108.png]]
Then, using `xfreerdp3`, I finally got a shell as a `Domain Admin`!!!!
![[Pasted image 20250726180249.png]]
Make sure to run PowerShell as `Administrator`, or else you won't be able to access the `C:\Users\Administrator` directory.
Finally, I found `root.txt`.
![[Pasted image 20250726180427.png]]