{"id":340,"date":"2022-05-13T23:27:55","date_gmt":"2022-05-13T23:27:55","guid":{"rendered":"https:\/\/dextersec.xyz\/?p=340"},"modified":"2022-05-13T23:27:55","modified_gmt":"2022-05-13T23:27:55","slug":"active-directory-hacking-with-kali-attackative-directory","status":"publish","type":"post","link":"https:\/\/dextersec.xyz\/?p=340","title":{"rendered":"Active Directory Hacking with Kali: Attackative Directory"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><strong>Introduction<\/strong><\/h2>\n\n\n\n<p>For my fifth machine in the Active Directory hacking with Kali series, I\u2019ll be pwning attackative directory from tryhackme. Attackative directory is an easy active directory machine that teaches the basics of active directory enumeration and ASREPROASTING attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Recon<\/strong><\/h2>\n\n\n\n<p>Initial Nmap scan<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"733\" height=\"259\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-4.png\" alt=\"\" class=\"wp-image-345\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-4.png 733w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-4-300x106.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-4-210x74.png 210w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><\/figure>\n\n\n\n<p>Detailed Nmap Scan<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"769\" height=\"584\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-6.png\" alt=\"\" class=\"wp-image-347\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-6.png 769w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-6-300x228.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-6-210x159.png 210w\" sizes=\"(max-width: 769px) 100vw, 769px\" 
\/><\/figure>\n\n\n\n<p><strong>SMB Enumeration<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"779\" height=\"292\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-5.png\" alt=\"\" class=\"wp-image-346\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-5.png 779w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-5-300x112.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-5-768x288.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-5-210x79.png 210w\" sizes=\"(max-width: 779px) 100vw, 779px\" \/><\/figure>\n\n\n\n<p>Crackmapexec RID brute<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"233\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-7.png\" alt=\"\" class=\"wp-image-349\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-7.png 790w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-7-300x88.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-7-768x227.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-7-210x62.png 210w\" sizes=\"(max-width: 790px) 100vw, 790px\" \/><\/figure>\n\n\n\n<p>Found some domain users<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"763\" height=\"298\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-8.png\" alt=\"\" class=\"wp-image-350\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-8.png 763w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-8-300x117.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-8-210x82.png 210w\" sizes=\"(max-width: 763px) 100vw, 763px\" \/><\/figure>\n\n\n\n<p>Save users into a text file <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img 
loading=\"lazy\" decoding=\"async\" width=\"723\" height=\"40\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-10.png\" alt=\"\" class=\"wp-image-352\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-10.png 723w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-10-300x17.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-10-210x12.png 210w\" sizes=\"(max-width: 723px) 100vw, 723px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"802\" height=\"336\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-9.png\" alt=\"\" class=\"wp-image-351\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-9.png 802w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-9-300x126.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-9-768x322.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-9-210x88.png 210w\" sizes=\"(max-width: 802px) 100vw, 802px\" \/><\/figure>\n\n\n\n<p>Try AS-REP roasting the discovered users<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"343\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12-1024x343.png\" alt=\"\" class=\"wp-image-354\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12-1024x343.png 1024w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12-300x101.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12-768x257.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12-210x70.png 210w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-12.png 1179w\" sizes=\"(max-width: 980px) 100vw, 980px\" \/><\/figure>\n\n\n\n<p>We discover that the user svc-admin is AS-REP roastable and save the obtained hash to a file to be cracked<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"742\" height=\"74\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-13.png\" alt=\"\" class=\"wp-image-355\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-13.png 742w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-13-300x30.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-13-210x21.png 210w\" sizes=\"(max-width: 742px) 100vw, 742px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"741\" height=\"87\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-14.png\" alt=\"\" class=\"wp-image-356\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-14.png 741w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-14-300x35.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-14-210x25.png 210w\" sizes=\"(max-width: 741px) 100vw, 741px\" \/><\/figure>\n\n\n\n<p><strong>Exploitation<\/strong><\/p>\n\n\n\n<p>SVC-Admin&#8217;s password cracked with john<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"819\" height=\"165\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-15.png\" alt=\"\" class=\"wp-image-357\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-15.png 819w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-15-300x60.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-15-768x155.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-15-210x42.png 210w\" sizes=\"(max-width: 819px) 100vw, 819px\" \/><\/figure>\n\n\n\n<p>Let&#8217;s spray this password with crackmapexec; we have access to SMB<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"821\" height=\"84\" 
