Writing Up My Home Study

Notes on what I have studied in IT and security.

【TryHackMe】Attacktive Directory


Task3

What tool will allow us to enumerate port 139/445?

enum4linux

 

What is the NetBIOS-Domain Name of the machine?

THM-AD

 

[Figure: enum4linux output]

The answer can also be found in the nmap results.

[Figure: nmap output]

What invalid TLD do people commonly use for their Active Directory Domain?

.local

 

This can also be confirmed in the nmap results above.

Task4

What command within Kerbrute will allow us to enumerate valid usernames?

userenum

[Figure: kerbrute options]

What notable account is discovered? (These should jump out at you)

svc-admin

 

Using the user list provided in Task 4, this can be confirmed with the following command.

[Figure: command output]

What is the other notable account is discovered? (These should jump out at you)

backup

 

Task5

We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

svc-admin

[Figure: command output]

Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)

Kerberos 5, etype 23, AS-REP

 

Searching the wiki for "krb5asrep" from the output above shows the Hash-Name.

What mode is the hash?

18200

[Figure: checking the hash format]

Now crack the hash with the modified password list provided, what is the user accounts password?

management2005

[Figure: hashcat output]

Task6

What utility can we use to map remote SMB shares?

smbclient

 

Which option will list shares?

-L

 

How many remote shares is the server listing?

6

[Figure: command output]

There is one particular share that we have access to that contains a text file. Which share is it?

backup

 

What is the content of the file?

YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

 

Decoding the contents of the file, what is the full contents?

backup@spookysec.local:backup2517860

 

In Burp, paste the encoded string into Decoder and decode it with the base64 method.

[Figure: decoded result]

Task7

What method allowed us to dump NTDS.DIT?

DRSUAPI

[Figure: command output]

What is the Administrators NTLM hash?

0e0363213e37b94221497260b0bcb4fc

 

What method of attack could allow us to authenticate as the user without the password?

pass the hash

 

Using a tool called Evil-WinRM what option will allow us to use a hash?

-H

 

Task8

svc-admin

TryHackMe{K3rb3r0s_Pr3_4uth}

 

backup

TryHackMe{B4ckM3UpSc0tty!}

 

Administrator

TryHackMe{4ctiveD1rectoryM4st3r}