Introduction

In this walkthrough, we covered a pentest of a Windows Active Directory machine in which we applied several techniques, namely AS-REP roasting, Kerberoasting and DCSync, to complete the challenge.

Room Introduction

VulnNet Entertainment just deployed a new instance on their network with the newly-hired system administrators. Being a security-aware company, they, as always, hired you to perform a penetration test and see how the system administrators are performing.

  • Difficulty: Easy
  • Operating System: Windows

This is a much simpler machine; do not overthink it. You can do it by following common methodologies.

Note: It might take up to 6 minutes for this machine to fully boot.

  • Author: TheCyb3rW0lf
  • Discord: TheCyb3rW0lf#8594

Room Link: https://tryhackme.com/room/vulnnetroasted

Getting the Lay of the Land

I started, as always, with a good old Nmap scan. This told me I was dealing with a Windows Active Directory domain controller, with the domain name vulnerablenetroasted.local.

Next, I checked out the SMB shares. I found a few, but the most interesting part was that I could list them without any credentials (a null session). This gave me a starting point.

To find some actual usernames, I used a nifty script from the Impacket collection called lookupsid.py. This script can enumerate users by looking up Security Identifiers (SIDs), and it gave me a nice list of active users, which I saved to a file.

The Roasting Begins: AS-REP Roasting

Now for the fun part. I launched an AS-REP roasting attack. This attack looks for user accounts that have Kerberos pre-authentication disabled ("Do not require Kerberos preauthentication"). For such accounts the KDC will hand out an AS-REP to anyone who asks, and part of that reply is encrypted with a key derived from the user's password, so it can be cracked offline to recover the password.

I used another Impacket script, GetNPUsers.py, with my list of usernames. Sure enough, I got a hash for a user named tskit. I threw this hash into Hashcat, and a few moments later, I had the password!

Double Trouble: Kerberoasting

With the credentials for tskit in hand, I moved on to a Kerberoasting attack. This attack targets accounts with a Service Principal Name (SPN), which often have weak passwords: any authenticated user can request a service ticket for them, and that ticket is encrypted with the service account's password-derived key. I used GetUserSPNs.py to find such accounts and request their ticket hashes.

This gave me another hash, this time for an account called enterprise_core_vn. Back to Hashcat I went, and soon enough, I had cracked that password too.

Getting In and Moving Up

Now that I had valid credentials for the enterprise_core_vn account, I used evil-winrm to get a remote shell on the machine. I was finally in!

But I wasn’t an administrator yet. I went back to the SMB shares and took a closer look at the netlogon share. There, I found a Visual Basic Script called reset_password.vbs. When I looked inside, I found hardcoded credentials for another user, whitehat. Jackpot!

With the whitehat credentials, I had enough power to perform a DCSync attack using secretsdump.py. This attack abuses the directory replication rights the account holds: it mimics a domain controller and asks the real domain controller to replicate its user data, including the password hashes. This gave me the NTLM hash for the administrator account.

For the final step, I used the administrator’s hash with evil-winrm to log in. A quick whoami /groups command confirmed it: I was the administrator. Challenge complete!

Technical Commands I Used

Here are some of the key commands I used in the terminal during this penetration test:

  • Nmap:
    • nmap -sV -sC -oA nmap_scan <IP Address>
  • SMB Enumeration (null session):
    • sudo smbclient -L \\\\<IP Address>\\ -N
    • sudo smbmap -H <IP Address>
  • User Enumeration:
    • python3 lookupsid.py anonymous@<IP Address> > usernames.txt
  • AS-REP Roasting:
    • sudo python3 GetNPUsers.py <Domain Name>/ -usersfile users.txt -no-pass -dc-ip <Domain Controller IP> -format hashcat -outputfile hashes.txt
  • Kerberoasting:
    • sudo python3 GetUserSPNs.py <Domain Name>/<Username>:<Password> -dc-ip <Domain Controller IP> -request -outputfile hashes2.txt
  • Hash Cracking (Hashcat):
    • hashcat -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt (for AS-REP roasting)
    • hashcat -m 13100 hashes2.txt /usr/share/wordlists/rockyou.txt (for Kerberoasting)
  • Remote Shell (Evil-WinRM):
    • evil-winrm -i <IP Address> -u <Username> -p <Password>
    • evil-winrm -i <IP Address> -u <Username> -H <Hash>
  • DCSync Attack (secretsdump):
    • sudo python3 secretsdump.py <Domain Name>/<Username>:<Password>@<IP Address>
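
For the defensive side of the three techniques above, here is a small triage routine, added as an example and not part of the original post or the room, that flags AS-REP roasting, Kerberoasting and DCSync from Windows Security event records. The field names follow events 4768, 4769 and 4662; the sample records and the `DC01$` computer name are constructed.

```python
# Added example (not from the original post): flag the three techniques in this
# walkthrough from Windows Security events. Records below are constructed.
from typing import Optional, Tuple

RC4_HMAC = "0x17"  # etype 23, the default Impacket roasting tools request
# Extended-right GUIDs exercised when directory data is replicated (DCSync).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

def classify_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (technique, account involved) or None if the event looks benign."""
    eid = ev["EventID"]
    if eid == 4768:
        # AS-REP roasting: TGT issued with no pre-authentication (type 0)
        # and an RC4 ticket; the account itself is the one being roasted.
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType") == RC4_HMAC:
            return ("as-rep-roasting", ev.get("TargetUserName", ""))
    elif eid == 4769:
        # Kerberoasting: RC4 service ticket for a user (not machine) SPN account.
        svc = ev.get("ServiceName", "")
        if (ev.get("TicketEncryptionType") == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return ("kerberoasting", svc)
    elif eid == 4662:
        # DCSync: replication rights used by something that is not a domain
        # controller computer account (those end in '$').
        actor = ev.get("SubjectUserName", "")
        if set(ev.get("Properties", [])) & REPL_GUIDS and not actor.endswith("$"):
            return ("dcsync", actor)
    return None

def triage(events: list) -> list:
    """Return every (technique, account) hit, in log order."""
    return [hit for hit in map(classify_event, events) if hit]

SAMPLE_EVENTS = [  # constructed, modelled on the steps in this walkthrough
    {"EventID": 4768, "TargetUserName": "tskit", "PreAuthType": "0",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "tskit", "ServiceName": "enterprise_core_vn",
     "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "SubjectUserName": "whitehat",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    for technique, account in triage(SAMPLE_EVENTS):
        print(f"{technique}: {account}")
```

Each of the three hits lines up with one step of the walkthrough (tskit roasted, enterprise_core_vn Kerberoasted, whitehat replicating), while the AES-only and computer-account events are left alone.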

Room Answers

Answer the questions below
What is the user flag? (Desktop\user.txt)
What is the system flag? (Desktop\system.txt)

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