src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-16.png\" alt=\"\" class=\"wp-image-358\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-16.png 821w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-16-300x31.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-16-768x79.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-16-210x21.png 210w\" sizes=\"(max-width: 821px) 100vw, 821px\" \/><\/figure>\n\n\n\n<p>Enumerate share access with SMBMap<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"829\" height=\"195\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-18.png\" alt=\"\" class=\"wp-image-360\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-18.png 829w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-18-300x71.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-18-768x181.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-18-210x49.png 210w\" sizes=\"(max-width: 829px) 100vw, 829px\" \/><\/figure>\n\n\n\n<p>We have access to three shares; backups is a non-default share, so let&#8217;s check it out first<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"812\" height=\"214\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-19.png\" alt=\"\" class=\"wp-image-361\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-19.png 812w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-19-300x79.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-19-768x202.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-19-210x55.png 210w\" sizes=\"(max-width: 812px) 100vw, 812px\" \/><\/figure>\n\n\n\n<p>Interesting, a credentials file&#8230; download it locally and open it<\/p>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"690\" height=\"96\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-20.png\" alt=\"\" class=\"wp-image-362\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-20.png 690w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-20-300x42.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-20-210x29.png 210w\" sizes=\"(max-width: 690px) 100vw, 690px\" \/><\/figure>\n\n\n\n<p>Decode the base64 text<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"138\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-21.png\" alt=\"\" class=\"wp-image-363\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-21.png 759w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-21-300x55.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-21-210x38.png 210w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/figure>\n\n\n\n<p>Try evil-winrm with back creds &#8230;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"827\" height=\"184\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-22.png\" alt=\"\" class=\"wp-image-364\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-22.png 827w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-22-300x67.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-22-768x171.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-22-210x47.png 210w\" sizes=\"(max-width: 827px) 100vw, 827px\" \/><\/figure>\n\n\n\n<p>No luck..<\/p>\n\n\n\n<p>Try dumping secrets with Impacket&#8217;s secretsdump.py<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"929\" height=\"187\" 
src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-23.png\" alt=\"\" class=\"wp-image-365\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-23.png 929w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-23-300x60.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-23-768x155.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-23-210x42.png 210w\" sizes=\"(max-width: 929px) 100vw, 929px\" \/><\/figure>\n\n\n\n<p>We get admin hash!<\/p>\n\n\n\n<p>Use evil-winrm to pass the hash and profit<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"933\" height=\"120\" src=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-24.png\" alt=\"\" class=\"wp-image-366\" srcset=\"https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-24.png 933w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-24-300x39.png 300w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-24-768x99.png 768w, https:\/\/dextersec.xyz\/wp-content\/uploads\/2021\/09\/image-24-210x27.png 210w\" sizes=\"(max-width: 933px) 100vw, 933px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Introduction For my fifth machine in the Active Directory hacking with Kali series, I\u2019ll be pwning attackative directory from tryhackme. Attackative directory is an easy active directory machine that teaches the basics of active directory enumeration and ASREPROASTING attacks. 
Recon Initial Nmap scan Detailed Nmap Scan SMB Enumeration Crackmapexec RID brute Found some domain users [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,9],"tags":[],"class_list":["post-340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-active-directory-101","category-security-articles","category-walkthroughs"],"_links":{"self":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/340"}],"collection":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=340"}],"version-history":[{"count":3,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions"}],"predecessor-version":[{"id":395,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/340\/revisions\/395"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/media\/394"}],"wp:attachment":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}