#tryhackme #hard #activedirectory

![[Pasted image 20250726180517.png]]

# Information Gathering - Nmap

I started off with a scan of all TCP ports.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpall
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:25 UTC
Nmap scan report for 10.10.219.16
Host is up (0.20s latency).
Not shown: 65193 closed tcp ports (reset), 312 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
80/tcp    open  http
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
443/tcp   open  https
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
7680/tcp  open  pando-pub
9389/tcp  open  adws
47001/tcp open  winrm
49664/tcp open  unknown
49665/tcp open  unknown
49666/tcp open  unknown
49668/tcp open  unknown
49669/tcp open  unknown
49678/tcp open  unknown
49685/tcp open  unknown
49686/tcp open  unknown
49689/tcp open  unknown
49694/tcp open  unknown
49712/tcp open  unknown
49722/tcp open  unknown
49726/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 25.34 seconds
```

Next, a service and script scan (`-sCV`) against the open ports found above.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 53,80,88,135,139,389,443,445,464,593,636,3268,3269,3389,7680,9389,47001,49664,49665,49666,49668,49669,49678,49685,49686,49689,49694,49712,49722,49726
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:28 UTC
Nmap scan report for 10.10.219.16
Host is up (0.20s latency).

PORT      STATE  SERVICE       VERSION
53/tcp    open   domain        Simple DNS Plus
80/tcp    open   http          Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp    open   kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-26 18:28:09Z)
135/tcp   open   msrpc         Microsoft Windows RPC
139/tcp   open   netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open   ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
443/tcp   open   ssl/http      Microsoft IIS httpd 10.0
| tls-alpn:
|_  http/1.1
|_http-title: IIS Windows Server
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=thm-LABYRINTH-CA
| Not valid before: 2023-05-12T07:26:00
|_Not valid after:  2028-05-12T07:35:59
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
445/tcp   open   microsoft-ds?
464/tcp   open   kpasswd5?
593/tcp   open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open   ssl/ldap
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
3268/tcp  open   ldap          Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
3269/tcp  open   ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: thm.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject:
| Subject Alternative Name: DNS:labyrinth.thm.local, DNS:thm.local, DNS:THM
| Not valid before: 2023-05-12T07:32:36
|_Not valid after:  2024-05-11T07:32:36
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
3389/tcp  open   ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-26T18:29:17+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=labyrinth.thm.local
| Not valid before: 2025-07-25T18:21:38
|_Not valid after:  2026-01-24T18:21:38
7680/tcp  closed pando-pub
9389/tcp  open   mc-nmf        .NET Message Framing
47001/tcp open   http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open   msrpc         Microsoft Windows RPC
49665/tcp open   msrpc         Microsoft Windows RPC
49666/tcp open   msrpc         Microsoft Windows RPC
49668/tcp open   msrpc         Microsoft Windows RPC
49669/tcp open   msrpc         Microsoft Windows RPC
49678/tcp open   msrpc         Microsoft Windows RPC
49685/tcp open   ncacn_http    Microsoft Windows RPC over HTTP 1.0
49686/tcp open   msrpc         Microsoft Windows RPC
49689/tcp open   msrpc         Microsoft Windows RPC
49694/tcp open   msrpc         Microsoft Windows RPC
49712/tcp open   msrpc         Microsoft Windows RPC
49722/tcp open   msrpc         Microsoft Windows RPC
49726/tcp open   msrpc         Microsoft Windows RPC
Service Info: Host: LABYRINTH; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-07-26T18:29:08
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.11 seconds
```

A few things worth pulling out of that output before moving on. The Kerberos, LDAP, global catalog, kpasswd and ADWS ports make this a Domain Controller for `thm.local`, and the certificate SANs give its hostname, `labyrinth.thm.local`. The certificate on port 443 is issued by `thm-LABYRINTH-CA`, which tells us an Active Directory Certificate Services enterprise CA is running in the domain before we have a single credential. The LDAP certificate expired on 2024-05-11 (over a year before the scan), which is sloppy hygiene but not directly exploitable. SMB signing is enabled and required, so NTLM relay to SMB on this host is off the table. Port 7680 (Windows Update Delivery Optimization) was open in the first scan and closed in the second; it opens on demand and can be ignored.

Lastly, I performed a UDP scan against the top 10 ports.
```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-26 18:31 UTC
Nmap scan report for 10.10.219.16
Host is up (0.24s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   closed        dhcps
123/udp  open          ntp
135/udp  closed        msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  closed        snmp
445/udp  closed        microsoft-ds
631/udp  closed        ipp
1434/udp closed        ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 11.59 seconds
```

---

# Enumeration

##### SMB - TCP 139 445

Looking at the Nmap results, I am almost positive this host is a Domain Controller. A null session lets us list shares over SMB, but only the default DC shares show up, nothing of interest.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.219.16 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

##### LDAP 389 636 3268 3269

`ldapsearch` returns a lot of information and shows that the DC allows anonymous binding, which means anyone can connect to LDAP and query directory objects without authenticating. A default Windows DC only answers rootDSE queries anonymously; answering for the rest of the directory requires the `fLDAPBlockAnonOps` flag in `dSHeuristics` to have been cleared, so this is a deliberate misconfiguration rather than a default.

![[Pasted image 20250726141234.png]]

I enumerated only user objects with `ldapsearch`, pulling the `sAMAccountName` attribute, and then cleaned up the output to get a plain list to work from.

![[Pasted image 20250726141759.png]]

We now have a clean list of users in the domain.

![[Pasted image 20250726142220.png]]

To double check the list, I confirmed it with `Kerbrute`, which validates usernames through the KDC's pre-authentication responses, and it reports 488 valid usernames.

![[Pasted image 20250726142346.png]]

With 488 valid usernames, we can test whether any account has `UF_DONT_REQUIRE_PREAUTH` set. For such an account the KDC returns an AS-REP without proof of the password, and the encrypted part of that reply is keyed with the user's password hash, so it can be cracked offline (AS-REP roasting). I found 5 AS-REP-roastable users.
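The cleanup step above was done by hand in the screenshots. The following added example (mine, not part of the original write-up) does the same thing in code: it parses raw `ldapsearch` LDIF output into a user list, then flags the two things this write-up ends up hunting for, descriptions that leak a password and accounts with `UF_DONT_REQUIRE_PREAUTH` set. The `SAMPLE_LDIF` is constructed data; its names, DNs and values are made up for illustration and are not the lab's.

```python
"""Parse raw `ldapsearch` LDIF output into a clean user list and flag
descriptions that leak credentials and AS-REP roastable accounts.

Added example, not code from the original write-up. SAMPLE_LDIF below is
constructed data: the names, DNs and values are made up for illustration."""
import base64
import re

UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: no Kerberos pre-auth

SAMPLE_LDIF = """\
# extended LDIF
# LDAPv3
dn: CN=Alice Example,OU=Staff,DC=example,DC=local
objectClass: top
objectClass: person
objectClass: user
sAMAccountName: ALICE_EXAMPLE
description: Please Change it: Temp1234!
userAccountControl: 512

dn: CN=Bob Example,OU=Staff,DC=example,DC=local
objectClass: user
sAMAccountName: BOB_EXAMPLE
userAccountControl: 4194816

dn: CN=Svc Backup,OU=Service Accounts,OU=Servers and Services,DC=example,DC=lo
 cal
objectClass: user
sAMAccountName: SVC_BACKUP
description:: QmFja3VwIHNlcnZpY2UgYWNjb3VudA==
userAccountControl: 4194818

dn: CN=WS01,OU=Workstations,DC=example,DC=local
objectClass: user
objectClass: computer
sAMAccountName: WS01$
userAccountControl: 4096

dn: CN=Helpdesk,OU=Groups,DC=example,DC=local
objectClass: group
sAMAccountName: Helpdesk
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict attribute -> list of values.
    Handles '#' comments, '::' base64 values and leading-space continuation lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # ldapsearch wraps long values; re-join them
        else:
            logical.append(raw)

    entries, current = [], {}
    for line in logical + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    return entries


def users_from_ldif(text):
    """Keep user objects only (drop groups and computer accounts)."""
    users = []
    for entry in parse_ldif(text):
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "user" not in classes or "computer" in classes:
            continue
        sam = entry.get("sAMAccountName", [""])[0]
        if not sam:
            continue
        uac = int(entry.get("userAccountControl", ["0"])[0])
        users.append({
            "sam": sam,
            "description": entry.get("description", [""])[0],
            "disabled": bool(uac & UF_ACCOUNTDISABLE),
            "no_preauth": bool(uac & UF_DONT_REQUIRE_PREAUTH),
        })
    return users


HINT_RE = re.compile(r"pass(word)?|pwd|change", re.IGNORECASE)


def password_hints(users):
    """(sAMAccountName, description) pairs whose description smells like a credential."""
    return [(u["sam"], u["description"]) for u in users if HINT_RE.search(u["description"])]


def asrep_candidates(users):
    """Accounts worth sending an AS-REQ without pre-auth. Disabled accounts are
    skipped: the KDC answers KDC_ERR_CLIENT_REVOKED instead of an AS-REP."""
    return [u["sam"] for u in users if u["no_preauth"] and not u["disabled"]]


if __name__ == "__main__":
    found = users_from_ldif(SAMPLE_LDIF)
    print("users:", [u["sam"] for u in found])
    print("password hints:", password_hints(found))
    print("AS-REP roastable:", asrep_candidates(found))
```

Feed it the file you saved from `ldapsearch` instead of `SAMPLE_LDIF` and the output of `asrep_candidates` is the list to hand to `GetNPUsers.py`; checking `userAccountControl` over LDAP this way is quieter than sending an AS-REQ for all 488 names.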
Let's try to crack their hashes with `hashcat` (AS-REP hashes for etype 23 are mode 18200 and must keep their `$krb5asrep$23$` prefix intact).

```bash
[email protected]:d6b612fdd97abd1051b577be9475d82c$23dc0cd387fd56974c2adf60cc9ef324d02bc1e6a880d94338c740ed95672484e7d75a0b9b565514f14d9c7c364457adf724e16dc9c16c7511dba63fdb2e5c40a4d1cecc2d01016cb5d7209442b5ff4344f9525a51496aadd0720a84d18214ebd1171c932c05040a5958fa798437191a5b6c2bb0140a62237f0f9bed8d86210207bc59b18ef8349f9993f56c96f717f3ce695eb7fcf42134b3e9cdd0257e644e78922a15de2c03543910498e49d0f3e70509eb50d485d9af076c80e0ca854a55bbf372ba21ea953550c57233024a4e053abcaf63072d80b11a39f520a39d8e1580051ee2ec83
[email protected]:72a7f7797d60966d21d2267b0a3aaeb9$1c61f86fdd2f92a190eb95198f7d2849e40f0422b8cd61d258945d4c96f29b695d19f4c5f0e20738ba711f4a87f8dc2a24eb8d099d3f9deb1bb6f86e41a2535407ff586e03cfb6f8dfaccff230e87ed9b4a0ee18e75500621191da943935941c6ab4611bb3eff15aecf060cb09def979df3e01d43695c4752f3df91f8b0582940ebec085a2d09102383b319fb80f75082887fa6adde4c886c9ff164c307b5a574b56a9c7c5494ff0ce057f72874bba7dc89745fc846e757a9d7460b8b9b0870feceeadce61069b39ec072977b5b81a568161aaa34259bf86f460252423fea7a4e92d1100bc2f
[email protected]:f4ec003e6dca12262a9acde0d5db98c2$1d8e08b1ed0323c5c891d9d4263b560e608fc6f90c794b0c79a34a207716b63b14afbdb91187ce9f04c52bc3264486866eba845571dfc3067639bfca48e65e7f2a7bd013ec8a2114afebcc26aa745677c1d6753ee29c587e09c7d5002352840d56191d28763b5ef495b5b4a7cf824111149601ea10fdc8e676e20f927c8e543d739fc88f734d12677de65513443a07452699a2c1edb20cd9ecb5c26402e110d504038b3a0693d445007cf4c2e74712d14557fe86068ce39a57875a207d418d8cdeaa0db0512196f1c6639e7eaa25e781258186889f47f486e4bc201f4240669c1b86e3d75da9
[email protected]:c512e56187f7ffdce5e289ba0c866da3$24dc40e741fc8997a5e31cb5e7b3116b77d1597f4cf3f9a2f84ab3890f4368e1274a845d368d3befdd2485c27a2086532c81851b494f38a9c1cf6ac89cd119e5e02645ef373e6a2e08ecc1e0e7a001b21d29d77203cdc1c2ae486b241542e5e579654bf429bd95d0007a5ebd1f6b058c9de71b99edb81d692ffbde93d7d87b75589b3b42e79a924720d88d31d029d83d13e27a2c4fdcd40bdd13d94ba7837f8b153d718c14c40882f70c1f92ae2d339726c0a5dfa04004f7402a61f04f097579a30e8ff9a60a7fe826576b7af7fa2517eb6300b567d030a6b082a494fe6dbe3699645dbdb8e4
[email protected]:2624351d76c72cd3c601f981f05650ce$5fb5ed362fe3f5264a886d4dcde8b2c8756acff95b5c98d0b37a35ebfbad48746ba38a545a31cec770e874bda16a12d5807d8a6974194b0fb69d32ff45cc38f849f83691133487f9cbb6e541378a66fabaf069c36867a441c11fd5e1b9cc1462982491ae9f7dd9d59e02d32d95851525c6b0f67088b527c15fe8875e77039b52bac34083785d0f5ac265eaffd6a7a376bd243ebc7999fe065010674ef23f91de6f6fa3e4059dd5ea44ee4657c71f300831f4670a29e217d91e859eb438c7dfcd9855726c344881e713b1ad6b2a1a933f9c8ddb3d8f686ec193280c88f65266e3cb94400066df
```

I ran `hashcat` against them several times, but no matter how many times I tried it kept failing, and I'm not sure why :(

![[Pasted image 20250726145632.png]]

So I went back to the `ldapsearch` results and read through them. Two users have their description set to `Please Change it: CHANGEME2023!`. That reads like a temporary password handed to those two users, and it's possible they never changed it.

![[Pasted image 20250726150322.png]]

Since we have a list of valid users and one candidate password, let's password-spray. With a single password every account takes exactly one failed attempt, which stays under any sane lockout threshold; before spraying a second candidate, check the domain lockout policy (for example `netexec smb $IP -u '' -p '' --pass-pol`) so you don't lock out 488 users. Two accounts accept the password: `IVY_WILLIS` and `SUSANNA_MCKNIGHT`.

![[Pasted image 20250726150908.png]]

`netexec` shows both accounts are allowed to log in over RDP, but establishing an RDP session as `IVY_WILLIS` failed. Let's log in as `SUSANNA_MCKNIGHT`.

![[Pasted image 20250726151309.png]]

# Initial Access - RDP

After logging in over RDP as `SUSANNA_MCKNIGHT`, `user.txt` was sitting on the Desktop.

![[Pasted image 20250726160636.png]]

# Privilege Escalation

Our current user `SUSANNA_MCKNIGHT` has few privileges and, as expected, is not a member of the Domain Admins group.
![[Pasted image 20250726161809.png]]

![[Pasted image 20250726160858.png]]

I decided to enumerate the domain further with `BloodHound` to map out the AD. First I collected the data with `bloodhound-python`.

![[Pasted image 20250726161711.png]]

`BloodHound` mapped the domain visually, but no privilege-escalation path from our user was apparent in the collected data.

![[Pasted image 20250726163042.png]]

Then I turned to Active Directory Certificate Services; the `thm-LABYRINTH-CA` certificate seen on port 443 had already given away that an enterprise CA exists. To enumerate certificate templates, I used `certipy-ad` with the following command:

```bash
certipy-ad find -u susanna_mcknight -p CHANGEME2023! -target $IP -stdout -vulnerable
```

It revealed that the `ServerAuth` template is vulnerable to `ESC1`. In ESC1 the template lets the enrollee supply the subject alternative name, its EKUs permit client authentication, no manager approval or authorized signature is needed, and low-privileged users may enroll. Any domain user can therefore request a certificate carrying another account's UPN and use it to authenticate as that account, either via PKINIT (to obtain a TGT) or via Schannel (LDAPS).

![[Pasted image 20250726165755.png]]

I requested a certificate from the vulnerable `ServerAuth` template with the `Administrator` UPN in the SAN. Certipy wrote the certificate and private key to `administrator.pfx`, and we can now use this `.pfx` file to request a TGT.

![[Pasted image 20250726170753.png]]

However, I kept running into the error below. I thought it might be because I had tried to impersonate `Administrator`, so I looked for other users in the `Domain Admins` group.

![[Pasted image 20250726174044.png]]

Found 3 other users in the `Domain Admins` group.

![[Pasted image 20250726174026.png]]

This time I requested a TGT impersonating `BRADLEY_ORTIZ`, but it gave me the same error as before. I spent a long time tweaking parameters, but nothing worked.

![[Pasted image 20250726175441.png]]

Then I found a workaround. After some research, I discovered that the `.pfx` obtained from AD CS can also be used for LDAP (Schannel) authentication instead of PKINIT: Certipy's `auth` command with `-ldap-shell` binds to LDAPS with the certificate and opens an LDAP shell as the certificate's subject, so the KDC is never involved.
Successfully logged in as `BRADLEY_ORTIZ` and opened the LDAP shell.

![[Pasted image 20250726180039.png]]

It provides a `change_password` command, which I used to change the `BRADLEY_ORTIZ` password to `wook413`. (Fine in a lab; on a real engagement resetting a Domain Admin's password is loud, it logs event 4724 and locks the real owner out of the account.)

![[Pasted image 20250726180108.png]]

Then, using `xfreerdp3`, I finally got a shell as `Domain Admin`!!!!

![[Pasted image 20250726180249.png]]

Make sure to run PowerShell as `Administrator`: even a Domain Admin gets a UAC-filtered token at an interactive logon, and without elevation you are not going to be able to access the `C:\Users\Administrator` directory.

Finally found `root.txt`.

![[Pasted image 20250726180427.png]]
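Certipy's `-vulnerable` flag did the ESC1 reasoning for me above. To make concrete what that check actually tests, here is an added example (mine, not code from the original write-up or from Certipy) that evaluates a template's LDAP attributes against the ESC1 conditions one by one. The records in `SAMPLE_TEMPLATES`, the domain SID and the template names are constructed for illustration; they are not the lab's real `ServerAuth` attributes.

```python
"""ESC1 check for an AD CS certificate template, written out condition by condition.

Added example, not code from the original write-up or from Certipy. The template
records in SAMPLE_TEMPLATES and DOMAIN_SID are constructed for illustration."""

# msPKI-Certificate-Name-Flag bits (MS-CRTD)
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001
CT_FLAG_SUBJECT_ALT_REQUIRE_UPN = 0x02000000   # CA builds the SAN from the AD UPN
# msPKI-Enrollment-Flag bits (MS-CRTD)
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002         # manager approval required
CT_FLAG_NO_SECURITY_EXTENSION = 0x00080000     # no SID extension in issued certs

# EKUs that make a certificate usable for logon (a template with NO EKU also qualifies)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed; RIDs below are real
LOW_PRIV_SIDS = {
    "S-1-1-0",             # Everyone
    "S-1-5-11",            # Authenticated Users
    f"{DOMAIN_SID}-513",   # Domain Users
    f"{DOMAIN_SID}-515",   # Domain Computers
}

SAMPLE_TEMPLATES = [
    {   # named like a server template, but has a client-auth EKU and lets the
        # enrollee pick the SAN: the ESC1 pattern the write-up found
        "name": "ExampleServerAuth", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0, "ra_signature": 0,
        "ekus": ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"],  # Server Auth + Client Auth
        "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    {   # Server Authentication only: a forged SAN cannot be used to log on
        "name": "ExampleWebServer", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": 0, "ra_signature": 0,
        "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
    {   # same EKUs, but every request waits for a CA manager
        "name": "ExampleApproved", "name_flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "enrollment_flag": CT_FLAG_PEND_ALL_REQUESTS, "ra_signature": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": ["S-1-5-11"],
    },
    {   # User-style template: the CA derives the SAN from the requester's own UPN
        "name": "ExampleUser", "name_flag": CT_FLAG_SUBJECT_ALT_REQUIRE_UPN,
        "enrollment_flag": 0, "ra_signature": 0,
        "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [f"{DOMAIN_SID}-513"],
    },
]


def esc1_findings(tpl, ca_allows_low_priv_enroll=True):
    """Return the ESC1 conditions that are NOT satisfied for this template.
    An empty list means every condition holds and the template is ESC1-abusable."""
    missing = []
    if not ca_allows_low_priv_enroll:
        missing.append("CA does not grant enrollment to low-privileged principals")
    if not set(tpl["enroll_sids"]) & LOW_PRIV_SIDS:
        missing.append("template enrollment rights not granted to low-privileged principals")
    if tpl["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS:
        missing.append("manager approval required")
    if tpl["ra_signature"] > 0:
        missing.append(f"{tpl['ra_signature']} authorized signature(s) required")
    if tpl["ekus"] and not set(tpl["ekus"]) & set(AUTH_EKUS):
        missing.append("no authentication EKU")
    if not tpl["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        missing.append("enrollee cannot supply the subject/SAN")
    return missing


def is_esc1(tpl, **kw):
    return not esc1_findings(tpl, **kw)


def sid_mismatch_blocked(tpl, kdc_full_enforcement):
    """KB5014754 caveat: once the KDC enforces strong certificate mapping, a cert
    whose embedded SID extension names the requester rather than the impersonated
    account is rejected for PKINIT, unless the template omits the extension."""
    return bool(kdc_full_enforcement and not tpl["enrollment_flag"] & CT_FLAG_NO_SECURITY_EXTENSION)


if __name__ == "__main__":
    for tpl in SAMPLE_TEMPLATES:
        status = "ESC1" if is_esc1(tpl) else "not ESC1: " + "; ".join(esc1_findings(tpl))
        print(f"{tpl['name']:<20} {status}")
```

The `sid_mismatch_blocked` helper is there because PKINIT can still refuse an otherwise valid ESC1 certificate on a patched DC: the CA stamps the requester's SID into the certificate, and a KDC enforcing strong mapping rejects the mismatch with the impersonated account. Schannel-based LDAP authentication does not go through the KDC, which is one reason the LDAP-shell route can succeed where the TGT request fails; read the actual KDC error before assuming that is the cause in a given lab.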