{"id":368,"date":"2022-05-13T23:18:11","date_gmt":"2022-05-13T23:18:11","guid":{"rendered":"https:\/\/dextersec.xyz\/?p=368"},"modified":"2022-05-13T23:18:11","modified_gmt":"2022-05-13T23:18:11","slug":"active-directory-hacking-with-kali-thm-roasted","status":"publish","type":"post","link":"https:\/\/dextersec.xyz\/?p=368","title":{"rendered":"Active Directory Hacking with Kali: THM Roasted"},"content":{"rendered":"\n

Introduction<\/strong><\/h2>\n\n\n\n

For my fourth machine in the Active Directory hacking with Kali series, I\u2019ll be pwning roasted from tryhackme. Roasted is an easy active directory machine that teaches the basics of active directory enumeration and ASREPROASTING attacks.<\/p>\n\n\n\n

Reconnaissance <\/strong><\/p>\n\n\n\n

Start by running an Nmap scan<\/p>\n\n\n\n

P.S Use the -Pn switch to suppress pings<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

From the Nmap scan above we can gather the following:<\/p>\n\n\n\n

  1. Port 53 indicates that DNS is running on this machine<\/li>
  2. Port 88 is running the Kerberos authentication service<\/li>
  3. Ports 389 & 3628 have LDAP running<\/li>
  4. The host scripts reveal that SMBv2 is running on port 445<\/li>
  5. The host is a Domain Controller<\/li>
  6. LDAP provides us with the domain name vulnnet-rst.local<\/li><\/ol>\n\n\n\n

    Enumeration<\/strong><\/p>\n\n\n\n

    Enumerate SMB with SMBMAP<\/p>\n\n\n\n

    smbmap -H vulnnet-rst.local -u guest -p \"\"<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Enumerate domain users with crackmapexec by brute-forcing rids<\/p>\n\n\n\n
    crackmapexec smb vulnnet-rst.local -u \"guest\" -p '' --rid-brute<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Save discovered users into a file userslist.txt<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Exploitation<\/strong><\/p>\n\n\n\n
    Using the information gathered so far we can attempt to exploit ASREPROASTABLE (Non-Preauthenticated) users<\/p>\n\n\n\n
    Run GETNPUSers.py from impacket against our list of gathered users<\/p>\n\n\n\n
    python3 GetNPUsers.py vulnnet-rst.local\/ -usersfile userslist.txt -dc-ip 10.10.184.239<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    We are able to obtain t-skid’s hash from the AS-reply<\/p>\n\n\n\n
    Save the hash into a file and crack with john <\/p>\n\n\n\n
    sudo john hash.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt<\/code><\/pre>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    We have read access to Netlogon share <\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Interesting script in the NETLOGON share… Download and Open<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Hmnnn hardcoded password in the script<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Lets try it with crackmap exec on smb & winrm…<\/p>\n\n\n\n
     PWNED! <\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Login with evil-winrm<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    We’re in…<\/p>\n\n\n\n
    We enumerate again with SMBMAP for Privesc<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    We have Read & Write Access to the $ADMIN share, let’s dump secrets with impacket secretsdump.py<\/p>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Login and profit with admin hash<\/p>\n\n\n\n
    \"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
    Introduction For my fourth machine in the Active Directory hacking with Kali series, I\u2019ll be pwning roasted from tryhackme. Roasted is an easy active directory machine that teaches the basics of active directory enumeration and ASREPROASTING attacks. Reconnaissance Start by running an Nmap scan P.S Use the -Pn switch to suppress pings From the Nmap […]<\/p>\n","protected":false},"author":1,"featured_media":392,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-368","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/368"}],"collection":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=368"}],"version-history":[{"count":2,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions"}],"predecessor-version":[{"id":393,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/posts\/368\/revisions\/393"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=\/wp\/v2\/media\/392"}],"wp:attachment":[{"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=368"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=368"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dextersec.xyz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=368"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}