Task3
What tool will allow us to enumerate port 139/445?
enum4linux
What is the NetBIOS-Domain Name of the machine?
THM-AD
nmapの結果からも回答を見つけられます。
What invalid TLD do people commonly use for their Active Directory Domain?
.local
上記のnmapの結果でも確認できます。
Task4
What command within Kerbrute will allow us to enumerate valid usernames?
userenum
What notable account is discovered? (These should jump out at you)
svc-admin
Task4で提示されているuserリストを使用して以下のコマンドで確認できます。
What is the other notable account is discovered? (These should jump out at you)
backup
Task5
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
svc-admin
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
上記実行結果の「krb5asrep」をWikiで検索するとHash-Nameがわかります。
What mode is the hash?
18200
Now crack the hash with the modified password list provided, what is the user accounts password?
management2005
Task6
What utility can we use to map remote SMB shares?
smbclient
Which option will list shares?
-L
How many remote shares is the server listing?
6
There is one particular share that we have access to that contains a text file. Which share is it?
backup
What is the content of the file?
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
Decoding the contents of the file, what is the full contents?
backup@spookysec.local:backup2517860
Burpより、「デコーダー」でエンコードされた文字列を貼り付け、base64 メソッドでデコードします。
Task7
What method allowed us to dump NTDS.DIT?
DRSUAPI
What is the Administrators NTLM hash?
0e0363213e37b94221497260b0bcb4fc
What method of attack could allow us to authenticate as the user without the password?
pass the hash
Using a tool called Evil-WinRM what option will allow us to use a hash?
-H
Task8
svc-admin
TryHackMe{K3rb3r0s_Pr3_4uth}
backup
TryHackMe{B4ckM3UpSc0tty!}
Administrator
TryHackMe{4ctiveD1rectoryM4st3r}