Attacktive Directory | TryHackMe

Featured image

TryHackMe - Attacktive Directory

Windows - Medium Difficulty

Brought to you by

Write up by

By copy/pasting & cheating you only cheat yourself!

Lets first create a host record in our /etc/hosts file.

Enumerate the DC

The first objective: How many ports are open < 10000?

nmap -sV -sC -p 0-10000 -oA attacktive.nmap <ip>

I counted 15, but apparently this was incorrect. To double check, I added | grep open at the end of my nmap command.

I still count 15, but a less detailed nmap scan comes up with only 11 open ports.

The second objective: Which tool do we use to enumerate port 139/445 (SMB)?

A well known tool to do so is enum4linux this was also hinted at in the brief.

The third objective: Find out what the NetBIOS-Domain name is of the machine.

To do so, we run enum4linux <ip> 2>/dev/null > attacktive.e4l

This will return lots of information including the NetBIOS Domain Name

The fourth objective of the enumeration chapter is: What invalid TLD do people commonly use for their Active Directory Domain?

Our nmnap scan previously revealed the Domain Name being spookysec.local

.local is often miss-used as a .TLD (Top Level Domain)

Enumerate the DC Pt2 (KERBRUTE)

Lets proceed by downloading the userlist and passwordlist onto our machine.

The first objective of this chapter is: How to enumerate valid users with kerbrute?

Kerbrute has a parameter userenum to enumerate valid usernames.

To enumerate valid usernames from the userlist.txt provided to us we run the following command:

kerbrute_linux_386 userenum --dc spookysec.local -d spookysec.local userlist.txt

The output:

A couple notable accounts are the following:

Exploiting Kerberos

First objective: We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?

We can use Impacket to do some ASREPRoasting to determine if there’s an account we can query Kerberos tickets from without password.

python spookysec.local/ -usersfile <file_dir>

svc-admin allows us to send a ticket without authentication!

Second objective: Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)?

If you visit

And search for kerberos 5, you’ll see the full name is “Kerberos 5 AS-REQ Pre-Auth etype 23” this seemed to be invalid still, so after doing some brute forcing Kerberos 5 AS-REQ etype 23 was valid.

Third objective: What mode is the hash?

Kerberos 5 AS-REQ etype 23 hashes are mode 18200 (defined when using hashcat) this is basic knowledge but can easily be found with a Google search.

Fourth objective: Now crack the hash with the modified password list provided, what is the user accounts password?

To crack the hash i use John with the following command:

john --wordlist=passwordlist.txt AS_REP.txt

AS_REP.txt is a file containing the hash we previously retrieved.

The password is man——-5

Enumerate the DC Pt 3 (SMB with credentials)

In this chapter we’ll be using the credentials we previously discovered to gain access to the smb file sharing system.

First objective: Using which utility can we map remote SMB shares?

Again, this is common knowledge but we’ll make use of the smbclient utility.

Second objective: Which option will list shares?

The -L parameter allows us to list shares. This information can be found in the man page.

Third objective: How many remote shares is the server listing?

To define a username using smbclient we define it by utilising the -U parameter.

There are 6 shares available!

Fourth objective: There is one particular share that we have access to that contains a text file. Which share is it?

We can mount each share by using the following command:

smbclient -U svc-admin //spookysec.local/<share_name>

I mounted the backup share and there was a .txt file inside!

Fifth objective: What is the content of the file?

We can retrieve its content by utilising the more command.


Sixth objective: Decoding the contents of the file, what is the full contents?

To identify the type of hash we’re dealing with I used

Character type base64 I then decrypted base64 in my Kali machine using the following command:

base64 -d backup_credentials.txt

The decrypted hash is backup@spookysec.local:ba———0

Elevating Privileges

First objective: What method allowed us to dump NTDS.DIT?


Second objective: What is the Administrators NTLM hash?

As you can see in the previous screenshot we use to extract the hashes from all users the Domain Controller has access to.

The administrator NTLM hash is e—————-b

Third objective: What method of attack could allow us to authenticate as the user without the password?

Pass the hash a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LanMan hash of a user’s password.

Fourth objective: Using a tool called Evil-WinRM what option will allow us to use a hash?

-H allows us to input NThash


We can now connect to each of the accounts with their NT:LM hashes.

Evil-winrm supports Pass The Hash, the -H flag allows us to authenticate with the NT hash as explained in the objective above.

evil-winrm -i <ip> -u Administrator -H <NT Hash>

We are now Administrator, each flag is located in the user Desktop directory.